"Business technology news for Europe's senior executives...."

MWR Labs Warn Phones Are Open to Third-Party Attack



New research suggests millions of users worldwide could be open to attack due to unsecured mobile phone operating systems.

It sounds like something from a James Bond movie, but security flaws uncovered in two leading mobile phone operating systems could put countless users worldwide at serious risk, according to the findings of new research into mobile security. The most serious allows an attacker to take complete control of the phone and use it as a bugging device, even when it appears to be on standby.

The flaws were uncovered by MWR Labs, the research arm of security firm MWR InfoSecurity, which specializes in researching and finding new risks in technology and is warning that the latest mobile phones are wide open to attack. After investigating the consistent but unconfirmed rumors that many mobile phones are at risk, MWR uncovered serious security flaws across the industry, with two new phones giving considerable cause for alarm. A flaw in the Palm Pre allows the bugging of a conversation anywhere in the world, while the Google Android system allows the theft of user passwords from the phone via its Internet connection.

After vulnerabilities were reported during its quarterly conference Making Sense of Risk, MWR put in place a research project to investigate the rumors. It then uncovered the risks, which led to general concerns over mobile phone security. "This is one of the most serious implications in mobile technologies to date and calls into question fundamental assumptions about mobile phone security," says Alex Fidgen from MWR. "The flaws could have been 'fixed' when the mobile phone companies issued new operating software recently, but they did nothing."

The first flaw in the Palm Pre phone allows the complete compromise of the operating system via the receipt of a crafted message, resulting in the ability to upload a back door and then force the phone to transmit and/or record audio and stored data. The impact of this vulnerability is magnified as the exploit can be executed from anywhere in the world and the data can be harvested via the normal carrier networks. This effectively turns the phone into a mobile bugging device with the user completely unaware.

The second flaw allows the harvesting of all username and password data stored by the Google Android operating system within its installed phone browser. The impact of this vulnerability is to potentially allow highly sensitive credential information to be stolen from users, including those credentials used to access online financial portals, e-mail and other commonly used facilities.

"Whilst it is unusual for a genuine and accurate James Bond scenario to be uncovered during research, that is exactly what this represents" says Fidgen. "A user would never know that every word they were saying was being recorded and transmitted back to the attacker, and the attack (once executed) would be trivial to perform. The more investigations we undertake the more problems we are uncovering and this is almost certainly the tip of the iceberg. It asks some fundamental questions about whether security has really been considered in the rush to release new phones and operating systems."

Of key concern is the increasingly linked nature of business and mobile working, where the traditional security models are becoming blurred. With mobile phones now capable of receiving e-mails, recording conversations and taking pictures, they represent the perfect medium for fast and accurate data recording, and so a perfect target for an attacker. Even more significant is the move to provide banking services via mobile devices.
