Arcadia, a Canadian computer security company, teaches intelligence and law enforcement officials worldwide how to hack mobile phones. (Brendan Smialowski / AFP)
Smartphone vulnerability is a prickly issue, a tradeoff between the alluring conveniences the devices offer and the risks they bring.
The U.S. government is seeking ways to exploit the former without raising the latter, a quest for what’s being called “secure mobile.” The Defense Department is developing a plan to let staffers use smartphones for classified data. The National Security Agency’s Troy Lange told this year’s C4ISR Journal Conference that the agency is improving security on smartphones through specialized apps and encryption software.
But it’s men like Pierre Roberge who may offer the most intriguing insight. Roberge runs Arcadia, a Canadian computer security company with a unique specialty: He teaches intelligence and law enforcement officials worldwide how to hack mobile phones.
His business, he says, is “exploits” — the vulnerabilities that allow him to penetrate smartphones, which are, after all, just computers.
“It’s been called an underground industry for a long time,” he said.
His specialty is hacking phones remotely, undetected by the user. He doesn’t need to actually have the phone in hand. He offers two classes for intelligence and law enforcement. One teaches students to hack iPhones and the other focuses on penetrating Android devices.
A course syllabus for the “iOS Exploitation Course” (iOS is the Apple mobile operating system) says the first day is spent learning software reverse-engineering with an interactive disassembler program. By day three, students are prepared for lab work, running an exploit on a “real WebKit vulnerability for the IOS 6.x.”
From his unique perspective, Roberge says that both Android and iPhone devices have their pros and cons. iPhones are technically tougher to break into, he says, but once you are in, you are in.
“It is super hard for me to develop an exploit, but once I have one, it works on all the iPhones,” he said.
And such hacks, he says, give him complete control of the phone.
“The list of things we can do: Turn the camera on, take pictures, take video, turn the mike on, take copies of your phone calls,” he said.
It’s easier to break into an Android phone, he says, but the diverse range of devices means each exploit needs to be customized.
“You need to adopt the exploit for the device. That is, a Samsung can be hacked one way, but an LG or HTC may need a different back door,” he said. (A tip: Roberge notes that Google phones — those provided directly by Google, that is — are the most secure, because the software is updated so rapidly.)
Roberge says he has taught his techniques to intelligence agents and law enforcement from five countries. The U.S. has not been among them. Although computer exploit exports aren’t controlled by the government of Canada, he says that in all cases he got approval from Canadian authorities.
Roberge said even with approval, proliferation of the technology is a potential problem: “I have to be careful that the country will not resell it to bad people!”
There is this additional puzzle to his craft: Why would a lawful agency need to hack a phone? In most Western democracies, domestic law-enforcement services can get court-ordered cooperation from network providers.
Roberge says that isn’t enough. Modern communications software such as Skype, he says, can be used on devices, and the packets of information are impenetrable even to the network providers. Only hacking the phone — penetrating the operating system of the device — can reveal what someone is saying.
And that raises another issue: Much of the focus of the push for secure mobile has been to scramble the communications. That is, the transmissions are protected from interception en route, when the data is transmitted from one device to another, either in a call or as data. Some mobile phones even offer communications that can match the NSA’s Suite B standards for encryption. (See “Obamaberry maker extends secure mobile,” April issue.) It’s virtually unbreakable code.
The problem, Roberge argues, is that none of this would necessarily stop a hacker. Once he’s hacked the phone, he can be at a level below the encryption.
“This is where the power of exploits comes in,” he said. “Encryption becomes moot.”
The user, any time he enters a password, is giving it to the attacker. “I can run on the device, wait until you enter your RSA token, and then you get hash created out of this,” he said. A hash is a string of data created by a type of cryptographic algorithm. “It gives you access to your own data. At this point, I can copy this hash and use it myself. I am you. Exploitation defeats all encryption. If you open a file, when you read it, we read it.”
He says he’s now planning to enter the American market, and will register his company in Delaware, to make it easier to get U.S. government contracts.
This story first appeared in C4ISR Journal.