Be careful who you give your mobile phone number out to. An attacker with the right toolkits and skill could hijack your phone remotely just by sending SMS messages to it, according to mobile security firm Trust Digital.
In the Trust Digital demo on YouTube, an attacker sends an SMS message to the victim phone (on the left) which opens up a Web browser and downloads an executable file that directs it to send an SMS to the attacker's phone (on the right).
In what it calls a "Midnight Raid Attack" because it would be most effective when a victim is asleep, an attacker could send a text message to a phone that would automatically start up a Web browser and direct the phone to a malicious Web site, said Dan Dearing, vice president of marketing at Trust Digital. The Web site could then download an executable file on the mobile phone that steals data off the phone, he said.
In another type of attack, an attacker could hijack a phone by sending a type of SMS message called a control message over the GSM network to a victim's phone that is using a Wi-Fi network and then use special toolkits to sniff the Wifi traffic looking for the victim's e-mail log-in information.
While the attacks at this point are proof-of-concepts, they could be done if someone has the requisite knowledge and toolkits, said Dearing. Trust Digital recently announced software called EMM 8.0 that can help organizations protect employee phones from these types of attacks, he said.
"This is a completely real threat," said Philippe Winthrop, a director in the global wireless practice at Strategy Analytics. "We will see these attacks. It's a matter of time."
