Amid all the fear and hype generated over the past few days as a result of Wikileaks and its precipitous Vault 7 dump, one fact was crystal clear: People have no idea what hacking an Android smartphone or an iPhone means or what it entails.
News headlines warned of hacking tools that let CIA agents break into anyone’s iPhones, iPads, and Android devices. Wikileaks claimed that there were tools that let agents bypass secure messaging apps like Signal, Telegram, WhatsApp, and Confide to intercept encrypted messages.
While scary, none of those claims are borne out in the initial dump of 7,818 pages and 943 file attachments, many of which read like knowledgebase articles anyone can find.
Simply put, Android and iOS devices aren’t any more susceptible to hacking than they ever were, and nothing in the dump suggests that the CIA—if Vault 7 really does describe the CIA’s hacking arsenal—has special tools or exploits that make compromising mobile devices easier.
Much of the purported hacking arsenal was composed of bugs not in the mobile OSes but in mobile apps. And the OS bugs that Wikileaks claimed gave it access had previously been fixed by Apple and Google, leaving only older Android devices still vulnerable to them. Many of the hacks require a CIA agent actually get hold of your device to exploit it.
When it comes to mobile hacking, there are essentially four avenues of attack:
- Exploits targeting operating system or hardware vulnerabilities to gain full control over the device
- Malicious apps that can perform certain tasks without the user’s awareness
- Man-in-the-middle attacks intercepting network traffic
- Social engineering tricks targeting the user
Most people tend to worry about attackers gaining full control over their mobile devices, but in reality, the average person is more likely to encounter those last three: social engineering scenarios, man-in-the-middle attacks, and malware.
What it means to “hack” mobile devices
All software has bugs, and operating systems are no different. There are vulnerabilities in iOS and Android that can be exploited to give the attacker full control of the device. That’s essentially the goal behind jailbreaking and rooting: To give users the ability to do more things on the device they normally cannot do. Jailbreaking bypasses Apple’s restrictions on what can be done on the device, and rooting gives Android users privileges associated with the device administrator account.
However, most jailbreaks and rooting methods require physical access to the device, and Apple and Google tend to patch those holes promptly. The claimed Vault 7 jailbreaking and rooting tools appear to rely on known methods against older versions of Android and iOS. Both Apple and Google have released statements claiming the vulnerabilities described in Vault 7 have either already been fixed or there are security protections in place to prevent exploits from successfully triggering them.
That, right there, is why patching and updating software is so important. The vulnerabilities the tools claim to be able to exploit have been addressed in newer versions. Apple users have an advantage because they tend to update to the latest iOS within weeks of the latest rollout. The vast majority of Android devices don’t receive updates from their carriers and manufacturers for many months or at all, despite Google fixing the issues; that makes the situation for Android users trickier. But people with newer Android devices aren’t susceptible to the Vault 7 tools.
For users with older devices, there’s still no reason to panic. As mentioned earlier, most of the tools of this type tend to require physical access. If the CIA has physical access to your phone, you have bigger worries.
Physical vs. remote hacking
That brings us to the basic tenet of hacking: If the adversary has physical access to your device, the game is over. Physical access means the attacker can do the same things on the device that you could. Locking devices with a passcode and encrypting the contents slows down the adversary, but all bets are off once the device is unlocked. If the attacker uses any of the available physical methods to jailbreak or root the device, then he or she has full control of the device, regardless of the security measures in place.
Remote root or jailbreaks are extremely rare, especially on iOS. Pegasus, the spyware tool used by governments, used the Trident vulnerabilities to remotely jailbreak an iOS device, but the process took three zero-day vulnerabilities to succeed: one to compromise the web browser, and two more in the operating system itself. There’s a reason why Zerodium offered a million-dollar bounty in search of a full remote jailbreak for the iOS. Exploits that target hardware weaknesses—à la the Rowhammer exploit for Android—are even rarer.
The biggest “meat” in the Vault 7 dump was the claim that CIA agents can grab the contents of encrypted messaging services like Telegram, Confide, WhatsApp, and Signal. But what’s actually happening is that these tools, if installed on the device, can collect unencrypted audio and message content. If the adversary has physical access to install those tools or has full control of the device, then of course that person can see the messages before they are encrypted to be sent, or when the arriving messages are viewed through the app. There's nothing magical or surprising here.
The next question is whether the CIA—or other government spooks—secretly have bought up zero-day vulnerabilities capable of these remote attacks we don’t know about. Based on both the Edward Snowden disclosures on the NSA and the details of the Vault 7 dump, that seems unlikely. The NSA’s arsenal focused on the network traffic, such as tapping the network backbone and eavesdropping on communications, and the Vault 7 tools emphasize local techniques, such as using the USB stick or physical access to load the attacks. The CIA’s modus operandi is much more targeted and physical in nature.
The easier way to “hack” mobile
There are easier ways to hack mobile devices, but even those have varying degrees of success. In fact, phishing is possibly the only reliable method of compromise—and that targets the users, not the app or device.
There’s a lot said about malicious apps that can perform unauthorized tasks, such as recording conversations, taking screen captures of what the user is doing, tracking user location, and copying files to remote servers. But users who stick to official app stores rarely encounter these type of apps. Google and Apple have put in significant amounts of effort to keep malicious apps out of their catalogs and to promptly remove them if they sneak through. Android users, for example, need to actually change the operating system setting to allow apps from unofficial sources to be installed. iOS users don’t have even that option.
Malicious apps are bigger problems for users who frequent alternate app stores (a common practice in foreign markets like China) and grab apps from web forums.
Even so, what the app can do on the device is limited by the permissions it has requested, as well as the operating system’s own security features. By itself, an app can’t read data from other apps; it needs an exploit to break out of the application sandbox or to bypass the filesystem permissions, and as described earlier, there isn’t a way to do that reliably remotely.
If you aren’t installing apps that claim to be cracked, DRM-free versions of paid apps or aren’t downloading apps from dodgy sites, odds are you won’t be exposed to mobile malware. That’s not to say it isn’t possible—as already mentioned, some malicious apps do sometimes get on Google Play, but they tend to get removed fairly quickly.
The most common way for users to get compromised on their mobile devices has nothing to do with apps or vulnerabilities. They are more likely to lose control of their accounts or credentials through phishing or other forms of social engineering. There are plenty of commercial apps that can track and spy on phone owners—marketed to parents for keeping kids safe or to people jealously keeping tabs on their partners’ activities—that follow the same principles.
If the user is tricked into installing a keylogger app, nothing on the device can be secure. Someone looking over your shoulder can see what you are doing if you aren’t aware of your surroundings. As far as the users can tell, they were hacked, but it wasn’t the device or app that got compromised; it was themselves.
If you are worried about being hacked—whatever that may mean to you—watch out for phishing and nosy people trying to grab your device. Those are the real threats.