Feeds

MS seeks malware, bust phones after SPV security crack

And won't we all be surprised when it doesn't find any?

  • alert
  • submit to reddit

High performance access to file storage

A quite bizarre CNET report reveals that Microsoft's Security Response Center began investigations into the circumvention of security on the SPV smartphone on Tuesday, searching - so says CNET, anyway - for reports of rogue programs on the network and damaged phones.

Furthermore, says an anonymous source "familiar with the situation," unlocking an SPV "is a difficult process that sometimes involves taking the phone apart." Oh really? One hazards a guess that this particular source is familiar with the situation as they would like it to be, and as it no doubt will be by version 2.0 or 3.0 - security hard-wired into the silicon, and the client irretrievably controlled/owned by somebody out there, not you.

The difficult process sometimes involving taking the phone apart has now been FAQed by MoDaCo, and you can find a backup explanation here. We've also been contacted by one UK user who claimed the French method, which is even simpler, worked for him, so it's possibly worth giving that a shot first.

But rewind to CNET and the MS pitch on the subject. The circumvention instructions had been around for a little while before El Reg got to them on Tuesday, and we're told they've even appeared in one of Microsoft's own smartphone newsgroups. So if you were cynical you'd maybe reckon that some people regard security as an issue when enough people know about the breach, rather than when they first hear about it.

And although the press bears some responsibility for pushing its quest for the first mobile phone-based network hack (NB, we're no better than we should be, we'll be right there salivating with them when it happens), it is extremely convenient for Microsoft and the networks if the security 'issue' obscures the reality.

Will they find any broken phones? Nope, the best they'll be able to come up with is the odd dope who brings his phone in because he nuked his settings and therefore needs a grown up to reset it for him. Will they find evil hackers unlocking their handsets in order to unleash devil's spawn on the network?

That is a more complex question. Today, the answer is probably not, not yet. There aren't that many SPV users, only a proportion (but likely a higher proportion than usual for handsets) are techies, and a vanishingly small proportion of them are going to be twistedly malicious. But when you've got hundreds of millions of clients out there and people developing DiY malware kits for mobile phones, then yes, if you're relying on compromised client security you most certainly are going to find the devil's spawn. So long term, it's an issue, and long term, if they rely on "security" as transparent as this, they're toast.

They will not however find anything today, presuming that's what they're looking for, so they will shortly be in a position to make a complacent announcement to that effect. What, though, is it that's there, that they're not looking for, but that they should be?

Well, this search wouldn't be particularly hard, because it's the communities who came up with the circumvention routines in the first place. They consist of developers and enthusiasts who'd like to produce and use software for the SPV, and who really would like the phone to succeed. They are not evil malicious hackers, although stupid laws in an increasingly number of countries might now deem them to be lawbreakers. They want to unlock their phones because they've been on hold since Orange switched on certification, and now they're happy because they don't need to wait for Orange to come up with some kind of 'official' route.

But if you were cynical, you might say their big mistake is they don't have money. The 'certified app only' route allows whoever owns the distribution channel to tithe the developers, and they're probably more interested in the 'few developers, big bucks' model from the games console industry than in small and solo developers who often will make very little, or even - horror - give the stuff away. Playing the security card therefore comes in handy if you see dealing with these guys as unprofitable, more trouble than it's worth, and if you're using the PC industry as an example of what you definitely don't want the mobile phone industry to become, well, you're maybe going to see unfettered development on an open platform as a bad thing in itself, aren't you? And you're unlikely to listen to people who tell you that's one of the reasons the PC industry was a success. ®

Related stories:
Orange SPV MS smartphone cert security cracked

High performance access to file storage

More from The Register

next story
Broadband Secretary of SHEEP sensationally quits Cabinet
Maria Miller finally resigns over expenses row
Skype pimps pro-level broadcast service
Playing Cat and Mouse with the media
Beat it, freetards! Dyn to shut down no-cost dynamic DNS next month
... but don't worry, charter members, you're still in 'for life'
Like Google, Comcast might roll its own mobile voice network
Says anything's possible if regulators approve merger with Time Warner
EE dismisses DATA-BURNING glitch with Orange Mail app
Bug quietly slurps PAYG credit - yet EE denies it exists
Turnbull leaves Australia's broadband blackspots in the dark
New Statement of Expectations to NBN Co offers get-out clauses for blackspot builds
Facebook claims 100 MEEELLION active users in India
Who needs China when you've got the next billion in your sights?
Facebook splats in-app chat, whacks brats into crack yakety-yak app
Jibber-jabbering addicts turfed out just as Zuck warned
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.