Security flaws uncovered in two leading mobile phone operating systems could put users at serious risk. The most serious of these allows an attacker to take complete control of the phone and use it as a bugging device, even when it is on standby.
The flaws were uncovered by MWR Labs, the research arm of British security firm MWR InfoSecurity, which specialises in researching and finding new risks in technology and is warning that the latest mobile phones are wide open to attack.
After investigating the consistent but unconfirmed rumours that many mobile phones are at risk, MWR uncovered serious security flaws across the industry with two new phones giving considerable cause for alarm.
A flaw in the Palm Pre allows the bugging of a conversation anywhere in the world while the Google Android system allows the theft of user passwords from the phone via its Internet connection. Alex Fidgen from MWR said: “This is one of the most serious implications in mobile technologies to date and calls into question fundamental assumptions about mobile phone security.” He added: “The flaws could have been ‘fixed’ when the mobile phone companies issued new operating software recently but they did nothing.”
The first flaw in the Palm Pre phone allows the complete compromise of the operating system via the receipt of a crafted message, resulting in the ability to upload a back door and then force the phone to transmit and/or record audio and stored data. The impact of this vulnerability is magnified as the exploit can be executed from anywhere in the world and the data can be harvested via the normal carrier networks. This effectively turns the phone into a mobile bugging device with the user completely unaware.
The second flaw allows the harvesting of all username and password data stored by the Google Android operating system within its installed phone browser. The impact of this vulnerability is to potentially allow highly sensitive credential information to be stolen from users, including those credentials used to access online financial portals, e-mail and other commonly used facilities.
“Whilst it is unusual for a genuine and accurate James Bond scenario to be uncovered during research, that is exactly what this represents,” said Alex Fidgen. “This is one of the most serious implications in mobile technologies and really does call into question fundamental assumptions about mobile phone security.
“A user would never know that every word they were saying was being recorded and transmitted back to the attacker, and the attack (once executed) would be trivial to perform. The more investigations we undertake the more problems we are uncovering and this is almost certainly the tip of the iceberg. It asks some fundamental questions about whether security has really been considered in the rush to release new phones and operating systems.”
Of key concern is the increasingly linked nature of business and mobile working, across which the traditional security boundaries are becoming blurred. With mobile phones now capable of receiving e-mails, recording conversations and taking pictures, they represent the perfect medium for fast and accurate data recording, and therefore a perfect target for an attacker. Even more significant is the move to provide mobile banking services on these same phones.