Episode: 2717
Title: HPR2717: Mobile Device Security
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2717/hpr2717.mp3
Transcribed: 2025-10-19 08:04:24
---
This is HPR episode 2,717 entitled Mobile Device Security.
It is hosted by Edward Miro and is about 10 minutes long and carries an explicit flag.
The summary is cell phone cyber security 101.
This episode of HPR is brought to you by AnHonestHost.com.
Get 15% discount on all shared hosting with the offer code HPR15.
That's HPR15.
For web hosting that's honest and fair, visit AnHonestHost.com.
Hello and welcome to Hacker Public Radio. I'm Edward Miro and for this episode I decided to address mobile device security.
As with most of the research and articles I've written in the past, these are geared towards standard users in a business setting and are meant to be a jumping off point for further research and to be a foundation for cyber security 101 level training classes.
If you like what I do and want to have me come speak to your team, feel free to email me.
As an information security researcher I have noticed a trend in what potential clients lately have been interested in, cell phones.
Almost everyone I have consulted for in the area of private investigation makes this area their main priority.
This makes sense as users have started to transition to using mobile devices more and more.
Not only do cell phones represent the main conduit to the internet for a huge chunk of people, but many use them for work also.
A lot of companies have smartly presented policies against this, but there are still many organizations that allow bring your own device style implementations.
In the following podcast I will try to define the threats, defense and considerations in very broad strokes.
Cell phones differ from a standard hacking target in a few ways.
For the most part many of the same factors are still valid, but remote code execution is, however, a little rarer, though not out of the question.
I'm going to attempt to present these different vectors in an ascending list of what is most likely to be used as an attack in my humble and possibly ignorant opinion.
So here we go.
Number one, passive surveillance.
This vector is one many in the hacking world will already be familiar with and it is a major concern for mobile devices as well.
Attackers can monitor an access point where the mobile device is connected and collect packets in all the usual ways.
Open Wi-Fi is a treasure trove and tons of data that's being sent in the clear can be collected, analyzed and leveraged by attackers.
Defense here is a bit more complicated for the general user, but shouldn't be too intrusive for most.
One, use a VPN on your mobile devices.
Two, switch to a DNS provider that provides secure DNS (DNSSEC).
Three, implement proper encryption on all access points.
And number two, spyware.
There are many commercial spyware applications readily available on both of the main app stores.
The challenge for attackers lies in either gaining physical access to the unlocked device to install the spyware or tricking the user into installing it themselves.
Most often the target's spouse or close contact does this.
Some of these apps can be disguised to look like innocuous applications as a feature, but with devices that are rooted or jailbroken, they can be completely hidden from the user.
I found a few surveys that state the average smartphone user has about 30 apps installed, and I don't think it's unreasonable to suspect the average person wouldn't notice a second calculator or calendar app.
I know for my personal device, there were several calendar apps that came standard.
These apps feature the full gamut of what you'd expect from a spyware app.
Defense against spyware, it's pretty simple.
Number one, don't allow unsupervised access to your device.
Number two, use a strong passcode or biometric lock.
Three, remove unused applications and be aware of new apps that may pop up.
Four, try not to root or jailbreak your device.
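As an added illustration of the "be aware of new apps that may pop up" advice above (this is example code written for this transcript, not anything from the episode or its host), the script below compares a trusted baseline inventory of installed apps against a later snapshot. The inventories are constructed sample data shaped like a hypothetical app-list export (package id, user-visible label, whether the app shows a launcher icon); it flags packages that are new since the baseline, new apps whose label duplicates an existing one (the "second calculator" case), and new apps with no launcher icon, which is how a hidden app stays out of the app drawer.

```python
"""Spot apps that appeared since a trusted baseline was taken.

Added example, not from the episode: the inventories are constructed
sample data shaped like a hypothetical installed-app export
(package id, user-visible label, whether it shows a launcher icon).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    package: str          # unique package identifier
    label: str            # name the user sees
    launcher_icon: bool   # False = no icon, so it never shows in the app drawer


# Constructed baseline taken when the device was known-good.
BASELINE = [
    App("com.example.calendar", "Calendar", True),
    App("com.example.calc", "Calculator", True),
    App("com.example.mail", "Mail", True),
]

# Constructed later snapshot of the same device.
CURRENT = [
    App("com.example.calendar", "Calendar", True),
    App("com.example.calc", "Calculator", True),
    App("com.example.mail", "Mail", True),
    App("org.sample.calc2", "Calculator", True),      # lookalike second calculator
    App("net.sample.svc", "System Service", False),   # no icon: hidden from the drawer
]


def review_inventory(baseline, current):
    """Return a list of (package, reason) findings the user should look at."""
    known = {a.package for a in baseline}
    # Labels already in use; a new app reusing one is a likely disguise.
    baseline_labels = {a.label.casefold() for a in baseline}
    findings = []
    for app in current:
        if app.package in known:
            continue
        reasons = ["new since baseline"]
        if app.label.casefold() in baseline_labels:
            reasons.append(f"duplicates existing app label '{app.label}'")
        if not app.launcher_icon:
            reasons.append("no launcher icon (not visible in the app drawer)")
        findings.append((app.package, "; ".join(reasons)))
    # Apps that vanished since the baseline are worth a glance too.
    current_pkgs = {a.package for a in current}
    for app in baseline:
        if app.package not in current_pkgs:
            findings.append((app.package, "removed since baseline"))
    return findings


if __name__ == "__main__":
    for package, reason in review_inventory(BASELINE, CURRENT):
        print(f"{package}: {reason}")
```

The baseline is the important part: it has to be captured while the device is known to be clean, and compared against by package identifier rather than by display name, since the label is exactly what a disguised app copies.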
And number three, social engineering.
The tried-and-true vector that has always worked and will continue to work is social engineering.
It doesn't matter what kind of device a target is using if you can get them to click a malicious link, open a malicious attachment or disclose their password to attackers.
With the user's password, you can conduct a vast amount of surveillance through their Google or Apple account.
Not to mention leverage their password into all the other accounts as most users still use the same password for everything.
We can also call back to the previous section on spyware by mentioning that many users are already familiar with enabling the installation of third party applications and can be tricked into installing a cleverly disguised spyware app.
Basic opsec recommendations are applicable here.
Number one, don't click any strange or unsolicited links or attachments on your devices.
Two, never disclose your password to anyone through a text message or voice call.
Three, don't install third party applications.
And I'll extend this to say not to install any shady or questionable apps, even ones hosted by the app stores.
There have been instances of vetted apps being malicious.
Number four, IMSI catchers or femtocells.
And I refer to these as DIY stingrays.
Stingrays are devices used by law enforcement to track and surveil cell phone traffic.
These devices emulate a cell tower, or boost cell tower signals when used legitimately.
Mobile phones are designed to prefer using stations that are the closest and strongest.
And any technically proficient attacker can DIY one of these devices for not a lot of money, like less than 20 to 30 dollars.
When an attacker deploys one of these devices, the target's phone usually has no idea that the device isn't an official cell tower.
And happily connects and passes traffic through it.
The rogue stations can then be configured to pass the traffic on to an authentic tower and the user will generally have no idea, though I have heard some cell phone manufacturers and developers are starting to notify users when they lose the encryption and are using a strange tower, but haven't been able to confirm this.
These rogue towers can not only collect identifying information about the mobile device that can be used to track or market to the target,
but they can also monitor voice calls, data and SMS as well as perform man-in-the-middle attacks.
And they can often disable the native encryption of the target's phone as well.
Defense against this vector is a bit more complicated.
One, as before, use the VPN.
Two, use Signal or other encrypted communication apps, although this may change with coming legislation.
Three, avoid disclosing sensitive information during voice calls.
Four, there is software that has been developed to detect and notify users when a rogue station has been detected, but this is not going to be super helpful for your standard users.
And there are also maps online of known cell towers and it is possible to use software to identify your connected tower and compare it to known good towers.
This is a little bit more complicated, but power users and hackers should be able to figure that out.
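To show what the "compare your connected tower to known good towers" idea above looks like in practice, here is an added example written for this transcript (not code from the episode or its host). The known-good tower list and the observed readings are constructed sample data; the field names (mcc, mnc, lac, cid, signal strength, cipher) are assumptions modelled on what cell-info apps commonly expose, and the thresholds are illustrative. It flags a camped-on cell that is not in the list, a downgraded or absent link cipher, an implausibly strong signal, and a location-area change, which together are the kind of indicators rogue-station detection software looks for.

```python
"""Check the cell a phone is camped on against a known-good tower list.

Added example, not from the episode: towers and readings are constructed
sample data, and nothing here talks to a real radio.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CellObservation:
    mcc: int          # mobile country code
    mnc: int          # mobile network code
    lac: int          # location area code
    cid: int          # cell id
    signal_dbm: int   # received signal strength in dBm
    cipher: str       # e.g. "A5/3"; "A5/0" means no encryption at all


# Constructed known-good towers for the user's usual area, keyed on (mcc, mnc, lac, cid).
KNOWN_GOOD = {
    (310, 260, 4100, 77001),
    (310, 260, 4100, 77002),
    (310, 260, 4101, 77103),
}

# Ciphers that are absent or considered broken for GSM traffic.
WEAK_CIPHERS = {"A5/0", "A5/1", "A5/2", "none"}

# Illustrative threshold: a macro tower rarely delivers a signal this strong to a handset.
STRONG_SIGNAL_DBM = -50


def check_cell(obs, previous=None, known_good=KNOWN_GOOD):
    """Return the reasons one observation looks suspicious; empty list means clean."""
    reasons = []
    key = (obs.mcc, obs.mnc, obs.lac, obs.cid)
    if key not in known_good:
        reasons.append(f"cell {key} is not in the known-good tower list")
    if obs.cipher in WEAK_CIPHERS:
        reasons.append(f"weak or absent link encryption ({obs.cipher})")
    if obs.signal_dbm > STRONG_SIGNAL_DBM:
        reasons.append(f"unusually strong signal ({obs.signal_dbm} dBm)")
    if previous is not None and obs.lac != previous.lac:
        reasons.append(f"location area changed from {previous.lac} to {obs.lac}")
    return reasons


def audit_observations(observations, known_good=KNOWN_GOOD):
    """Run check_cell over a sequence of readings; return (index, reasons) for flagged ones."""
    flagged = []
    previous = None
    for index, obs in enumerate(observations):
        reasons = check_cell(obs, previous, known_good)
        if reasons:
            flagged.append((index, reasons))
        previous = obs
    return flagged


# Constructed readings: two normal ones, then one that looks like a rogue station.
OBSERVATIONS = [
    CellObservation(310, 260, 4100, 77001, -85, "A5/3"),
    CellObservation(310, 260, 4100, 77002, -90, "A5/3"),   # ordinary handover
    CellObservation(310, 260, 4999, 90001, -45, "A5/0"),   # unknown cell, no cipher, very strong
]

if __name__ == "__main__":
    for index, reasons in audit_observations(OBSERVATIONS):
        print(f"reading {index}:")
        for reason in reasons:
            print(f"  - {reason}")
```

A single indicator is weak on its own (a legitimate handover changes the cell id, and driving changes the location area), so the checks are reported together rather than as a verdict; the known-good list should be built from the user's own area over time or from the public tower maps mentioned above.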
And lastly, exploits.
Speaking very generally, this attack vector is for the most part less of a concern, depending on your particular threat level.
But we all know that the chances of this happening in the wild is probably remote for most people.
Now the technical implications, pardon me, the technical implementations of exploits such as Rowhammer, Stagefright and BlueBorne are well outside the scope of this particular talk, but we would be incorrect to not mention them and what can be done to protect against them.
And we should also pay special attention to more and more exploits being developed to attack mobile devices as attackers have started putting a lot of attention in that area.
Even though many of these vulnerabilities are being patched and have been patched, we all know that many users are still using old versions of Android and iOS.
And many devices are simply outside the support period offered by the manufacturers and will never be updated past a certain point.
Couple that with the general idea that mobile devices, or any device running a non-Windows-based operating system, are safer because fewer exploits exist for them.
That is currently a very poor assumption.
This is changing more and more every day.
This will probably get worse as the cost of keeping up with new devices is now over a thousand dollars, and many users simply won't be able to get devices that are constantly patchable.
And what we can do, one, keep your mobile devices updated with the most current OS updates and carrier settings, also keep your applications updated.
I don't know how many times I've noticed friends or family with devices that are ready to be updated, but the notifications simply go ignored.
Two, if it's possible, replace devices when they are outside the support period.
Three, be paranoid if it applies to you.
Now, what this means is, when you use any computer or device, always remember that zero-day exploits can exist for years before being disclosed.
You could follow all the best opsec practices, and you could still be vulnerable to exploits that haven't been disclosed and/or patched.
This might not matter if you're just a general user, but if you work for the government or do intelligence work, act as if.
Well, thank you for taking the time to listen to my basic introduction to cell phone cyber defense.
I know most of the information I provided is only the tip of the iceberg, and if current trends hold up, this will only get worse in the future.
If you want to add to or correct any mistakes I may have made, like I stated in the introduction, feel free to email me and let's have a conversation.
I don't claim to know all there is to know and love feedback and any opportunities to learn more or collaborate with others in the field.
Thanks again, and have a great 2019.
You've been listening to Hacker Public Radio at HackerPublicRadio.org.
We are a community podcast network that releases shows every weekday, Monday through Friday.
Today's show, like all our shows, was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, then click on our Contributing link to find out how easy it really is.
Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club, and is part of the binary revolution at binrev.com.
If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself.
Unless otherwise stated, today's show is released under a Creative Commons Attribution-ShareAlike 3.0 license.