August 17, 2011

A new piece of Android software, which installs itself as “Google++”, is a true bundle of joy. Not only does it steal data from the phone, it is also capable of answering phone calls from a predetermined number (after setting the handset to silent and turning on the speakerphone) to allow the attacker to eavesdrop on the surrounding environment.

Much as I chafe at the restrictive nature of the Apple App Store, it really is a model that makes sense for an appliance like a phone. It’s nice to have the added flexibility of a platform like Android, but it also imports all of the security problems of a general computing device along with the capabilities.

iOS Encryption Cracked

May 26, 2011

Elcomsoft, the well-known Russian security company, has released a new tool that allows users to brute-force the encryption keys used by iOS 4 devices. Apparently the usual time to crack an iPhone or iPad is about forty minutes.

Google AuthToken Vulnerability

May 18, 2011

Remember Firesheep? The software plugin for Firefox that allowed users to take advantage of authentication tokens being transmitted in cleartext across a shared medium, like a wireless network?

Apparently Google doesn’t.

Researchers at ULM have discovered a remarkably similar flaw in the communication between Android smartphones and Google web services – if you’re updating your calendar or contacts from a public wifi hotspot, eavesdropping and impersonation attacks are trivial. (This includes the automatic synchronization that is on by default on most handsets.) Apparently a patch is available; and if the history of Android is any indication, it might even be available to end users in a few months. Maybe.


April 26, 2011

I assume that you’ve heard at least some of the wailing and gnashing of teeth about iDevices caching location information, allowing for the use of an iPhone or the computer that it syncs to as a record of the owner’s physical movement.

Well, if you would like to see how thorough it is, check out iPhoneTracker. This is a simple application for OS X that will search the hard drive of your computer, find the cached information from an iDevice that’s synced to that computer, and build a map of where you’ve been with it. Ta-da! If you’re using a Windows machine, check out the Linux port iPhoneMap under Cygwin instead.

Android DHCP Issue

April 20, 2011

Having trouble with misbehaving DHCP clients on Android devices? You are not alone. Check out this entry over at the Google bug tracker.

One of the possible culprits is a DHCP lease timer that’s tied to the system clock; unfortunately, the system clock stops advancing and simply jumps forward when a machine wakes from sleep, so the renewal request is never generated. Nice.
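To make the failure mode concrete, here is a simplified model of a renewal timer across suspend and resume. It is an added illustration, not code from Android or from the bug report; the function name, the lease length and the schedule are all constructed, and it assumes the timer either counts or does not count the time spent asleep.

```python
# Simplified model of a DHCP renewal timer across suspend/resume.
# All names and the schedules are constructed for illustration.
LEASE = 3600          # lease length in seconds
T1 = LEASE // 2       # renewal time; RFC 2131 default is half the lease


def renewal(schedule, counts_sleep):
    """Walk a list of ("awake"|"sleep", seconds) intervals.

    counts_sleep=False models a timer on a clock that stops during sleep;
    counts_sleep=True models one that also counts the time spent asleep.
    Returns when the renewal is sent and whether the lease is still valid
    from the client's point of view and from the server's.
    """
    wall = 0    # real seconds since the lease was granted (server's view)
    timer = 0   # seconds the client's timer has counted
    for state, seconds in schedule:
        if state == "sleep":
            wall += seconds
            if counts_sleep:
                timer += seconds
            continue
        remaining = max(T1 - timer, 0)   # awake time left until T1 fires
        if remaining <= seconds:
            wall += remaining
            timer += remaining
            return {
                "sent_at": wall,
                "client_thinks_valid": timer < LEASE,
                "server_says_valid": wall < LEASE,
            }
        wall += seconds
        timer += seconds
    return None   # timer never fired within the schedule


# Constructed schedule: 10 minutes of use, 2 hours asleep, then 1 hour of use.
LONG_NAP = [("awake", 600), ("sleep", 7200), ("awake", 3600)]

if __name__ == "__main__":
    print("stops in sleep:", renewal(LONG_NAP, counts_sleep=False))
    print("counts sleep:  ", renewal(LONG_NAP, counts_sleep=True))
```

With the timer that stops during sleep, the client sends its renewal 9000 seconds in and still believes the lease is good, although the server expired it at 3600. With the timer that counts sleep, the client finds out on wake that the lease is gone and can ask for a new one.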

Disabling GSM Phones With SMS

March 11, 2011

Researchers at CanSecWest gave a presentation this week on disabling various GSM phones using only SMS messaging. OpenBSC, an open source toolkit, was used to build a custom GSM network and the SMS messages were generated using it. Phones could be frozen, rebooted, locked, even completely bricked.

From one of the comments on the article:

It’s actually pretty well known –has been known for a while, too– that handsets are mostly tested against the few types of base stations Out There and, er, that’s it. Malicious input checking? Never needed; all the base stations are made by just a few manufacturers, right? Right?

Well, that’s what OpenBSC changed. Phones are still back where computers were back in the eighties. And now we can poke at them. There’s more where this came from. Far more.

Wells Fargo BYOH

March 8, 2011

At the end of January, I wrote about the current trend in allowing users to bring their own hardware into an enterprise environment. Some companies are allowing personally owned smartphones and tablets, for example, to connect to their enterprise network. This both makes employees happy and saves the company money.

Other companies are not allowing this. Wells Fargo, for one.

From the article:

“I carry two phones. One for personal, and one for work,” says Martin Davis, executive vice president and head of Wells Fargo’s technology integration office. “I’ve got two iPads in my briefcase, for personal and work. We keep it separate.”

I like the way he thinks.

Applications Pulled from Android Market

March 2, 2011

Google has just removed 21 malicious applications from the Android market – they were all pirated knock-offs of other software, loaded with malware and intended to compromise the handset they were installed upon. Despite their quick action, 50,000 copies had already been downloaded.

New Android Spyware

February 27, 2011

Two new pieces of spyware for the Android smartphone platform have shown up this week – unlike past threats, these are spreading in the US and not just in the Chinese market.

SW.SecurePhone looks especially nasty, recording both data within the phone and sounds in the physical environment and uploading them to a remote server every twenty minutes.

Android Trojan

February 18, 2011

Another trojan for the Android smartphone platform was discovered earlier this week. This is apparently being included in repackaged wallpaper packages and used in the Chinese market. It essentially uses the phone’s data connection in the background to perform search engine queries and click on results; I imagine that click fraud revenue is a motivator.