Share

Smartphone flaws put users at risk

Vienna - Security researchers have revealed two separate threats this week they say could put up to 90% of the world's two billion plus smartphones at risk of password theft, stolen data and in some cases let hackers take full control of devices.

One vulnerability involves flaws in the way scores of manufacturers of Apple, Google Android and Blackberry devices, among others, have implemented an obscure industry standard that controls how everything, from network connections to user identities, are managed.

The threat could enable attackers to remotely wipe devices, install malicious software, access data and run applications on smartphones, Mathew Solnik, a mobile researcher with Denver-based cyber security firm Accuvant, said in a phone interview.

A separate threat specifically affecting up to three-quarters of devices running older Android software has been unearthed by researchers at Bluebox Security of San Francisco.

Dubbed "Fake ID", the vulnerability allows malicious applications to trick trusted software from Adobe, Google and others on Android devices without any user notification, the company said on Wednesday.

"Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability," Bluebox said in a statement referring to devices built before Google updated its core software late last year.

These risks could not be independently verified by Reuters.

Solnik stressed that the threat to smartphone management software identified by Accuvant remained remote to average users and said that only a few dozen mobile communications experts in the world would currently be able to replicate the technique. But by publicising the risks, his company hopes to avert this becoming a danger on a global scale.

Fixing flaws

The global smartphone industry has been scrambling for the past few years to respond to an increasing number of vulnerabilities uncovered in mobile technology.

Both research groups will present their findings at next week's Black Hat hacking conference in Las Vegas, which is highlighting research on mobile technology, among other themes.

An Apple spokespeople declined immediate comment.

Blackberry said it was aware of Accuvant's findings and was seeking more details.

"BlackBerry has been working closely with Accuvant. Internal and external security researchers serve a critical role in improving industry security standards," a spokesperson said.

A Google spokesperson declined to comment on the general vulnerability raised by Accuvant about many smartphone devices. He confirmed that Google had quickly distributed a patch to Android phone makers on learning of the issue from Bluebox.

In general, Android's open software development process encourages individuals and security firms to report security issues, allowing the company to push patches to manufacturers, which in turn must implement the fixes.

The spokesperson said it has scanned all apps in Google Play, Android's application market place, and elsewhere and have found no risks to users. "We have seen no evidence of attempted exploitation of this vulnerability," he said.

Christina Richmond, a security services analyst with research firm IDC said detecting these vulnerabilities is positive in that the phone industry has a chance to act on these findings before they can be exploited by bad actors.

"These security threats have become everyday issues for billions of smartphone users worldwide," she said. "Mr and Mrs end user needs to understand the risk of not updating their phone's software."

The disclosures come as market share statistics released on Thursday by mobile research firm Strategy Analytics show Android capturing a dominant 85 percent share of smartphones shipped worldwide in the second quarter. All major rivals from Apple iOS to Microsoft to Blackberry lost market share.

Security researchers say Android's rapid growth and dominant market share has come with an Achilles heel.

Until late last year, successive versions of Android were distinct creatures, making it hard, if not impossible for developers to update products for each software release, and meaning most Android security features could not be back-dated.

The "Fake ID" vulnerability is widespread in Android phones dating back to the January 2010 release of Android 2.1 software and affects all devices not patched by Google, Bluebox said.

We live in a world where facts and fiction get blurred
Who we choose to trust can have a profound impact on our lives. Join thousands of devoted South Africans who look to News24 to bring them news they can trust every day. As we celebrate 25 years, become a News24 subscriber as we strive to keep you informed, inspired and empowered.
Join News24 today
heading
description
username
Show Comments ()
Rand - Dollar
19.01
-0.4%
Rand - Pound
24.13
-0.1%
Rand - Euro
20.62
-0.1%
Rand - Aus dollar
12.38
+0.3%
Rand - Yen
0.13
+0.5%
Platinum
901.05
-0.2%
Palladium
999.00
-0.7%
Gold
2,149.87
-0.5%
Silver
24.84
-0.8%
Brent Crude
86.89
+1.8%
Top 40
65,953
-0.5%
All Share
72,165
-0.4%
Resource 10
53,256
-0.1%
Industrial 25
99,523
-1.0%
Financial 15
16,664
+0.3%
All JSE data delayed by at least 15 minutes Iress logo
Company Snapshot
Editorial feedback and complaints

Contact the public editor with feedback for our journalists, complaints, queries or suggestions about articles on News24.

LEARN MORE
Government tenders

Find public sector tender opportunities in South Africa here.

Government tenders
This portal provides access to information on all tenders made by all public sector organisations in all spheres of government.
Browse tenders