Friday, April 23 2010
While going through my morning RSS feeds I stumbled across these simple but cool SMS-based attacks against WebOS (Palm's PRE). The attacks are based on simple SMS text messages that contain iframes. The bugs were found in WebOS 1.3.5 and are fixed in the current version. Read the full details on the blog of /intrepidus group, the researchers who found these bugs. I especially like the phone dialing stuff where they inject so-called GSM codes in order to switch off the GSM radio. Nice. Too bad I was a little behind with WebOS :-(
Conferences: SourceBoston 2010: Attacking WebOS by Chris Clark and Blackberry Mobile Spyware - The Monkey Steals the Berries (Part Deux) by Tyler Shields.
As usual, I call for hints and tips on interesting papers/slides/websites on mobile security.
There seems to be another mobile security related talk at SourceBoston: We Found Carmen San Diego by Don Bailey, iSec Partners & Nick DePetrillo. Reading the abstract, this looks like Locating Mobile Phones using Signalling System #7 by Tobias Engel at 25C3 in 2008. He also didn't have direct access to SS7 but used a web-based interface to some parts of SS7.
I just got an email from Michael; he discovered that WindowsMobile 6.5 is also vulnerable to
about the Palm Pre stuff. His advisory is here: XSS and Content Injection in HTC Windows Mobile SMS Preview PopUp.