A lot has happened for me in the past few months since my last article. I have gotten involved with corporate-level security and data management, and with that comes a lot more information to digest. I have actually begun questioning the integrity of software that I have used for years. I have even begun to question the applications on my phone. Why does an application really need access to everything it requested access to? Is there a legitimate reason? Is there possibly malicious code hidden somewhere to gain access and possibly do something that I wouldn’t want it to do? I guess you could call it paranoia (and yes, I agree that it is); however, how much do you truly understand what is happening behind the scenes in your electronics? I have discovered that I don’t know enough, or in some cases just enough to screw something up.
I have been following news articles about hacking and security vulnerabilities that are discovered in widely used software or operating system packages and that can cause a lot of problems if exploited by those who know how to do so. When the bash scripting vulnerability announcement was made, people started taking advantage of that within hours. There are a lot of computers that still aren’t protected from that vulnerability. These articles got me thinking about how easy it is for someone to start taking advantage of vulnerabilities without really learning about them. I started by looking at phones.
iPhones and iOS devices are actually pretty protected in that they have built-in application sandboxing, which means apps aren’t allowed to communicate with anything but the internet and a few other apps. Unless you jailbreak your iPhone and put a third-party app on it, your iOS device is pretty well protected. Android is a little different: you can install any application from the app store, and the app store isn’t monitored or regulated like Apple’s is. Anyone can submit to the Android app store, and if you aren’t paying attention to the reviews, you could be installing something that is capable of reading all your information or even accessing the cameras whenever they are commanded to by an outside source.
These intrusive acts can be done with mobile devices. You have to give them superuser (AKA “root”) access, which means elevated privileges. I rooted an Android phone, installed a few applications and was pretty amazed at what it could do. I managed to intercept my friend’s WiFi connection and replace every .jpg image on every webpage he visited with a picture of my beautiful face, with his permission of course. I did this all from an Android phone with an app downloaded from the app store. Once I found that piece of software, I began to hunt for additional tools that would give anyone with a little knowledge the ability to hijack a WiFi connection on a connected access point.