Be careful who you give your
number out to. An attacker with the right toolkits and skill could
hijack your phone remotely just by sending SMS messages to it,
according to mobile security firm Trust Digital.
the Trust Digital demo on YouTube, an attacker sends an SMS message to
the victim phone (on the left) which opens up a Web browser and
downloads an executable file that directs it to send an SMS to the
attacker's phone (on the right).
In what it calls a "Midnight Raid Attack" because it would be most
effective when a victim is asleep, an attacker could send a text
message to a phone that would automatically start up a Web browser and
direct the phone to a malicious Web site, said Dan Dearing, vice
president of marketing at Trust Digital. The Web site could then
download an executable file on the mobile phone that steals data off
the phone, he said.
In another type of attack, an attacker could hijack a phone by sending
a type of SMS message called a control message over the GSM network to
a victim's phone that is using a
network and then use special toolkits to sniff the Wifi traffic looking
for the victim's e-mail log-in information. This attack is explained in
another YouTube video.
While the attacks at this point are proof-of-concepts, they could be
done if someone has the requisite knowledge and toolkits, said Dearing.
Trust Digital recently announced software called EMM 8.0 that can help
organizations protect employee phones from these types of attacks, he
"This is a completely real threat," said Philippe Winthrop, a director
in the global wireless practice at Strategy Analytics. "We will see
these attacks. It's a matter of time."