It always amazes me how quickly criminals are able to identify the weak spot in security systems and figure out ways around it.
Think about cars, for example. A quick search on the web reveals videos demonstrating how easily thieves can get through supposedly unbreakable protection such as steering wheel locks and wheel clamps while the more high tech gangs have already worked out how to bypass new keyless locking systems.
The same has been happening to our mobile phones since they turned ‘smart’. Not only are the physical devices often worth hundreds of Euros but they also give access to all kinds of potentially valuable applications, information and data. It’s no surprise therefore that smartphone thefts are high. More than three million handsets were stolen in the US in 2013, while police figures show that 300 mobile phones are stolen in London everyday (and almost half of these are iPhones).
Many of those stolen devices will end up being sold on the black market but what about the thief who wants to gain access to the applications and information on the device? It might surprise and shock you just how easy it is to do.
If you have a feature such as remote lock or wipe on your smartphone you might think you can just delete everything before the thief can get access to it, right? Well you’d be wrong. For that feature to work the phone needs to be able to connect to a cellular network or GPS. To stop the phone making that connection the thief can simply power off the device.
The next step involves forensic software, such as ElcomSoft, which is designed mainly for law enforcement, business, military and intelligence agencies to use – although its sale is not restricted. Using the software you are able to boot a smartphone in a tethered mode, connected by a cable to a laptop or PC. You can boot a virtual image and then do a brute force attack against the passcode or PIN.
I have demonstrated this in live hacking sessions before and it took me just three to five minutes to break a four-digit PIN code. At that point, with that PIN, the private key to encrypt the underlying infrastructure is in plain sight. For example the keypad file on an iPhone is encrypted with that PIN. With that central key file you are able to access other applications and username and password authentication to your mail server. The forensic software also enables you to take copies of any files onto your laptop or PC.
The phone and tech companies are taking steps to address this. Apple introduced a feature called Activation Lock in 2013 and that is now set up to work by default in iOS 8. That feature allows the user to password protect a phone from being booted up again – a kind of ‘kill switch’. Google and Microsoft have said they will do something similar with new phones. And law enforcement has reported noticeable falls in smartphone thefts in major cities around the world since this was introduced.
How else can you stop your smartphone being broken into so easily? Two-factor authentication is one answer – a strong password in combination with a fingerprint or iris biometric, for example. But we are still some way off that becoming usable enough to be mainstream.
Until then the simplest advice is to use a strong password. The four-digit PIN code has only 10,000 possible combinations and takes forensic software minutes to break. Make your code longer and make it alphanumeric – there are more than 56 billion possible six-character alphanumeric passwords. On my secure Blackphone, for example, I use a 10-digit password that uses a combination of lowercase and uppercase letters, numbers and special characters. Something of that strength would take hundreds of years to break using brute force methods.
But first we have to get even those simple things right. Among all those statistics about smartphone theft are some worrying ones – only 36 per cent of users set any kind of PIN code, only 11 per cent user a PIN or password longer than four digits and a third take no security measures at all. We all have a responsibility to make it harder for the criminals.