New Mobile Gear? Careful Now…

Get some new toys for Christmas?  I did.  I scored a brand new iPad2 from my lovely wife for being such a nice fella this year.  I was almost certain that I would end up on that OTHER list this year.  So now I’m outfitted like I was back in the ’80s, only instead of a PalmPilot-1, a cellphone and a pager, I can go to interviews with my notebook, iPad and Blackberry.  Technology is becoming more and more portable, powerful, and disposable.  At least one of these devices is going to go the way of that old PalmPilot (I actually still have it, and about a dozen other gizmos.  Don’t tell the wife.  Our little secret.  She never reads this blog anymore.  Boring…).

Access Data, a digital forensics company, recently performed some “informal research” into those old, disposed-of smartphones and PDAs that most of us don’t give a second thought to after pulling out the SIM card.  A handful of phones were found in the “secondary” market and were examined to show how easy it is to glean information from old or lost phones, even if a factory reset has been performed.

An expert from Access Data gave Dark Reading the skinny on his findings from this informal research, and explained some of the repercussions for both corporations and consumers who don’t pick, manage, or dispose of their phones wisely.  Well worth the read.

Bio-Metric VPN For Android

AuthenTec has introduced a security solution combining a VPN client with a fingerprint reader for Android smartphones and tablets.  The QuickSec Mobile VPN Client 2.0 is a full-featured, IPsec-compliant VPN solution.  It is more secure and faster than the native Android VPN client, and improves on the original QuickSec VPN Client for Android with new features such as IKEv2 with MOBIKE, IPv6 support, and support for Android 2.3 or later.  It also offers improved configuration, security, and interoperability with major VPN gateways.


Watch What Your Kids Play With

SoftPedia has translated a Romanian article from Bitdefender, warning users to pay close attention to what their children are accessing on the internet.  Harmless looking games are hiding dangerous malware that could compromise the entire device and all of its information.

According to the head of Online Threat Labs at Bitdefender, “Some of these dangerous games are easily identified by adults – who suspect that something is abnormal about them when they require permission to install various programs in the computer or they redirect to other websites.  A 4-year-old doesn’t understand the concept of online vulnerability.”

Most of the compromised games appear to be Flash based.  The colorful images and playful sounds look innocent enough, but in some cases are hiding applications that could provide a backdoor and surrender control of the device to attackers out to get at your sensitive information.  Bitdefender claims that this method of attack is expected to accelerate in the near future, as recent studies show that in the USA and UK more than 40% of children are active in social networking environments.  24% of parents don’t monitor the online activities of their offspring.

HTC Android Data Leakage

The SlashGear blog has recently reported on “the mother of all Android malware”, discovered in the security system of HTC Android-based devices. The report claims that it is leaking huge amounts of users’ private data. According to SlashGear, the flaw has been traced to an application called “HTCLoggers.apk”, in phones with the HTC Sense UI package.  The flaw is due to customization that allows any app that asks for the right permission to access all sorts of private user data.  The vulnerability is so bad that apparently an attacker could duplicate the phone in its entirety using it.

HTC is investigating the claims.

PoC Trojan Steals Spoken Credit Card Numbers

The age of mobile banking is upon us.  The age of mobile fraud is about to escalate. 

A team of security researchers from 2 universities has created a proof-of-concept Trojan for Android smartphones that listens for typed or spoken credit card numbers, and relays them back to the mothership.  They are calling their creation ‘Soundminer’ and it has far-reaching implications.  This is the sort of thing that we can expect on the threat horizon for the next few years.  Attacks are going to be moving away from corporate control choke-points, and further towards the end-user, where the controls in place are likely to be fewer and less complex.

In order to minimize nefarious activity, software on Android platforms must request permission for each system function accessed.  These requests are grouped into categories and are presented to the user during installation.  The user is expected to make decisions about what to allow and what not to allow.  As is typical when relying on wetware to make security decisions, these are not always WELL INFORMED decisions.  Soundminer takes a novel approach to bypassing these restrictions by justifying its access requests to the ‘Phone calls’ category for reading phone state and identity information, to ‘Your personal information’ to read contact data, and to ‘Hardware controls’ in order to record audio.  These would seem normal enough, and none would set off alarm bells in an app marketed as a voice recording or call optimization tool.

Once installed, Soundminer sits in the background, waiting.  When triggered by the placing or receiving of a call, the application listens for specific keystrokes or sounds made during a connection, typically indicating the passing of credit card information or a PIN entry, and silently records the information.  The software works for both spoken numbers, as requested by some IVR systems and human operators, and numbers typed into the dialpad on the phone.

As Soundminer does not have access to the ‘Network communication’ category, it is unable to directly transmit the data that it captures.  Instead, it relies on a second app, called Deliverer, which exists purely to relay the data to the attacker.  Google has tried to make it difficult for two apps to transfer data to each other without the user being aware.  The team found that if they used Soundminer to modify hardware settings such as backlight timeout and ring volume, the Deliverer app could read those settings back without arousing suspicion.  This provides a covert back-channel that makes fooling the user significantly easier.  In the team’s research paper (PDF), they suggest a defence mechanism that can detect and prevent the transmission of credit card numbers by Soundminer and similar Trojans.
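A defender's view of the settings back-channel described above, as an added example that is not from the research paper and is not the defence mechanism it proposes: the sketch flags apps that rewrite a watched setting many times in a short window with no user present, and notes whether the writer can record audio but has no network permission. The log format, setting names, package names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed names for the two settings the article mentions.
WATCHED = {"backlight_timeout", "ring_volume"}
WINDOW_S, MIN_WRITES, MIN_DISTINCT = 60, 6, 3  # assumed thresholds

# Constructed inventory: package -> permissions it holds.
SAMPLE_PERMS = {
    "com.example.recorder": {"android.permission.RECORD_AUDIO",
                             "android.permission.READ_PHONE_STATE"},
    "com.example.alarm": {"android.permission.INTERNET"},
}

# Constructed log lines: "<seconds> <package> <setting> <value> user=<0|1>"
SAMPLE_LOG = (
    ["100 com.example.alarm ring_volume 7 user=0",
     "160 com.example.settings backlight_timeout 30000 user=1"]
    + [f"{200 + 2 * i} com.example.recorder ring_volume {v} user=0"
       for i, v in enumerate([3, 5, 1, 6, 2, 4])]
    + ["400 com.example.alarm ring_volume 5 user=0"]
)

def parse(line):
    ts, pkg, setting, value, user = line.split()
    return float(ts), pkg, setting, int(value), user == "user=1"

def suspicious_writers(lines, perms):
    """Return packages whose setting writes look like signalling, not use."""
    recent = defaultdict(deque)  # (package, setting) -> recent (ts, value)
    flagged = defaultdict(set)
    for line in lines:
        ts, pkg, setting, value, user_present = parse(line)
        if setting not in WATCHED or user_present:
            continue  # changes made while the user is interacting are expected
        window = recent[(pkg, setting)]
        window.append((ts, value))
        while ts - window[0][0] > WINDOW_S:
            window.popleft()  # drop writes older than the sliding window
        if (len(window) >= MIN_WRITES
                and len({v for _, v in window}) >= MIN_DISTINCT):
            flagged[pkg].add(setting)
    report = {}
    for pkg, settings in flagged.items():
        held = perms.get(pkg, set())
        report[pkg] = {
            "settings": sorted(settings),
            # Matches the article's profile: can listen, cannot transmit.
            "mic_without_network": "android.permission.RECORD_AUDIO" in held
            and "android.permission.INTERNET" not in held,
        }
    return report

if __name__ == "__main__":
    print(suspicious_writers(SAMPLE_LOG, SAMPLE_PERMS))
```
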

Their findings are due to be presented at next month’s Network & Distributed System Security Symposium in San Diego.