Information Security News mailing list archives

Mobile phone hacking set to spread: AU experts


From: InfoSec News <isn () c4i org>
Date: Thu, 27 Feb 2003 00:58:28 -0600 (CST)

http://www.zdnet.com.au/newstech/security/story/0,2000024985,20272408,00.htm

By Patrick Gray
ZDNet Australia
26 February 2003
    
United States-based security company @stake (atstake.com) has released
a security advisory detailing a Denial of Service (DoS) vulnerability
in the Nokia 6210 GSM mobile phone, and although the flaw isn't
serious it could be a sign of worse things to come.

The advisory, posted to the bugtraq security mailing list, describes
how a prankster could use the vulnerability to crash a potential
victim's phone.

"There is a vulnerability which allows an attacker to send a malicious
vCard to a handset, causing [it] to crash," the advisory said.

If an attacker has been successful in crafting the malicious vCard and
sending it to the handset, the phone may behave strangely, freeze or
stop accepting vCards.

"This is a good example of why all newly introduced product
functionality should be reviewed to ensure that no new security
vulnerabilities will also be introduced. A cursory source code audit
would find an error of this type," the advisory said.

The vulnerability is not serious - affected users can simply "reboot"  
their phones, but the flaw has sparked renewed interest in the issue
of security vulnerabilities in increasingly complicated mobile phones.

Even though similar vulnerabilities have been found in the past, the
increasing complexity in mobile handsets means this latest discovery
is more relevant than ever, according to John Papandriopoulos, a
Melbourne-based wireless communications researcher.

"As these handsets get more complex, it's hard to have no faults at
all," he told ZDNet Australia.

"I think the number of [exploits] will increase over time," he added.

Papandriopoulos says that current generation handsets are not
necessarily a popular target because there's little that can be done
even if an attacker is able to compromise them.

"I think it's more likely that the motivation would be to
inconvenience people," he said.

As for a mobile phone worm, spreading by sending itself to phonebook
entries, John says this isn't likely to happen for some time.

"At this stage, that's not realistic, but who knows in five years'
time?" he said.

However, as standardised client software becomes a standard feature on
mobile handsets it's only a matter of time before malicious hackers
start paying more attention to wireless worms, according to
Sydney-based security consultant Daniel Lewkovitz.

"The wider the deployment of any given software, the proportionally
larger attention certain people pay to breaking it," Lewkovitz said.

Lewkovitz also says that the rush to get wireless software into the
marketplace may result in deficient security testing regimes being
passed off as acceptable.
 

