Security flaw creates Android, Palm Pre snoop risk

John Leyden, The Register, 8/13/2010

Security researchers claim to have uncovered an unpatched flaw that creates a means to plant bugging software on Palm Pre devices.

The vulnerability means that the Palm Pre phone might be compromised through the receipt of a maliciously constructed message. This message would place a backdoor on compromised devices that surreptitiously records and transmits audio and stored data.

The flaw was discovered by MWR Labs, the research arm of British security outfit MWR InfoSecurity, a CESG-accredited firm that specialises in penetration testing.

MWR Labs discovered the security bug in May in the course of investigating rumours about smartphone security weaknesses. The firm informed Palm/HP of its findings at the time but is yet to hear back, prompting the decision to release limited details of the bug.

Alex Fidgen, a director at MWR, told El Reg that it had decided to withhold details of the flaw pending the availability of a fix. HP/Palm is yet to return our request for comment.

An excitable press release from MWR attributes a quote to Fidgen describing the flaw as offering a “James Bond scenario” for spying. Fidgen said the quote was a case of MWR’s PR bods “getting carried away” rather than a genuinely held view.

MWR researchers separately discovered a flaw in the browser on Android handsets that might allow the harvesting of stored username and password data.

In a statement, Google said the vulnerability was not particular to its phones and had already been patched.

This is a bug which is not exclusive to Android and that can only be triggered if users visit a malicious website or access a malicious wifi network via their mobile phone.We are not aware of any users having been affected by this bug to date, and it has been fixed in the latest version of our Android software. As always, mobile phone users can protect themselves by only visiting websites and using wifi networks they trust.

Fidgen confirmed the flaw had been addressed, adding that MWR’s ability to find a brace of nasty bugs over just two days of research provided evidence that smartphone security was generally lacking. ®

Share

Related posts:

  1. Security flaw puts iPhone users at risk of phishing attacks (Updated) Chris Foresman, Ars Technica, 2/4/2010 When Apple introduced iPhone OS 3.0, it attempted to beef up the security of over-the-air...
  2. Potentially nasty new iPhone security flaw discovered Greg Kumparak, TechCrunch, 2/4/2010 Considering its popularity and the number of handsets floating around out there compared to the number...
  3. iPad jailbroken already, using leftover security flaw Casey Johnston, Ars Technica, 4/5/2010 The iPad, scarcely two days out of the gate, has already been jailbroken. By Sunday...
Posted on August 13, 2010 at 10:01 am by lesliemanzara · Permalink
In: Android, Mobile Technology, Palm (HP) · Tagged with: ,

2 Responses

Subscribe to comments via RSS

  1. Written by MobileInternetS
    on August 13, 2010 at 3:01 pm
    Permalink

    Security flaw creates Android, Palm Pre snoop risk http://is.gd/eg6pJ

  2. Written by MobileInternetS
    on August 17, 2010 at 3:33 pm
    Permalink

    Security flaw creates Android, Palm Pre snoop risk http://bt.io/Fpmk

Subscribe to comments via RSS

Leave a Reply