funsec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Mobile phones face hacking threat, experts say

From: Vitaly Osipov <vosipov () hutchison com au>
Date: Thu, 04 Jun 2009 21:29:14 +1000


This is just so theoretical... for starters they cannot really hijack an APN
without a lot of work, APN name is resolved by closed-off pseudo-DNS system
under operator's control. Often phone's traffic simply cannot get out to the
Interned without the help of an operator's proxy, that is what the proxy is
there for. All this attack will achieve is to disable the phone's data
connection, unless the operator has put in specific measures to make the
exploit work :)

Bank accounts? SSL anyone? The phones are much more picky about fake
certificates than any Windows box, so even if an attacker manages to pull
all of the above, they need to pull off a MITM with a phone screaming "bad
cert".

Finally, they say "Proper filtering of OMA Provisioning messages
would entirely block the attack" - I believe this is a simple filter on
SMSC, same as with the last December's Nokia "email message" bug that turned
out to be a non-event, partly because it was so easy to filter out.

V.


On 4/06/09 8:00 PM, "Juha-Matti Laurio" <juha-matti.laurio () netti fi> wrote:


"Accessing your bank account using your mobile phone might seem safe,
but security experts say would-be hackers can access confidential information
via a simple text message
seemingly from your service provider.
People in the industry aware of the risk see it as extremely small,
as only a few people use handsets to access their bank accounts, but it is
growing as mobile Internet usage rises.
In April, the flaw -- which enables criminals to access a cellphone data
connection, steal data or install or remove programmes --
gained wider attention at the BlackHat Europe security conference.
"The hacker does not have to be especially skilled to do this," said Jukka
Tuomi,
chief technology officer at Finnish software firm ErAce Security Solutions.
ErAce said that in some phones using Microsoft's Windows software, users
cannot block the attack,
while Symbian phone users can block malicious messages."
--clip--

More at
http://www.guardian.co.uk/business/feedarticle/8535233

Juha-Matti
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Previous By Date Next
Previous By Thread Next

Current thread: