[ISN] Mobile phone hacking set to spread: AU experts

From: InfoSec News (isnat_private)
Date: Wed Feb 26 2003 - 22:58:28 PST

    By Patrick Gray
    ZDNet Australia
    26 February 2003

    United States-based security company @stake (atstake.com) has released
    a security advisory detailing a Denial of Service (DoS) vulnerability
    in the Nokia 6210 GSM mobile phone, and although the flaw isn't
    serious it could be a sign of worse things to come.
    The advisory, posted to the bugtraq security mailing list, describes
    how a prankster could use the vulnerability to crash a potential
    victim's phone.
    "There is a vulnerability which allows an attacker to send a malicious
    vCard to a handset, causing [it] to crash," the advisory said.
    If an attacker has been successful in crafting the malicious vCard and
    sending it to the handset, the phone may behave strangely, freeze or
    stop accepting vCards.
    "This is a good example of why all newly introduced product
    functionality should be reviewed to ensure that no new security
    vulnerabilities will also be introduced. A cursory source code audit
    would find an error of this type," the advisory said.
    The vulnerability is not serious - affected users can simply "reboot"
    their phones, but the flaw has sparked renewed interest in the issue
    of security vulnerabilities in increasingly complicated mobile phones.
    Even though similar vulnerabilities have been found in the past, the
    increasing complexity in mobile handsets means this latest discovery
    is more relevant than ever, according to John Papandriopoulos, a
    Melbourne-based wireless communications researcher.
    "As these handsets get more complex, it's hard to have no faults at
    all," he told ZDNet Australia.
    "I think the number of [exploits] will increase over time," he added.
    Papandriopoulos says that current generation handsets are not
    necessarily a popular target because there's little that can be done
    even if an attacker is able to compromise them.
    "I think it's more likely that the motivation would be to
    inconvenience people," he said.
    As for a mobile phone worm, spreading by sending itself to phonebook
    entries, John says this isn't likely to happen for some time.
    "At this stage, that's not realistic, but who knows in five years'
    time?" he said.
    However, as standardised client software becomes a standard feature on
    mobile handsets it's only a matter of time before malicious hackers
    start paying more attention to wireless worms, according to
    Sydney-based security consultant Daniel Lewkovitz.
    "The wider the deployment of any given software, the proportionally
    larger attention certain people pay to breaking it," Lewkovitz said.
    Lewkovitz also says that the rush to get wireless software into the
    marketplace may result in deficient security testing regimes being
    passed off as acceptable.