Major vulnerabilities in the Palm Pre and Android smartphones have been detected that could allow data to be stolen.
Research by MWR Labs has revealed a major flaw in the Palm Pre that would allow conversations to be intercepted, while a flaw in the Android operating system from 2.0 onwards exists in the browser and allows login credentials and cookies to be harvested.
A spokesperson demonstrated that sending a Vcard to the Palm Pre allows an attacker to compromise the phone and intercept all audio close to the phone. They said that this is a completely focussed attack that targets a specific user. Alex Fidgen, director at MWR Labs told SC Magazine that this represents industrial espionage and if this was done over a carrier network it would be breaking the law.
The Android flaw involved the use of a login page that can be intercepted over a publicly shared wireless network. The spokesperson said that as the phone is configured to save passwords, any user who connects to a rogue WiFi point can have their credentials stolen.
Fidgen said: “The vulnerability is in the browser, the attacker is able to execute arbitrary code within the browser and access all settings stored within the phone. The user could put in the login data weeks ago, but it is still stored and a user would not delete their passwords on the device.”
He called for operators and manufacturers to implement security more practically at the development stage, and claimed that these vulnerabilities call into question fundamental assumptions about mobile phone security.
Both flaws were reported to the respective companies at the end of May and another flaw has already been fixed but these specific vulnerabilities remain unpatched.
Fidgen said: “This is just the tip of the iceberg as it is embedded into the operating system, so it is not something that can be changed easily. It takes time to get it right and that is why this is such a serious issue, this is not a two week fix like with desktop patches, it can take months.”
In terms of what users can do to protect themselves, MWR Labs encouraged the installation of updates and advised users to take the battery out (when possible) before entering critical meetings or conversations and use 3G connections, as they are much more secure and it is harder to tamper with.
It also encouraged users not to store any sensitive information on the phone, not to connect to suspicious networks or open messages or emails from unknown sources.
Simeon Coney, VP of business development and strategy at AdaptiveMobile admitted that these vulnerabilities could pose a problem, and the ease of attack with the Palm Pre Vcard there could be many trying this attack.
He said: “Another problem is with the way that the iPhone logs on to a WiFi connection over anything else, it is an interesting and capable attack, and as people just want to get connected they are not always aware of the threat. I can see that people are concerned about what threat means to them, but they give permission and it is very serious.”