'Jester' boasts of QR code-based smartphone hack

An alleged hacker calling himself 'The Jester' claims to have exploited security vulnerabilities on smartphones to spy on members of terrorist organisation Al-Qaeda and activist network Anonymous. On closer examination, however, the story turns out to be bluff and bluster.

The Jester claims to have compromised hundreds of smartphones using a link distributed via a QR code and to have stolen address books, text logs and emails from targeted victims. The hack is alleged to make use of a security vulnerability in the WebKit engine used in the browsers in iOS and Android. The 'hacker' claims to have compromised the phones of 500 out of 1,200 visitors to a crafted webpage over a five day period and to have stolen personal data from a significant number of activists.

The technical details of the hack given are, however, not credible. The security vulnerability he claims to have exploited, CVE-2010-1807, has been in the public domain since autumn 2010 and was fixed in most browsers shortly thereafter. That does not sit well with his claimed success rate of 40 per cent of visitors. Similarly, he claims that a single exploit was able to bypass the security mechanisms present in multiple versions of iOS and Android. A more likely explanation is that The Jester is playing mind games with his enemies.

Security expert Georg Wicherski also has his doubts saying that "exploit cannot work on Android 2.3 as he claims and I doubt it worked reliably anywhere else", pointing out NX protection. Furthermore, he notes that the exploit code published by The Jester is a copy of a publicly available, but non-functional, demo.

Despite this case being a hoax, the increasing reach of QR codes means that they are likely to become increasingly attractive to criminals. Cases of QR codes being used to spread an Android trojan (dubbed in some quarters 'attagging') were seen last autumn.

(ehe)