Introduction
Bluetooth Hacking
SMS spoofing
Mobile cloning
Obscene material published in electronic form
Bibliography




 









The new phony crime: SMS spoofing
What would you do if you received a Short Messaging Service (SMS) message on your cellphone in
the middle of the night from your spouse's mobile, asking you to bring cash because he has met
with an accident?

The chances are that you would check the mobile number and, if you were sure that the number was
your husband's, you would rush out with cash. If that would be your response, then the chances are
that you are not aware of "mobile spoofing." Using web-based software, a cyber criminal could
send you a message that appears to come from your husband's cell without even touching his mobile.
And mind you, no cellular service provider can say that it was a spoofed or faked one.

This "SMS spoofing" has been successfully tested by the Pune-based Asian School of Cyber
Laws (ASCL), which is the pioneering institute in the field of education, training and
consultancy in cyber laws, cyber crime investigations and information security. The Director of
ASCL, Rohas Nagpal, said that the school conducted an experiment at the national and
international levels wherein they were able to successfully spoof SMS messages and make them
appear to come from another person's cellular phone.

Nagpal said it has issued a caution note to all law enforcement agencies as well as cell phone
users to be careful in relying upon the authenticity of SMS messages. These people were using the
GSM-based cellular phone services in various parts of India and other Asian as well as
African countries. The countries that participated in the experiment included USA, Malaysia and
India, wherein the senior police officials and IT professionals were informed about the
experiment which was being carried out.

They were told they could try to verify the authenticity of the spoofed numbers. But none of
them could do so. They were told to contact the telecommunication authorities to verify if the
number is genuine. But even the authorities were fooled, Nagpal added. He said using this SMS
spoofing it is also possible to send an SMS to anyone on the cell phone without touching it. Thus
if the person goes to the reply mode of the phone and writes any reply text after receiving the
spoofed SMS, it will again come back to the same person.

This is because the spoofed SMS may contain the person's own cell number, he said. The cyber
criminal can send a spoofed SMS from any part of the continent to anybody, Nagpal said.
Explaining how this SMS spoofing can be misused by criminals, Nagpal said a woman in a
foreign country received an SMS that her husband badly needed a large amount of cash as he was in
deep trouble. Since she received the SMS from her husband's cell number she rushed out.

The moment she stepped out of her house, she was attacked and the whole cash was stolen.
Some websites also provide a spoofing facility and therefore the risk of SMS spoofing is
enormous. Unless there is cooperation between the website owners and the administrators of
message servers it is very difficult to detect the perpetrator of the crime.

While the scope for misuse of SMS spoofing is enormous, the ASCL has used it in a positive
manner to help the investigating agencies and law enforcing agencies trap terrorists and narcotic
dealers. This was done by spoofing the message with the cell number of their acquaintances.

In one case an SMS was sent to the narcotic dealer to bring the drug consignment to a particular
place. The dealer mistook the cell number to be that of his acquaintance and went to deliver the
drug, only to be arrested. Thus SMS spoofing can be a very effective tool for the investigating
agencies to trap criminals and underworld gangsters by sending SMS to their cell phones.
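
A handset displays whatever originating address (the TP-OA field of the SMS-DELIVER PDU defined in 3GPP TS 23.040) the delivered message carries, and nothing in the PDU authenticates it. The following added example, which is not part of the original article, decodes that field and flags a message that claims the recipient's own number (the case described above) and, going slightly beyond the article, a free-text sender ID. The function names, phone numbers and PDUs are constructed for illustration.

```python
# Added example: decode the sender field (TP-OA) of an SMS-DELIVER PDU.
# All PDUs and phone numbers below are constructed samples.

def swapped_bcd(octets: bytes, ndigits: int) -> str:
    """Phone digits are stored two per octet with the nibbles swapped."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in octets)[:ndigits]

def gsm7_unpack(octets: bytes, nchars: int) -> str:
    """Unpack 7-bit septets (LSB first). Letters, digits and space share
    their code points with ASCII, which is all this example needs."""
    bits = int.from_bytes(octets, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(nchars))

def parse_sender(pdu_hex: str) -> dict:
    raw = bytes.fromhex(pdu_hex)
    pos = 1 + raw[0]                    # skip the service-centre address
    if raw[pos] & 0x03 != 0:            # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_len, toa = raw[pos + 1], raw[pos + 2]   # length in semi-octets, type
    noct = (oa_len + 1) // 2
    value = raw[pos + 3 : pos + 3 + noct]
    if len(value) < noct:
        raise ValueError("truncated originating address")
    ton = (toa >> 4) & 0x07             # type of number
    if ton == 0b101:                    # alphanumeric sender ID
        return {"kind": "alphanumeric",
                "sender": gsm7_unpack(value, oa_len * 4 // 7)}
    digits = swapped_bcd(value, oa_len)
    return {"kind": "numeric",
            "sender": ("+" if ton == 0b001 else "") + digits}

def sender_warnings(pdu_hex: str, own_number: str) -> list:
    """Sanity checks on the claimed sender; neither proves authenticity."""
    info = parse_sender(pdu_hex)
    warnings = []
    if info["kind"] == "alphanumeric":
        warnings.append("free-text sender ID: cannot be called back to verify")
    elif info["sender"].lstrip("+") == own_number.lstrip("+"):
        warnings.append("claims to come from the recipient's own number")
    return warnings

OWN_NUMBER = "+441632960123"   # constructed, from a reserved fictional range
PDU_OWN = "00040C9144612369103200004210804100210002C834"    # sender = own number
PDU_ALPHA = "000409D04166514A0500004210804100210002C834"    # sender = "ALERT"
PDU_OTHER = "00040C9144612369406500004210804100210002C834"  # some other number

if __name__ == "__main__":
    for name, pdu in [("own", PDU_OWN), ("alpha", PDU_ALPHA), ("other", PDU_OTHER)]:
        print(name, parse_sender(pdu)["sender"], sender_warnings(pdu, OWN_NUMBER))
```

A message that passes both checks is still unauthenticated; the checks only catch senders that are implausible on their face.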




Bluetooth Hacking

You may not realize that walking around with Bluetooth enabled on your cell phone leaves you
vulnerable to hackers. They can easily connect and manipulate your phone simply by using a
Bluetooth connection. We're here to explain how it's done and how to protect yourself from
such an attack.

Hackers today have a new technological device to target. With m-commerce (business
transactions conducted with online mobile devices) becoming increasingly popular, the
vulnerability of mobile devices has also become an area of concern.

Bluetooth is a short-range wireless communication technology that uses the 2.4-GHz frequency
range for its transmission. Most new cell phones have Bluetooth by default these days for things
like wireless headsets, in-car connectivity, syncing with a computer and many other uses. While
Bluetooth has proved to be a very useful tool for cell phones, many are unaware that it opens
doors to hackers.

Cell phones, and the telecommunication industry as a whole, were once a "closed network,"
meaning the technology used was closed from outside hackers (for the most part). Today, as cell
phones become more like mini-computers, the industry has opened up, so to speak, and just as
computers have always been susceptible to attacks, the same is now true for cell phones and
mobile devices.

Up until Bluetooth was incorporated on cell phones, the only communication method used by the
device was the carrier or network connection. Now that Bluetooth has been added, it
provides a perfect entry point for manipulation. The fact that cell phones carry a lot of private
data these days makes "Bluetooth attacks" even more scary. While simply having Bluetooth as
a feature on your cell phone doesn't make you vulnerable to attacks, walking around with the
Bluetooth function enabled and "visible" does. Many people turn on Bluetooth to use a headset
or sync with their computer, and then simply forget to turn it back off when they're done. This is
why Bluetooth hacking has become so prevalent and so easy to do.

When Bluetooth is enabled on your device, it's essentially broadcasting the fact that "I'm here,
and I'm able to connect" to any other Bluetooth-based devices within range. This makes using
Bluetooth simple and straightforward for the consumer, but also lets hackers know which ones to
target very easily. Here's how it's done: a hacker can simply download some special software
and install it on a laptop or netbook. He can then install a Bluetooth antenna on that computer
and put everything in a backpack, briefcase, etc. Now, all he has to do is walk around public
places where a lot of people are concentrated, and let the computer running in his bag do all the
work while no one has any idea what's happening.

The software on the computer will constantly scan the nearby surroundings of the hacker for
active Bluetooth connections, and when it finds them, can do a variety of things without the
owner having any idea what's going on. The entire process is automated for the hacker as well,
so all he has to do is walk around for as long as he can and collect as much data as possible,
which he can then manipulate. Some attacks are less damaging than others, but Bluetooth
allows the hacker to do many things.

Once the hacker's software finds and connects to a vulnerable Bluetooth-enabled cell phone, it
can do things like download address book information, photos, calendars and SIM card details, make
long-distance phone calls using the hacked device, bug phone calls and much more. There's a
myriad of software freely available that's made specifically to attack cell phones via Bluetooth
connections, and every time an update to the technology or certain cell phones becomes available
there's bound to be new hacking software for it. Certain attacks have become so prevalent that
they even have names these days:

"Bluesnarfing" is the term associated with downloading any and all information from a hacked
device, and can even allow the hacker to send a "corruption code" to completely shut the phone
down and make it unusable. "Bluebugging" is an even scarier hack: it involves using special
software to connect to a device and silently making it call another device, usually one the hacker
is using, to act as a phone bug. The hacker can then listen in on anything you and anyone around
you is saying. Beyond these attacks, hackers can use software to route long-distance calls to
worldwide locations to your phone using Bluetooth, which in turn sticks you with the carrier
roaming charges. Likewise, a hacked phone can even remotely be used to make "micro-purchases,"
or purchases that show up on the subscriber's monthly bills.

The possibilities are virtually endless, and these are just a few examples of what can be done
utilizing the Bluetooth connection on cell phones. Many think that they're safe from such
attacks because Bluetooth is such a short-range communication method: a hacker would have to
be within a few feet to be able to do anything. With special antennae that have been developed
solely for this application, hackers can connect to cell phones that are up to 1000 feet and more
away. The entire process is just too easy for hackers; all they need is some special software, an
antenna of some sort and some basic knowledge.

Luckily, not all Bluetooth-enabled cell phones are vulnerable to all attacks. Bluesnarfing and
other attacks may work while bluebugging doesn't on one make and model of cell phone, while
only bluebugging and nothing else works on another. That's why hackers generally set up a
variety of hacks, and when they're out and about performing their attacks on unsuspecting
victims, the software will automatically identify the cell phone model and attack it accordingly in
any way it knows how. The bottom line is any cell phone that has built-in Bluetooth can be
hacked; it's just a matter of what type of hacks can be performed.

The best way to avoid such an attack is to simply remember to turn off your Bluetooth when
you're not using it. A lot of people will simply put Bluetooth in "hidden" or "private" mode,
which they think will hide themselves from attacks, but in reality, hackers have already figured
out how to find them. Disabling the function altogether is the only way to curb an
attack. Bluetooth hacking hasn't become as big a problem in the US as it has elsewhere where
Bluetooth is almost ubiquitous, but it will soon.
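
One way to check this advice on a Linux machine that uses the BlueZ stack, as an added example that is not part of the original article: the script parses the text printed by `bluetoothctl show` and grades each adapter, treating a hidden-but-powered radio as still exposed, as the paragraph above argues. The sample output, addresses, function names and severity labels are constructed for illustration.

```python
import re

# Constructed sample of `bluetoothctl show` output; not taken from a real host.
SAMPLE_SHOW = """\
Controller 00:11:22:33:44:55 (public)
    Name: laptop-a
    Powered: yes
    Discoverable: yes
    DiscoverableTimeout: 0x00000000
    Pairable: yes
Controller 66:77:88:99:AA:BB (public)
    Name: dongle-b
    Powered: yes
    Discoverable: no
    DiscoverableTimeout: 0x000000b4
    Pairable: no
Controller CC:DD:EE:FF:00:11 (public)
    Name: spare-c
    Powered: no
    Discoverable: no
    DiscoverableTimeout: 0x000000b4
    Pairable: no
"""

def parse_controllers(text: str) -> dict:
    """Return {adapter address: {property: value}}; indentation is ignored."""
    controllers, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Controller\s+([0-9A-Fa-f:]{17})", line)
        if header:
            current = controllers.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return controllers

def audit(text: str) -> dict:
    """Grade each adapter: visible radio > hidden radio > radio switched off."""
    findings = {}
    for addr, props in parse_controllers(text).items():
        notes = []
        if props.get("Powered") == "yes":
            if props.get("Discoverable") == "yes":
                raw = props.get("DiscoverableTimeout", "0x0").split()[0]
                timeout = int(raw, 16)   # 0 means visibility never expires
                how = "with no timeout" if timeout == 0 else f"for {timeout}s"
                notes.append(f"HIGH: adapter is visible to scanners {how}")
            else:
                notes.append("MEDIUM: adapter is hidden but still powered on")
            if props.get("Pairable") == "yes":
                notes.append("MEDIUM: adapter accepts new pairing requests")
        findings[addr] = notes           # empty list: radio is off
    return findings

if __name__ == "__main__":
    for addr, notes in audit(SAMPLE_SHOW).items():
        print(addr, notes or ["OK: Bluetooth is powered off"])
```

On a real host the input would be the captured output of `bluetoothctl show`, run while no Bluetooth accessory is in use.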

In Europe, people use Bluetooth and their cell phones to make purchases and to store very
critical financial and personal information. Bluetooth hacking becomes much more serious when
hackers have access to such delicate information. As that technology moves its way to the US, we'll
have to deal with the same issues; that's why it's important to know how it all works and how to
proactively protect yourself.

The awareness, however, with regard to the various methods by which mobile devices can be
hacked and how this can be avoided is minuscule, according to Ankit Fadia, an independent
computer security and digital intelligence consultant.

Addressing a press conference organised to launch his fourth book, 'An Ethical Guide to
Hacking Mobile Phones', Fadia says, "We have always assumed that data stored on mobile
phones is safe. Today we use our mobile phones to send sensitive data, store important
information and even digitally sign on major documents. There is, therefore, greater threat to
data security on mobile phones today."

The 20-year-old computer security expert, who is now close to becoming a billionaire, says, "It
is possible for hackers to clone your SIM card and shift the charges of his calls and messages on
you. Copying the address book, intercepting data, virus infections, password attacks and
automatic locking are the other threats to mobile phones today."

He adds that there have been instances of corporate espionage as well, where businessmen have
complained that their mobile phones were hacked by their competitors for gaining access to
sensitive data.

"The new book that is being launched today not only details the ways in which mobile phones
can be hacked but also explains how this can be avoided. So far, there has not been any book,
globally, on mobile hacking," Fadia says.

Published by Macmillan India Ltd, the book is priced at Rs 220 and will be released abroad in a
month's time.

Fadia, who was consulted for various inter-country cyber crimes, also has corporate clients
ranging from Google and Citibank to Wipro and Satyam. Next year, he plans to come out with a
book on 'People Hacking'. "I also plan to set up restaurants in cities like Pune and Ahmedabad
within the next six months," he adds.

Fadia has also become the brand ambassador for Kuoni Academy of Travel. The firm plans to
start a course on travel BPO and Fadia will be helping them develop the modules for the course
with regard to security issues.

"For instance, identity theft, can be an issue with regard to this industry," Fadia adds. Kuoni
plans to start these courses in Delhi, Hyderabad, Chennai, Mumbai and Bangalore.

Bluetooth is a wireless technology meant for Personal Area Networks. It is a standard for short
range communications (10 meters and a bit more). The communication may be point-to-point
or multipoint. Used mainly in cellular phones, PDAs and laptops, this technology has been subject
to hacking by unscrupulous persons.

After it was proved that Bluetooth devices were subject to theft of data, the term bluesnarfing came
to be used to signify the process of illegally retrieving data from the calendar, contact list, emails
and text messages of a mobile phone.

Bluejacking is the simple act of sending a Bluetooth device an unsolicited message, like a vCard
with a name and message field. It is used for bluedating and bluechatting. This is done using the
OBEX protocol.

With the various attempts and proofs of concept showing that Bluetooth devices can be bluejacked,
security in the communication between wireless devices has been enabled. You could also be
on the safe side by turning off your Bluetooth connection when you do not require it.

Never leave your Bluetooth on.

Although hacking is generally associated with computers, mobile phones are also at risk from
hackers. Mobile phones use wireless connections to access the Internet, and these
connections can be easily hacked into. Phone companies have also been hacked before, with the
hackers gaining access to thousands of mobile phone user records. There are different ways to
hack into mobile phones depending on the type of WAP connection they use. Bluesnarfing, for
example, is the specific method of hacking into phones that use Bluetooth connections. A hacker
would do this in order to copy all of the information on the phone, such as the contacts for
instance.

People are using their mobile phones to send increasingly private information as technology
enables the use of email, etc. on mobile phones. Hacking of a mobile phone can cover the
hacking that involves tricking the mobile phone company into providing free texts, calls or WAP.
It can also include the cloning of SIM cards in order to charge calls under another person's name
and number, or even the use of hacking to gain access to a person's confidential information such
as passwords or various account details.

Cell phone hackers have apparently found a glitch in the way the chips are manufactured. The
good news, though, is that it only applies to the first generation models of cell phones that use
the Global System for Mobile communications (GSM). Another requirement is that the hacker
must have physical access to the cell phone for at least three minutes, which is a real good
reason not to let it out of your sight. Currently, although the problem has been remedied (at least
for now) in the second and third generation phones, it seems that about 70% of existing cell
phones fall within the first generation category.

Another way that mobile phone hacking can take place is for a hacker to walk around an area
with people that have cell phones and a laptop that has cellphone hacker programs on it. Through
an antenna, and a little patience, his computer can literally pick up your cell phone data, if it is
turned on. This is more applicable to cell phones that use Bluetooth technology.

Surprisingly, there are quite a number of things that can be accomplished by the hacker.
Depending on their intent, here are a few of them.

Your phone number can be accessed and obtained by cellphone hacking. This allows
them to make calls and have them charged to your account.

Mobile hacking allows a hacker to contact your cell phone, without your knowledge, and
to download your addresses and other information you might have on your phone. Many
hackers are not content to only get your information. Some will even change all your
phone numbers! Be sure to keep a backup of your information somewhere. This
particular technique is called Bluesnarfing.


Obscene material published in electronic form


For this we turn to Section 67 of the IT Act, which reads as under:

Whoever publishes or transmits or causes to be published in the electronic form, any material
which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave
and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or
hear the matter contained or embodied in it, shall be punished on first conviction with
imprisonment of either description for a term which may extend to five years and with fine
which may extend to one lakh rupees and in the event of a second or subsequent conviction with
imprisonment of either description for a term which may extend to ten years and also with fine
which may extend to two lakh rupees

Of late there have been many instances where a cell phone has been used for making and publishing
obscene or sexually explicit material. This is usually done by a person who has a cell phone
with a camera. A very famous example is the case known by the name of D.P.S
MMS, where a boy with his cell phone made a video of a girl in a compromising situation. In
this regard there has been the famous case of Avnish Bajaj v. State, the facts of which
were as follows.

Facts:

Over three and a half years ago, an internet website carried a listing which offered for sale a
video clip, shot on a mobile phone, of two children of a school in Delhi indulging in an explicitly
sexual act. The petitioner, who was the Managing Director (MD) of the company that owned the
website at the relevant point in time, asks this Court to annul his criminal prosecution for the
offences of making available for sale and causing to be published an obscene product within the
meaning of Section 292 Indian Penal Code (IPC) and Section 67 of the Information Technology
Act 2000 (IT Act).

Baazee.com India Private Limited ('BIPL'), a wholly owned subsidiary of Ebay Inc. USA, and
the owner of the website http://www.baazee.com, was during the relevant period in the process
of being acquired by and consequently renamed as Ebay India Private Limited (EIPL). BIPL had
its main office at Mumbai and another office in Delhi. During November to December 2004 the
petitioner Avnish Bajaj was the MD of BIPL (which later was renamed as EIPL).

The website baazee.com provided an online platform or market where a seller and a buyer could
interact. To be either a seller or buyer a person had to first register himself with baazee.com by
filling out an online form giving details including the name, email id, date of birth (the age had to
be 18 and above). The person registering had to choose an appropriate 'baazee ID' and a
password which would be used every time the person logged on to the website baazee.com to
transact either as a seller or a buyer. While registering, the applicant had to make a declaration to
the following effect

Ravi Raj, a fourth year student of the Indian Institute of Technology (IIT) Kharagpur, was
registered as a seller with baazee.com since 21st July 2004. He had already been using the site
for listing products for sale. His email ID was psell@sify.com.

In the evening of Saturday 27th November 2004, Ravi Raj placed on the baazee.com website a
listing offering an MMS video clip for sale at Rs. 125 per piece. He adopted the seller's name as
Alice Electronics and gave his address as 12-A/39, Roshpa Tower, Main Road, Malanche,
Kharagpur. In order to avoid detection by the filters installed by baazee.com, Ravi Raj included
the clip under the category Books and Magazines and sub-category 'e-books'. Although
baazee.com did have a filter for some of the words which appear on the website, the listing
nevertheless took place.

The court held that a prima facie case for the offence under Section 67 read with
Section 85 IT Act is made out against the petitioner, since the law as explained by the decisions of
the Supreme Court recognises the deemed criminal liability of the directors even where the
company is not arraigned as an accused, and particularly since it is possible that BIPL (EIPL)
may be hereafter summoned to face trial.

Consequently, while the case against the petitioner of the offences under Sections 292 and 294
IPC is quashed, the prosecution of the petitioner for the offence under Section 67 read with
Section 85 IT Act will continue.