Slashdot Mirror


Israeli Firm Creates a Device That Can Hack Any Nearby Phone (softpedia.com)

An anonymous reader writes: Israeli startup Rayzone created a device that can hack any smartphone that has its WiFi connection open. The device can steal passwords, files, contact lists, photos, and various others. Called InterApp, the device is dumb-proof (comes with a shiny admin panel), works on hundreds of devices at the same time, and leaves no forensics traces behind after the hack. The company says it will only sell it to law enforcement agencies.


  1. Colour me suspicious by sandbagger · · Score: 3, Insightful

    Given the way panicked elected officials think, and the fact that the kinds of people attracted to life in uniform are of exactly the opposite mindset needed to go into computer science, I'm guessing this is an overblown and over-promoted 'grabs text transmitted in the clear' thing that's not designed to do much other than pick the pockets of taxpayers.

    --
    ---- The above post was generated by the Turing Institute. Maybe.
    1. Re:Colour me suspicious by Anonymous Coward · · Score: 3, Interesting

      It's more like load Nessus onto a portable device, create an open wifi network, and then scan and exploit any phone dumb enough to connect. So, tell your phone not to connect to unknown networks, or networks without a shared secret.

    2. Re: Colour me suspicious by Proudrooster · · Score: 3, Informative

      Read the ad carefully and look at the screen shot. It works on older versions of iOS and Android. It exploits the cloud push notification system.

    3. Re: Colour me suspicious by harlequinn · · Score: 3, Informative

      It only works on phones that meet the specified criteria:

      "smartphones that have their WiFi connection open, and then, employing a diverse arsenal of security vulnerabilities, gain root permission on devices"

      I.e. they must have an open wifi connection and they must have an unpatched security vulnerability.

      This automatically excludes millions of older phones of various brands that don't have wifi, any phone with wifi disabled, and any phone with encrypted wifi.

      And if the phone is fully patched for known exploits, they need a zero day attack.

  2. I highly doubt it. by Anonymous Coward · · Score: 5, Insightful

    The chances that it can get into ANY phone from the Wi-Fi connection are virtually nil. Anyone with an ounce of tech knowledge should be highly suspect of everything they're claiming the device does.

    1. Re:I highly doubt it. by currently_awake · · Score: 3, Insightful

      There are only a handful of companies making phone chip sets. It would be easy for the NSA to pay off enough people to install backdoor hardware in the designs, to allow remote access. Such access would bypass the phone software completely, and be very hard to detect. The payoff to cost ratio (ROI) is so high we should assume it's already happened.

    2. Re:I highly doubt it. by jon3k · · Score: 3, Insightful

      If the NSA wanted something from you then they'd just put a bag over your head and hit you with a pipe wrench until you told them what they want. The only difference is you live a life of inconvenience under the guise of security.

    3. Re:I highly doubt it. by swillden · · Score: 5, Interesting

      There are only a handful of companies making phone chip sets. It would be easy for the NSA to pay off enough people to install backdoor hardware in the designs, to allow remote access. Such access would bypass the phone software completely, and be very hard to detect.

      Thinking about this in the context of Android (since that's what I know -- though I don't know as much as I should about the radio subsystems), it is conceivable that there are back doors in the radio (Wifi and cellular; they're different, and separate) chipset firmware. The radio chipsets don't have any access to device storage, though, so without some additional steps this could only be used to get data flowing through the relevant radio. Exfiltrating the data obtained would presumably have to be done via the same radio. In the case of Wifi this would be pretty easy to detect by anyone monitoring Wifi transmissions, or examining the data flowing through the Wifi router. If the data were encrypted it might not be possible to tell what the unexplained data was, but its presence and destination could easily be observed.

      If the drivers that talk to the radio firmware modules are also backdoored, then the drivers could be used to take control of the Linux kernel, and thereby take control of the entire Android system. Stuff protected by the Trusted Execution Environment (TEE) wouldn't be affected, but TEE software also comes from a small set of vendors, and most comes in binary form only. The exception is Google's "Trusty" OS, which is open source, but is used (thus far) only on the Nexus 9 [1]. So if the NSA could get backdoors into the radio firmware, it could probably get them into the TEEs as well. Except on Nexus 9.

      However, assuming such firmware backdoors exist, it seems like they would be closely guarded secrets of the agencies that arranged for them to be installed, not something they'd share with some Israeli company, and absolutely not something they'd want embedded in a commercial product where it could be discovered easily, just by watching what it transmits.

      For that matter, I'm skeptical that such back doors exist. Many people have reverse engineered the common baseband and Wifi chipset firmware modules, and no such backdoors have been found, which means that if they're there, they're pretty well-concealed. If anything, I'd bet that rather than full-blown back doors, there are merely subtle security vulnerabilities which can be exploited and then chained with other exploits to pwn the device. Again, though, I'm skeptical that this one Israeli company has such powerful knowledge and extremely skeptical that they'd put it in a commercial product where knowledge of it could be easily discovered.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  3. Sunday Sarcasm. by geekmux · · Score: 4, Funny

    The company says it will only sell it to law enforcement agency.

    Oh, thank goodness, what a relief.

    For a minute there I was worried that this would fall into the hands of people who might abuse this technology, or even break the law.

    Because of course, that would never happen.

    Oh gee, what a coincidence, this company sells an IMSI catcher too...

  4. Short: No, but only "outdated" mobile devices by burni2 · · Score: 3, Insightful

    Hey slashdot.editors,

    this is Slashdot, a news site for nerds that mostly have a basic understanding of the "cracking" processes.

    And btw. the softpedia page is full of marketing speech shit.

    Q: How can I "enter" a smartphone without physical contact?

    A: There must be a security hole.
    (the term outdated hints that there are -known- sec holes in older devices)

    Q: How can I "enter" a smartphone without physical contact? another way

    A: The user connects to an access point with/out any or weak encryption and the eMail app does not know of any current encryption

    Q: How can I "enter" a smartphone without physical contact? another nother way

    A: The user connects to an access point I control and I tell their eMail app that I'm from turk-trust and naserbajew-trust and that I'm Vladimir Putin the most trustworthy entity only followed by the NSA.

    (Man in the middle attack)

  5. The definition of "hack"... by carlhaagen · · Score: 3, Insightful

    ...seems to have its bar lowered every year by mainstream journalism and wannabe computer "aficionados".

  6. Yes, marketing claims do say that. by gavron · · Score: 3, Interesting

    There are many smartphones with WiFi that cannot be "rooted" let alone remotely.

    Then there are many of us who run permission-checking programs that alert us if something is touching something it shouldn't.

    Finally the claims are too broad to be taken seriously. It's a simple application of Occam's Razor
    along with a little bit of "If it sounds too good to be true... it probably is."

    I suspect their device allows them local WiFi access to a subset of smartphones (as they say "older")
    that have known vulnerabilities in the OS (e.g. previous Android or iOS). There's no known remote root
    for BlackBerry (remember them?) or current Android (CM12.x).

    Marketing people do what they do and LOOK THEY'VE SUCCEEDED because their original ad has
    now transformed into a discussion on /. :)

    Best holiday wishes,

    Ehud Gavron
    Tucson AZ