A lot of modern life is interconnected through the Internet of things — a global empire of billions of devices and machines. Automobile navigation systems. Smart TVs. Thermostats. Telephone networks. Home security systems. Online banking. Almost everything you can imagine is linked to the world wide web. And the emperor of it all is the smartphone. You’ve probably been warned to be careful about what you say and do on your phone, but after you see what we found, you won’t need to be warned again.
We heard we could find some of the world’s best hackers in Germany. So we headed for Berlin. Just off a trendy street and through this alley we rang the bell at the door of a former factory. That’s where we met Karsten Nohl, a German hacker, with a doctorate in computer engineering from the University of Virginia.
We were invited for a rare look at the inner workings of security research labs. During the day, the lab advises Fortune 500 companies on computer security. But at night, this international team of hackers looks for flaws in the devices we use every day: smartphones, USB sticks and SIM cards. They are trying to find vulnerabilities before the bad guys do, so they can warn the public about risks. At computer terminals and work benches equipped with micro lasers, they physically and digitally break into systems and devices.
Now, Nohl’s team is probing the security of mobile phone networks.
Sharyn Alfonsi: Is one phone more secure than another? Is an iPhone more secure than an Android?
Karsten Nohl: All phones are the same.
Sharyn Alfonsi: If you just have somebody’s phone number, what could you do?
Karsten Nohl: Track their whereabouts, know where they go for work, which other people they meet when– You can spy on whom they call and what they say over the phone. And you can read their texts.
We wanted to see whether Nohl’s group could actually do what they claimed — so we sent an off-the-shelf iPhone from 60 Minutes in New York to Representative Ted Lieu, a congressman from California. He has a computer science degree from Stanford and is a member of the House committee that oversees information technology. He agreed to use our phone to talk to his staff knowing they would be hacked, and they were. All we gave Nohl was the number of the 60 Minutes iPhone that we lent the congressman.
Sharyn Alfonsi: Hello congressman? It’s Sharyn Alfonsi from 60 Minutes.
As soon as I called Congressman Lieu on his phone, Nohl and his team were listening and recording both ends of our conversation.
Sharyn Alfonsi: I’m calling from Berlin.
Sharyn Alfonsi: I wonder if I might talk to you about this hacking story we’re working on.
Karsten Nohl: What hacking story?
They were able to do it by exploiting a security flaw they discovered in Signaling System Seven — or SS7. It is a little-known, but vital global network that connects phone carriers.
Sharyn Alfonsi: Congressman, thank you so much for helping us…
Every person with a cellphone needs SS7 to call or text each other. Though most of us have never heard of it.
Nohl says attacks on cellphones are growing as the number of mobile devices explodes. But SS7 is not the way most hackers break into your phone–
Those hacks are on display in Las Vegas.
John Hering: “Three days of non-stop hacking.”
That’s where John Hering guided us through an unconventional convention where 20,000 hackers get together every year to share secrets and test their skills.
John Hering: It’s proving what’s possible. Any system can be broken; it’s just knowing how to break it.
Hering is a hacker himself. He’s the 30-something whiz who cofounded the mobile security company “Lookout” when he was 23. Lookout has developed a free app that scans your mobile phone for malware and alerts the user to an attack.
Sharyn Alfonsi: How likely is it that somebody’s phone has been hacked?
John Hering: In today’s world there’s really only– two types of companies or two types of people which are those who have been hacked and realize it and those who have been hacked and haven’t.
Sharyn Alfonsi: How much do you think people have been kind of ignoring the security of their cellphones, thinking, “I’ve got a passcode, I must be fine?”
SOURCE: Sharyn Alfonsi