Sunday, July 19 2009
SexyView a Symbian Virus/Worm or bot(net)?
I really don't care too much about viruses, so until this thing has a
real control channel and can auto-update it is nothing. The one thing that
I find interesting about it is the fact that it seems to be signed. This
more or less proves that signatures don't buy you any security. One can
always somehow obtain a signature for a piece of malware. This is as good
as having no signatures at all - well, not exactly, it still puts the bar
a little higher.
The Windows Mobile HTC OBEX path traversal bug is interesting. Not because
it is new but rather that this kind of bug made it once again into a device.
So I guess no quality control at HTC. Alberto, the guy who found and
reported the bug, told me that HTC was not really interested in communicating
with him. This is sad since HTC will also be building their own Android
devices soon. I just read that HTC seems to offer a hotfix
for the issue.
On a personal note. As I wrote before I'll be going to Black Hat and Defcon in Vegas. Directly after Vegas I'll travel to the Valley (Los Altos and Mountain View). Before going to Montreal for USENIX I will spend some time around Santa Barbara. So if anybody is up for some mobile phone security stuff contact me.
Otherwise see you in VEGAS!
Monday, July 06 2009
Bernhard Mueller from SEC Consult posted this fine work on Symbian
security to the full disclosure list. His white paper Pwning Symbian looks interesting (I haven't actually read it completely yet).
Friday, July 03 2009
I guess it is time again for a news update. I actually wanted to write
one for June but I somehow forgot.
Let's start with the most recent stuff. Charlie Miller partially disclosed
what we are going to talk about at Black Hat at the end of the month. Sadly some reporter overhyped his story. This sucked btw! Here are the original (overhyped) and
the actual facts stories.
The HAR2009 program is out and there will
be some mobile phone security related talks. Public transport SMS ticket hacking seems to talk
about how to hack an SMS-based ticketing system. cracking a5 gsm encryption will do a state
of the art talk. There will also be an OpenBSC talk that will show how to build and run a GSM
network based on open source software and hardware everybody can buy. All in
all HAR seems to be quite some fun. Sadly I won't be able to go due to time
conflicts.
Fun find on BugTraq: Multiple Flaws in Huawei D100. The Huawei D100 is a
small home 3G router (product page) that seems to be given out by some ISPs.
A personal side note: I now own/have-full-access-to a BS-11 Abis GSM base station and will soon start to play around with it. Happy happy fun fun.