MS seeks malware, bust phones after SPV security crack

And won't we all be surprised when it doesn't find any?


A quite bizarre CNET report reveals that Microsoft's Security Response Center began investigations into the circumvention of security on the SPV smartphone on Tuesday, searching - so says CNET, anyway - for reports of rogue programs on the network and damaged phones.

Furthermore, says an anonymous source "familiar with the situation," unlocking an SPV "is a difficult process that sometimes involves taking the phone apart." Oh really? One hazards a guess that this particular source is familiar with the situation as they would like it to be, and as it no doubt will be by version 2.0 or 3.0 - security hard-wired into the silicon, and the client irretrievably controlled/owned by somebody out there, not you.

The difficult process sometimes involving taking the phone apart has now been FAQed by MoDaCo, and you can find a backup explanation here. We've also been contacted by one UK user who claimed the French method, which is even simpler, worked for him, so it's possibly worth giving that a shot first.

But rewind to CNET and the MS pitch on the subject. The circumvention instructions had been around for a little while before El Reg got to them on Tuesday, and we're told they've even appeared in one of Microsoft's own smartphone newsgroups. So if you were cynical you'd maybe reckon that some people regard security as an issue when enough people know about the breach, rather than when they first hear about it.

And although the press bears some responsibility for pushing its quest for the first mobile phone-based network hack (NB, we're no better than we should be, we'll be right there salivating with them when it happens), it is extremely convenient for Microsoft and the networks if the security 'issue' obscures the reality.

Will they find any broken phones? Nope, the best they'll be able to come up with is the odd dope who brings his phone in because he nuked his settings and therefore needs a grown up to reset it for him. Will they find evil hackers unlocking their handsets in order to unleash devil's spawn on the network?

That is a more complex question. Today, the answer is probably not, not yet. There aren't that many SPV users, only a proportion (but likely a higher proportion than usual for handsets) are techies, and a vanishingly small proportion of them are going to be twistedly malicious. But when you've got hundreds of millions of clients out there and people developing DiY malware kits for mobile phones, then yes, if you're relying on compromised client security you most certainly are going to find the devil's spawn. So long term, it's an issue, and long term, if they rely on "security" as transparent as this, they're toast.

They will not however find anything today, presuming that's what they're looking for, so they will shortly be in a position to make a complacent announcement to that effect. What, though, is it that's there, that they're not looking for, but that they should be?

Well, this search wouldn't be particularly hard, because it's the communities who came up with the circumvention routines in the first place. They consist of developers and enthusiasts who'd like to produce and use software for the SPV, and who really would like the phone to succeed. They are not evil malicious hackers, although stupid laws in an increasing number of countries might now deem them to be lawbreakers. They want to unlock their phones because they've been on hold since Orange switched on certification, and now they're happy because they don't need to wait for Orange to come up with some kind of 'official' route.

But if you were cynical, you might say their big mistake is they don't have money. The 'certified app only' route allows whoever owns the distribution channel to tithe the developers, and they're probably more interested in the 'few developers, big bucks' model from the games console industry than in small and solo developers who often will make very little, or even - horror - give the stuff away. Playing the security card therefore comes in handy if you see dealing with these guys as unprofitable, more trouble than it's worth, and if you're using the PC industry as an example of what you definitely don't want the mobile phone industry to become, well, you're maybe going to see unfettered development on an open platform as a bad thing in itself, aren't you? And you're unlikely to listen to people who tell you that's one of the reasons the PC industry was a success. ®

Related stories:
Orange SPV MS smartphone cert security cracked
