16

As I understand, a relatively outdated phone (Android 5, not updated for a few years) could be easily compromised by using security exploits through WiFi, mobile data, NFC or Bluetooth.

I'm about to participate in an event where other people might try to hack into my phone (I suppose there is a similar issue when going to conferences such as DEF CON). Given that NFC and Bluetooth are already turned off, is there any chance for another person to hack into my phone if I keep WiFi and mobile data turned off as well?

Naturally, physical stealing of the phone is out of the question, but the intruder can get within centimeters of the phone in a crowd.

Glorfindel
Arseni Mourzenko
  • So, "airplane mode"? – schroeder Dec 23 '17 at 12:19
  • 2
    I think so, although I'm not sure if airplane mode disables NFC as well. – Arseni Mourzenko Dec 23 '17 at 12:25
  • That's easy enough to check ... – schroeder Dec 23 '17 at 13:25
  • 1
    Would it be valid to say, even though you're not 100% safe, your phone becomes such an outlying target that it stops being interesting? Whatever attack vector that works on your phone will work on so many other phones, they just wouldn't bother with your phone... – Nelson Dec 23 '17 at 18:59
  • 4
    An anecdote. I tend to put my iPhone into airplane mode when I am charging it (so it charges faster). Sometimes I forget, and earlier today I successfully used Apple Pay to buy something, only later realizing I was in Airplane mode. I don't know if Android Pay works in the same way, but if it's configured on the device, an attacker could potentially steal money from you by exploiting it, even in Airplane mode. – JMK Dec 23 '17 at 20:18
  • 1
    Don't forget the other common short range radio transmission technologies: Bluetooth and NFC! – David Foerster Dec 23 '17 at 20:40
  • Consider leaving your real phone home and get a cheap burner phone instead. – Schwern Dec 24 '17 at 03:48
  • FWIW, I don't bring any phone to things like DC. It's not that difficult to live without one. – forest Dec 24 '17 at 06:04
  • Even if you disable mobile data, the rest of the cellular modem is still running - calls, SMS etc. Data collection is certainly possible, other stuff... maybe. – SomeoneSomewhereSupportsMonica Dec 24 '17 at 09:03
  • To be honest, if you exclude unpatched SMS security holes, I doubt you can get personally hacked with your Wi-Fi off even when your mobile data is *enabled*, unless you actively browse a website with a browser exploit embedded in it. Carrier-grade NAT means nobody can access your IP directly, so getting hacked is only possible if you actively connect to a compromised server. On the other hand, with Wi-Fi on, anybody can connect to your IP directly, so suddenly now you're open to attacks on ports your apps may be listening to (for which exploits are more likely). – user541686 Dec 24 '17 at 09:42
  • @schroeder You can use wifi in airplane mode. To be clear: turning on airplane mode usually turns off wifi but you can turn it (and presumably nfc etc) back on but still be in airplane mode. –  Dec 24 '17 at 16:08

3 Answers

19

By disabling WiFi and mobile data, you shut down some attack paths. That means that your system is more secure, and probably immune to most "script kiddies" attacks.

However, the telephony part will still be active. It is certainly harder to exploit, but a smartphone is far from a 1960s telephone, and even the telephony part has interaction with the phone's OS. That means that it is still possible that a combination of calls and SMS triggers an unexpected condition leading to a possible exploit. I know none of those, because even the Stagefright bug cited by @SteffenUllrich in his answer uses a crafted MMS. And an MMS can only be delivered when mobile data (or possibly WiFi) is active, and will never be if only telephony is allowed.

If you can be sure that god himself was among the engineers that designed your phone system, you are absolutely safe. In any other case, bugs are always possible...

Of course, if you use other functions of your phone like displaying photos, viewing videos, or playing music, you open new doors for attacks with every new application.

LS97
Serge Ballesta
  • 2
    Don't forget about the baseband processor, which is independent of the phone's primary CPU. It facilitates access to the phone's radios and could theoretically allow some control over the phone remotely. – Nathan Osman Dec 24 '17 at 02:19
  • You might want to mention [e911](https://en.wikipedia.org/wiki/Enhanced_9-1-1). – forest Dec 24 '17 at 05:56
  • A little bit dated, but there was the glorious [Baseband Apocalypse](https://www.youtube.com/watch?v=CPPQ8vA6cRc) talk from 27c3. – Jonas Schäfer Dec 24 '17 at 14:03
10

If you only disable WiFi, mobile data, NFC and Bluetooth you still leave normal telephony and SMS/MMS.

MMS was for example the attack vector for exploiting the Stagefright bug which is still not fixed on all mobile phones. Even if mobile data are switched off you'll still receive an SMS notification about the pending MMS which is spooled at the provider and will usually be automatically downloaded as soon as mobile data are available again. This means that the Stagefright exploit will not be triggered when somebody sends the message to you but only once you feel safe again to turn mobile data on again.
In other words, it might still be possible to hack your phone this way, only that the exploit will not be active immediately.

Apart from this known bug there might be still unknown or unpublished bugs which use the ability of the attacker to send data to your phone even if most of the communication services are switched off like you do. For example there might be bugs in the handling of plain SMS messages or handling of GPS data or by processing normal calls which might be triggered for example with customized GSM stations or GPS spoofing equipment. The data processing stacks are often not developed with an attacker in mind which works at the lower protocol level, which can be seen for example by the far reaching recent exploit of Broadcom chips (which requires WiFi at least partly on).

Steffen Ullrich
  • 1
    And even then, one could have physical access to your phone and just use a USB-OTG cable and game over. – Ismael Miguel Dec 23 '17 at 15:12
  • 6
    AFAIK, Stagefright uses a crafted MMS and MMS are not delivered when both mobile data and WiFi are off. – Serge Ballesta Dec 23 '17 at 16:18
  • @SergeBallesta Actually, I believe you do. You can receive an MMS over GSM/GPRS, if I'm not mistaken. – Ismael Miguel Dec 24 '17 at 00:50
  • @SergeBallesta: you are right that MMS needs mobile data for delivery. This means that the exploit can still be sent but it will only be active later once the OP feels safe again and left the dangerous environment and turns mobile data on again. I've edited my answer accordingly. – Steffen Ullrich Dec 24 '17 at 05:54
  • @SteffenUllrich A bug over MMS isn't going to be more or less likely to occur at a security con like DC unless you give out your number. This is more of an answer to whether or not remote exploitation is ever possible, not the security implications of this specific question. – forest Dec 24 '17 at 05:58
  • @forest: You are correct that it requires the phone number. But I think it is likely that contact information is shared. And it is probably also more likely that somebody at the security conference will try such a hack than at some other events. – Steffen Ullrich Dec 24 '17 at 06:12
1

When disabling all that, as the other answers mention, there are still various attack vectors such as SMS/MMS. If you do use any apps on your phone, those apps may re-enable wifi/mobile data. If I were you I would just take the battery out of my phone completely :).

eclipse