The folks over at Zero Day Initiative (ZDI) have discovered a vulnerability in the software that processes .jpg images on a Motorola RAZR mobile phone. The vulnerability allows an attacker to execute arbitrary code on the phone.
This illustrates how the area of mobile device security is evolving. The mere fact that people are researching ways to compromise mobile phones is a new development. Given the underground economy fueling the hacking community, someone must have come up with a business model for compromised mobile devices. In the case of a RAZR, it might not be much more than a platform for SMS or Bluetooth spam, but someone probably found a monetary driver for the research. Time will tell if they came up with something more interesting than spam.
Another interesting evolution is that the bad guys are aware of the value of the data on mobile devices. I'm not sure that the mobile device owners have the same insight. Most people probably fail to realize the value of the information stored in their cell phone.
I think that many people would be amazed at the information I could glean from their mobile phone. A few things I would check include:
- Who is #2 on your speed dial? (#1 is usually 911)
- Who is in your address book?
- What are the numbers in your call logs?
- Do you have any voice memos?
- What pictures do you have in your cell phone?
- Do you have a calendar and what items are listed?
Things get even more interesting if the compromised device is a smartphone. Now there is the possibility of using the smartphone as a point of entry into corporate networks. As smartphones become more powerful, they become just as dangerous as a PC or laptop. We need to start thinking about how much we trust these devices and what kind of data it is acceptable to store on them.
I don't think that this RAZR vulnerability will amount to much. F-Secure seems to agree with me. However, it is a signal that the bad guys are starting to consider our mobile devices as legitimate targets of value. We need to start considering them in the same manner.
ZDNet's Zero Day also has a discussion of this one. They're focusing on the screwed-up process for updating and fixing the issue rather than the big-picture stuff, but it's still an interesting read.
