The cell phone use of millions of Americans and foreign nationals has been tracked by the National Security Agency, a massive U.S. spy unit, according to documents provided by renegade intelligence analyst Edward Snowden.
But you don’t need the multibillion-dollar secret budget of the NSA to handle rudimentary hacking. Just ask Delegate Joe Morrissey. Cell-phone hacking is a key element of the sex crime case against him.
The firebrand lawyer and former Richmond prosecutor was indicted on one misdemeanor and four felonies involving an underage girl last week. In a special grand jury indictment and supporting documents, prosecutor William Neely charges that Morrissey had a sexual relationship with the woman when she was younger than 18.
The state’s case against Morrissey may rest on whether his and other smart phones were hacked and imbedded with phony text messages and seminude photos of the woman he employed as a receptionist at his law office.
Proclaiming innocence, Morrissey told reporters outside the Henrico County Courthouse last week that his defense experts have determined he was a victim of a hacker. Morrissey identified her as 24-year-old woman and correctional officer who was in love with the office worker, saying she broke into the cell phones and placed the texts.
“The evidence is overwhelming that she hacked in,” Morrissey said at the news conference. “Our experts have uncovered a hacking device, serial number and the text.”
Morrissey didn’t elaborate on the kind of device, and didn’t respond to an email from Style Weekly seeking details.
But the possibility raises profound questions about just how much you can trust cell phones for such everyday chores as communicating with family and friends, surfing the Web, paying bills or ordering taxis.
Cell-phone hacking is illegal but common. With existing technology and alleged security lapses by cell-phone carriers, experts say, it’s possible to do just what Morrissey says happened to him — although it’s easier to extract information from cell phones than put it in them.
Among the easiest tricks is to break into cell phone voice mail. One method is called “double screwing,” in which two people call one phone at exactly the same time. While the receiving phone is answering, the second caller is sent electronically into voice mail, where simple access codes often are easily breached.
Sending phony text messages, called “spoofs,” is so widespread that you can buy instructions and codes online to send false texts. The website Spoofmytextmessage.com pitches: “the possibility is given to describe yourself as someone else, without noticing by anybody else. … The person, who’ll get the message, isn’t able to distinguish between an imitated message and a real one.”
A key component of any cell phone is the Subscriber Identify Module, otherwise known as a SIM chip, which contains personal data and is transferable. Hacking can be achieved by somehow copying someone’s SIM chip.
That copy then can be used to make calls and send text messages impersonating the phone’s owner, according to cell phone security expert Karsten Nohl, a former University of Virginia graduate student who is chief scientist of Security Research Labs in Berlin.
Asked how such things can be done, a spokeswoman at the CTIA, a Washington-based advocacy group for the cell phone industry, responds that “as you can probably understand, we do not provide instructions on how people can ‘hack’ into people’s devices.” She provided list of precautions that can be taken, such as changing passwords, making them less obvious, and regularly installing security updates from service carriers and manufacturers.
But Nohl has said the cell industry has been negligent in making technological fixes available since 2008, which could have thwarted hacking by groups such as the NSA. He also says that flawed SIM cards make about 750 million cell phones vulnerable to hacking.
One possible way to hack cell phones was revealed last year by security experts at iSec Partners, based in San Francisco. Easily available wireless network extenders, called femtocells, help boost reception for cell phone users living in remote areas where coverage is poor. They cost around $300, and mimic cell phone towers.
They also allow access to the phone including texts, photos and emails, as reported by NPR. Tom Ritter, an iSec Partners security expert, told a conference that his firm easily hacked phones using femtocells, which he called “a bad idea.” One version was made by Samsung for Verizon, which reportedly has taken action to prevent hacking.
It’s unclear whether Morrissey’s experts are saying the allegedly hacked cell phones in question were broken into remotely or if someone had physical access to them, their SIM cards and other electronic components.
Without spyware or direct physical handling of the phone, taking over control remotely would be difficult, says Marc Rogers, a principal security researcher at the San Francisco-based security company Lookout.
“It seems very unlikely,” Rogers says. “If someone had physical access to his phone and it had no pin lock, then maybe. Remotely, this would be a very challenging attack unless he had spyware installed on his phone, but even then that’s not really what spyware does. It would be an unusual piece of spyware. This is not something I’ve heard of happening before.”
In any event, hacking cell phones violates Virginia and federal laws. It’s seen as a crime similar to breaking into someone’s house, says Christopher A. Citropia, a computer law expert at the University of Richmond Law School.
The 1999 Virginia Computer Crimes Act makes violations a class one misdemeanor punishable by 12 months in jail or a $2,500 fine, and the penalties can go higher. Cell phone privacy is considered so important that the U.S. Supreme Court ruled June 24 that police need a search warrant to seize one.
While declining to comment directly on Morrissey’s case or the hacking that the defendant alleges took place, Cotropia says, “It would not shock me to find that’s possible.”
Among lawyers, there’s a new courtroom joke, he says: “It’s the old ‘They hacked my Twitter,’ defense.”