Technology has changed the way we live our lives and organize our information. There are wireless systems, Bluetooth, and different messaging methods. However, with new ways of accessing information, there are also new ways for hackers to access restricted information. It is common to hear about database systems hacked into and millions of personal credentials stolen in the news today. Likewise, there are personal stories about stolen social media credentials and banking info. Hacking starts when a party gains unauthorized access to a victim’s device. Hackers gain access to a device include phishing, using trojans, Bluetooth hacking, and sim card swapping. Other ways that hackers gain access include Wi-Fi hacking and USB malware. Even though computers and mobile devices are primarily hacked, items under the Internet of Things are also affected.
Firstly, phishing is considered one of the oldest and most common ways hackers access a device. Phishing is impersonating a company or an individual to trick the victim into doing a task that the hacker wants. Most phishing attempts occur through email and often look like events that would persuade a victim to follow through on the email. Examples of phishing emails include claiming that the victim has won a prize, their financial institution needing to verify their credentials, and impersonating tech support that needs access to their computer and information. Suppose the victim follows through with the email/message. In that case, they hand over personal information such as passwords, banking information, or a vector for the hacker to deliver malware to the device.
Python is involved in phishing attempts in that there are python programs that have phishing tools. One python tool called the social engineer toolkit module demonstrates how to use python for phishing attempts. This tool allows info security professionals to create fake websites, forms, and QR codes to practice against phishing attempts for research. This tool kit shows that a while loop can send mass phishing emails, allowing hackers to broaden their target audience.
Another way that hackers can gain access to a device is by using trojans. Trojans are malware that gets on to a device by disguising itself as something else. The associated malware is often used to gain personal information and take over a device’s resources, such as processing power. Mobile device apps are a prime vector to pass trojans. To illustrate, hackers can create an app that looks similar to a harmless app, such as a calculator, but with the intent of stealing the user’s information. The app then inserts a trojan into the mobile device. When the user opens their banking app, the trojan creates a log-in page that looks similar to the one that looks like the banking app. However, unknown to the user, the log-in page captures the information and sends it to the hacker.
Additionally, Bluetooth hacking is a recent form of hacking, following the invention of Bluetooth. This hacking method is more sophisticated in that the hacker looks for devices with an open Bluetooth connection and must be in the range of the device, approximately 30 ft away. Both a Linux machine and python are used to hack Bluetooth connections. The Linux machine can access a Bluetooth dongle configuration and sense other Bluetooth devices. It can sense other nearby devices and pair to them, allowing upload and download of files. There is a python program called, “bluescan” which is a powerful Bluetooth scanner used on Linux machines. Below is an example of bluescan finding low-energy Bluetooth devices.
Image 1. Example of python running bluescan to find low-energy Bluetooth devices.
With Bluetooth hacking, hackers can eavesdrop on users, perform man-in-the-middle attacks, or perform denial of service/ fuzzing attacks. In eavesdropping, hackers listen in on the data transmitted/received by the device. They can then use the device unit number to access other Bluetooth-connected devices or brute force PINs using another Bluetooth sniffer. In man-in-the-middle attacks, a third-party device impersonates a legitimate device connecting the user. The victim believes that they are connected to the legitimate device. The hacker can access and manipulate all the data on the victim’s device. Finally, in denial of service/fuzzing attacks, fuzzing is the act of “…sending malformed non-standard data to the Bluetooth radio”. The goal is to exhaust the battery or overwhelm the device to crash frequently.
Moreover, a modern and most sophisticated tactic hackers use is “Sim swapping. Scammers take advantage of text message and phone call two-factor authentication in sim swapping. To gain access to the sim card, hackers try to find sensitive information about their target through social engineering, including phishing and using trojan malware. The hacker then calls the target’s mobile carrier customer service and pretends to be the target. Their goal is to convince customer service that they need a new sim card activated. In turn, the hacker ports the target’s telephone number to the hacker’s mobile device. They can now receive any two-factor authentication codes and password reset requests sent to the target’s device.
In addition, Wi-Fi hacking is when hackers pretend to be a legitimate Wi-Fi connection point to intercept data that passes through the connection. This method is also called an “Evil Twin Attack.” Hackers commonly prey on individuals using public Wi-Fi in busy areas such as malls, libraries, coffee shops, and airports. They will copy the legitimate network’s Service Set Identifier and set up a new account with the same identifier using a mobile device such as a cellphone, laptop, or portable router. Having the same identifier increases the chance that a victim will connect to the malicious network rather than the legitimate network since devices cannot differentiate between the two networks. When the victim connects, they are often taken to a fake log-in page to input credentials, and then the data is sent to the hacker. The victim is now connected to the hacker, and the hacker can monitor all of the victim’s online activity.
