With New Hack, Cellphone Can Get Data Out of Computers

by  David Shamah, Times of Israel

A cellphone can be used to engage in air-gap network hacking, according to researchers at Ben Gurion University (BGU). The researchers say a hacker could use an email-phishing attack to get an unsuspecting cellphone user to install the right kind of malware onto their device.

The Iranian network targeted by Stuxnet was an air-gapped one, connected only to local computers, with no external connection to the Internet. The virus infected the servers controlling the Iranian nuclear program’s centrifuges, “choking” them until they ground to a halt. It was, many experts believe, physically transferred to the closed network via a USB flash drive. The attack described by Elovici is light-years ahead of Stuxnet, because no physical contact is required to compromise a system.

Even if you don’t think your computer is connected to anything, it sends electromagnetic or acoustic emanations from its hardware. The NSA’s (National Security Agency) TEMPEST program uses special devices to pick up data from computers and servers via leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations from hardware such as video monitors, keyboards, network cards and memory chips.

Once the cellphone is within one to six meters of a system, a hacker on the other side of the world will be able to remotely access any data they want, and no Internet connection is needed. Once the malware is on the phone, it scans for electromagnetic waves, which can be manipulated to construct a network connection using FM frequencies to install a virus onto a computer or server.

A team led by BGU Cyber Security Lab director and professor Yuval Elovici has demonstrated how the technique is done with computer video cards and monitors. Elovici considers air-gap network hacking via cellphone to be a major security risk because currently there is little that can be done to prevent it other than turning off a phone. He expects the risk to grow as news of the attack technique spreads among hackers.  Read the full article

DCL: Well, the defense is not to open email on your cell phone unless you are absolutely certain it is from someone you trust. Otherwise, as this article says, watch out! The crooks will learn how to do this.