Vulnerability Development mailing list archives
Automatic updates (was: Nokia 7110 Wap Browser Hole)
From: Bluefish <11a () GMX NET>
Date: Sun, 23 Jul 2000 02:04:59 +0200
Well, the 7110'a are flash upgradable, from remote, so your objection seems to be invalid, although I don''t know what's worse.....
Errm... automatic upgrades may not be the ultimate solution, no. The obvious attack is to try forging an update. However, given reasonable secure authentication maybe it is good enough. I guess the big question is how much money attackers are ready to spend on attacking the authentication key (whith the growth of e-commerce via phones, we have to assume attackers to spend a lot of efforts and money on it, IMHO). Or, what kind of people who have access to the authentication key, how secure is the updating scheme itself etc etc. But honestly I don't think automatic updates must be less secure than simply pointing your browser to windowsupdate.microsoft, or worse, totally unauthenticated updates like red hat's rpm. Unless I'm missing something, software updates via the internet isn't very secure today. At best you recieve an e-mail with md5-checksums to verify yourself. ..:::::::::::::::::::::::::::::::::::::::::::::::::.. http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team
Current thread:
- Automatic updates (was: Nokia 7110 Wap Browser Hole) Bluefish (Jul 23)
- Re: Automatic updates (was: Nokia 7110 Wap Browser Hole) Thierry Mallard (Jul 23)