A Tacoma, Washington, family is claiming the mobile phones it uses have been taken over by hackers, who are turning them on at will, capturing conversations and manipulating the mobile phone camera.
The story of the Kuykendall family, as reported in the Tacoma News Tribune last week, seems an unlikely one, with tales of how they believe their cell phones, as well as those owned by other families, have been taken over and cell-phone cameras mysteriously turned on and off. While the mystery of the Kuykendall family's cell-phone experience isn't fully explained, people are wondering whether such events are even possible. Security experts say yes -- but still in the realm of the unlikely.
Security experts from IBM, McAfee and Symantec all agree that mobile phones of virtually any type can be broken into and maliciously controlled, though it takes a high degree of sophistication to do it.
"It's definitely possible but still something that is limited to a very sophisticated attacker," says Neel Mehta, team lead in the advanced research group at IBM's Internet Security Systems Division.
Mehta said malicious code to take over the phone could be sent to the intended victim in the guide of a picture or audio clip. Once the victim clicked on it, however, the malware to control the phone would be installed. Many in the industry refer to this as "snoopware."
This type of cell phone hijacking, enabling the attacker to manipulate the microphone and camera, remains "a very rare occurrence in the field," said Paul Miller, managing director of mobile security at Symantec.
However, he noted that J2EE-styled malware such as the "Red Browser" for sending SMS messages, believed to have originated in Russia, is known to exist, and has been used typically to defraud the victim, particular in Europe. He added the number of viruses targeting smart phones and feature-based cell phones remains low, roughly one in the mobile realm for every 500 viruses targeting PCs, he noted.
Miller also pointed out that there are 'spouse-monitoring tools" that can be obtained on the Internet to snoop on phone use, and some pure hacker varieties of this are starting to appear as well.
McAfee had a similar perspective on hijacking of cell phones, whether feature-added voice phones with cameras or the newer breed of computer-based smartphones, agreeing it can happen but appears to be a rare occurrence.
"People aren't expecting any trouble with mobile phones and in general, it's been a safe tool," says Jan Volzke, senior manager in mobile security at McAfee. But having your cell phone hacked "is possible though unlikely."
Volzke said the ways this might be done would depend on someone deliberately tampering with the cell phone by gaining physical access to it, or possibly tricking the cell phone user into downloading of malicious software through Bluetooth infrared or other means.
Once installed, that Trojan, acting like a small application, would let the attacker remotely control the phone and its features, such as cameras and microphones.
However, Volzke added this kind of attack remains highly unusual and is regarded as likely targeted at the specific individual using the cell phone rather than a mass attack against an entire cell-phone population base.
A Verizon Wireless spokesman said the situation concerning the Kuykendall family, couldn't occur on a CDMA wireless network. Jeffrey Nelson, executive director corporate communications for the carrier, based in Basking Ridge, N.J., says: "As any responsible wireless service provider should, we're investigating to best understand what may have happened in this particular situation, and whether it's even theoretically possible. At this point, we don't believe our customers are in any way vulnerable to the kind of remote hacking you describe."
Yet Nelson declined to give any explanation of why Verizon thinks that. And in response to a request for a technical expert to explain it, he emailed back: "sorry, don't have anybody."
Network World Senior Editor John Cox contributed to this story.