HTC phone can be used as bugging device

Powered by SC Magazine
 

Palm Pre and Android flaws also discovered.

A flaw in the HTC smartphone can allow an attacker to use it as a remote bugging device.

After warning of flaws in the Palm Pre and Google Android platform, MWR InfoSecurity has now discovered that an HTC phone can also be compromised and used as a remote bugging device.

Revealing the findings at this week's Black Hat Security Conference in Dubai, 'Nils', principal information security researcher at MWR InfoSecurity, said that mobile phone users globally are open to exactly the same risks as a user of a poorly secured desktop computer, and that the more devices the company tested, the more security flaws it found.

The first flaw in the Palm Pre phone allows the complete compromise of the operating system via the receipt of a crafted message, resulting in the ability to upload a back door and then force the phone to transmit and/or record audio and stored data.

The impact of this vulnerability is magnified, as the exploit can be executed from anywhere in the world and the data can be harvested via the normal networks.

Nils said: “It is not just the manufacturers that are to blame, it is also the mobile network providers who are not doing enough to protect their customers. Mobile phone manufacturers have a responsibility to the end-user to be ensuring security. They are clearly not doing it and thus are allowing the release of insecure builds and applications onto the market, putting users at ever increasing risk of cyber attack.

“Mobile phone and network providers have got to ensure security is a central component of the design and software provided. The situation is serious enough for MWR to recommend that users should review what personal information, bank details, passwords and identity information is stored on their phone.”

He also claimed that a major issue is the inability of phone manufacturers and network providers to 'push' security fixes to the end-users when available.

“A user would never know that every word they were saying was being recorded and transmitted back to the attacker and the attack (once executed) would be trivial to perform,” said Nils.

“The more investigations we undertake the more problems we are uncovering and this is almost certainly the tip of the iceberg. It asks some fundamental questions about whether security has really been considered in the rush to release new phones and operating systems.”

As a result of its initial findings, the company expanded its mobile research programme and is identifying the breadth of the problem in multiple phone platforms. It is sharing its information with manufacturers and network providers but says that some are not paying attention.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition

