...stuff I do and things I like...

Sunday, July 19 2009

Mobile Security News July 2009

SexyView a Symbian Virus/Worm or bot(net)? I really don't care too much about viruses, so until this thing has a real control channel and can auto-update it is nothing. The one thing that I find interesting about it is the fact that it seems to be signed. This more or less proofs that signatures don't buy you any security. One can always somehow obtain a signature for a piece of malware. This is as good as having no signatures at all - well not exactly it still puts the bar a little higher.

The Windows Mobile HTC OBEX path traversal bug is interesting. Not because it is new but rather that this kind of bug made it once again into a device. So I guess no quality control at HTC. Alberto, the guy who found and reported the bug, told me that HTC was not really interested in communicating with him. This is sad since HTC will also be building their own Android devices soon. I just read that HTC seems to offer a hotfix for the issue.

On a personal note. As I wrote before I'll be going to Black Hat and Defcon in Vegas. Directly after Vegas I'll travel to the Valley (Los Altos and Mountain View). Before going to Montreal for USENIX I will spend some time around Santa Barbara. So if anybody is up for some mobile phone security stuff contact me.

Otherwise see you in VEGAS!

Monday, July 06 2009

Pwning Nokia phones (and other Symbian based smartphones)

Bernhard Mueller from SEC Consult posted this fine work on Symbian security to the full disclosure list. His white paper Pwning Symbian looks interesting (I haven't actually read it completely yet).

Friday, July 03 2009

Mobile Security News June/July 2009

I guess it is time again for a news update. I actually wanted to write one for June but I somehow forgot.

Let's start with the most recent stuff. Charlie Miller partially disclosed what we are going to talk about at Black Hat at the end of the month. Sadly some reporter over hyped his story. This sucked btw! Here are the original (over hyped) and the actual facts stories.

The HAR2009 program is out and there will be some mobile phone security related talks. Public transport SMS ticket hacking seems to talk about how to hack a SMS-based ticketing systems. cracking a5 gsm encryption will do a state of the art talk. There will also be a OpenBSC talk that will show how to build and run a GSM network based on opensource software an hardware everybody can buy. All in all HAR seems to be quite some fun. Sadly I wont be able to go due to time conflicts.

Fun find on BugTraq: Multiple Flaws in Huawei D100. The Huawei D100 is a small home 3G router (product page) that seems to be given out by some ISPs.

A personal side note: I now own/have-full-access-to a BS-11 Abis GSM base station and will soon start to play around with it. Happy happy fun fun.