
Knowing that anything is possible for the many ways a hacker can break into a system, is it also possible that if I have an infected phone acting as a hotspot, my outdated computer could get infected after connecting to it for an hour?

I’m not a random target, the hacker knows me and is targeting me. The hacker is advanced, with many years of knowledge and experience.

Specifically, the case would be my Android/iPhone is infected with spyware, a rootkit, a backdoor for the hacker to maintain persistence, and a malicious DNS server is being used by the phone. Infection started because of an exploit kit taking advantage of a vulnerability to deliver the payload. The exploit kit was executed on a website from a link that was clicked on which was sent through SMS by the hacker spoofing a phone number of a contact.

Spyware is to know what I’m doing on the screen, through the microphone and camera, etc. Rootkit is to have full root control of the phone and alter any data to suit the hacker’s needs. Backdoor is for the hacker to be actively in my phone whenever he wants to execute new commands through the rootkit, such as to perform lateral movement to another device. The DNS server is for any redirection to malicious websites to download more malware at will.

The computer connecting to the phone’s hotspot is new out of the box and is running Windows 10 that is a year behind on updates.

The computer was ordered through the phone, so the spyware has info that it shipped with Windows 10 preinstalled. Later, the spyware sees that I’m creating a hotspot to connect to the computer, and the hacker is notified through his C2 server. The hacker then enters the backdoor and waits for the computer to connect to the phone.

Once connected, no web browsing occurs on the computer, so I assume he cannot do any malicious DNS server redirection to a website for a drive-by download. Packet-injecting malicious ads would not work either. No files are downloaded, so there can be no packet injection to alter files and download malware. Only Windows updates are downloaded and installed a few at a time, but since they are signed, they cannot be altered.

The only way I see he could enter is to scan the open ports of default running services on the computer for vulnerabilities, and leverage his way in through an exploit to deliver Windows malware to the computer.

I’m thinking of two methods:

  1. Use the rootkit to run an exploit kit on the phone. I don’t know if this is even possible to do on phone architecture.
  2. The rootkit can alter hotspot traffic to create an outbound connection to an IP address that will execute the exploit kit.

Since it takes about an hour for all updates to download and install, that is the amount of time the computer is very vulnerable. Of course even after being fully updated, the hacker could use a zero day exploit but as with all devices that access the internet, it’s a small risk that can never be avoided.

So I would like to know if this scenario is even possible. Appreciate any advice on this. Correct me if I am wrong in anything.

  • If you know that the phone is hacked, why keep using it in its current state? Factory reset it – schroeder Jan 09 '23 at 13:53
  • I didn't say how your phone was hacked... – schroeder Jan 09 '23 at 21:24
  • @schroeder, never mind about the way I got hacked, it’s unrelated. Let’s say the malicious website from the link looked “safe”, perhaps some blogging website, and the phone showed zero signs of an infection. During this time, the computer was connected to the phone. Later, after talking to the contact that was being spoofed through text, I realized then that my phone was hacked because the link was not sent by the contact. – Quentin Bolton Jan 09 '23 at 22:10

1 Answer

I’m not a random target, the hacker knows me and is targeting me. The hacker is advanced, with many years of knowledge and experience.

Yes. A hacker targeting specifically someone with an outdated phone and outdated OS will always win. He is halfway to the computer, as he controls the router (the phone in this case).

An outdated Windows may have remote code execution vulnerabilities. Default services (like file sharing, network discovery) can be attacked. The attacker controls the networking on the phone, so he can stop the computer from accessing updates. He can redirect any connection to a server he controls, and tamper with any unencrypted connection.

First action: clean the phone. A factory reset and firmware update should remove hacker access. Don't use an infected device. The more you use it, the more damage an attacker can do, and the more data he can obtain. If you know (or even suspect) a device is compromised, re-image the device; don't try to remove hacker apps by hand.

ThoriumBR
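The answer above names the concrete exposures on the PC side: default services such as file sharing and network discovery reachable from the hotspot, and DNS and routing supplied by the phone. The following PowerShell audit is an added example, not code from the answer or from anyone in the thread; it shows what a defender can check and tighten on a Windows 10 machine before (or while) it sits on an untrusted network. It assumes an elevated prompt, and the adapter alias `Wi-Fi` is an assumption that should be replaced with the real one from `Get-NetAdapter`.

```powershell
# Added example (not part of the original answer): audit and harden a Windows 10 PC
# that is about to join an untrusted network such as a phone hotspot.
# Assumptions: run from an elevated PowerShell prompt; $alias is a guess and must be
# replaced with the adapter actually used for the hotspot (see Get-NetAdapter).
#Requires -RunAsAdministrator

$alias = 'Wi-Fi'   # assumption: adjust to your hotspot adapter

# 1. Classify the hotspot as a Public network so Windows applies its strictest
#    firewall profile (network discovery and file sharing are off there by default).
Get-NetConnectionProfile -InterfaceAlias $alias |
    Set-NetConnectionProfile -NetworkCategory Public

# 2. Explicitly disable the inbound rule groups behind the "default services"
#    the answer mentions, regardless of which profile is active.
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False
Set-NetFirewallRule -DisplayGroup 'Network Discovery'        -Enabled False

# 3. Make sure the legacy SMBv1 server is off; it is the protocol family behind
#    several well-known remote code execution bugs in unpatched Windows.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. List every TCP port the machine is listening on, with the owning process,
#    so the "default running services" reachable from the network are visible.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = $proc.ProcessName
        }
    } | Format-Table -AutoSize

# 5. Show which DNS servers the adapter is using. On a hotspot these are handed
#    out by the phone over DHCP, so whoever controls the phone controls them.
Get-DnsClientServerAddress -InterfaceAlias $alias -AddressFamily IPv4

# 6. Confirm the Public firewall profile is enabled and blocks unsolicited
#    inbound traffic by default.
Get-NetFirewallProfile -Name Public |
    Select-Object Name, Enabled, DefaultInboundAction
```

Steps 1 to 3 reduce what an attacker on the same network can reach; steps 4 to 6 are read-only and worth re-running after patching, since the listening-port list is the practical answer to "which services are exposed by default". Nothing here replaces the answer's first action: a device known or suspected to be compromised is re-imaged, not audited.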
  • So to be clear, the hacker can in this specific case where no web browsing has occurred on computer: 1. Exploit the default vulnerable services like file sharing, etc 2. Prevent windows updates from being downloaded. 3. Redirect any connection to hacker’s server (I’m assuming only from default running services with open ports.) The hacker could then easily send malware, correct? 4. Unencrypted data in packets can be changed, regardless of where a connection is going to, it’s intended destination or the hacker’s server. Does this mean the hacker could send a malicious download? – Quentin Bolton Jan 10 '23 at 00:29
  • He can execute remote code direct on the PC without the need to download anything. – ThoriumBR Jan 10 '23 at 13:31
  • 2. It can redirect any DNS request, any FTP/SSH/HTTP/HTTPS connection. If the client ignores the certificate error, he can impersonate any site and tamper with every downloaded file. – ThoriumBR Jan 10 '23 at 13:32
  • @QuentinBolton: A Windows 10 computer in factory-default configuration does plenty of network access which is not user-initiated interactive "web browser". – Ben Voigt Jan 10 '23 at 16:01
  • @ThoriumBR: Thanks for your reply. I misunderstood you, so remote code execution is another attack vector. It is completely irrelevant to executing a payload on the computer sent from an exploit kit. – Quentin Bolton Jan 11 '23 at 09:58
  • I have little knowledge in this area. Can you elaborate more on remote code execution and the exact process for this attack, ports used by default running services (is it only ssh?), and software used? You also mentioned this attack vector in relationship to a vulnerability, which I don’t understand exactly. Does this mean for example the ssh port service may be vulnerable because it is out of date, and therefore the computer can be controlled remotely and code executed? Without any exploit sent? – Quentin Bolton Jan 11 '23 at 09:59
  • This is how I think an attack would play out and correct me on any mistakes: Phone rootkit creates an outbound connection to hacker’s server from the default vulnerable running service on ssh port of computer. Server would use something like powershell or a Linux software to log in remotely and execute a malicious script on computer. – Quentin Bolton Jan 11 '23 at 09:59
  • I understand somewhat about DNS redirection. Although there is no web browsing occurring in this specific scenario, I would still like to know why certificate errors would show on websites if web browsing did occur. – Quentin Bolton Jan 11 '23 at 10:01
  • @BenVoigt: Can you elaborate more on this? Are there other things a hacker can use to his advantage that hasn’t been mentioned? – Quentin Bolton Jan 11 '23 at 10:18
  • @QuentinBolton: Pretty much just the things that have already been mentioned (e.g. HTTPS hijacking). Just that they don't have to wait for the user to open a web browser; they can take place on connections open in the background like Windows Update downloads. – Ben Voigt Jan 11 '23 at 14:57
  • @BenVoigt: Thanks for clarifying. What do you think about a Bluetooth attack? I know Bluetooth is a terrible security nightmare (will link a reference here soon). Say without even using a hotspot, infected phone whether on or supposedly off, from a few feet away up to 200 feet away from computer, could perform a Bluetooth attack in hidden (if phone is on, screen shows Bluetooth is off), and without myself pairing the computer and phone manually? – Quentin Bolton Jan 11 '23 at 18:23
  • If there's a vulnerability in the Bluetooth stack on the computer then yes, a compromised smartphone could exploit it. Display of Bluetooth status cannot be trusted on a compromised device. Having no manual pairing will restrict the attack surface... the adversary can only exploit pre-pairing vulnerabilities (although exploits can be combined, e.g. using one to pair without user permission, and then using the paired connection to perform remote code execution). – Ben Voigt Jan 11 '23 at 18:39
  • @BenVoigt, even without pairing manually, the phone rootkit should be able to pair phone and computer at will if Bluetooth is of course turned on for both devices, correct? Or will there perhaps be a one time prompt on computer asking to accept the new phone connection? Also, I understand about combining exploits, but not pre-pair vulnerabilities specifically. – Quentin Bolton Jan 12 '23 at 05:55
  • Here is the reference btw I mentioned above for Bluetooth Security Issues: https://security.stackexchange.com/questions/26356/what-can-an-attacker-do-with-bluetooth-and-how-should-it-be-mitigated. – Quentin Bolton Jan 12 '23 at 07:56
  • @QuentinBolton: Yes, if there's no vulnerability in the PC Bluetooth stack, it will require user consent to a pairing request. Typically not just a yes/no "do you accept", but inputting a PIN displayed on one device into the other. – Ben Voigt Jan 12 '23 at 15:09
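The last part of the thread establishes that an unpaired nearby device can only reach the PC's pre-pairing Bluetooth attack surface, and that the phone's own Bluetooth indicator cannot be trusted once the phone is compromised. The PC-side counterpart is to verify the radio's state on the computer itself and turn it off when it is not needed, which removes that surface entirely. This is an added PowerShell example, not code from anyone in the thread; it assumes an elevated prompt and uses the standard PnP cmdlets.

```powershell
# Added example (not from the original thread): inspect the PC's Bluetooth devices
# and disable the radio when Bluetooth is not in use, so there is no Bluetooth stack
# listening for a nearby device at all. Assumes an elevated PowerShell prompt.
#Requires -RunAsAdministrator

# Enumerate Bluetooth-class devices: the radio itself plus anything already paired.
# Status 'OK' means enabled and present; 'Disabled' means the device is turned off.
Get-PnpDevice -Class Bluetooth -PresentOnly |
    Select-Object FriendlyName, Status, InstanceId |
    Format-Table -AutoSize

# Disable every present, enabled Bluetooth-class device (radio and paired entries).
# Re-enable later with Enable-PnpDevice on the same InstanceId values.
Get-PnpDevice -Class Bluetooth -PresentOnly |
    Where-Object Status -eq 'OK' |
    Disable-PnpDevice -Confirm:$false
```

Checking the PC rather than the phone matters here for the reason Ben Voigt gives: the compromised phone's screen can show Bluetooth as off while the radio is active, but the PC's own device state is what determines whether anything on the PC is reachable.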