How to Hack a Cell Phone | Demo for Understanding Mobile Security


– [Female Announcer] Please welcome Jeremy Kaye. (audience applauds)

– How are we all doing? Doing good? How could they put me after that guy? That’s not fair. Who remembers this? Who had this? A few hands. Remember carrying it around? Watch this video. It will remind you.

– [Narrator] Finding a phone in a car isn’t that unusual anymore, except when it leaves the car. For greener pastures, the high seas, or a leisurely lunch. RadioShack keeps you in constant communication with their affordable, transportable, cellular telephone. (phone rings)

– Hello? Oh, yes, he’s right here. It’s for you.

– Yes, I heard about the merger. Buy 100 shares.

– Who has one of these? Put your hand up. Come on, that’s not enough hands. Who has a smartphone? Alright, who has more than one smartphone in their pocket right now? A lot of people. We’re at a security conference.

So, December 2014, there was a turning point. That was the moment where in society there were more mobile phone subscriptions than there were people in the world. Pretty impressive. A survey of college students on American campuses last year, July 2017, found that students between the ages of 18 and 34 had seven internet-connected devices. That’s the world that we’re living in.

Now, what’s interesting is that, as the number of devices grows, the potential for malware increases rapidly. Gartner make a very, very bold prediction in their report, the Mobile Threat Defense report from last year. They come along and say by 2019, mobile malware will amount for one-third of all malware. That’s a game changer. That’s something that we are not paying attention to right now. We need to think about that and that’s what we are going to do today.

Now, we’re not the only ones that like cell phones. The other people that like cell phones are the bad guys and what we are going to explore is a very simple equation. That equation is about understanding the motivation, the hacker’s motivation, of why mobile devices are so attractive for them. We’re going to take a couple of parameters. Number one is the number of devices that a hacker can infect in a single company. That’s our first parameter. The second parameter is the amount of time I can have that malware out there on these devices before it gets detected. That’s our second thing. The combination of those is very simple. It’s money. It’s the big bitcoin. It’s what all the hackers are looking for. That’s the motivation.

So, let’s explore each one of those in one go. We’re familiar with WannaCry. We’ve all spoken about it. Gil mentioned it in the beginning. So, WannaCry, for all its devastation, and WannaCry was huge, it infected 300,000 end points. Only 300,000. Take a look at mobile malware campaigns like Judy, like Gooligan, like HummingBad. The number of infected devices were in the millions. Now CopyCat, which is another mobile malware campaign, which, by the way, we’ll take the opportunity to do a shout out to CheckPoint Threat Research Team because they discovered CopyCat back last year in 2017 so a big shout out to those guys. (audience applauds)

So CopyCat infected over 14 million devices. Now, CopyCat, itself, we think, well, if you’re familiar with CopyCat, it’s about adware. Mobile adware. They just wanted to generate revenue from injecting the adware into these devices and then they were collecting money from them. That’s fine. But, as a result of that malware campaign, they managed to root 8 million Android devices around the world. So, from a hacker’s perspective, that’s not what they were after. They were after the money, but actually the net result for us as businesses that are bringing mobile devices into our businesses and giving them access to our data, we now have another 8 million rooted devices that we need to deal with. If you compare the number, that’s 45 times more endpoints being impacted by CopyCat than WannaCry. Yet, WannaCry makes the news.

Let’s take a look at that second parameter, duration. So Judy and HummingBird, by the time that they were discovered, it had been twelve months. That’s the amount of time that Judy and HummingBird were on our devices until it was actually picked up. By contrast, WannaCry and Petya, they weren’t only discovered, but they were discovered and stopped in a matter of days. So duration is a huge motivational factor for hackers and why mobile is so attractive for them. A key to spread malware that can be on devices for a year or it could spread malware and be on devices for a day. I know what I’d go after.

Now, of course, the combination if we make that comparison, the combination is very easy. Like we said, the net result is about money. So WannaCry netted 130 thousand dollars of Bitcoin. That doesn’t mean it wasn’t a huge disruption to the industry because it was, but in terms of financial value to the hackers, and of course we can track that because all these digital wallets now can be monitored, and we know that’s the amount of money that they got in terms of Bitcoin. We take a look at CopyCat. That netted one and a half million dollars. Eleven times the amount of money.

