Experts at the University of Birmingham have innovated a new strategy to protect users from phone hacking attacks.
In a world dominated by mobile technology, computer science researchers have made significant strides in identifying and addressing security vulnerabilities that make individuals susceptible to account takeover attacks.
As mobile devices become increasingly interconnected, the risks of exploitation by hackers have grown substantially, leading to dire consequences for users.
Dr Luca Arnaboldi, in collaboration with Professor David Aspinall of the University of Edinburgh, Dr Christina Kolb, University of Twente, and Dr Sasa Radomirovic, University of Surrey, has developed a pioneering method to catalogue security vulnerabilities and model account takeover attacks.
This breakthrough involves breaking down complex attacks into their fundamental building blocks, providing a more granular understanding of phone hacking strategies.
Identifying security vulnerabilities
Traditional approaches to studying security vulnerabilities have relied on ‘account access graphs,’ illustrating stages of access involving the phone, SIM card, apps, and security features.
However, these graphs fall short in modelling account takeovers, where an attacker disconnects a device or app from the account ecosystem, creating new opportunities for exploitation.
Innovative modelling to combat phone hacking
The research team’s novel method, grounded in the formal logic used by mathematicians and philosophers, captures the decision points faced by a hacker with access to a mobile phone and PIN.
This approach offers a comprehensive view of how account access changes as devices, SIM cards, or apps are disconnected from the account ecosystem, providing more accurate insights into potential vulnerabilities.
Industry implications
The researchers anticipate widespread adoption of their approach by device manufacturers and app developers. This method promises to help catalogue vulnerabilities and deepen the understanding of intricate phone hacking attacks, empowering the industry to proactively enhance security measures.
In addition to theoretical advancements, the researchers tested their approach against claims made in a Wall Street Journal report. The report suggested that an attack strategy used on an iPhone could be replicated on an Android.
However, the researchers found that Android’s installation process, requiring a Google account, added an extra layer of protection against attacks. This work also led to a security fix implemented by Apple for iPhones.
Manufacturer-specific vulnerabilities
Extending their analysis to various devices, including Motorola G10 Android 11, Lenovo YT-X705F Android 10, Xiaomi Redmi Note Pro 10 Android 11, and Samsung Galaxy Tab S6 Lite Android, the researchers discovered vulnerabilities in devices with their own manufacturer accounts, such as Samsung and Xiaomi.
While Google accounts remained secure, bespoke manufacturer accounts were found to be compromised.
The researchers also applied their method to test the security of their own mobile devices. One researcher discovered that sharing access to a shared iCloud account with his wife compromised his security.
Despite robust security measures on his end, his wife’s chain of connections posed a potential risk, highlighting the need for users to be vigilant even in seemingly secure setups.
This work highlights the urgent need to secure mobile devices and protect users from evolving cyber threats, marking a crucial step forward in the ongoing battle against phone hacking.
