The phone hacking situation and phone security


Thread: The phone hacking situation and phone security

  1. #1
    Consistent Contributor zwiswoo's Avatar
    Member Since
    Jan 2013
    Post Count
    234

    The phone hacking situation and phone security

    The phone hacking story and discussion is great, but can we take a step back in this thread from the specifics of the SAS issue? It sounds frighteningly easy to gain certain kinds of control of someone's phone if you have access to some ID, but it's not clear to me how much and who can do it. I obviously don't want other game players to have such access, but more to the point I don't want anyone to have this kind of power over MY phone.

    Can someone in the know (don't disclose how to do the attack obviously!) explain
    a) What control precisely is gained? Is it over the CC app alone, or does it include e-mail/address book/browser etc? What about access to the phone hardware itself - calling, camera, GPS...
    b) Is this issue iOS or Android specific? Is a Bluestacks app safe? In principle it should be sandboxed, but the consequences of a breach are that much more severe.
    c) Is it possible (depending on whether the phone is rooted or jailbroken or as bought) to change permissions etc to limit the risk?

    Depending on the answer to a) - c) I am considering uninstalling and cleaning Crime City from my phone/computer. Obviously Gree employees will have access/change rights over my game stats, but there's no way I'd want them or anyone else to be able to take over my phone.

    Edit:
    1. I would really like for some Gree admin to make clear what/how severe any security vulnerability is, and whether there's a patch upcoming. Cheating and hacking game stats is one thing; losing control of the phone to strangers is a whole 'nother level of dangerous.
    2. What precisely is this ID? Is it a phone ID or something generated in-game? Why on earth is it being transmitted in plaintext in every support email if it can be misused?
    3. I really hope Gree can do *much* better than their usual tardy response on this one. Most people, even (especially?) heavy spenders, won't want a dangerous application running on their phone.
    Last edited by zwiswoo; 05-26-2013 at 11:55 AM.
    S
    Level 153
    57.8M A 39.8M D
    25.1M IPH

    Best shanty evar!

  2. #2
    Verbose Veteran the_dude's Avatar
    Member Since
    Oct 2012
    Location
    Welcome to Costco, I love you.
    Post Count
    603
    If you send a ticket to gree that info is in the header. Do not post tickets sent or received, this is against policy anyway.

  3. #3
    Articulate Author Beardy's Avatar
    Member Since
    Apr 2012
    Post Count
    368
    Don't panic..

    It's only possible to gain access to your Crime City account. Everything else on your phone is safe.

    Just don't give out/show people your UDID and you'll be OK.

    Edit:
    1.
    The only thing in danger is your Crime City account (or other games you might play on that phone). But your phone's pictures, contacts, etc. are fine.

    2.
    The ID is the UDID, which is your phone's ID. Looks something like this: db72cb76a00cb81675f19907d4ac2b298628d83 (No, it's not mine.)
    Yeah, Gree should really be encrypting this in the emails. But it shouldn't be a problem unless you give it out to people.

    3.
    Don't count on it.
    Last edited by Beardy; 05-26-2013 at 12:16 PM.
    Transtech Hijinks Event - http://www.funzio.com/forum/showthre...Building-Event
    Dockside Mill Madness - http://www.funzio.com/forum/showthre...ide-Mill-Event
    Pagoda Pandamonium - http://www.funzio.com/forum/showthre...da-Pandamonium




    I am the danger. A guy opens his door and gets shot, and you think that of me? No. I am the one who knocks!

  4. #4
    Articulate Author
    Member Since
    Aug 2011
    Post Count
    345
    Quote Originally Posted by Beardy View Post
    Don't panic..

    It's only possible to gain access to your Crime City account. Everything else on your phone is safe.

    Just don't give out/show people your UDID and you'll be OK.

    Edit:
    1.
    The only thing in danger is your Crime City account (or other games you might play on that phone). But your phone's pictures, contacts, etc. are fine.

    2.
    The ID is the UDID, which is your phone's ID. Looks something like this: db72cb76a00cb81675f19907d4ac2b298628d83 (No, it's not mine.)
    Yeah, Gree should really be encrypting this in the emails. But it shouldn't be a problem unless you give it out to people.

    3.
    Don't count on it.
    From an SAS member! It must be true!
    Lolz jk bro

  5. #5
    Banned
    Member Since
    Nov 2011
    Post Count
    4,193
    I've heard a rumour that someone with the right combination of skills and knowledge can use a udid to clone a device. The implication here is that everything that is stored on your device will be visible to someone who clones your device because the clone is essentially an identical copy of your entire device.

    From my understanding, however, this does not give someone "remote access" to your device. So your camera/mic/GPS can't be viewed/used by "whoever".

  6. #6
    Articulate Author camper killer's Avatar
    Member Since
    Jan 2013
    Post Count
    341
    Ok here are the straight facts from someone who has seen this done....

    by obtaining your device details the "hacker" can take over your entire game.

    it's as if the device the account is ported to is the device the game is meant to be on.

    they can act as the owner of the account in all manners. they can even transfer the account fully to another device and it would never go back to original owner..... unless Gree reassigned it, which takes weeks to do.

    as well, the "hacker" can buy, sell, use, get rid of everything and anything.... if they are really a "hacker" they can add units and delete them at will. they could modify the account in ways you would not imagine.
    Just a little ole friend with a hockey mask and my lucky machete!

  7. #7
    Steady Scribe
    Member Since
    May 2013
    Post Count
    79
    So is it your phone's identification number that links your phone with your Crime City account? Say, for instance, when you uninstall Crime City and wipe all the data and cache, and then when you reinstall the game it remembers your account on your phone. If someone gets your identification number, can they basically create another phone with a fake ID number which is the same as yours and install the game so that it recognises it as you?

  8. #8
    Banned
    Member Since
    Nov 2011
    Post Count
    4,193
    Quote Originally Posted by Alex_ View Post
    So is it your phone's identification number that links your phone with your Crime City account? Say, for instance, when you uninstall Crime City and wipe all the data and cache, and then when you reinstall the game it remembers your account on your phone. If someone gets your identification number, can they basically create another phone with a fake ID number which is the same as yours and install the game so that it recognises it as you?
    Correct.

    10

  9. #9
    Banned
    Member Since
    Sep 2012
    Post Count
    179

    UDID

    From my understanding they could access all data that is stored in the cloud, identified by your phone and not password protected. They would still need to log into your Google account, for example (bad example because of the password needed, but Google's servers might think that their phone is yours after they replace their phone's UDID with yours).

    I'm pretty sure that this UDID info was given freely so that a team-mate could play while they were out of the game for a while. Someone could start randomly changing their phone's ID numbers until they stumbled upon a CC player, but it would take the lifetime of the universe to find the person you are TRYING to find.

    This isn't like running a password cracker on a web login that doesn't stop you after 10 wrong tries.
    This process would take human intervention and couldn't be run at blindingly fast speeds. They might be able to check 100 UDIDs and any associated CC accounts per day if they were dedicated. There are...
    800000000000000000000000000000000000000000000000(4 7 [forty seven] 0's) x 16 (? 0-9,a-f ?) combinations to try!

    The worst-case scenario if you don't give out any information: Someone is changing their UDID randomly and then starting CC. They FINALLY (after 1000 years of trying for 8hrs a day) stumble upon a player that is better than themselves, transfer the account, and are now that person. They change their UDID back, change their real account's name to the name of the person they FINALLY found to hack, change their new, stolen account name to their original name and no one but GREE is the wiser (except their friends who noticed the crazy changes to their account). Now the player that got hacked logs into the game to find that their name is right, their mafia code is wrong and they are playing with a crappy account. GREE would fix this eventually as they would have the logs of the transfer (without a transfer, both devices would still be playing the same account). The account would be reverted to its previous state as of the initial date, 1 day before the transfer.

    P.S. before you accuse me of spreading game hacking information please remember that this process would take about 1000yrs - 1million yrs to have a decent chance of stumbling upon a good UDID to hack. The hacker would be better off just playing the game.

    tl;dr - stop worrying and just keep your phone's info private if you play CC
    Last edited by gambet1234; 05-26-2013 at 02:45 PM. Reason: can't make the numbers 4 and 7 not have a space between them!
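
The account binding discussed in posts #7 to #9, shown as an added example that is not part of the thread and not Gree's code: a device identifier used as the only credential, next to a variant where the identifier only selects the account and a per-install secret proves ownership. All function names, the in-memory stores and the sample identifier are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical in-memory stores; a real service would use a database.
accounts_by_device = {}      # device_id -> account name
install_secret_hashes = {}   # device_id -> SHA-256 of the per-install secret


def register(device_id: str, account: str) -> str:
    """Bind an account to a device and issue a per-install secret.

    The secret goes to the client once; the server keeps only its hash.
    """
    accounts_by_device[device_id] = account
    secret = secrets.token_hex(32)
    install_secret_hashes[device_id] = hashlib.sha256(secret.encode()).hexdigest()
    return secret


def login_id_only(device_id: str):
    """Weak design: whoever presents the identifier is treated as the owner."""
    return accounts_by_device.get(device_id)


def login_with_secret(device_id: str, secret: str):
    """Hardened design: the identifier selects, the secret authenticates."""
    expected = install_secret_hashes.get(device_id)
    if expected is None:
        return None
    presented = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return None
    return accounts_by_device[device_id]


def demo():
    device_id = "0" * 40  # constructed placeholder, not a real identifier
    owner_secret = register(device_id, "owner-account")
    return {
        # Identifier seen by a third party, e.g. in a forwarded support email.
        "id_only_with_disclosed_id": login_id_only(device_id),
        "secret_login_with_disclosed_id": login_with_secret(device_id, "guess"),
        "secret_login_by_owner": login_with_secret(device_id, owner_secret),
    }


if __name__ == "__main__":
    print(demo())
```

With the second design, an identifier that shows up in a ticket header or email is no longer sufficient on its own to act as the account owner.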

  10. #10
    Articulate Author
    Member Since
    Nov 2012
    Post Count
    285
    Hey it's crime city! When crime city gets real. Now go find out where they live and put some taps on them. Use your skills that you have learned, and stop crying.!!

    Lol.

  11. #11
    Lurker
    Member Since
    Mar 2013
    Location
    Cali
    Post Count
    21

    Angry

    Another post so I can meet the stupid minimum and create my own posts.

  12. #12
    Verbose Veteran
    Member Since
    May 2012
    Location
    MD
    Post Count
    831
    So if they can remotely do this with other people's accounts just imagine what they can do with theirs.
    Probably create a syndicate of "top" players.

    Anyway all home movies are now off my phone.
    Last edited by Sandukan; 05-26-2013 at 07:49 PM.

  13. #13
    Banned
    Member Since
    May 2012
    Location
    Las Vegas
    Post Count
    1,651
    Quote Originally Posted by 932 View Post
    So monte are you staying in the syn with the account hackers?? Since your mr righteous and is against all hackers??
    A remedial english course would do you well.

  14. #14
    Master of Musings
    Member Since
    Apr 2012
    Location
    England
    Post Count
    3,981
    Quote Originally Posted by ($$$) snowman View Post
    That has to be a new level of hacking that gree is not prepared for authorities should get in and scope these types of hacks
    Would it be a "glitch" if Solo did it, lol
    "The Tokyo Rose of the Trailer Park"

  15. #15
    Consistent Contributor evj's Avatar
    Member Since
    May 2012
    Location
    Somewhere
    Main Game
    Crime City
    Post Count
    180
    Quote Originally Posted by gambet1234 View Post
    I'm pretty sure that this UDID info was given freely

    tl;dr - stop worrying and just keep your phone's info private if you play CC

    Follow his advice and you're safe.

    The truth is only how its presented!