Now, of course there’s nothing new with this. Alright, this is the hacker’s formula because what the hackers just do all the time is that they identify the areas of least resistance and high profitability. Today, that’s mobile devices. And that’s how they’re going to attack our businesses. The hacker’s motivation is perhaps the easier part to explain. What is harder to try and understand is the lack of industry response.

That’s why I want to do a little exercise with you guys. Anyone like basketball? Any guys that are ball players? Yes? Alright. We’re going to do a very, very simple exercise. I’m going to have a video. I’m not worried about the sound, although it would be nice if the sound worked. What I want you to do, there’s two teams playing basketball. There’s a team dressed in white and there’s a team dressed in black. I want you to watch the team dressed in white and count how many times they pass the ball between each other. Alright? Sounds simple? Alright. Let’s see if we can get this working.

– [Narrator] This is an awareness test.

– It was a simple exercise. Who found eight? Who found more than eight? Ten? Who found ten? Who found eleven? Twelve? Thirteen? Anyone more than thirteen? Alright, so you’ve done really well. The actual answer is thirteen, so well done to those that counted thirteen. But, that’s actually not the question. What the question is, is how many of you saw the dancing bear in the middle of the basketball players? I’ve got about three percent. You don’t believe me there was a dancing bear in the middle? Alright, let’s rewind that. Let’s take a look. (video rewind noise)

– He’s doing a bit of a Michael Jackson moonwalk. Coming up the stage. So, something so obvious, if we don’t pay attention ends up not being noticed until it’s too late. You guys are not going to forget that dancing bear.

Lazarus. Lazarus Group, an amazing group of hackers, allegedly from North Korea, these guys were obsessed with Bitcoin. These guys are behind the attacks on, again, allegedly, behind the attacks on the big Sony hack, the SWIFT network, WannaCry. These are the guys behind that. What they wanted, they wanted to go after YouBit. Anyone familiar with YouBit? YouBit is like the federal reserve for cryptocurrency. So YouBit is South Korea’s cryptocurrency exchange. When you kind of want to get rich from hacking, you can go after one bitcoin here or there. That’s one approach. Or you can go after the whole exchange. That’s what these guys did.

Now, YouBit had over a billion dollars of cryptocurrency locked within its cyber vaults. And, of course, they’re not just obsessed with money, YouBit’s obsessed with security. There’s multiple layers of defense. What they needed to do was to try and identify what was the weakest part and the way that they could get into that. And, of course, it was a mobile phone. And the way that they did that was that they sent fake messages to IT staff asking people to download an application which was malicious in its very nature. By the time that they managed to do that, and actually get this malware on the devices, they’d managed to bypass the two-factor authentication that the IT staff were using and it gave them full access to the IT servers. Now the net result of that was catastrophe. YouBit lost 100 million dollars of cybercurrency, they went bankrupt. It’s a horrible story. And it’s because of these.

Now, we could say, well, that was allegedly North Korean cyber criminals and what about the average day to day company? What about you and me? So CheckPoint did a really interesting study last year. We took a look at 850 of our customers that had SandBlast mobile, which is our mobile threat defense solution installed in their environments. We took a look at 850 customers that had over 500 devices with our software deployed. What we found was startling. The first thing we found was that every single company without fail had some mobile malware installed in their environment. That’s not like we found three percent of companies where it could be some edge case. It was more like every single company had some devices infected with mobile malware. On average, 54 malware events per company.

To highlight this, I’m going to do a quick demo with you guys. Okay? Now, we’re all in Vegas. A lot of us flew in. Imagine you get in to an airport and you want to get on WiFi. We want to download emails. We just got off the plane. We want to speak to our spouses. Whatever it is we want to do. And, as we arrive at the airport, we get a message from the airport, as we often do, saying, “Hey! We’re going to give you free WiFi.” Awesome. We take a look, we click on it, we install a profile. Classic human psychology, give me something to click on and I’ll say yes to that. What that profile allows the hackers to do is to conduct a full man-in-the-middle attack on my phone.

Now this actually leverages a known vulnerability in iOS. I know we all often talk about that Android is super unsecure and iOS is super secure. This is a known vulnerability on iOS. It uses a vulnerability known as SideStepper. This actually existed for a few years. So, with that, once my device is infected, the hackers are now able to actually install a malicious application on my phone. I’m actually going to open my phone. I’m going to open that up. So we can see it’s now loading up on the device. There we go, “Mobile Conference” application. This is what we’re talking about.

