http://www.zdnet.com.au/newstech/security/story/0,2000024985,20272408,00.htm By Patrick Gray ZDNet Australia 26 February 2003 United States-based security company @stake (atstake.com) has released a security advisory detailing a Denial of Service (DoS) vulnerability in the Nokia 6210 GSM mobile phone, and although the flaw isn't serious it could be a sign of worse things to come. The advisory, posted to the bugtraq security mailing list, describes how a prankster could use the vulnerability to crash a potential victim's phone. "There is a vulnerability which allows an attacker to send a malicious vCard to a handset, causing [it] to crash," the advisory said. If an attacker has been successful in crafting the malicious vCard and sending it to the handset, the phone may behave strangely, freeze or stop accepting vCards. "This is a good example of why all newly introduced product functionality should be reviewed to ensure that no new security vulnerabilities will also be introduced. A cursory source code audit would find an error of this type," the advisory said. The vulnerability is not serious - affected users can simply "reboot" their phones, but the flaw has sparked renewed interest in the issue of security vulnerabilities in increasingly complicated mobile phones. Even though similar vulnerabilities have been found in the past, the increasing complexity in mobile handsets means this latest discovery is more relevant than ever, according to John Papandriopoulos, a Melbourne based wireless communications researcher. "As these handsets get more complex, it's hard to have no faults at all," he told ZDNet Australia . "I think the number of [exploits] will increase over time," he added. Papandriopoulos says that current generation handsets are not necessarily a popular target because there's little that can be done even if an attacker is able to compromise them. "I think it's more likely that the motivation would be to inconvenience people," he said. As for a mobile phone worm, spreading by sending itself to phonebook entries, John says this isn't likely to happen for some time. "At this stage, that's not realistic, but who knows in five years' time?" he said. However as standardised client software becomes a standard feature on mobile handsets it's only a matter of time before malicious hackers start paying more attention to wireless worms, according to Sydney-based security consultant Daniel Lewkovitz. "The wider the deployment of any given software, the proportionally larger attention certain people pay to breaking it," Lewkovitz said. Lewkovitz also says that the rush to get wireless software into the marketplace may result in deficient security testing regimes being passed off as acceptable. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Feb 27 2003 - 01:22:04 PST