Betrayed by Your Mobile Phone: Be'er Sheva Scientists Discover New Cyber-threat

You may be a patriot but your phone may be soaking up data from your employer and transmitting it to evildoers

GPO / Kobi Gideon

You wake up in the morning, have coffee and yell at the kids, unplug your mobile phone from its charger and stick it in your pocket. Then you go to work, where you may be the tea-lady but still work around your employer's computer systems. And you may be the most patriotic tea-lady or scientist in the land, but a hacker somewhere else and your phone have made you a traitor.

Scientists at the Ben-Gurion University of the Negev scientists are working on identifying potential new threats thanks to that ubiquitous convenience: the mobile phone. Among their discoveries is that cellphones can be used to access – and then share – top-secret information in the most isolated of computer networks, called "air-gapped networks".

An "air-gapped network" is a group of computers in the company or organization that are connected to each other, but not to the outside world. The air-gapped network operates by itself, in isolation.

These attacks are all the harder to prevent in an era when everybody and his dog has a mobile phone.

The attack with your unwitting help starts with hackers infecting your phone with malware (malicious software), usually through email but also, possibly, through some other message, to somebody who works in physical proximity to the isolated network.

"Anybody who can penetrate the phone can penetrate the organization, and extract information from the organization. We demonstrated this to President Peres. The malware carrier doesn’t even know that information is being extracted through him," explains Yuval Elovici, professor at the Department of Information Systems Engineering and Director of Deutsche Telekom Laboratories at BGU.

By the way, Stuxnet is an example of a successful hack of an air-gapped network – the Iranian nuclear-program computer system.

Once the phone's infected, if that somebody opens the email and infects the network, that's that – it's compromised.

The special thing about mobile phones, for good and bad, is their ability to soak up information from the environment without physical connections.

"We demonstrated that mobile phones can be used to get information from the environment without being physically connected to say the computer system," says Elovici. For instance, a phone equipped with perfectly normal FM receivers can be manipulated into collecting data from compromised computers, whose monitors can be used as sort of FM transmitters to the phone.

It had been known that software can intentionally create radio frequency emanations from a monitor. But this is the first time that mobile phones were been considered as intended receivers of radio frequency emanations in an attack scenario.

The Ben Gurion team found a new way evil-doers can extract information from isolated networks with the help of smartphones. Basically, the compromised computer helplessly transmits information from the network to the phone, using a monitor as a radio transmitter.

Textual and binary data can be exfiltrated from a physically isolated computer to a mobile phone at a distance of one to six meters," the BGU team stated.

That isn't the only potential danger posed by your cellphone habit. Other abuses can begin with simply keeping track of every step you take – "Mobile phones have become like a wearable device, business they can collect a huge amount of information from your surroundings," says Elovici. Another set of abuses derive from the information the phone stores: if say you handle banking through your phone, it will know your password and so can clever hackers.

The third, as said, is that the phone can betray king and country without you knowing a thing about it.

What can be done about that? Well, one solution is simple. If you work for a company with sensitive information on its computers, leave the phone outside, says Elovici.

"But that isn't a solution people can live with," he admits. Therefore, the Ben-Gurion cyber-labs team is working on alternatives to dumping the thing at the entrance to work. "First we have to identify the dangers," the professor explains. "Then we can think how to balance convenience with risk."