Security : Fraud : :
Accuvant Discloses Cellular Phone Software Vulnerabilities
Provides End User Guidance
Accuvant, the authoritative source for enterprise information security, disclosed at Black Hat USA 2014 details of security vulnerabilities that are exposing mobile phone users to risk. Research scientists Mathew Solnik and Marc Blanchou, both members of the respected Accuvant LABS team, demonstrated the attacks in order to better educate the community on the seriousness of the risks. The vulnerabilities discovered by the pair impact Android, Blackberry and a small number of iOS-based devices, with risk varying by carrier and device make and model.
Mobile phone users should make sure their devices are up to date with the latest patches. If no recent patches have been issued for a device, users should contact their carriers to find out if they are impacted and if a fix is available or has already been implemented. Organizations should leverage their MDM platforms to ensure users adopt the latest version of software for their phones.
“Carriers embed control software into most mobile devices so that they can configure phones for their networks and push over-the-air firmware updates,” said Ryan Smith, Accuvant vice president and chief scientist. “Our researchers – Mathew Solnik and Marc Blanchou – found serious security vulnerabilities in the carrier control software used in a large number of cell phones across platforms and carriers.”
Accuvant has been working diligently to properly disclose its findings to service providers to mitigate the risk. The company that makes the software has issued a fix that solves the problem; baseband manufacturers have written code to implement the fix; and carriers are in the process of distributing the fix to existing phones.
“Security threats have become a daily issue for billions of technology users around the world, so it’s critical to find vulnerabilities of this nature and fix them before they can become a big public concern,” said Christina Richmond, program director, security services, IDC. “Having specialized experts with the capabilities to conduct this kind of security research and educate organizations and consumers on how to fix these issues is essential.”
Dependent upon device and carrier, when exploited the vulnerabilities in this control software may enable attackers to install malicious software; access data; add, delete and run applications; wipe a device; and remotely change the PIN for the screen lock, among other items.