The danger with Wi-Fi hacking is that the hacker can now access all of the victims’ sensitive information. If successful, hackers can steal sensitive credentials to financial accounts and insert malware to cause further damage. Another danger with Wi-Fi hacking is that it is hard to distinguish between being connected to a legitimate network versus a malicious network. To stay safe while using public Wi-Fi, avoid unsecured Wi-Fi hot spots, disable auto-connect on your device, and avoid logging into sensitive accounts while on public Wi-Fi.
Furthermore, USB sticks are ubiquitous that others do not give a second thought about inserting a free USB into their computer. USB malware can be hazardous and possible with free random USBs. Generally, with USB malware, hackers will deliver an infected USB to a victim via postal mail. They then trick the victim into plugging the USB into their computer, and the USB will automatically run malware. These infected USB sticks are called “BadUSBs,” and USB cables called “OMG Cable” perform similarly.
BadUSBs use Ducky Script, which someone with no programming experience can quickly learn. Ducky script has a straightforward syntax and using this language exploits computers’ “human interface device” permissions. With the human interface device permissions, the computer authorizes the BadUSB as a human behind the computer. Ducky script then performs exploits such as keylogging keyboard commands to control the computer, install malware, deploy ransomware, and redirect network traffic. Hardware security measures can prevent attacks on a device via USB malware. These include implementing security policies with users, restricting access to USB ports, and monitoring computer usage behavior such as keyboard typing speed to find USB malware.
Below is an example of a generated Ducky script used on a BadUSB. Here, the script uses keyboard commands to open windows power shell to start notepad. It then uses more keyboard commands to create a script with the admin user name, ‘ducky’ and password, ‘luckyducky.’ It then adds this to the windows registry to become an administrator account.
Image 2: Example of ducky script creating an administrator account on a Windows machine.
Internet of Things
Likewise, while it is common for mobile devices and computers to be hacked, items called the “Internet of Things” (IoT) can also be hacked. IoT refers to any device with an on/off switch connecting to the internet and other devices. Some examples of IoT devices include microwaves, self-driving cars, and fitness wearables. When IoT devices are hacked, it is often due to lack of updates, inability to manage security features, insecure access ports, and weak password credentials. The most common operating systems vulnerable to an IoT attack are Android and Windows.
IoT attacks are often due to malware infecting the device. Currently, there are two common types of IoT malware: Mirai and Silex/Brickerbot. Mirai malware works by scanning the internet for IoT devices with default factory log-in credentials. When it connects to a device, it uses it as part of a botnet to execute a denial of service attack. Silex/Brickerbot has the same approach as Mirai. Instead of using the device as part of a botnet, the software overwrites all the data and deletes the network configuration. As a result, the IoT device is unusable and must be physically fixed.
General prevention and protection
Finally, hackers use tactics to exploit vulnerabilities to gain unauthorized access to a device. Signs that the device is hacked include a quickly drained battery, the application or device randomly shutting off or turning on, or unrecognized charges and subscriptions on your bills. Other signs include being unable to receive calls or texts or unable to access your accounts. Ways to prevent others from gaining access to your device include: updating your device and apps, using security software on your devices, turning off Wi-Fi and Bluetooth when not in use, and not using third-party app stores or unfamiliar apps. Other ways to protect yourself include: not providing personal information to anyone, including posting it online or over the phone, not advertising your financial assets, using unique passwords or a password manager for accounts, and not solely relying on your phone number for security or identification.
Technology makes it convenient for users to quickly access our sensitive information, such as our bank accounts. As technology has become increasingly sophisticated, the ways that hackers gain access to devices have developed as well. Phishing, trojans, Bluetooth hacking, and sim swapping are the standard ways hackers access our devices. The other ways hackers gain access to devices include Wi-Fi hacking and USB malware. Although hacking is more common for computers and mobile devices, IoT items are also susceptible to hacking. Users need to understand that it is essential to keep devices up to date, use strong passwords, and refrain from giving out personal information unless necessary to protect themselves from hackers.