Actions

Account and Mobile Security

From Whonix


SIM32423.jpg

Introduction[edit]

Recent revelations highlight that advanced mobile phone spyware (Pegasus) poses a serious surveillance threat. Quote The Guardian: What is Pegasus spyware and how does it hack phones? [archive]:

It is the name for perhaps the most powerful piece of spyware ever developed – certainly by a private company. Once it has wormed its way on to your phone, without you noticing, it can turn it into a 24-hour surveillance device. It can copy messages you send or receive, harvest your photos and record your calls. It might secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met. ... Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix. ... Security researchers suspect more recent versions of Pegasus only ever inhabit the phone’s temporary memory, rather than its hard drive, meaning that once the phone is powered down virtually all trace of the software vanishes.

The tool is already in use by many governments worldwide, posing a significant threat to journalists, human rights defenders and NGOs among others. It emphasizes that even the most security-conscious individuals cannot prevent such attacks, therefore those at high-risk should limit the use of mobiles for sensitive activities whenever possible:

  • A compromised mobile phone could turn on the microphone and eavesdrop without any compromise indicator noticeable by the user.
  • The audio leakage from keyboard typing can be used to infer the words up to a certain degree of accuracy. This might reveal passwords; see Microphone.
  • Similar risks exist for the in-built camera.
  • All content on the mobile phone can potentially be exfiltrated, including contacts, media, messages and documents.
  • All browsing and communications history can potentially be monitored.
  • Location data might be accessed by adversaries.
  • Any other data or activities on the mobile phone is at risk of access/exfiltration.

SIM Swap Scam[edit]

Essential knowledge: SIM Swap Scam [archive]

Due to SIM Swap Scam and Malicious SMS Re-Routing, consider setting a registration lock. This prevents someone who has gotten access to your mobile number from re-registration without knowing the pin code for re-registration.

  • Signal messenger: three dots → settings → privacy → scroll down → Registration Lock PIN
  • Telegram: settings → privacy and security → two factor authentication
  • WhatsApp: settings → account → Two-step verification

Malicious SMS Re-Routing[edit]

Even without SIM Swap Scam, attackers can do malicious SMS re-routing [archive].

Two-factor Authentication (2FA)[edit]

Even users who are knowledgeable about bulk phishing or spear phishing can benefit from 2FA. See Two-factor Authentication (2FA).

Phone Number Security Compartmentalization[edit]

Consider using at least two different mobile phone numbers. One that you give to friends, colleges, etc. To real people. The other phone number you give only to banks and perhaps other money sensitive services that require SMS as a second factor or as a means to contact you.

The rationale behind this is that people you know might give your mobile number to others. Or their mobile phone may be hacked or stolen. Thereby or through other means your mobile number might end up being published on the internet. This might make you a target for SIM swap scam. However, if you used different phone numbers in different places, a SIM swap scam would cause less damage.

A phone which is being carried outside and daily is more likely to get stolen or robbed than a phone which most of the time is being kept in a safe(er) location. Thereby using your everyday phone, the thief at least does not get a chance to fraudulently access any bank accounts.

Due to possible SIM swap scam:

  • Avoid using a phone number (SMS) for Two-factor authentication (2FA) whenever possible and use better options such as "google authenticator". It doesn't or shouldn't have to be literally be "google authenticator" but any alternative 2FA application. See 2FA for more information.
  • Inform all contacts of a possible SIM swap scam. Should they receive any requests for money or other strange requests, encourage them to call you instead to confirm.
  • Prefer messengers or other chat applications that support a Registration Lock PIN over SMS.

External[edit]

Incomplete[edit]

Ambox warning pn.svg.png Documentation for this is incomplete. Contributions are happily considered!

A lot more could be said about mobile security. However, the Whonix ™ project is not (yet) a mobile security software project. The reader might be interested in this Overview of Mobile Projects, that focus on either/and/or security, privacy, anonymity, source-available, Freedom Software, de-googled, un-googled.

See Also[edit]



Fosshost is sponsors Kicksecure stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Account and Mobile Security&body=https://www.whonix.org/wiki/Account_and_Mobile_Security link=https://reddit.com/submit?url=https://www.whonix.org/wiki/Account_and_Mobile_Security&title=Account and Mobile Security link=https://news.ycombinator.com/submitlink?u=https://www.whonix.org/wiki/Account_and_Mobile_Security&t=Account and Mobile Security link=https://mastodon.technology/share?message=Account and Mobile Security%20https://www.whonix.org/wiki/Account_and_Mobile_Security&t=Account and Mobile Security

We are looking for video makers to help create demonstration, promotional and conceptual videos or tutorials.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.