Ryan Smith Vice President and Chief Scientist Accuvant

Accuvant, the authoritative source for enterprise information security, disclosed at Black Hat USA 2014 details of security vulnerabilities that are exposing mobile phone users to risk. Research scientists Mathew Solnik and Marc Blanchou, both members of the respected Accuvant LABS team, demonstrated the attacks in order to better educate the community on the seriousness of the risks. The vulnerabilities discovered by the pair impact Android, Blackberry and a small number of iOS-based devices, with risk varying by carrier and device make and model.

Mobile phone users should make sure their devices are up to date with the latest patches. If no recent patches have been issued for a device, users should contact their carriers to find out if they are impacted and if a fix is available or has already been implemented. Organizations should leverage their MDM platforms to ensure users adopt the latest version of software for their phones.

“Carriers embed control software into most mobile devices so that they can configure phones for their networks and push over-the-air firmware updates,” said Ryan Smith, Accuvant vice president and chief scientist. “Our researchers – Mathew Solnik and Marc Blanchou – found serious security vulnerabilities in the carrier control software used in a large number of cell phones across platforms and carriers.”

Accuvant has been working diligently to properly disclose its findings to service providers to mitigate the risk. The company that makes the software has issued a fix that solves the problem; baseband manufacturers have written code to implement the fix; and carriers are in the process of distributing the fix to existing phones.

“Security threats have become a daily issue for billions of technology users around the world, so it’s critical to find vulnerabilities of this nature and fix them before they can become a big public concern,” said Christina Richmond, program director, security services, IDC. “Having specialized experts with the capabilities to conduct this kind of security research and educate organizations and consumers on how to fix these issues is essential.”

Dependent upon device and carrier, when exploited the vulnerabilities in this control software may enable attackers to install malicious software; access data; add, delete and run applications; wipe a device; and remotely change the PIN for the screen lock, among other items.

About Accuvant           
Accuvant, a Blackstone (NYSE: BX) portfolio company, is the leading provider of information security services and solutions serving enterprise-class organizations across North America. The company offers a full suite of service capabilities to help businesses, governments and educational institutions define their security strategies, identify and remediate threats and risks, select and deploy the right technology, and achieve operational readiness to protect their organizations from malicious attack. Founded in 2002, Accuvant has been named to the Inc. 500|5000 list of fastest growing companies for the last seven consecutive years. The company is headquartered in Denver, Colo., with offices across the United States and Canada.