Slashdot Mirror


Israeli Firm Creates a Device That Can Hack Any Nearby Phone (softpedia.com)

An anonymous reader writes: Israeli startup Rayzone created a device that can hack any smartphone that has its WiFi connection open. The device can steal passwords, files, contact lists, photos, and various others. Called InterApp, the device is dumb-proof (comes with a shiny admin panel), works on hundreds of devices at the same time, and leaves no forensic traces behind after the hack. The company says it will only sell it to law enforcement agencies.

23 of 143 comments

  1. Colour me suspicious by sandbagger · · Score: 3, Insightful

    Given the way panicked elected officials think, and the fact that kids of people attracted to life in uniform are of exactly the opposite mindset needed to go into computer science, I'm guessing this is an overblown and over promoted 'grabs text transmitted in the clear' thing that's not designed to do much other than pick the pockets of taxpayers.

    --
    ---- The above post was generated by the Turing Institute. Maybe.
    1. Re:Colour me suspicious by Anonymous Coward · · Score: 3, Interesting

      It's more like load Nessus onto a portable device, create an open wifi network, and then scan and exploit any phone dumb enough to connect. So, tell your phone not to connect to unknown networks, or networks without a shared secret.

    2. Re: Colour me suspicious by guruevi · · Score: 2

      There's a reason it doesn't work that way. Wifi does support AP hopping (it will pick different APs depending on signal strength) as long as they have the same SSID and are on the same network. That's why your connection continues working even though it switches from 802.11n to 802.11g (which is technically a different AP) as you go out of range of the former.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re: Colour me suspicious by Proudrooster · · Score: 3, Informative

      Read the ad carefully and look at the screen shot. It works on older versions of iOS and Androids. It exploits the cloud push notification system.

    4. Re: Colour me suspicious by harlequinn · · Score: 3, Informative

      It only works on phones that meet the specified criteria:

      "smartphones that have their WiFi connection open, and then, employing a diverse arsenal of security vulnerabilities, gain root permission on devices"

      I.e. they must have an open wifi connection and they must have an unpatched security vulnerability.

      This automatically excludes millions of older phones of various brands that don't have wifi, any phone with wifi disabled, and any phone with encrypted wifi.

      And if the phone is fully patched for known exploits, they need a zero day attack.

    5. Re: Colour me suspicious by dbIII · · Score: 2

      So my N900 is safe since it has a real Linux and is built with security in mind (and is too big, heavy and ugly for physical theft to be considered).

    6. Re: Colour me suspicious by dbIII · · Score: 2

      If there was something new with the same features it would be a case of living in the past. Sadly not - there are a whole lot of phones that have to be "jailbroken" instead of ones like the N900 where you get full control out of the box - and that's without even considering the keyboard etc.

    7. Re: Colour me suspicious by The-Ixian · · Score: 2

      I am sure it comes down to priorities.

      I completely get it. I *could* spend $500 on an iPhone or I could spend $50 on a Windows phone that is just as fast.

      I will never do the "contract" thing again, it is just a waste of money. $40 / month pre-paid with unlimited data and text seems a lot more reasonable than $80 / month for basically the same thing under contract. Where does the extra $40 / month go? Paying off the iPhone... which you will have paid almost $1000 for by the end of the 2 year contract.

      --
      My eyes reflect the stars and a smile lights up my face.
  2. I highly doubt it. by Anonymous Coward · · Score: 5, Insightful

    The chances that it can get into ANY phone from the Wi-FI connection is virtually nil. Anyone with an ounce of tech knowledge should be highly suspect of everything they're claiming the device does.

    1. Re:I highly doubt it. by Noah+Haders · · Score: 2

      I'm trying to figure out how this works and what the threat level is. does it just lurk in the background and record any traffic going back and forth? or does it infiltrate the phone and extract things? The latter is obviously much more scary.

      here's a list of what the device purports to capture (FTFA):

      InterApp system extracts the following information from the target's smartphone:
      User email address, password and content
      Twitter, Facebook and other social media passwords and information
      Dropbox passwords & content
      Previous locations on map
      MSISDN and IMEI identities
      MAC address, device model, operating system
      Contact list of the target
      Photos
      Target's personal info: gender, age, address, education, etc.

