Another Mobile Threat

So, we now know that “hackers” have been doing a ton of vulnerability research on the new iPhone since it was released. That research has turned up a couple of interesting vulnerabilities. The first is a flaw in the Safari web browser that could allow an attacker to take complete control over the phone by tricking the phone’s owner into following a link to a malicious website that would exploit a buffer overflow in the browser. The attacker could then listen to the room’s audio or steal SMS logs, the address book, email passwords, and much more. The other interesting issue that was found is the possibility of crashing the phone by doing some Bluetooth fuzzing against it.

None of these revelations are new to security professionals or penetration testers. This is all just normal, run-of-the-mill stuff that we see and deal with every day. What’s interesting to us is how quickly these issues were found and what it could mean in the grand scheme of things. I’m not really interested in what will become of the iPhone, mostly because I don’t have any plans on paying $600 for a phone. What does interest me is the consideration of how this is just one more piece of the “perfect storm” that mobile technology is going to bring to our lives.

For several months, maybe even a couple of years, MSI has been telling our clients and our friends how we believe mobile technology is going to lead to major problems for companies and individuals alike. We all love the convenience that our newly acquired mobile devices provide. In some countries (look for it to make its way here soon) it’s not even necessary to carry plastic or cash anymore. For example, in some parts of Europe and Asia, it’s now possible to pay for your McDonald’s, or your soda from a vending machine, or buy your clothes at the retail store with a Bluetooth-enabled phone and a PayPal account. How about using that same Bluetooth-enabled phone and PayPal account to associate with the nearest payday loan boutique, while you sit in the bar, for a quick loan to continue your happy hour? Or consider that certain cell phone companies are now making it possible to pay all your bills from your cell phone. Not to mention the accepted risk of laptops coming in and out of an enterprise. Or how about unnoticed wireless access points in your enterprise?

What many people don’t understand is what attackers are already doing to take advantage of the lack of security in these convenient technologies. People were going gaga over the iPhone before it came out. People in this country will LOVE the idea of being able to pay for things with their cell phone. What the consumer won’t be told is that there are already attackers setting up fake Bluetooth IDs for your phone to associate with. Imagine a Coke machine that has a Bluetooth ID of “Coke”. Now imagine my laptop sitting on top of the Coke machine with a Bluetooth ID of “CokeMachine”. How are you going to know which one to associate with? Will your phone even give you the option of choosing? What if it chooses the first one it sees? OK, so I get your 75 cents and you don’t get the Coke. What I also get is your PayPal account information. This is just one of the many examples that we could give.
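To make the “Coke” versus “CokeMachine” problem concrete from the defender’s side, here is an added example (not part of the original post) that audits a Bluetooth scan against an enrollment record instead of trusting advertised names. The trusted address, the scan results and the function names are all constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed enrollment record: advertised name -> address recorded at install time.
TRUSTED = {"Coke": "00:11:22:33:44:55"}

# Constructed scan results: (advertised name, address) pairs.
SAMPLE_SCAN = [
    ("Coke", "00:11:22:33:44:55"),
    ("CokeMachine", "66:77:88:99:AA:BB"),
    ("Coke", "CC:DD:EE:FF:00:11"),
    ("Headset-42", "12:34:56:78:9A:BC"),
]

def normalize(name):
    """Fold case, Unicode compatibility forms and separators before comparing names."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def classify(name, address, trusted=TRUSTED, threshold=0.75):
    """Label one discovered device relative to the enrollment record."""
    n = normalize(name)
    # Pass 1: the advertised name equals an enrolled name, so check the address.
    for t_name, t_addr in trusted.items():
        if n == normalize(t_name):
            # An address match is only consistent with enrollment: addresses can
            # be cloned, so real assurance needs authenticated pairing.
            if address.upper() == t_addr.upper():
                return "enrolled"
            return "same-name-wrong-address"
    # Pass 2: the name merely resembles an enrolled name (embeds it or is close to it).
    for t_name in trusted:
        t = normalize(t_name)
        if t in n or SequenceMatcher(None, n, t).ratio() >= threshold:
            return "lookalike"
    return "unrelated"

def audit(scan=SAMPLE_SCAN):
    """Return (name, address, label) for every device seen in the scan."""
    return [(name, addr, classify(name, addr)) for name, addr in scan]

if __name__ == "__main__":
    for name, addr, label in audit():
        print(f"{name:12} {addr}  {label}")
```

Anything labelled `lookalike` or `same-name-wrong-address` near a payment terminal is worth investigating; the advertised name alone tells the phone, and its owner, nothing about who is on the other end.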

The point of this post is not to discuss stealing 75 cents from a thirsty consumer. What we are concerned about is how the lack of security in these devices is being completely ignored because of the convenience they bring to the consumer. There will always be people out there that try to take advantage of the unsuspecting consumer. Occasionally, they will be successful. A little bit of education could go a long way towards teaching these same consumers how to remain vigilant and protect their identity, as well as their bank accounts. At the same time, the same educational programs need to be put into place in the corporate enterprise to ensure that these insecure mobile devices are not being brought into the enterprise, increasing the risk of compromise. We’d like to see much more information being distributed to consumers about the technologies they are using and how they could be inadvertently endangering their financial future.

This entry was posted in General InfoSec by Troy Vennon.

About Troy Vennon

I recently separated from the U.S. Marine Corps after 8 years. I spent the first 3 1/2 years building classified and unclassified networks all over the world. There was a natural progression from building those networks to securing those networks. My last 4 1/2 years in the Marine Corps took me to Quantico, Va., where I was stationed with the Marine Corps Network Operations and Security Command (MCNOSC). While with the MCNOSC, I was a member of the Security section, which was responsible for the installation and daily maintenance of the 34 Points-of-Presence that made up the Marine Corps’ 270,000+ user network. After a period of time with Security, I moved over to the Marine Corps Computer Emergency Response Team (MARCERT). There I was the Staff Non-Commissioned Officer of the MARCERT, which was responsible for the 24x7 monitoring of network traffic across the Marine Corps. Specifically, we monitored network traffic for malicious intent and investigated any network incidents as they occurred. While with the MCNOSC, I attained my CISSP, CCNA, and OPST (OSSTMM Professional Security Tester). I have been with MicroSolved for the past 4 months as the Senior Security Engineer, Technical Lead, and Project Manager.
