June 22, 2007 at 6:40 PM ET
Just how easy is it to hack into a cell phone?
The strange story of Heather Kuykendall and her neighbors in Tacoma, Wash., begs that question. Kuykendall says someone has managed to hijack her phone and use it to spy on her. Whoever it is apparently is able to turn her phone on and off, order the unit's camera to take pictures and even enable the speakerphone function so the device can be used as a bug. You can see the icky details in a Michael Okwu report that aired Friday on the Today Show.
Cell phone hacking to read someone’s contact list is one thing; but cell phone spying is a far more disturbing possibility. Could whatever happened to Kuykendall and her neighbors happen to you?
The short answer: Yes, but it's very, very unlikely.
Cell phones are loaded with so much personal information -- and have so many new capabilities -- that phone hacking has been the holy grail for computer criminals for some time. Remember the hubbub after Paris Hilton's T-Mobile phone was "hacked” and her contact list stolen? Her Hollywood friends were getting prank calls for weeks.
Today, phones have even more capabilities. Many have GPS chips, allowing telephone companies -- and probably hackers -- to determine the exact location of any phone user. If computer criminals could figure out how to hack into these smart phones, imagine the chaos that could follow.
They've been trying. For years, enterprising software developers have invented tools that turn cell phone handsets into spying devices. Some are even sold commercially. These tools remain very rudimentary, however. Most important: They require physical access to the phone, both to load the spyware and to turn it on.
If you think about it, this physical access requirement severely limits the threat of cell phone spying. An anonymous criminal tapping into your phone from across the Internet is frightening; having a family member or ex-boyfriend spy on your phone is still spooky, but that's not really a technology problem. After all, someone who had possession of your phone long enough install software could also read through your sent text messages.
There have been some demonstrations of spyware being added to cell phones without physical access -- over short distances using Bluetooth technology, for example.
New viruses being developed
In an effort to install cell phone spying software over longer distances, virus writers are also trying to invent Trojan horses that would trick consumers into downloading and installing spyware on their phones, similar to the way e-mail attachment viruses work, says Paul Miller, the head of mobile device security at Symantec Corp. But so far, there have been no confirmed attacks using this method, only experiments, he said.
Another problem for the virus writers: Only about 15 percent of cell phone users have "smart phones" with operating systems sophisticated enough to be hit by such an attack, Miller said.
That's part of the reason it's hard to hack cell phones. A PC hacker knows that any software flaw can be used to attack about 95 percent all computers, because the Windows operating system is so widespread. But there are numerous cell phone operating systems, so flaws can't be used for widespread attacks. Perhaps more important, hackers’ can’t build on one another’s work.
"Any flaw you find couldn't be used on 98 percent of the phones out there," Miller said.
All these factors indicate that cell phone spying of the type that hit Tacoma would likely be committed by a family member, friend or neighbor.
But not everyone agrees that remote cell phone spying is so unlikely. Massachusetts-based security consultant James Atkinson says cell phones that run some operating systems designed to download new applications can be tricked into downloading spy software.
"It's just a matter of accessing the operating system," he said.
Atkinson could not point to confirmed cases of this happening. And if it were widespread, hacker chat rooms would certainly be abuzz with discussion about it. After all, when it became known that criminals could use caller-ID spoofing to hear other people's cell phone voice mail, that didn't stay a secret long. And stories of crazed ex-boyfriends spying on their former girlfriends through voicemail snooping were widespread.
That doesn't mean there won't some day be widespread spying committed with these incredibly sophisticated cell phone we are all carrying around. The more capabilities each cell phone has, the more chances that hackers can find a glitch and exploit it. So consumers should treat those smart phones with the same care they treat their PCs. Never agree to open a file or install a program that arrives unexpectedly, for example.
"These things are small computers," Miller said. "We want to get people the message to treat them like computers."
For the truly paranoid, you could consider removing your cell phone battery from your phone when you are not using it. That would foil any attempts to use it as a spying device. Of course, it would also severely limit the phone's usefulness. And you should balance a choice like that with the answers to some realistic questions, such as: How valuable would it be for someone else to remotely access your cell phone camera and take pictures of the inside of your pocket?