    2. Re:I highly doubt it. by mikael · · Score: 2

      If you disabled the TCP/IP stack, it would be rather hard to connect to through the network. But what about that remote shutdown feature that Sandy Bridge processors have?

      http://www.techspot.com/news/4...

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:I highly doubt it. by currently_awake · · Score: 3, Insightful

      There are only a handful of companies making phone chip sets. It would be easy for the NSA to pay off enough people to install backdoor hardware in the designs, to allow remote access. Such access would bypass the phone software completely, and be very hard to detect. The payoff to cost ratio (ROI) is so high we should assume it's already happened.

    4. Re:I highly doubt it. by jon3k · · Score: 3, Insightful

      If the NSA wanted something from you then they'd just put a bag over your head and hit you with a pipe wrench until you told them what they want. The only difference is you live a life of inconvenience under the guise of security.

    5. Re: I highly doubt it. by Anonymous Coward · · Score: 2, Funny

      No, that's the CIA's methodology. The NSA is full of introverts who don't like pipe wrenches because they're heavy.

    6. Re:I highly doubt it. by Anonymous Coward · · Score: 2, Informative

      Any govt agency could beat you with a wrench to get what they want. This is TARGETED at a specific person and requires time, money, and resources. If the government wants you, the TARGETED person, there is very little you can do about it. They have had this capability before the USA existed.

      In the past several decades governments have done BULK surveillance, collecting massive amounts of data on everyone and spent very little money doing so. Bulk surveillance reduces the people's confidence in the government and is very bad for our country. It is unacceptable and, in my opinion, treason.

      Thankfully there are many things anyone can do to reduce bulk capturing of their electronic footprint, mainly by leaving less of a footprint. Power off your cellphone and remove the battery when not in use. Use cash for everyday purchases. Stop using electronic billing and go back to paper bills. Your "papers" are specifically protected in the USA constitution, your e-mail is not. E-mails older than 6-months don't even require a warrant. The government could request my account information and e-mail from a provider, but then they would be TARGETING me, and I'm not too worried about TARGETED surveillance. That said, there is nothing wrong with making TARGETED surveillance tougher, but that is not my goal. Giving up my cellphone was the toughest, after a while it gets easier. If you *must* be contactable at times get a nice one-way pager, keep a cellphone in the car with the battery removed. There is no one-size-fits-all for personal privacy, each person needs to figure out how much inconvenience you are willing to put up with. I'm willing to accept a lot of inconvenience.

    7. Re:I highly doubt it. by swillden · · Score: 5, Interesting

      There are only a handful of companies making phone chip sets. It would be easy for the NSA to pay off enough people to install backdoor hardware in the designs, to allow remote access. Such access would bypass the phone software completely, and be very hard to detect.

      Thinking about this in the context of Android (since that's what I know -- though I don't know as much as I should about the radio subsystems), it is conceivable that there are back doors in the radio (Wifi and cellular; they're different, and separate) chipset firmware. The radio chipsets don't have any access to device storage, though, so without some additional steps this could only be used to get data flowing through the relevant radio. Exfiltrating the data obtained would presumably have to be done via the same radio. In the case of Wifi this would be pretty easy to detect by anyone monitoring Wifi transmissions, or examining the data flowing through the Wifi router. If the data were encrypted it might not be possible to tell what the unexplained data was, but its presence and destination could easily be observed.

      If the drivers that talk to the radio firmware modules are also backdoored, then the drivers could be used to take control of the Linux kernel, and thereby take control of the entire Android system. Stuff protected by the Trusted Execution Environment (TEE) wouldn't be affected, but TEE software also comes from a small set of vendors, and most comes in binary form only. The exception is Google's "Trusty" OS, which is open source, but is used (thus far) only on the Nexus 9 [1]. So if the NSA could get backdoors into the radio firmware, it could probably get them into the TEEs as well. Except on Nexus 9.

