Vulnerability Development mailing list archives

Automatic updates (was: Nokia 7110 Wap Browser Hole)


From: Bluefish <11a () GMX NET>
Date: Sun, 23 Jul 2000 02:04:59 +0200

Well, the 7110s are flash upgradable, from remote, so your objection seems
to be invalid, although I don't know what's worse.....

Errm... automatic upgrades may not be the ultimate solution, no. The
obvious attack is to try forging an update. However, given reasonably
secure authentication maybe it is good enough.

I guess the big question is how much money attackers are ready to spend on
attacking the authentication key (with the growth of e-commerce via
phones, we have to assume attackers will spend a lot of effort and money on
it, IMHO).

Or, what kind of people have access to the authentication key, how
secure is the updating scheme itself etc etc.

But honestly I don't think automatic updates must be less secure than
simply pointing your browser to windowsupdate.microsoft, or worse, totally
unauthenticated updates like red hat's rpm. Unless I'm missing something,
software updates via the internet aren't very secure today. At best you
receive an e-mail with md5-checksums to verify yourself.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
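
Added example, not part of the original post: a comparison of what a receiver can conclude from a plain checksum versus a keyed authentication tag on an update, including the case the post worries about where the authentication key itself is exposed. The use of HMAC-SHA256 with a shared key, and all names, keys and image contents, are assumptions made for illustration; a deployed scheme could instead use public-key signatures so the device holds only a verification key.

```python
import hashlib
import hmac

# Constructed sample data: not real firmware and not a real key.
VENDOR_KEY = b"constructed-demo-key"
GENUINE = b"update image, genuine (constructed sample)"
FORGED = b"update image, modified in transit (constructed sample)"


def checksum(image):
    # Unkeyed digest. The post mentions MD5; SHA-256 is used here, and the
    # result is the same for any unkeyed hash: anyone can recompute it.
    return hashlib.sha256(image).hexdigest()


def tag(image, key):
    # Keyed digest: producing a valid value requires the key.
    return hmac.new(key, image, hashlib.sha256).hexdigest()


def checksum_ok(image, digest):
    return hmac.compare_digest(checksum(image), digest)


def tag_ok(image, value, key):
    return hmac.compare_digest(tag(image, key), value)


def run_cases():
    """Return the verifier's decision for each delivery scenario."""
    return {
        # Image and checksum arrive over the same channel; both were replaced.
        "forged image, recomputed checksum": checksum_ok(FORGED, checksum(FORGED)),
        # Genuine image with the vendor's tag.
        "genuine image, vendor tag": tag_ok(GENUINE, tag(GENUINE, VENDOR_KEY), VENDOR_KEY),
        # Forged image sent with the tag copied from the genuine image.
        "forged image, copied tag": tag_ok(FORGED, tag(GENUINE, VENDOR_KEY), VENDOR_KEY),
        # Forged image tagged with a key the sender guessed.
        "forged image, guessed key": tag_ok(FORGED, tag(FORGED, b"guess"), VENDOR_KEY),
        # The key has leaked: the check passes and proves nothing.
        "forged image, leaked key": tag_ok(FORGED, tag(FORGED, VENDOR_KEY), VENDOR_KEY),
    }


if __name__ == "__main__":
    for case, accepted in run_cases().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The checksum case is accepted because the check only shows the image matches the digest that came with it, while the last case shows that the whole scheme is only as strong as the handling of the key.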

