MS seeks malware, bust phones after SPV security crack

And won't we all be surprised when it doesn't find any?

A quite bizarre CNET report reveals that Microsoft's Security Response Center began investigations into the circumvention of security on the SPV smartphone on Tuesday, searching - so says CNET, anyway - for reports of rogue programs on the network and damaged phones.

Furthermore, says an anonymous source "familiar with the situation," unlocking an SPV "is a difficult process that sometimes involves taking the phone apart." Oh really? One hazards a guess that this particular source is familiar with the situation as they would like it to be, and as it no doubt will be by version 2.0 or 3.0 - security hard-wired into the silicon, and the client irretrievably controlled/owned by somebody out there, not you.

The difficult process sometimes involving taking the phone apart has now been FAQed by MoDaCo, and you can find a backup explanation here. We've also been contacted by one UK user who claimed the French method, which is even simpler, worked for him, so it's possibly worth giving that a shot first.

But rewind to CNET and the MS pitch on the subject. The circumvention instructions had been around for a little while before El Reg got to them on Tuesday, and we're told they've even appeared in one of Microsoft's own smartphone newsgroups. So if you were cynical you'd maybe reckon that some people regard security as an issue when enough people know about the breach, rather than when they first hear about it.

And although the press bears some responsibility for pushing its quest for the first mobile phone-based network hack (NB, we're no better than we should be, we'll be right there salivating with them when it happens), it is extremely convenient for Microsoft and the networks if the security 'issue' obscures the reality.

Will they find any broken phones? Nope, the best they'll be able to come up with is the odd dope who brings his phone in because he nuked his settings and therefore needs a grown-up to reset it for him. Will they find evil hackers unlocking their handsets in order to unleash devil's spawn on the network?

That is a more complex question. Today, the answer is probably not, not yet. There aren't that many SPV users, only a proportion (but likely a higher proportion than usual for handsets) are techies, and a vanishingly small proportion of them are going to be twistedly malicious. But when you've got hundreds of millions of clients out there and people developing DiY malware kits for mobile phones, then yes, if you're relying on compromised client security you most certainly are going to find the devil's spawn. So long term, it's an issue, and long term, if they rely on "security" as transparent as this, they're toast.

They will not however find anything today, presuming that's what they're looking for, so they will shortly be in a position to make a complacent announcement to that effect. What, though, is it that's there, that they're not looking for, but that they should be?

Well, this search wouldn't be particularly hard, because it's the communities who came up with the circumvention routines in the first place. They consist of developers and enthusiasts who'd like to produce and use software for the SPV, and who really would like the phone to succeed. They are not evil malicious hackers, although stupid laws in an increasing number of countries might now deem them to be lawbreakers. They want to unlock their phones because they've been on hold since Orange switched on certification, and now they're happy because they don't need to wait for Orange to come up with some kind of 'official' route.

But if you were cynical, you might say their big mistake is they don't have money. The 'certified app only' route allows whoever owns the distribution channel to tithe the developers, and they're probably more interested in the 'few developers, big bucks' model from the games console industry than in small and solo developers who often will make very little, or even - horror - give the stuff away. Playing the security card therefore comes in handy if you see dealing with these guys as unprofitable, more trouble than it's worth, and if you're using the PC industry as an example of what you definitely don't want the mobile phone industry to become, well, you're maybe going to see unfettered development on an open platform as a bad thing in itself, aren't you? And you're unlikely to listen to people who tell you that's one of the reasons the PC industry was a success. ®

Related stories:
Orange SPV MS smartphone cert security cracked
