Like Vegas in August, mobile security is hot at Black Hat


LAS VEGAS--Mobile security is a hot topic at the Black Hat security conference being held this week in Las Vegas.

For example, researchers at Accuvant Labs will be talking about how carrier control software used on over 2 billion mobile devices has security vulnerabilities that hackers could exploit to find out the device password and intercept traffic.

Carriers use the software to push over-the-air updates, to remotely lock or wipe the device, and to perform diagnostics and resets.

"Someone with knowledge of these controls and the right techniques could potentially leverage them for cellular exploitation on a global scale," the researchers warn in a description of the presentation.

In a pre-brief about the talk, researcher Matthew Solnik tells eWeek that 70 percent of the carriers his research team examined used the same back-end carrier system with the same vulnerable software.

The software uses an insecure public device identifier, opening up the device to attackers who could steal the password, he explains.

In addition, researchers from FireEye will give a talk on a technique that uses advertising technology to take over Android phones.

The researchers call the attack vector the Sidewinder Targeted Attack, which exploits JavaScript and dynamic loading vulnerabilities. By exploiting these flaws, attackers could remotely take photos using the phone's camera, call phone numbers, send SMS messages, and read and write on the clipboard.

"Once intruding into the target, the attackers can exploit several Android vulnerabilities to get valuable privacy information or initiate more advanced attacks," the researchers explain in the summary of their talk.

I am here at Black Hat and will be sharing these and other mobile security insights with you in the coming days. - Fred