...stuff I do and things I like...

Friday, April 23 2010

Mobile Security News April 2010

While going through my morning RSS feeds I stumbled across these simple but cool SMS-based attacks against WebOS (Palm's Pre). The attacks are based on simple SMS text messages that contain iframes. The bugs were found in WebOS 1.3.5 and are fixed in the current version. Read the full details on the blog of /intrepidus group, the researchers who found these bugs. I especially like the phone dialing stuff where they inject so-called GSM codes in order to switch off the GSM radio. Nice. Too bad I was a little behind with WebOS :-(

Conferences: SourceBoston 2010: Attacking WebOS by Chris Clark and Blackberry Mobile Spyware - The Monkey Steals the Berries (Part Deux) by Tyler Shields.

As usual, I call for hints and tips on interesting papers/slides/websites on mobile security.


There seems to be another mobile-security-related talk at SourceBoston: We Found Carmen San Diego by Don Bailey, iSec Partners & Nick DePetrillo. Reading the abstract, this looks like Locating Mobile Phones using Signalling System #7 by Tobias Engel at 25C3 in 2008. He also didn't have direct access to SS7 but used a web-based interface to some parts of SS7.

Update 2:

I just got an email from Michael; he discovered that Windows Mobile 6.5 is also vulnerable to SMS messages that contain HTML and JavaScript. He posted a small advisory yesterday after reading about the Palm Pre stuff. His advisory is here: XSS and Content Injection in HTC Windows Mobile SMS Preview PopUp.