Palm Pre At Centre Of Bugging Concern

The Palm Pre handset is at the centre of concerns that attackers could turn mobile phones into bugging devices

A security specialist claims to have uncovered a flaw that could turn the humble mobile phone into a listening device that could literally bug its owners.

The flaw was discovered in two leading mobile phone operating systems, namely HP/Palm’s webOS and Android, and was uncovered by MWR Labs, the research arm of British security firm MWR InfoSecurity.

Android And Palm Pre Flaw

MWR warns that the latest mobile phones are wide open to attack, with two phones in particular giving considerable cause for alarm. This includes the Palm Pre smartphone, which has a flaw that would allow hackers to listen in on conversations anywhere in the world, by turning the handset into a bugging device and using its onboard microphone to pick up conversations.

MWR Labs warns that the second problem lies with the Google Android operating system (it is not clear at this time which version), which allows the theft of user passwords from the phone via its Internet connection.

“This is one of the most serious implications in mobile technologies to date and calls into question fundamental assumptions about mobile phone security,” said MWR’s Alex Fidgen. “The flaws could have been ‘fixed’ when the mobile phone companies issued new operating software recently but they did nothing.”

MWR said that it actively looks to locate and research new risks in technology. It said that after vulnerabilities were reported during its quarterly conference, it began a research project to investigate the rumours. It then uncovered the risks. It made no mention of whether it informed the vendors concerned.

The Palm Pre flaw lies in the operating system, which, on receiving a crafted message, allows the attacker to upload a back door and then force the phone to transmit and/or record audio and stored data.

MWR said that this vulnerability is especially dangerous, as the exploit can be triggered from anywhere in the world and the data can be harvested via the normal carrier networks. “This effectively turns the phone into a mobile bugging device with the user completely unaware,” said the company.

The second flaw found by MWR Labs allows the harvesting of all username and password data stored by the Google Android operating system within its installed phone browser. The implications of this flaw, especially if the device is used to do online banking, are clear.

Ongoing Investigations

“The more investigations we undertake the more problems we are uncovering and this is almost certainly the tip of the iceberg,” said Fidgen. “It asks some fundamental questions about whether security has really been considered in the rush to release new phones and operating systems.”

As a result of the findings, the company has now expanded its mobile research programme and started work on identifying the breadth of the problem in multiple phone platforms.

“The current version of webOS fixes the security vulnerability reported to Palm,” said the handset maker in an emailed statement to eWEEK Europe UK.

For a number of years now, there have been reports of phones being opened up to attack, allowing a third party to eavesdrop on any phone conversation and retrieve data.

In September last year, an SMS hijacking attack on Windows Mobile phones was demonstrated at the Black Hat USA 09 conference. The researchers felt that other phone operating systems could also be vulnerable. A video of that attack can be found here.

Back in December, the Global System for Mobile Communications Association (GSMA) downplayed concerns over the security of GSM-based mobile phone calls, after researchers cracked and published the encryption code that protects 80 percent of the world’s mobile phones.