Reuters/Vienna

 

 

Security researchers have revealed two separate threats this week they say could put up to 90% of the world’s 2bn plus smartphones at risk of password theft, stolen data and in some cases let hackers take full control of devices.

One vulnerability involves flaws in the way scores of manufacturers of Apple, Google Android and Blackberry devices, among others, have implemented an obscure industry standard that controls how everything from network connections to user identities are managed.

The threat could enable attackers to remotely wipe devices, install malicious software, access data and run applications on smartphones, Mathew Solnik, a mobile researcher with Denver-based cyber security firm Accuvant, said in a phone interview.

A separate threat specifically affecting up to three-quarters of devices running older Android software has been unearthed by researchers at Bluebox Security of San Francisco.

Dubbed “Fake ID”, the vulnerability allows malicious applications to trick trusted software from Adobe, Google and others on Android devices without any user notification, the company said on Wednesday.

“Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability,” Bluebox said in a statement referring to devices built before Google updated its core software late last year.

These risks could not be independently verified by Reuters.

Solnik stressed that the threat to smartphone management software identified by Accuvant remained remote to average users and said that only a few dozen mobile communications experts in the world would currently be able to replicate the technique. But by publicising the risks, his company hopes to avert this becoming a danger on a global scale.

The global smartphone industry has been scrambling for the past few years to respond to an increasing number of vulnerabilities uncovered in mobile technology.

Both research groups will present their findings at next week’s Black Hat hacking conference in Las Vegas, which is highlighting research on mobile technology, among other themes.

An Apple spokesmen declined immediate comment. Blackberry said it was aware of Accuvant’s findings and was seeking more details.

“BlackBerry has been working closely with Accuvant. Internal and external security researchers serve a critical role in improving industry security standards,” a spokeswoman said.

A Google spokesperson declined to comment on the general vulnerability raised by Accuvant about many smartphone devices. He confirmed that Google had quickly distributed a patch to Android phone makers on learning of the issue from Bluebox.

In general, Android’s open software development process encourages individuals and security firms to report security issues, allowing the company to push patches to manufacturers, which in turn must implement the fixes.

The spokesperson said it has scanned all apps in Google Play, Android’s application market place, and elsewhere and have found no risks to users. “We have seen no evidence of attempted exploitation of this vulnerability,” he said.

Christina Richmond, a security services analyst with research firm IDC said detecting these vulnerabilities is positive in that the phone industry has a chance to act on these findings before they can be exploited by bad actors.

“These security threats have become everyday issues for billions of smartphone users worldwide,” she said. “Mr. and Mrs. end user needs to understand the risk of not updating their phone’s software.”

Security researchers say Android’s rapid growth and dominant market share has come with an Achilles heel.

 

Related Story