Symbian Hacked?

Posted in Mobile / Cellular / Bluetooth by Dragan Pleskonjic @ Oct 28, 2007

Gábor Török, a senior mobile software engineer who has been involved in S60 platform development since 2000, posted an interesting article on his blog. The post is titled “Symbian Platform Security - hacked?” and links to a couple of other blogs and Web pages with related resources.

With a couple of not-so-complex steps (if you are familiar with programming and Symbian), you can change the firmware and flash your phone. The result is a phone whose software lets you grant any 3rd party application such powerful rights that it can do basically anything on the device. The demonstration uses a great S60 program, Y-Browser, with the AllFiles capability added so that he could explore the entire file system, which he hadn’t been able to do until then.

Gábor says it is not clear why Symbian published such confidential information, which is useful solely to phone manufacturers. He also says that the documentation of the Software Installation Policy is a very internal thing. It is enough for one talented person to stumble upon that documentation and use it. Also, why is a firmware package in a format that anyone can edit?

There is also an interesting article at Antony’s Mobile Blog. It confirms that the hack works. Manko from Symbaali has demonstrated how he can access protected folders on the phone. Antony believes that Symbian or Nokia will come up with a counter-hack pretty soon. It is going to be very interesting to watch the next steps.

Hopefully, this will be fixed with another firmware update that we will not have to wait too long for. It also shows that mobile phones and other PDA devices are a new arena for security battles.

Remark: Thanks to Robert B. for pointing me to this excellent article.


Ericsson Interception Management System Manual

Posted in Mobile / Cellular / Bluetooth, Privacy, Security by Dragan Pleskonjic @ Aug 13, 2007

This sounds unbelievable, but a document marked as strictly confidential, the Ericsson Interception Management System Manual, is available for free download from the Internet. I don’t know whether the document is obsolete or still valid, but it is very surprising that you can obtain it from the Internet. I learned about this through an article in IEEE Spectrum related to the Greek telephone tapping scandal.


The Athens Affair: Cell-Network Break-In

Posted in Mobile / Cellular / Bluetooth, Privacy by Dragan Pleskonjic @ Aug 11, 2007

In the July 2007 issue of IEEE Spectrum, there is an interesting article on how some extremely smart hackers pulled off the most audacious cell-network break-in ever. It is still unknown who pulled off the hack, but here’s (IEEE Spectrum: The Athens Affair) how they did it. The article gives technical insight.

The illegally wiretapped cellphones in the Athens affair included those of the prime minister, his defense and foreign affairs ministers, top military and law enforcement officials, the Greek EU commissioner, activists, and journalists.

The Wikipedia article http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005 contains additional links to press stories and background material.

Ericsson’s Interception Management System user manual (marked confidential) is available on the Web through a Google search: http://www.google.com/search?q=IMS+ericsson+manual or at http://cryptome.org/ericsson-ims.htm


“Unlock” your iPhone!?

Posted in Hardware Security, Mobile / Cellular / Bluetooth by Dragan Pleskonjic @ Aug 8, 2007

Seems interesting if it is true - Tutorial: “Unlock” your iPhone with SuperSim - Hackint0sh.


Is Someone Eavesdropping on Your Mobile Conversations? Then Clean the Trojan From Your Mobile.

Posted in Mobile / Cellular / Bluetooth, Privacy by Dragan Pleskonjic @ Dec 28, 2006

At present, many people talk about the possibility of their phone communications being eavesdropped on, including voice calls, data transfers and SMS/MMS messages.

At the “Systems exposition” in Germany, Mr Wilfried Hafner, general manager of SecurStar, demonstrated how easy it is to listen in on everybody’s mobile telephone conversation and spy on every sent or received telephone message. Read the articles at itwire.com, here and here.

He found and demonstrated a new cellular phone vulnerability that allows infecting any cellular phone with a Trojan horse (RexSpy). This Trojan is sent to the victim using a special SMS that automatically starts itself on the target phone. SecurStar has developed and distributes free of charge a small utility that removes the “RexSpy” Trojan from infected phones. You can download it from the download section of their Web site (requires registration, of course). According to the SecurStar web site, a removal utility for Symbian, Palm and Blackberry devices will be provided in the next weeks.

SecurStar also produces PhoneCrypt, security software for mobile phones. They claim: with PhoneCrypt, SecurStar offers the ultimate security solution for mobile phones. With this software, every telephone call will be 100% encrypted and nobody will be able to listen to your phone conversations. PhoneCrypt also patches the Smartphone operating system (Windows Mobile) and eliminates vulnerabilities such as the one used by RexSpy and others, so that your phone can no longer be infected. More information about PhoneCrypt here.

I haven’t tried the SecurStar software yet, so I can’t speak from personal experience. If you have, please send your opinions.


Avoid Pairing In A Public Location

Posted in Mobile / Cellular / Bluetooth by Dragan Pleskonjic @ Dec 25, 2006

Bluetooth wireless technology is a short-range communications technology intended to replace the cables connecting portable and/or fixed devices while maintaining high levels of security. The key features of Bluetooth technology are robustness, low power, and low cost. The Bluetooth specification defines a uniform structure for a wide range of devices to connect and communicate with each other.

Bluetooth technology has achieved global acceptance such that any Bluetooth enabled device, almost everywhere in the world, can connect to other Bluetooth enabled devices in proximity. Bluetooth enabled electronic devices connect and communicate wirelessly through short-range, ad hoc networks known as piconets. Each device can simultaneously communicate with up to seven other devices within a single piconet. Each device can also belong to several piconets simultaneously. Piconets are established dynamically and automatically as Bluetooth enabled devices enter and leave radio proximity.

A fundamental Bluetooth wireless technology strength is the ability to simultaneously handle both data and voice transmissions. This enables users to enjoy a variety of innovative solutions such as a hands-free headset for voice calls, printing and fax capabilities, and synchronizing PDA, laptop, and mobile phone applications, to name a few.

But Bluetooth technology has raised some security and privacy concerns. If you want to know more about these, i.e. about bluejacking, bluebugging, bluesnarfing and related issues, visit the official Bluetooth SIG (Special Interest Group) web site and its security section (here).

That is one side of the coin. There are many papers that describe how pairing in a public location potentially introduces a security risk.

Pairing in a public place, such as a point of sale, is discouraged when using the pairing procedure from the Bluetooth Baseband specification, as there is much greater risk that a subversive unit may intercept the keys. Note that such risk only occurs if a low-entropy Bluetooth passkey value is used.

For the highest level of security when using the pairing procedure from the Bluetooth Baseband specification, random long Bluetooth passkey values must be used. The maximum (useful) length of a passkey is 128 bits. An alternative approach for secure pairing is to provide a physical serial port interface between the Audio Gateway (AG) and the Headset (HS) to transfer sufficiently strong link keys directly.
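An added example, not part of the original post or of the Bluetooth specification: a small Python check that bounds the entropy of a candidate passkey and generates a random one within the 128-bit limit mentioned above. The 64-bit policy threshold and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

MAX_PASSKEY_BITS = 128  # maximum useful passkey length stated in the text
MIN_BITS = 64           # assumed policy threshold, not taken from the specification

PRINTABLE = string.digits + string.ascii_letters + string.punctuation  # 94 symbols
# Character classes, smallest first; a passkey is scored against the
# smallest class that contains all of its characters.
CLASSES = [
    string.digits,                           # 10 symbols (keypad PIN)
    string.digits + string.ascii_lowercase,  # 36 symbols
    string.digits + string.ascii_letters,    # 62 symbols
    PRINTABLE,
]

def entropy_upper_bound(passkey: str) -> float:
    """Bits of entropy IF every character was drawn uniformly at random.
    Human-chosen values such as "0000" are far weaker than this bound."""
    for chars in CLASSES:
        if all(c in chars for c in passkey):
            bits = len(passkey) * math.log2(len(chars))
            return min(bits, MAX_PASSKEY_BITS)
    # Anything else: count raw UTF-8 bits, capped at the 128-bit maximum.
    return min(8 * len(passkey.encode("utf-8")), MAX_PASSKEY_BITS)

def audit(passkey: str) -> dict:
    """Score a passkey against the assumed MIN_BITS policy."""
    bits = entropy_upper_bound(passkey)
    return {"bits": round(bits, 1), "meets_policy": bits >= MIN_BITS}

def generate_passkey(length: int = 16) -> str:
    """Random passkey from the OS CSPRNG; 16 printable characters fit in
    16 bytes (128 bits) and carry about 104.9 bits of entropy."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))

if __name__ == "__main__":
    # Constructed sample passkeys, plus one freshly generated value.
    for sample in ["0000", "1234567890123456", generate_passkey()]:
        print(repr(sample), audit(sample))
```

Even a 16-digit numeric passkey stays below the assumed threshold, which is why the text asks for long random values rather than keypad-style PINs.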

Read this and this.


Remotely Eavesdropping on Mobile Phone

Posted in Mobile / Cellular / Bluetooth, Privacy by Dragan Pleskonjic @ Dec 5, 2006

Can a mobile / cellular phone be used for remote eavesdropping? Maybe yes, maybe no – who knows.

Read Schneier’s interesting post to find out more about this.


SMiShing - What is that?

Posted in Malicious Software, Mobile / Cellular / Bluetooth by Dragan Pleskonjic @ Nov 27, 2006

You are probably overwhelmed by the many new words and acronyms that you hear or read everywhere. Here is one more: SMiShing. The McAfee Avert Labs Blog, in its post (I saw this word for the first time there), considers SMiShing an emerging threat vector. Some cell phone users have started receiving SMS messages that urge them to visit various web sites or that are fake confirmations of signing up for various online services.

This is a version of phishing by SMS, and yet another indicator that cell phones and mobile devices are increasingly being used by perpetrators of malware, viruses and scams. SMiShing will certainly require more attention in the future.


Annoying Mobile Spam: The Next Battleground?

Posted in Mobile / Cellular / Bluetooth, Wireless Security by Dragan Pleskonjic @ Sep 5, 2005

Market surveys performed in the USA suggest that unwanted mobile spam continues to grow, with as many as 10 percent of all U.S.-based mobile-phone subscribers having already received and been annoyed by SMS spam, according to Jupiter Research.

According to a joint study conducted by Intrado, Switzerland’s University of St. Gallen and the International Telecommunication Union, more than 80 percent of Europe’s mobile-phone users received at least one unwanted spam message cloaked as a short messaging service (SMS) transmission during 2004. Moreover, the results indicate that 83 percent of all mobile users responding to the survey expect mobile spam to become a critical issue for them within the next one to two years.

Although the U.S. lags far behind Europe with respect to the prevalence of SMS technology, at least 75 percent of the mobile phones used in North America today are SMS-capable. This percentage will rise to 100 percent by the end of 2006, predicts IDC senior research analyst Lewis Ward. In addition, by the end of 2005 there will be 65 million subscribers to SMS services, or 36 percent of all wireless subscribers, Ward said.

Given the technology’s increasing traction in the U.S. mobile marketplace, is it likely that North America will become the next big battleground for mobile spam? The short answer is “no,” said Jim Manis, the global chairman of the Mobile Marketing Association (MMA).

According to local news in some countries, SMS spam occurs from time to time. These messages can be boring at the least, but also very annoying and disturbing by their nature and content. This is a warning that SMS spam has appeared here in a very bad and annoying way, and mobile / wireless operators should be ready to fight this kind of attack.
