Hackers can spy on your calls, texts and track your movements using just your phone number, experts say

Hyacinth Mascarenhas

Conversations of political leaders, business executives and high-ranking officials could fetch a high price in the Dark Web

Reuters

German security experts say hacking into a smartphone is much easier than one would think giving digital thieves the ability to potentially track a person's calls, texts and whereabouts. To demonstrate their findings, a team of experts spied on a phone used by US Congressman Ted Lieu from California, a member of the House Oversight and Reform Subcommittee on Information Technology, who agreed to use an off-the-shelf iPhone knowing it would be hacked.

In an interview with "60 Minutes" correspondent Sharyn Alfonsi, Berlin-based Karsten Nohl of Security Research Labs and a team of hackers highlighted how digital pickpockets can exploit mobile phones using a flaw in a global mobile network called Signalling System Seven (SS7) - a little-known, but essential network that connects mobile phone carriers across the globe.
Using the congressman's phone number, Nohl, who has a doctorate in computer engineering from the University of Virginia, was able to exploit that flaw to intercept and record calls, view his contacts, read his texts and even track his movements.
"Any choices that a congressman could've made, choosing a phone, choosing a pin number, installing or not installing certain apps, have no influence over what we are showing because this is targeting the mobile network," said Nohl.
They also automatically logged the number of every phone that called Congressman Lieu as well. Lieu said this list, in a typical congressman's phone, could include other members of Congress and elected officials.
"First, it's really creepy. And second, it makes me angry," said Lieu. "They could hear any call of pretty much anyone who has a smartphone. It could be stock trades you want someone to execute. It could be calls with a bank. Last year, the president of the United States called me on my cellphone. And we discussed some issues. So if the hackers were listening in, they would know that phone conversation. And that's immensely troubling."
A significant risk to political leaders, business executives and high-ranking officials whose private phone conversations could fetch a high price in the Dark Web, Nohl says the SS7 flaw is actually an open secret among the world's intelligence agencies. He also notes that the key flaw lies in the mobile network itself.
"Mobile networks are the only place in which the problem can be solved," said Nohl. "There is no global policing of SS7. Each mobile network has to move -- to protect their customers on their networks. And that is hard." According to Nohl, all phones are the same and no one phone is more secure than the other.
Hacker and co-founder of the mobile security company Lookout, John Hering, also assembled a group of ace hackers in a hotel room with the 60 Minutes team. The group of hackers who were in Las Vegas for Defcon - one of the largest hacker conferences in the world - try to identify security vulnerabilities in order to protect the public.
They created a "ghost" version of the hotel's Wi-Fi, which Alfonsi connected to, through a process called "spoofing". Once she was connected, they were able to access her email, pull her phone number, credit card information, recent purchases and track her movements using ride-sharing app records. They could also take control of her phone's camera.
Hering does note that while the average person isn't likely to be exposed to these types of attacks, it is important to be aware of the possibility of such security breaches.
"Our goal was to show what's possible," said Hering. "So people can really understand if we don't address security issues, what the state of the world will be. We live in a world where we cannot trust the technology that we use."

These findings come amid rising concerns about the growing threat of cybercrime that ranges from identity theft and high-profile security breaches to cyberwar and cyberterrorism. According to the 2015 Identity Fraud Study released by Javelin Strategy & Research, as much as $16bn (£11.2bn) was stolen from 12.7 million US consumers in 2014 which means there was a new identity fraud victim every two seconds that year. Business on the Dark Web is also booming, according to a report by Dell, where "customer-friendly" hackers offer a variety of illicit goods and services on the cheap.