Jeff Bezos, commonly thought of as one of the most powerful men in tech, has had his phone hacked. A smart phone is inherently a personal device that we carry in our pockets and bags. Attacking a smart phone allows an attacker to listen to calls, read messages and e-mails, and track the user’s location. The impact of these attacks can feel more like an invasion of privacy than the impact of a phishing attack or business email compromise.
We predict that the targeting of mobile devices will grow exponentially in the next three years. The prevalence of end-to-end encryption means an attacker may feel they have no choice but to attack a handset itself, rather than attempting to listen in over the air. Attacks directly against mobile devices are also not geographically limited – they do rely on access to the telecommunications infrastructure of a country, but can be used anywhere. This makes them a valuable intelligence tool – it would not be possible for a country to intercept a call in the USA in any other low-risk way, when the alternative is to be physically next to your target.
Our threat intelligence team has been tracking the rise in mobile devices being targeted since 2016. In that time we have seen a prevalence of high-end tools being used to target high-profile individuals. We also have seen unconfirmed reports of these techniques being used by sophisticated private investigatory firms.
Early attacks tended to be untargeted, and were mostly confined to Android devices. Tools are now available, at a significant cost, that allow the successful compromise of a wide range of devices including Apple handsets, often thought to be more secure. The next phase of attack could also involve legitimate mobile apps being used for unintended purposes. The provenance of massively popular apps is now being called into question, given how they could be misused.