Feeds

Security flaw creates Android, Palm Pre snoop risk

It's like James Bond! But not

Protecting against web application threats using SSL

Security researchers have uncovered a flaw that creates a means to plant bugging software on Palm Pre devices.

The vulnerability means that the Palm Pre phone might be compromised through the receipt of a maliciously constructed vCard. A doctored electronic business card sent by SMS or exchanged could be used to place a backdoor on compromised devices that surreptitiously records audio and stored data before transmitting it back to hackers.

The flaw was discovered by MWR Labs, the research arm of British security outfit MWR InfoSecurity, a CESG-accredited firm that specialises in penetration testing.

MWR Labs discovered the security bug in May in the course of investigating rumours about smartphone security weaknesses. The firm informed Palm/HP of its findings at the time but is yet to hear back, prompting the decision to release limited details of the bug this week.

Alex Fidgen, a director at MWR, told El Reg that it had decided to withhold details of the flaw pending the availability of a fix.

However on Friday, following the publication of the initial version of this story, a HP/Palm rep got in touch to say “the current version of webOS [version 1.4.5] fixes the security vulnerability reported to Palm.”

An excitable press release from MWR attributes a quote to Fidgen describing the Palm flaw as offering a "James Bond scenario" for spying. Fidgen said the quote was a case of MWR's PR bods "getting carried away" rather than a genuinely held view.

MWR researchers separately discovered a flaw in the browser on Android handsets that might allow the harvesting of stored username and password data.

In a statement, Google said the vulnerability was not particular to its phones and had already been patched.

This is a bug which is not exclusive to Android and that can only be triggered if users visit a malicious website or access a malicious wifi network via their mobile phone.

We are not aware of any users having been affected by this bug to date, and it has been fixed in the latest version of our Android software. As always, mobile phone users can protect themselves by only visiting websites and using wifi networks they trust.

Fidgen confirmed the flaw had been addressed, adding that MWR's ability to find a brace of nasty bugs over just two days of research provided evidence that smartphone security was generally lacking.

Independent commentary of MWR's research can be found in a blog post by Sophos here. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.