A security specialist claims to have uncovered a flaw that could turn the humble mobile phone into a listening device that could literally bug its owners.
The flaw was discovered in two leading mobile phone operating systems, namely HP/Palm’s webOS and Android, and was uncovered by MWR Labs, the research arm of British security firm MWR InfoSecurity.
MWR warns that the latest mobile phones are wide open to attack, with two phones in particular giving considerable cause for alarm. This includes the Palm Pre smartphone, which has a flaw that would allow hackers to listen in on conversations anywhere in the world, by turning the handset into a bugging device and using its onboard microphone to pick up conversations.
MWR Labs warns that the second problem lies with the Google Android operating system (it is not clear at this time which version) which allows the theft of user passwords from the phone via its Internet connection.
MWR said that it actively looks to locate and research new risks in technology. It said that after vulnerabilities were reported during its quarterly conference, it began a research project to investigate the rumours. It then uncovered the risks. It made no mention of whether it informed the vendors concerned.
The Palm Pre flaw is with the operating system, which when it receives a crafted message, allows for the attacker to upload a back door and then force the phone to transmit and/or record audio and stored data.
MWR said that this vulnerability is especially dangerous, as the exploit can be triggered from anywhere in the world and the data can be harvested via the normal carrier networks. “This effectively turns the phone into a mobile bugging device with the user completely unaware,” said the company.
The second flaw found by MWR Labs allows the harvesting of all username and password data stored by the Google Android operating system within its installed phone browser. The implications of this flaw, especially if the device is used to do online banking, are clear.
“The more investigations we undertake the more problems we are uncovering and this is almost certainly the tip of the iceberg,” said Fidgen. “It asks some fundamental questions about whether security has really been considered in the rush to release new phones and operating systems.”
As a result of the findings the company has now expanded its mobile research programme and started work to identifying the breadth of the problem in multiple phone platforms.
““The current version of webOS fixes the security vulnerability reported to Palm,” said the handset maker in an emailed statement to eWEEK Europe UK.
There have been reports around for a number of years now of phones being opened up to attack to allow the third-party to eavesdrop on any phone conversation and retrieve data.
In September last year, a SMS hijacking attack on Windows Mobile phones was demonstrated at the Black Hat USA 09 conference. The researchers felt that other phone operating systems could also be vulnerable. A video of that attack can be found here.
Back in December, the Global System for Mobile Communications Association (GSMA) downplayed concerns over the security of GSM-based mobile phone calls, after researchers cracked and published the encryption code that protects 80 percent of the world’s mobile phones.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…