How state security ministers’ phones could have been cloned

State security minister Ayanda Dlodlo.

Security analysts are pointing at a possible inside job regarding the cloning of mobile phones belonging to state security minister Ayanda Dlodlo and her deputy, Zizi Kodwa.

The analysts say that, although details are thin at the moment, the confirmation that the phones were cloned leaves a lot to the imagination about what happened, what information was accessed and how it could have happened.

On Wednesday, the country was shocked by news that Dlodlo, Kodwa and several people within the ministry had their phones cloned by unknown suspects.

State Security Agency spokesperson Mava Scott told eNCA that the matter is being dealt with by Gauteng police.

“There are incidents of cloning, particularly of a deputy minister, the minister and several officials. This was discovered a few days ago. The information we have is that the operation is happening around Johannesburg,” said Scott.

Keep it locked

Leon Jacobs, chief technology officer at cyber security consulting firm SensePost, says: “Personally, I would not be particularly worried about phone cloning per se, but rather who knows the passphrase to my device, or has biometrics enrolled to unlock the device. An up-to-date, modern mobile device is at its most vulnerable while it is unlocked and, truthfully, I suspect this may have been the state the devices in question may have been to perform a clone.”

According to Jacobs, ordinarily by design, the security model of modern mobile devices means it should be impossible to clone a locked device.

He explains: “That said, at the very least, physical access is typically required, but I would not completely rule out the fact that it, in theory, could be possible remotely, albeit at the cost of using a sophisticated exploit chain to achieve it.

“In the more likely case of someone having access to an unlocked device (implying physical access), the device could be connected to a computer in an attempt to transfer data, or on some mobile operating systems, a malicious application could be installed to try and steal information from a device.”

However, IT services analyst at Africa Analysis Derrick Chikanga believes the cloning of a device is achieved in various ways that include using software that enables the ‘Bluetooth-like’ transfer of data between two devices.

“Often individuals install software they are unfamiliar with and that has the potential to steal information from their devices. This enables the remote access of the compromised device by the attacker. Another method is through the use of an International Mobile Equipment Identity number to duplicate a SIM card, which can then be used to receive calls and text messages by the attacker. Often this happens without the owner being aware.”

Analysts say cases of cloning of phones in SA are few and far between, as most current cyber attacks are for financial gain rather than tracking an individual’s activities on a mobile device.

Jacobs says: “I am not aware of any evidence that would be able to answer a question about the prevalence of phone cloning in the country. Without details, cloning a phone could mean any number of things, such as cloning a SIM card or exploiting a vulnerability on a device to gain access to information. In its simpler and more plausible form, having access to someone’s device while it is unlocked and copying data off of it as a result could also be considered cloning a phone.”

When clones attack

Chikanga, however, says such cases occur when people install suspicious malware on their devices that has the potential to modify device settings and steal sensitive information.

“People should be vigilant of any possible cyber attacks that might personally compromise their information. However, they should also be more alert towards possible phishing, malware and ransomware attacks as these are expected to become more sophisticated in the current year.”

Similarly, Jacobs cautions that depending on the method and sophistication of how a clone was performed, it may be impossible to tell if a device was cloned.

“The more obvious signs may be abnormal activity while using the device, or other signs that information that would typically only be on your mobile device, was used elsewhere.

“The best advice I can give would be to ensure your device is running the latest operating system, has a sufficiently secure passphrase and that you ensure it is not handed over to someone while in an unlocked state. If at all possible, simply not having sensitive information on your device would also obviously reduce the risk of what could be stolen in any attack.”
