Tuesday, February 24 2009
Thursday, February 12 2009
SIMKO2 is the new super secure smart phone for German government
officials. According to heise.de
the device is based on HTC touch pro and runs a hardened version of Windows Mobile. The device and all it's communication with the outside is going to be
encrypted using a micro-sd smartcard (see here). Also the SIMKO2 devices
seem far from being deployed since they seem to have some performance
issues with the encryption, see here, also heise.de reports that the SIMKO2 devices are
faster then the original touch pro. If you can read german you should check out these three links: 1 2 3.
Sexy View is the first signed Symbian worm (makes it the first effective worm for S60 3rd edition).
The worm spreads through simple social engineering, it sends a SMS to every contact in the contact list of an infected phone. The SMS simply contains a URL to
the worm's SIS file on the internet. What I find interesting is the payload of the worm, since it doesn't seem to send any premium rate SMS or MMS but collects information about the phone (IMEI) and the SIM card (probably IMSI and MSISDN).
This makes me wonder what these information are being used for or maybe used for
in the future. Fortinet thinks that the worm could be the first step of a mobile botnet, also there is no proof yet that the worm contains any update or remote control
mechanism. This could be a really interesting thing in the near future.
The mobile bug of the week is a XSS attack against a HSDPA router using SMS, see
here. Like most routers
the Huawei E960 is controlled via a web interface. The interesting feature of the
victim would need to load the router configuration page in his web browser in order to trigger the
attack. Never the less this is a great attack!
Friday, February 06 2009
This year's CanSecWest will have a good amount of smart phone security
related talks besides the earlier announced mobile pwn2own contest. Talks seem to be focused on the iPhone
and the Android platform. 1) Alfredo Ortega and Nico Economou - Multiplatform Iphone/Android Shellcode, and other smart phone insecurities 2) Jon Oberheide - A Look at a Modern Mobile Security Model: Google's Android and 3) Sergio 'shadown' Alvarez - The Smart-Phones Nightmare. I suppose Sergio Alvarez
is also going to talk about the iPhone since Apple fixed multiple bugs that he submitted in the iPhone 2.2 update.
I'm a bit sad that I can't attend CanSecWest.
At BlackHat Europe Jeroen van Beek will show his NFC-phone-based e-Passport cloning tools. Maybe there is even more mobile security stuff
going on there since the speaker list is not yet complete.
Done with conferences for this post. The guys from the Mobile Security Lab just launched their poc site where people can test their phones
using exploits developed by the mobile security lab. Nice idea!
Last weekend at ShmooCon Charlie Miller released details on a vulnerability in Android's audio player. Some links:
Related news: Palm has finally killed PalmOS. I really waited a long time for this to happen. PalmOS was just
way past its time. This a good and sad thing but now its over.
Did I miss anything?
Here is my iodine (DNS tunnel) package for Android. It includes the
tun kernel module, the iodine client, and a shell script to make it
all work. Have fun.
Get it from my Android section.