      However, assuming such firmware backdoors exist, it seems like they would be closely guarded secrets of the agencies that arranged for them to be installed, not something they'd share with some Israeli company, and absolutely not something they'd want embedded in a commercial product where it could be discovered easily, just by watching what it transmits.

      For that matter, I'm skeptical that such back doors exist. Many people have reverse engineered the common baseband and Wifi chipset firmware modules, and no such backdoors have been found, which means that if they're there, they're pretty well-concealed. If anything, I'd bet that rather than full-blown back doors, there are merely subtle security vulnerabilities which can be exploited and then chained with other exploits to pwn the device. Again, though, I'm skeptical that this one Israeli company has such powerful knowledge and extremely skeptical that they'd put it in a commercial product where knowledge of it could be easily discovered.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. Sunday Sarcasm. by geekmux · · Score: 4, Funny

    The company says it will only sell it to law enforcement agency.

    Oh, thank goodness, what a relief.

    For a minute there I was worried that this would fall into the hands of people who might abuse this technology, or even break the law.

    Because of course, that would never happen.

    Oh gee, what a coincidence, this company sells an IMSI catcher too...

  4. Short: No, but only "outdated" mobile devices by burni2 · · Score: 3, Insightful

    Hey slashdot.editors,

    this is slashdot a news-site for nerds that mostly have a basic understanding of the "cracking" processes

    And btw. the softpedia page is full of marketing speech shit.

    Q: How can I "enter" a smartphone without physical contact?

    A: There must be a security hole.
    (the term outdated hints that there are -known- sec holes in older devices)

    Q: How can I "enter" a smartphone without physical contact? another way

    A: The user connects to an access point with/out any or weak encryption and the eMail app does not know of any current encryption

    Q: How can I "enter" a smartphone without physical contact? another nother way

    A: The user connects to an access point I control and I tell their eMail app that I'm from turk-trust and naserbajew-trust and that I'm Vladimir Putin the most trustworthy entity only followed by the NSA.

    (Man in the middle attack)

  5. The definition of "hack"... by carlhaagen · · Score: 3, Insightful

    ...seems to have its bar lowered every year by mainstream journalism and wannabe computer "aficionados".

  6. Re: Coming soon to U.S. technology firms by Anonymous Coward · · Score: 2, Interesting

    Israel and the US are in bed with each other. It's the Palestinians that need to be worried.

  7. Partial Immunity by amberdalan · · Score: 2

    I manually manage my phone's data, both LTE and wifi. I turn it on only when needed, and turn it off when I am done. I only connect my wifi to APs I know and trust. (all 2 of them) I do this mainly to extend battery life, but in part because I barely trust the few apps I have. It seems to me that my everyday usage provides a moderate amount of immunity to this particular "attack". I have no illusions about the security of my phone. I will never mobile bank on it. I do not check my primary email account on it. I backup my data (pictures) to my computer, not Dropbox or any other cloud storage. I assume that anything I upload to the cloud can and will be made public. I don't trust my carrier, my email providers, my ISP, or any cloud with anything more than what is absolutely needed to maintain the service. We've seen the breaches, the hacks, the outing of private information from individuals, major companies, and even governments. I'm in a position where I do not have to trust, so why open attack vectors if I don't have to?

  8. I would feel safer by Anonymous Coward · · Score: 2, Insightful

    if they only sell it to the crooks

  9. Yes, marketing claims do say that. by gavron · · Score: 3, Interesting

    There are many smartphones with WiFi that cannot be "rooted" let alone remotely.

    Then there are many of us who run permission-checking programs that alert us if something is touching something it shouldn't.

    Finally the claims are too broad to be taken seriously. It's a simple application of Occam's Razor
    along with a little bit of "If it sounds too good to be true... it probably is."

    I suspect their device allows them local WiFi access to a subset of smartphones (as they say "older")
    that have known vulnerabilities in the OS (e.g. previous Android or iOS). There's no known remote root
    for BlackBerry (remember them?) or current Android (CM12.x).

    Marketing people do what they do and LOOK THEY'VE SUCCEEDED because their original ad has
    now transformed into a discussion on /. :)

    Best holiday wishes,

    Ehud Gavron
    Tucson AZ