Hackers Can Control Your Phone Using a Tool That’s Already Built Into It

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/2014/07/hackers-can-control-your-phone-using-a-tool-thats-already-built-into-it/

By Kim Zetter
Threat Level
Wired.com
07.31.14

A lot of concern about the NSA’s seemingly omnipresent surveillance over 
the last year has focused on the agency’s efforts to install back doors in 
software and hardware. Those efforts are greatly aided, however, if the 
agency can piggyback on embedded software already on a system that can be 
exploited.

Two researchers have uncovered such built-in vulnerabilities in a large 
number of smartphones that would allow government spies and sophisticated 
hackers to install malicious code and take control of the device.

The attacks would require proximity to the phones, using a rogue base 
station or femtocell, and a high level of skill to pull off. But it took 
Mathew Solnik and Marc Blanchou, two research consultants with Accuvant 
Labs, just a few months to discover the vulnerabilities and exploit them.

The vulnerabilities lie within a device management tool carriers and 
manufacturers embed in handsets and tablets to remotely configure them. 
Though some design their own tool, most use a tool developed by a specific 
third-party vendor—which the researchers will not identify until they 
present their findings next week at the Black Hat security conference in 
Las Vegas.  The tool is used in some form in more than 2 billion phones 
worldwide. The vulnerabilities, they say, were found so far in Android and 
BlackBerry devices and a small number of Apple iPhones used by Sprint 
customers. They haven’t looked at Windows Mobile devices yet.

[...]

--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/