Palm Pre At Centre Of Bugging Concern

A security specialist claims to have uncovered a flaw that could turn the humble mobile phone into a listening device that could literally bug its owners.

The flaw was discovered in two leading mobile phone operating systems, namely HP/Palm’s webOS and Android, and was uncovered by MWR Labs, the research arm of British security firm MWR InfoSecurity.

Android And Palm Pre Flaw

MWR warns that the latest mobile phones are wide open to attack, with two phones in particular giving considerable cause for alarm. This includes the Palm Pre smartphone, which has a flaw that would allow hackers to listen in on conversations anywhere in the world, by turning the handset into a bugging device and using its onboard microphone to pick up conversations.

MWR Labs warns that the second problem lies with the Google Android operating system (it is not clear at this time which version) which allows the theft of user passwords from the phone via its Internet connection.

“This is one of the most serious implications in mobile technologies to date and calls into question fundamental assumptions about mobile phone security,” said MWR’s Alex Fidgen. “The flaws could have been ‘fixed’ when the mobile phone companies issued new operating software recently but they did nothing.”

MWR said that it actively looks to locate and research new risks in technology. It said that after vulnerabilities were reported during its quarterly conference, it began a research project to investigate the rumours. It then uncovered the risks. It made no mention of whether it informed the vendors concerned.

The Palm Pre flaw lies in the operating system: when it receives a crafted message, it allows the attacker to upload a back door and then force the phone to transmit and/or record audio and stored data.

MWR said that this vulnerability is especially dangerous, as the exploit can be triggered from anywhere in the world and the data can be harvested via the normal carrier networks. “This effectively turns the phone into a mobile bugging device with the user completely unaware,” said the company.

The second flaw found by MWR Labs allows the harvesting of all username and password data stored by the Google Android operating system within its installed phone browser. The implications of this flaw, especially if the device is used to do online banking, are clear.

Ongoing Investigations

“The more investigations we undertake the more problems we are uncovering and this is almost certainly the tip of the iceberg,” said Fidgen. “It asks some fundamental questions about whether security has really been considered in the rush to release new phones and operating systems.”

As a result of the findings, the company has now expanded its mobile research programme and started work on identifying the breadth of the problem across multiple phone platforms.

“The current version of webOS fixes the security vulnerability reported to Palm,” said the handset maker in an emailed statement to eWEEK Europe UK.

For a number of years now, there have been reports of phones being opened up to attack, allowing a third party to eavesdrop on any phone conversation and retrieve data.

In September last year, an SMS hijacking attack on Windows Mobile phones was demonstrated at the Black Hat USA 09 conference. The researchers felt that other phone operating systems could also be vulnerable. A video of that attack can be found here.

Back in December, the Global System for Mobile Communications Association (GSMA) downplayed concerns over the security of GSM-based mobile phone calls, after researchers cracked and published the encryption code that protects 80 percent of the world’s mobile phones.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
