Your Mobile Phone May Be Bugging You, Hackers Warn
OTHER THAN POLITICS, 16 August 2010
by Stephen Foley – The Independent
A British internet security company has demonstrated how to turn the Palm Pre into a secret bugging device, ideal for corporate espionage, and issued a warning that many other popular smartphones are also vulnerable to hackers.
In-house hackers at Basingstoke-based MWR InfoSecurity have created a bug hidden in an electronic business card, or vcard, which enabled them to use the Pre to record conversations and send the audio file back to them, whenever it is connected to a WiFi or 3G network – all without the user being aware anything at all is happening.
The company’s 26-year-old principal security researcher – who gives his name only as Nils, and who was hired by MWR last year after having been a freelance hacker since his teens – demonstrated the security flaw in the Pre to journalists and IT specialists this week, saying the phone was “easy” to break into.
Hewlett-Packard acquired Palm two months ago, in part so it could use the Pre operating system on future smartphones.
Nils also revealed that MWR found a serious security flaw in Google’s Android software, used as the operating system for a growing number of popular smartphones. The flaw allows a hacker to harvest all the usernames, passwords and browser history saved in an Android phone’s web browser.
The vulnerabilities in the two operating systems took just two days for the determined hacker to discover, Nils told The Independent, and just three more to learn to exploit. “The Android phone does have some security built in, but the Palm system seems unprotected and extremely vulnerable,” he said.
Hackers, both those operating for their own amusement and those working for technology security firms, are engaged in an ongoing war to reveal vulnerabilities in the latest software and hardware – before unscrupulous hackers do the same.
MWR said that it had passed details of its discoveries on to Google and Palm, and would not make them public until after they had been fixed. MWR said it would release the details later for educational purposes.
The MWR spokesman Alex Fidgen said that the Palm Pre vulnerabilities in particular raised serious concerns. “Whilst it is unusual for a genuine and accurate James Bond scenario to be uncovered during research, that is exactly what this represents. This calls into question fundamental assumptions about mobile phone security,” he said.
“It asks some fundamental questions about whether security has really been considered in the rush to release new phones and operating systems.”
This work is licensed under a CC BY-NC 3.0 United States License.