Help! I got hijacked!

From time to time, I receive mails from people asking for help as their systems got compromised.

As the symptoms, analysis, countermeasures and solutions are almost always the same, I thought I should put this down here.

What are possible symptoms?

If you are experiencing odd things on your computer or mobile device such as:

  • mails get marked as read even though you didn’t read them
  • you try to open a certain website but end up on another one
  • very slow network performance even though you have a good signal
  • high network traffic (e.g. your data allowance is used up very quickly)
  • you see more advertisements than usual
  • you see unusual error messages
  • you can’t start a program or app that used to work before
  • weird mouse or keyboard behavior
  • windows or programs opening or closing on their own

then your system might be compromised.

There is much more that might indicate a compromise. However, each of these points can also have other, simple causes, including software bugs and misconfigurations.

So these symptoms, or any other unusual behavior of your network devices, can only warn you; they are not proof of a compromised system. Further investigation is needed.

What could have happened?

There is a wide range of possibilities for a compromised system. Let’s break it down into the following five categories:

  1. The mobile device
    • an iPhone or iPad could have been jailbroken
    • an Android phone could have been rooted
    • a configuration profile could have been installed that redirects all traffic (e.g. through a proxy or VPN)
    • a bad App might gather user data and location information
  2. The computer (Mac or PC)
    • it could run malware such as a virus, trojan or keylogger
  3. The Router
    Usually, on your network, there is a Router which contains a DSL or Cable modem that connects your network to the internet. The Router can also include a WiFi access point, so that you can connect your mobile devices, and a switch which lets you connect LAN cables for your desktop PC or other non-WiFi devices. These three parts (modem, WiFi access point, switch) can also be separate devices and need not be in one box. Each of these network devices can have the following issues:
    • it could run malware
    • it could have been re-configured remotely
    • its credentials could be known to others (WiFi password, admin password)
    • it could have security flaws and/or backdoors
  4. External accounts
    For each external account such as Mail, iCloud (Apple ID), Google Play, Facebook, Twitter etc., your credentials might have been stolen.
  5. Network
    • an unknown network device (or a known device with malware or security flaws) is attached to the network (via cable or WiFi) and captures traffic or allows intruders to get in from outside
    • traffic is being intercepted (man-in-the-middle)

What could NOT have happened?

Of course, as computer systems run software, almost anything is possible. For a typical home user, however, the following are at least very unlikely and should not be your first suspicion:

  • getting hijacked or compromised via Bluetooth or NFC
  • cell network (3G, 4G, LTE) man-in-the-middle attacks
  • an iPhone or iPad “virus” that spreads on its own
  • remote access to an un-jailbroken iPhone or iPad without user consent

None of these is impossible; such attacks exist, but they are targeted and expensive compared to the everyday causes listed above, so rule those out first.

Also, seeing many WiFi networks in your surroundings, even on the same channel or frequency, is in general harmless. It may slow your WiFi down, but it does not by itself mean anyone is attacking you.

So where to start?

So there are many ways a system might have been compromised. It could even be a combination of them, or one that led to another. For instance, a virus or trojan could have revealed passwords to an attacker.

However, there are a few easy things you can start with, especially by using my Network Toolbox App:

  1. Perform a network scan
    • use your iPhone/iPad on your local network via WiFi, not Cell
    • Start Network Toolbox
    • open the Network scan tool
    • using the [=] button to the right of IP-from, select Local IP
    • enable “Advance scanning” and “Check for web interface”
    • start the scan
    • when the scan has completed, tap the refresh button at the top for another scan
    • You may notice that additional devices appear on the list (green background) which were woken up by the first scan. If so, keep refreshing until no new device appears.

    At this point, you have a list of all devices connected to your network which can be discovered. There may be more which hide themselves, but at least it is worth double-checking the discoverable devices.

    Now, go through every single entry on the list to find out whether it is a network device you know about. This can be easy or difficult depending on the information a device provides. Sometimes a name or other information is already displayed in the list which helps to identify the device. Another possibility is to open the web interface, if that particular device offers one: tap on the entry in the list, then tap on the web-interface menu on the detail screen. Sometimes this web interface reveals the name of the device. Finally, if the device supports UPnP or Bonjour, you can drill down into that information on the device detail screen to find out more about it.

    If it turns out that you know all the devices revealed by the network scan, good! Apart from hidden devices, this is a good sign that nothing unknown is attached to your network.

    If not, and there are devices where you have absolutely no idea what they could be, physically disconnect everything from your router (unplug the cables) and scan again. If there are still unknown devices, change the WiFi password on your router, enter the new password only on your iPhone/iPad and scan again. If the device has now disappeared, it was connected via WiFi.

  2. Check your network for public-facing open ports
    To find out if and which ports can be accessed from outside, just follow these steps:
    • use your iPhone/iPad on your local network via WiFi, not Cell
    • Start NetworkToolbox
    • Select the Devices tool
    • Tap on Network
    • Tap on Public IP Address
    • Write down this IP address
    • Leave the App and open the Settings app on your device
    • Switch off (disable) WiFi completely
    • Ensure that NetworkToolbox is allowed to use Cellular Data (Settings – Cellular)
    • Reopen NetworkToolbox
    • open the Scan portscan tool
    • enter the IP address you wrote down before
    • tap on scan

    After this procedure, you will see which ports of your local network are open to the public. Usually there should be none, or only 5060 (SIP) if you are using VoIP. If more ports are open, this could have the following reasons:

    • You intentionally opened this port in your router settings
    • Your router has a security flaw (often the case for old routers that are no longer updated)
    • Your router has been compromised

    One caveat: if your provider uses carrier-grade NAT, the “public” address you wrote down is shared with other customers, and a scan from the Cell network may not reach your router at all. In that case a result of “no open ports” proves little; check your router’s port-forwarding and remote-management settings directly instead.
  3. Check for issues on your iPhone/iPad
    • use your iPhone/iPad on your local network via WiFi, not Cell
    • Start NetworkToolbox
    • Select the Devices tool
    • Tap on Network
    • Write down or note the “Local IP Address”
    • Scroll down to interfaces
    • Locate the interface which uses the same IP address. On WiFi this should be an interface starting with “en” (normally en0).
    • Do the same with your iPhone connected to Cell; there the interface is normally pdp_ip0.

    If your address instead sits on a utun (or similar tunnel) interface, your traffic is going through a VPN or another tunnel. This might be what you want, but if you never set one up, this is an issue.

    In addition, and especially if the interface is a tunnel interface, do the following:

    • Go to Settings on your device
    • Look whether you have a menu called “VPN”. If you have not set up a VPN, this should either not exist or be empty.
    • Tap on “General” on the Settings screen
    • Scroll down and check, just above the “Regulatory” menu, whether you can see a “VPN” menu here. Again, this should normally not exist or be empty.
    • At the same location, check whether you can see a “Profiles” menu. This should also not exist or be empty if you haven’t set up or used configuration profiles.

    Now, finally check whether your iPhone/iPad might be jailbroken by the following steps:

    • Check if an App called “Cydia” exists on your device. If it does, the phone is jailbroken. You can search for Cydia using the search bar (Spotlight), or you can just look for it by browsing through the iPhone manually. If the Cydia app isn’t present, you will see only “Search Web” and “Search Wikipedia” suggestions at the top of the screen.
    • In the same way, search for “Installer” and then “Icy”. If either of these is found, the device is jailbroken.

    Finding one of these apps is strong evidence of a jailbreak; not finding them is weaker evidence, because newer jailbreaks install package managers under other names.
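
The hard part of step 1 above is the bookkeeping: merging several scan passes and deciding which entries are known. The following is an added example (not code from the Network Toolbox app) that does exactly that. The scan rows and the device inventory are constructed, and the (ip, mac, name) row format is an assumption about what a scanner would export. It also flags one pitfall the text does not mention: current iOS and Android versions use a randomized MAC address per WiFi network, so your own phone can show up as an “unknown” device.

```python
# Added example, not code from the Network Toolbox app: merge several scan
# passes and compare the result with an inventory of devices you know about.
# The scan rows and the inventory below are constructed; a (ip, mac, name)
# row format is an assumption about what a scanner would export.
import ipaddress

# Constructed output of two scan passes, as in the "refresh" step above:
# the Raspberry Pi and one more device only answered in the second pass.
SCAN_PASS_1 = [
    ("192.168.1.1", "F4-F2-6D-AA-BB-01", "router.home"),
    ("192.168.1.20", "a4:83:e7:12:34:56", "Marks-iPhone"),
    ("192.168.1.50", "00:11:22:33:44:55", None),
]
SCAN_PASS_2 = [
    ("192.168.1.1", "f4:f2:6d:aa:bb:01", "router.home"),
    ("192.168.1.21", "b8:27:eb:11:22:33", None),
    ("192.168.1.77", "da:a1:19:01:02:03", None),
]

# Inventory keyed by MAC address (stable across DHCP leases), not by IP.
KNOWN_DEVICES = {
    "f4:f2:6d:aa:bb:01": "DSL router",
    "a4:83:e7:12:34:56": "my iPhone",
    "b8:27:eb:11:22:33": "Raspberry Pi (media server)",
}


def normalize_mac(mac):
    """Canonical lower-case colon form, so 'F4-F2-6D-..' equals 'f4:f2:6d:..'."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True if the 'locally administered' bit (0x02 of the first octet) is set.
    Current iOS and Android versions use such randomized MACs per WiFi network
    by default, so your own phone can appear under a MAC you never recorded."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def merge_scans(*passes):
    """Union of all passes keyed by normalized MAC, keeping the latest IP and
    the first non-empty name seen for each device."""
    merged = {}
    for rows in passes:
        for ip, mac, name in rows:
            key = normalize_mac(mac)
            old = merged.get(key)
            merged[key] = (ip, key, name or (old[2] if old else None))
    return merged


def triage_devices(merged, known):
    """Split merged devices into known / unknown / randomized-MAC, sorted by IP."""
    labels = {normalize_mac(m): label for m, label in known.items()}
    report = {"known": [], "unknown": [], "randomized_mac": []}
    for mac, (ip, _, name) in sorted(merged.items(),
                                     key=lambda kv: ipaddress.ip_address(kv[1][0])):
        if mac in labels:
            report["known"].append((ip, mac, labels[mac]))
        elif is_locally_administered(mac):
            report["randomized_mac"].append((ip, mac, name))
        else:
            report["unknown"].append((ip, mac, name))
    return report


if __name__ == "__main__":
    result = triage_devices(merge_scans(SCAN_PASS_1, SCAN_PASS_2), KNOWN_DEVICES)
    for bucket, rows in result.items():
        print(bucket)
        for ip, mac, info in rows:
            print(f"  {ip:15} {mac}  {info or '(no name)'}")
```

With the constructed data, 192.168.1.50 is the only truly unknown device; 192.168.1.77 lands in the randomized-MAC bucket, which is where you should expect to find your own phones and tablets before treating them as intruders.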

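Step 2 above relies on the app’s port scanner. The following is an added example (not code from the Network Toolbox app) of the same kind of TCP connect scan, with a triage of the result along the lines of the text: treating only 5060/SIP as expected, and only when you use VoIP, is an assumption you should adjust to your own router configuration. The port labels are common service assignments. The built-in self-test scans a listener on 127.0.0.1, so it runs without touching the internet; for the real check, run it from the Cell network against the public address you wrote down.

```python
# Added example, not code from the Network Toolbox app: a TCP connect scan of
# the kind the port-scan step performs, plus a triage of the result. The port
# labels are common service assignments; treating only SIP/5060 as expected
# (and only when you use VoIP) follows the text above and is an assumption
# you should adjust to your own router configuration.
import socket
from concurrent.futures import ThreadPoolExecutor

# Services often found exposed on home routers and why they matter.
PORT_NOTES = {
    21: "FTP",
    22: "SSH",
    23: "Telnet (unencrypted admin access)",
    53: "DNS (open resolver if it answers the internet)",
    80: "HTTP (router admin page reachable from outside?)",
    443: "HTTPS (router admin page reachable from outside?)",
    445: "SMB (Windows file sharing)",
    3389: "RDP (Windows remote desktop)",
    5060: "SIP (VoIP signalling)",
    7547: "TR-069/CWMP (ISP remote management)",
    8080: "HTTP alternate",
    8443: "HTTPS alternate",
}


def tcp_port_open(host, port, timeout=1.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except OSError:  # refused, timed out, unreachable, filtered
            return False
        return True


def scan_ports(host, ports, timeout=1.0, workers=32):
    """Connect-scan the given ports in parallel; return the open ones, sorted."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: tcp_port_open(host, p, timeout), ports))
    return sorted(p for p, is_open in zip(ports, flags) if is_open)


def triage_ports(open_ports, uses_voip=False):
    """Label each open port and split into expected vs. unexpected exposure."""
    expected = {5060} if uses_voip else set()
    report = {"expected": [], "unexpected": []}
    for port in sorted(open_ports):
        entry = (port, PORT_NOTES.get(port, "unknown service, look it up"))
        bucket = "expected" if port in expected else "unexpected"
        report[bucket].append(entry)
    return report


def local_selftest():
    """Check the scanner against a listener on 127.0.0.1, without using the
    network: returns (ports found open, the port that was actually open)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # 0 = let the OS pick a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                            # released port: now closed
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()
    return found, open_port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # real use: python3 <this file> <your public IP>  (run from the Cell network)
        found = scan_ports(sys.argv[1], range(1, 1025), timeout=1.0)
    else:
        found, _ = local_selftest()
    for bucket, entries in triage_ports(found, uses_voip=False).items():
        print(bucket)
        for port, note in entries:
            print(f"  {port:5}  {note}")
```

A connect scan only sees TCP services; it cannot tell a port that is filtered from one with no service behind it, and it says nothing about UDP. Finding 7547 or 23 open from the outside is the kind of result that should make you suspect the router itself rather than your PC.
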
What next?

The aforementioned scans and tests may help to track down or narrow down some common network security issues.
If you identified the cause of your issues and found a harmless explanation, or even fixed them, no further action is necessary.
Otherwise, if you are still unsure or even found more indications of a possible intruder or compromise of your network, you now need to decide:

  1. If you want to involve local authorities
    This makes sense if chances are, that your accounts might be compromised resulting in identity theft or losing money. In that case, you should not take any further action on your devices or network in order to allow further analysis and forensic research by specialists.
    or
  2. you just want to clean your network and re-gain security
    In that case, you can start with the steps described in the following section.

How to clean my network?

To reliably clean your network, a lot of work is involved. You may also lose some data or information, and you may need to invest some money. It is important to follow these steps exactly in this order; if not, the whole cleaning process is worthless and needs to be repeated.

  1. Preparation
    As mentioned before, you may lose data or information by following this process, so gather as much as possible before starting. For instance:
    • Write down all the passwords you use on various platforms and devices, including your Mail, Router and WiFi passwords. Also note security questions where possible.
    • Create backups where possible. Some of these backups should never be restored again, since they might be infected too, but keep them just in case.

    Also, obviously, detach all devices you identified as problematic in the previous steps.

  2. Clean your iPhone or iPad
    • On your iPhone or iPad, enable Airplane Mode (so that no Cell or WiFi connection is available)
    • Go to Settings -> General -> Reset
    • Select Erase All Content and Settings

    After this is done, your device is in the same state as right after purchase; any jailbreak has been wiped. Follow the on-screen setup instructions and enter your Apple ID and password. Use Cell only for as long as possible, and enter your WiFi password only if there is no other choice (the router is cleaned in a later step).

    • Let your device download and install the latest iOS version

    After this, your iPhone or iPad is the only device on your network you can trust; any previous issue on the device should be gone. For this reason, perform the next steps using only your iPhone or iPad.

  3. Change your Apple ID password
    • Change the password of your Apple ID on https://appleid.com
    • Enter the new password on your device under Settings -> iTunes & App Store
    • Set up your iCloud account under Settings -> Accounts & Passwords and enable Mail (even if you don’t plan to use your iCloud email account in the future)

    Now you have an e-mail address you can trust (your Apple ID @icloud.com) which can be used for the following steps, e.g. for password-reset mails, if necessary.

  4. Change your Router and WiFi passwords
    These steps depend on the type of router you are using, but they are essential. Consult the manual if necessary. If in doubt, buy and use a new router.
    • Physically restart your Router (power cycle)
    • Use Safari on your iPhone/iPad to access your router configuration page
    • Check for firmware updates and install them
    • Change the password for accessing your router’s web interface and your WiFi credentials (never keep the factory defaults)
    • Enable all available router security measures (e.g. disable UPnP, don’t allow router configuration over the internet, don’t forward any port)
  5. Change all other passwords
    Now, use Safari on your iPad/iPhone to change all other passwords, for instance for your email account if you use one other than iCloud. Don’t forget Facebook, Twitter, Amazon, eBay or wherever else you have an account.
  6. Fix your PC(s)
    If your PCs were infected, or even if in doubt, the best option is to completely set up your PC from scratch.
    From my experience, there is no reliable way to clean an infected PC by using one of the available antivirus products. Even though they claim to, they fail in several situations.
    Ideally, physically remove your old hard drive, buy another hard drive or SSD and set up the operating system from scratch. Finish the installation by installing all available updates for the operating system and drivers.
    Later, you can (temporarily) re-connect your old hard drive to CAREFULLY copy data (NOT PROGRAMS) back to the new drive.
    If you decide to avoid this drastic step, keep in mind that a virus or trojan could have been the root of all your problems. At least let a new, up-to-date virus scanner scan your PC. In this case, it is not enough to install or update a virus scanner on the infected system. Boot from a rescue medium (CD, DVD or USB stick) created on a known-clean machine and scan from there; otherwise, viruses, trojans or keyloggers can hide from a scanner started from the infected hard drive.
    For Macs, malware is less common than on Windows but does exist. macOS ships its own protections (Gatekeeper, XProtect), which Apple keeps up to date, so install the most recent OS update; if in doubt, use a reputable scanner obtained from a clean source.

What else and how to prevent this from happening again?

In addition to the obvious things, probably not worth mentioning again here, you should:

  • Always update everything. This is the most important point. Even though updates occasionally cause problems of their own, the risk of running unpatched software is far higher than the risk of an update going wrong.
  • Throw away devices that can no longer be updated. For instance, if you are using a Router for which no firmware updates are available any more, stop using it and replace it.
  • Always change default passwords. If a device comes with a default password, change it immediately.
  • Avoid services with a history of large breaches (Yahoo, for example), and services you don’t really need.
  • Use 2-factor authentication wherever possible. At the very least, never use the same password for different services.
  • If you want or have to use an Android device on your network, keep in mind that it only stays secure while it receives security updates. Use a device that still gets them (at the time of writing, at least Android 7), be careful when granting permissions to Apps, and think twice whether you really need a certain App, or access to a certain account, from an Android device.