Now, what I don’t know, and of course I do know, but what I don’t realize is that behind the scenes I’ve got my great friend Tom at Green Belt and he’s going to be our hacker for the day. What he’s going to do is that he’s going to activate an attack on my phone. Alright? So that’s what he’s going to do. You can see that this is Tommy’s command and control center. We’re actually looking at his computer right now. He’s attacking my phone. What we’re now seeing is that we are seeing him go into his email and what the malware is actually doing is collecting information from my device. So, he’s received email number one. What we can see here, Thank you, Tommy, he’s actually managed to extract all the contacts from my phone. Number one, he can tell by now where I am. He’s got my GPS location. He can click on that and let’s see where we are. That’s right. We are at the Venetian Hotel. We’re in Vegas. He can see stuff like my operating system or my device information and he can also see my calendar. Now, imagine this. Imagine how the hackers, how they’ve got access to my phone, they know where I am.
They know what I’m doing. They know what meetings I’ve got. It would now be very easy for them to say, “Hey, that’s an interesting meeting. I want to listen in on what’s going on.” And hackers can do this. It’s pretty easy. Tom has now received another email. (audio clip of previous segment of speech plays) (audience applauds) That’s some scary stuff. Thank you, Tom.

The great news is we can help you. Okay, SandBlast Mobile, the solution we spoke about is the leading threat defense solution to protect against advanced mobile cyberattacks. Now, let’s just guess a little. We’ve spoken about why it’s important. I hope by now you will get it and even if I wasn’t on this stage, I hope you would have got that already. What I want to talk about is why it should be a priority for you guys in 2018. Alright? So let’s talk about that. Making mobile device security a priority.

Number one. If we’re going to provide access to our employees to data, we need to secure it. It’s not new. That’s just in the same way we provide access to our employees to lots of things. We need to secure it. That’s what Brittany was talking about before from AMC. We need to know what’s going on. So, if we are taking a corporate decision, which many of us are doing, where we want to mobilize our workforce because we want to increase productivity and efficiency of our employees, we need to do it in a secure way. Okay? Now, this should be standard for us. It should be part of our security policy. It should be part of our security audit. Wherever we are putting our data, we need to protect it. So, that’s number one.

Number two: We’re all using these things 24/7. We’re accessing our SaaS applications, books, Gmail, personal accounts, Salesforce, we’re accessing lots of stuff. If my phone can be hijacked, and it’s pretty easy to do that, then all of my account credentials can also be stolen, too. Once they’ve got that, my access to corporate data it’s now not just about my device. It’s also about data that I’ve got in the cloud. We’re making and exposing that data.

Third, if that wasn’t enough, this is just something we have to do. I’m tired of seeing security laws demand that we do this. Whether it’s GDPR or whether it’s HIPAA for healthcare, or whether it’s ISO or NIST Federal requirements, a device is a device. Our data, we need to protect whatever it is. It’s not enough to say that we didn’t know. All of the privacy and security laws extend to mobile devices.

Fourthly, employee protection. Many of us are living in a BYOD world. BYOD, Bring your own device. We actually encourage our employees to bring in their own phones. Once we do that, when we say, “Hey, we’re going to save money on buying the phone. You guys bring in the phone and we’re going to give you access to corporate data.” But, now, because of the fact that they’re an employee of the company, their phones are now at an increased risk because people want to get access into that information. Now their personal data is also at risk. So, if we are going to be in a BYOD world, and we’re going to ask people to bring in their own phones, we have an obligation to protect our employees’ cell phones and protect their private data.

So, let’s summarize. And, with that, I’ll hand it over to the next speaker. Number one: Hacker motivation hasn’t changed. They’re always going to look for the areas of least resistance and high profitability. That hasn’t changed. We all want to mobilize our workforce, but in doing so we are exposing our data. At the moment we expose our data, we have a duty of care to protect that data. We’re not talking about something futuristic. This is about here and now. We’re not talking about, like, PAB losses or like things where there’s a futurist direction of the world. This is about today, malware being spread across devices and we’re simply not doing anything. So, put your hand up again. Who’s got a smartphone? Let’s see those hands again. Alright, let’s get those devices protected. Thank you very much. (audience applauds)
