The folks at the online security firm Trustwave never cease to freak me out. They generally keep me abreast of various new tactics hackers can use to steal your information, almost as if it’s a sport they play to see how quickly I can hyperventilate. The hacking methods the researchers discover are always ways I never knew were humanly possible.
The other day I chatted with another Trustwave Senior Security Consultant, Neal Hindocha, and he explained how it’s now possible for cybercriminals to log users’ keystrokes on mobile devices. That is, anything someone presses or enters on a smartphone or tablet can be tracked and recorded, despite the fact that he or she is not using a keyboard.
This is especially alarming because quite often people turn to mobile devices for authentication, precisely because of this lack of keyboard. Frequently we hear of new forms of two-step authentication to make passwords more secure; sometimes the authentication require a mobile input. As Hindocha explained it to me, “if you know where the user is hitting the touchscreen, you know what they are doing.”
He looked into this concept, merely wondering if it was possible to do. And sure enough, it was. He and his team discovered techniques to record what mobile users were doing on jailbroken iOS devices as well as both rooted and non-rooted Android devices. “We had a working concept in less than a day,” he said. That is, he built an actual hack that could record mobile keystrokes… or should I say finger-strokes.
There are a few ways to do so. One of the easiest methods Hindocha’s research team discovered was merely mapping screens’ X and Y coordinates, and then using that as a blueprint of sorts. From there, the team was able to track “anything that the user enters into the phone.” This included, passwords, passcodes, websites you just visited, honest to god anything that goes into your mobile device.
There are two caveats that must noted, however, about this revelation. One, is that this attack is a very specific kind and takes a lot of time and energy to perform. “You actually have to sit down and look at the screen and its coordinates,” Hindocha explained, in order to extrapolate any useful data. That’s why he deems this tactic a “very targeted attack,” and not one for the masses like, say, the huge Target security breach.
The other important thing to know is that, as far as he knows, this attack hasn’t actually occurred yet. “I have not seen this actually used in malware, not yet.” So while this should be cause for alarm, it hasn’t plagued the masses, or even a mass, just yet.
But, for people in Hindocha’s profession — those who are always seeking out new ways to protect online information — it’s not a question of what tactics hackers will utilize, but when. This is why he will be presenting his findings at the upcoming RSA conference in February.
There, Hindocha will be among his online security ilk, and hopefully they will be able to brainstorm some proper safeguards to protect from this kind of malware. For now, Hindocha says that you probably shouldn’t jailbreak your phone if you’re using iOS. As for Android, you just have to make sure you’re up to date on malware protection and pray that’s enough.
With these protections, you are hopefully somewhat safe. Although, given the rate at which these discoveries are occurring, perhaps the next big security reveal will be that everything’s unsafe and nothing is okay. At least in terms of computer security. And probably life too.
[illustration by Brad Jonas for Pando]