Researcher says security defect puts Galaxy S III and other cell phones using Android at risk.
Cellphones using Google's Android operating system are at risk of
being disabled or wiped clean of their data, including contacts, music
and photos, because of a security flaw that was discovered several months
ago but went unnoticed until now.
Opening a link to a website or a mobile application
embedded with malicious code can trigger an attack capable of destroying
the memory card in Android-equipped handsets made by Samsung, HTC,
Motorola and Sony Ericsson, rendering the devices useless, computer
security researcher Ravi Borgaonkar wrote in a blog post Friday. A second
piece of code, which can erase a user's data by performing a factory reset
of the device, appears to target only the newly released and top-selling
Galaxy S III and other Samsung phones, he wrote.
Borgaonkar informed Google of the vulnerability in June,
he said. A fix was issued quickly, he said, but it wasn't publicized,
leaving smartphone owners largely unaware that the problem existed and
how they could fix it.
Google declined to comment. Android debuted in 2008 and
now dominates the smartphone market. Nearly 198 million smartphones
using Android were sold in the first six months of 2012, according to
the research firm IDC. About 243 million Android-equipped phones were
sold in 2011, IDC said.
Versions of Android that are vulnerable include
Gingerbread, Ice Cream Sandwich and Jelly Bean, according to Borgaonkar.
He said the Honeycomb version of Android, designed for tablets, needs
to be tested to determine if it is at risk as well.
Samsung, which makes most of the Android phones, said
only early production models of the Galaxy S III were affected and a
software update has been issued for that model. The company said it is
conducting an internal review to determine if other devices are affected
and what, if any, action is needed. Samsung said it is advising
customers to check for software updates through the "Settings: About
device: Software update" menu available on Samsung phones.
Borgaonkar, a researcher at Germany's Technical
University Berlin, said the bug works by taking advantage of functions
in phones that allow them to dial a telephone number directly from a web
browser. That convenience comes with risk, however. A hacker, or anyone
with ill intent, can create a website or an app with codes that
instruct the phones linking to those numbers to execute commands
automatically, such as a full factory reset.
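As an added illustration (not from the article or from Borgaonkar's post), here is a defender-side scanner that flags dial links carrying service codes before a page reaches a handset. It assumes the dial-from-browser function is the `tel:` URI scheme and that a service code is any dial string containing `*` or `#`; the function names and the `*000#` sample are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumption: a dial string containing '*' or '#' is a service code,
# not an ordinary phone number.
SERVICE_CHARS = set("*#")

# Constructed sample page; "*000#" is a placeholder, not a real code.
SAMPLE_PAGE = """
<a href="tel:+1-555-0100">Call support</a>
<a href="TEL:*000%23">Check balance</a>
<a href="tel:&#42;000%23">Special offer</a>
<a href="https://example.com/#top">Top</a>
"""

def classify_tel_uri(value):
    """Return None for non-tel: values, else (dial_string, is_suspicious)."""
    value = value.strip()
    if not value.lower().startswith("tel:"):
        return None
    # '#' is written as %23 inside a URI, so decode before inspecting.
    dial = unquote(value[4:])
    return dial, any(ch in SERVICE_CHARS for ch in dial)

class TelLinkScanner(HTMLParser):
    """Collects tel: URIs from every attribute of every tag."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, dial_string, is_suspicious)

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded entities such as &#42; in values.
        for name, value in attrs:
            result = classify_tel_uri(value or "")
            if result:
                self.findings.append((tag, name, *result))

def suspicious_links(html):
    """Return the findings whose dial string carries a service code."""
    scanner = TelLinkScanner()
    scanner.feed(html)
    scanner.close()
    return [f for f in scanner.findings if f[3]]

if __name__ == "__main__":
    for tag, attr, dial, _ in suspicious_links(SAMPLE_PAGE):
        print(f"<{tag} {attr}> dials service code {dial!r}")
```

The ordinary support number passes; both encoded variants are flagged, which is why the check runs on the decoded dial string rather than on the raw attribute text.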
The phone's memory card, known as a subscriber identity
module, or SIM, can be destroyed remotely in the same way, Borgaonkar
said. "Vulnerability in Android can be exploited to kill the SIM card
permanently by clicking a single click," he wrote. "After the successful
attack, the end user has to go to the mobile network operator and buy a
new SIM card."
While Borgaonkar has drawn attention to the problem, it's
unclear how useful the vulnerability would be to cybercriminals who are
primarily interested in profits or gaining a competitive advantage,
said Jimmy Shah, a mobile security researcher at McAfee. "There's no
benefit to the attacker if they can't make money off it or they can't
steal your data," Shah said. "It's really not that useful."
But the technique could cause huge headaches if it were
harnessed to issue outbound phone calls, said Mikko Hypponen, chief
research officer at F-Secure, a digital security company in Helsinki,
Finland. "If that would be doable, we would quickly see real world
attacks causing phones to automatically dial out to premium-rate
numbers," he said.
Find below the link to the researcher's post.
___
Online:
Ravi Borgaonkar's blog post: http://www.isk.kth.se/~rbbo/ussdvul.html