You Are All A Hacker Needs To Track You, Steal Your Info

A Channel News Asia headline on my Facebook feed caught my attention. “Your phone number is all a hacker needs to track you, steal your info.” This sounds deadly serious. Not entirely impossible, but I imagined that if there were a serious new discovery, like the recent one concerning Broadcom Wi-Fi SoC, I would have heard about it elsewhere first.

So, falling for the clickbait just as Channel News Asia probably intended, I followed the link to see what they had to say. It’s about a recent episode of Talking Point. There was nothing particularly revealing in terms of technical details. There was a video, from Talking Point. Again, following the clickbait that Channel News Asia had carefully planned, I had to check out what they had to say.

Let’s take a look at what the headline had screamed out. The hacker only needs to have your phone number, according to the article, to track you.

In the video, ethical hackers from the Whitehat Society at the Singapore Management University exploited the Mediacorp host Steven Chia’s smartphone. The hacker needed the victim’s phone number, yes. But then the crucial bits of information were revealed:

  • The hacker sent the victim a text message with a download link.
  • The victim had to click that link to install malicious software.
  • That link is suspicious, and clearly the software isn’t from the official app store.

Now, there are certainly other smartphone exploits that only required the victim to, say, open a message, which is a lot easier to fall prey to. Or, like the recent Broadcom Wi-Fi SoC bug, you merely needed to use a Wi-Fi network that a malicious attacker also has access to, and that would be enough for your smartphone to be compromised.

In the case cited by Channel News Asia, the victim had to click a link, which on its own should already raise alarm bells (and not just because of the suspicious URL), and then go on to install an Android application from outside the Google Play Store.

The article’s headline is totally misleading. It is not your phone number that the hacker needs. The hacker needs you. Specifically, the hacker needs a person who’s totally clueless and completely lacking in the most basic of cybersecurity awareness.

Of course, perhaps their main point is many people are precisely that, i.e. totally clueless and completely lacking in the most basic of cybersecurity awareness. I wouldn’t disagree. But now the focus is different. This is not about how a clever hacker only needs your phone number.

The article went on to talk about how public hotspots are dangerous. To some extent, yes. But the way Channel News Asia has presented it is misleading. Here’s the text on the dangers of public Wi-Fi:

“This is where a hacker uses his phone’s own hotspot to pose as a free WiFi network, and when you connect to it, it gives him access to your phone, personal files and credit card details.”

Okay, stop it right there. It’s not so simple. Maybe the context they had in mind is people who do their online shopping or send confidential information over unencrypted connections to Internet sites. Perhaps those people don’t understand SSL. Tell me, which major, well-established, and trusted online shopping site does not use SSL? If the site isn’t using SSL, they probably shouldn’t be considered a trusted shopping site.

It’s true that despite all encryption efforts, public Wi-Fi may still reveal some basic information about which Internet sites you’re accessing. That’s all part of understanding the risks and making an informed choice on using public Wi-Fi (notwithstanding the recent Broadcom Wi-Fi SoC vulnerability).

The problem here, again, isn’t that public Wi-Fi is dangerous. It’s about cybersecurity awareness. Public Wi-Fi per se is not the problem.

There are certainly far more serious, impactful, and dangerous exploits. This demo isn’t one of them. It’s disappointing (but perhaps not unexpected) that Channel News Asia would contribute to the misinformation instead of trying to properly raise awareness in cybersecurity.
