Tapped: All the Ways Your Phone Can Be Hacked

The headline was published on a trusted news site that I read off of my iPhone. It stunned me into disbelief: "A 9.5 Magnitude Earthquake Destroys Central California, Splits State Into Northern and Southern Halves," it read. Fortunately for the inhabitants of the Golden State, this was not real news. Rather, it was some crafty misinformation that was wirelessly injected into my phone by a hacker named Samy Kamkar.

In our third and final episode of "Phreaked Out" we tackle the question of mobile phone security. With global smartphone ownership expected to hit nearly 1.75 billion by the end of 2014, the threat of phone attacks is becoming as democratized as ever. Anyone with a smartphone is exploitable; any smartphone can be compromised. The control we thought we had over our devices has increasingly eroded away. The sophistication levels of our mobile devices allow them to moonlight as spy tools capable of the absolute worst case scenario: turning on their owners.

It's a sobering reality that fascinates Kamkar. I met up with the security polymath—the same Samy Kamkar responsible for the virus that knocked out MySpace in 2005—at his Tony Spark-esque enclave in West Hollywood for a series of phone hack demos.

To begin, Kamkar recreated a man-in-the-middle mobile attack, whereby he created an unencrypted, wireless network that combines ARP and DNS spoofing intended to modify content on any phone that joins it.

The demonstration illustrated how eager our smartphones can be to automatically hop onto any previously accessed network. For example, by forging a commonly dubbed wifi name, such as "attwifi" or "Starbucks," Kamkar can dupe phones into thinking it's joining a secure network. He admits that this man-in-the-middle style attack is by no means cutting edge, but it still works because many phones are still susceptible.

Ever stop to think that phones can graduate from hacking target to hacking assailant? On the heels of Kamkar's headline-swapping trick, he showed us how phones and tablets can be instrumental in controlling drones that then hack each other in the sky. Our cameras were rolling for Kamkar's first ever, live demonstration of his zombie drone hack. He calls it Skyjack.

Here's how it worked: Kamkar spun up a "master" drone to detect any wireless signals from other exploitable drones (currently limited to the Parrot AR.Drone for now). Once a signal is identified, the master drone injects packets to the Parrot's unprotected network, enabling it to de-authenticate the target drone from its owner. In this case, Kamkar programmed the zombified drone to perform a flip once its controls were hijacked by the master drone.

Kamkar was inspired by Amazon's far-fetched but not implausible drone delivery service. Here, the phone or tablet-controlled Skyjack can exploit weaknesses in the open networks of some of today's drones. So think twice before ordering a pricey Leica M9 digital camera using Amazon's Prime Air drone service because a more spiteful hacker than Kamkar might just be able to reroute it to their doorstep. (To be fair, Amazon will likely have thought of this scenario by the time it brings drone delivery to market.)

Since the filming of Skyjack, Kamkar told us that he has developed a newer version of Skyjack that runs on 2.4GHz radio frequency, which can potentially control most drones on the market.

To further explore the gamut of phone hacks over wifi networks, our team went to London, England, to meet with Sensepost security researcher Glenn Wilkinson and his Snoopy drone. The software and hardware schematics of Snoopy allow it to fly over crowds of people, masquerading as a trusted wifi network designed to lure smartphones to connect with it, and subsequently monitor phone owners and sniff their data in real-time.

Essentially, Snoopy works the same as Kamkar's man-in-the-middle phone hack. But considering the aerial capacity of Wilkinson's fake wifi network, Snoopy widens the playing field by increasing hacking range for higher volumes of credential extractions. For example, in Wilkinson's 15-minute demonstration, he was able to collect web browsing history, login information, and geolocated coordinates of 290 unsuspecting devices in and around London's Hyde Park.

Moving away from the options of hacking over wifi, Mathew Solnik, security researcher at Accuvant Labs and famed car hacker, gave us an exciting glimpse into the world of intercepting phone data over a cellular network.

Using cellular base-station hardware and techniques that have been public knowledge since 2010, Solnik's mock phone hack illustrated the relative ease with which one can sniff someone else's network traffic. To clarify, a cellular interception is not a technique of directly hacking someone's phone.

Direct attacks over cellular networks are extremely difficult with limited public knowledge even within the security community. Since the filming of Solnik's hack, he's been preparing to reveal some groundbreaking new research at this year's Black Hat conference, which he claims shows flaws that could allow a malicious actor to remotely hack and control over 2 billion cellular devices worldwide.

The idea behind these hacks, Kamkar, Wilkinson, and Solnik claim, is to make the public more cognizant of what they're doing on their phones amid the minefield of chinks in mobile security systems. By demonstrating and open-sourcing these exploits, white hats hope to provoke the public to demand immediate changes from its phones' manufacturers.

Remember the Heartbleed bug? When holes were discovered in the security bug in April 2014, nearly 50 percent of the Internet changed almost overnight. If that exploit had not been released publicly, there would've been no public outcry, and tens of thousands of companies would have taken their sweet time to make the major restructuring changes to all its internal security.

Over the course of our "Phreaked Out" series, we've seen how devices such as urban control systems, moving vehicles, and smartphones are not impervious to hacks when connected to a network—cellular or wifi.

As new mobile threats continue to emerge, these law-abiding white hats continue to reveal security flaws to safeguard the public from more nefarious hackers. Ethical hackers like Kamkar, Wilkinson, and Solnik, share the same persistence and know-how as black hats, only they channel their skills into fortifying the digital armor of innocent smartphones around the world.