MS seeks malware, bust phones after SPV security crack

And won't we all be surprised when it doesn't find any?

A quite bizarre CNET report reveals that Microsoft's Security Response Center began investigations into the circumvention of security on the SPV smartphone on Tuesday, searching - so says CNET, anyway - for reports of rogue programs on the network and damaged phones.

Furthermore, says an anonymous source "familiar with the situation," unlocking an SPV "is a difficult process that sometimes involves taking the phone apart." Oh really? One hazards a guess that this particular source is familiar with the situation as they would like it to be, and as it no doubt will be by version 2.0 or 3.0 - security hard-wired into the silicon, and the client irretrievably controlled/owned by somebody out there, not you.

The difficult process sometimes involving taking the phone apart has now been FAQed by MoDaCo, and you can find a backup explanation here. We've also been contacted by one UK user who claimed the French method, which is even simpler, worked for him, so it's possibly worth giving that a shot first.

But rewind to CNET and the MS pitch on the subject. The circumvention instructions had been around for a little while before El Reg got to them on Tuesday, and we're told they've even appeared in one of Microsoft's own smartphone newsgroups. So if you were cynical you'd maybe reckon that some people regard security as an issue when enough people know about the breach, rather than when they first hear about it.

And although the press bears some responsibility for pushing its quest for the first mobile phone-based network hack (NB, we're no better than we should be, we'll be right there salivating with them when it happens), it is extremely convenient for Microsoft and the networks if the security 'issue' obscures the reality.

Will they find any broken phones? Nope, the best they'll be able to come up with is the odd dope who brings his phone in because he nuked his settings and therefore needs a grown up to reset it for him. Will they find evil hackers unlocking their handsets in order to unleash devil's spawn on the network?

That is a more complex question. Today, the answer is probably not, not yet. There aren't that many SPV users, only a proportion (but likely a higher proportion than usual for handsets) are techies, and a vanishingly small proportion of them are going to be twistedly malicious. But when you've got hundreds of millions of clients out there and people developing DiY malware kits for mobile phones, then yes, if you're relying on compromised client security you most certainly are going to find the devil's spawn. So long term, it's an issue, and long term, if they rely on "security" as transparent as this, they're toast.

They will not however find anything today, presuming that's what they're looking for, so they will shortly be in a position to make a complacent announcement to that effect. What, though, is it that's there, that they're not looking for, but that they should be?

Well, this search wouldn't be particularly hard, because it's the communities who came up with the circumvention routines in the first place. They consist of developers and enthusiasts who'd like to produce and use software for the SPV, and who really would like the phone to succeed. They are not evil malicious hackers, although stupid laws in an increasing number of countries might now deem them to be lawbreakers. They want to unlock their phones because they've been on hold since Orange switched on certification, and now they're happy because they don't need to wait for Orange to come up with some kind of 'official' route.

But if you were cynical, you might say their big mistake is they don't have money. The 'certified app only' route allows whoever owns the distribution channel to tithe the developers, and they're probably more interested in the 'few developers, big bucks' model from the games console industry than in small and solo developers who often will make very little, or even - horror - give the stuff away. Playing the security card therefore comes in handy if you see dealing with these guys as unprofitable, more trouble than it's worth, and if you're using the PC industry as an example of what you definitely don't want the mobile phone industry to become, well, you're maybe going to see unfettered development on an open platform as a bad thing in itself, aren't you? And you're unlikely to listen to people who tell you that's one of the reasons the PC industry was a success. ®

Related stories:
Orange SPV MS smartphone cert security cracked
