It seems that everyone has a smartphone these days. And this little piece of technology, which has become so integral to modern life, can do so much more than call and text.
Today’s mobile phones are used for shopping, photography, directions, health and fitness – even investing. To discover how secure a smartphone really is, 60 Minutes’ Sharyn Alfonsi headed to Berlin, Germany to meet some of the world’s greatest hackers. What she found will shock you.
With regard to security, “all phones are the same,” says German hacker Karsten Nohl. Karsten has a doctorate in computer engineering and works for a company that advises Fortune 500 companies on computer security. He also tests the devices we use every day for flaws hackers can use to gain access.
Most recently, Karsten’s team has been probing the security of mobile phone networks. With just a phone number, Karsten says he can track a person’s whereabouts, listen in on phone conversations, read text messages, and even hack into any phone that called the original phone.
To test Karsten’s bold claims, 60 Minutes handed New York Representative Ted Lieu a new smartphone and gave that number to the German hackers. Lieu, who has a computer science degree from Stanford, was informed that his phone would be hacked.
With a simple call from Sharyn to Congressman Lieu, the hackers were in and listening. They were able to gain access through a flaw in Signaling System Seven. SS7 is a massive network that connects all phone carriers. Most of us have never heard of it, but every cellphone in the world uses SS7 to make calls, send texts, and roam.
But most hackers don’t use SS7 to get into your cell phone. To learn more about other methods of hacking, Sharyn attended an annual hacking convention in Las Vegas. There, she was introduced to John Hering, a hacker who co-founded the mobile security company “Lookout” at age 23.
“Any system can be broken, it’s just knowing how to break it,” says Hering. When asked how likely it is that someone’s phone has been hacked, Hering gave the chilling reply: “In today’s world there’s really only two types of companies or two types of people, which are those who have been hacked and realize it and those who have been hacked and haven’t.”
Phones are computers, explains Hering, but most people don’t think of them that way. “There’s more technology in your mobile phone than was in, you know, the spacecraft that took man to the moon.”
To prove that he could hack into anything, Hering gathered a team of specialists and met up with Sharyn at her Las Vegas hotel. “Would you put your money in a bank that didn’t test their locks on their safes? We need to try and break it to make sure the bad guys can’t,” explains one of the ace hackers.
The hacking started when Sharyn used her phone to connect to the hotel’s Wi-Fi. Turns out, it was a ghost network created by Hering designed to look like the hotel’s Wi-Fi (this is called spoofing).
Sharyn was shocked when just seconds later the team had access to her email account, phone number, and credit card accounts.
Human nature is the greatest weakness in mobile security, points out Jon Oberheide, another member of the team. “With social engineering, you can’t really fix the human element. Humans are gullible. They install malicious applications. They give up their passwords every day. And it’s really hard to fix that human element.”
Meanwhile, the team in Berlin had been busy spying on Congressman Lieu. Using the aforementioned flaw in SS7, Karsten was able to track Lieu’s movements and record entire phone conversations.
Karsten points out that even with location services turned off, the GPS chip in your phone gives away your location. Since the flaw is in the mobile network (SS7), which is shared by all cell phones, any choices Lieu might have made regarding carrier, passwords, etc. would not have made a difference regarding phone security.
Lieu was shocked when Sharyn showed him what the hackers had been able to do. He was infuriated when she told him that US intelligence agencies know about the flaw and don’t want that hole sealed. “The people who knew about this flaw…should be fired,” said Lieu, concerned about the types of conversations bad guys might be able to gain access to if they hacked into the phones of congressmen and other officials.
“You cannot have 300-some million Americans – and really, right, the global citizenry be at risk of having their phone conversations intercepted with a known flaw, simply because some intelligence agencies might get some data. That is not acceptable,” said Lieu.
The average person will not be exposed to such malicious and advanced attacks, explains Hering, but the goal of the experiment was to show what’s possible – so that people will understand the magnitude of the issue. “We live in a world where we cannot trust the technology that we use.”
Editor’s Note: We believe the attack on privacy is one of the gravest threats to American culture. Information is power. Information about you is power over you. Without privacy you are powerless.