Did anyone review this article before it was published? The term "smart phone" is not Microsoft-specific, and yet the attack launches Internet Explorer. Huh? Last time I checked, my Blackberry doesn't use IE as a browser, and neither does Nokia, nor Apple.
So the article was probably referring ONLY to those phones running Microsoft's Windows Mobile OS. And what is Microsoft's market share for smart phones? Less than 10%?
A more fair and reasonable headline would have been "2 Simple Steps to Hack a Microsoft Smartphone". But that wouldn't have been very newsworthy, would it?
#1 was it informative?
#2 can you do it?
#3 the example was to open explorer as an example of a browser side attack. They could have done the same with pix on an iphone. STOP HATING... this is just an example. I get so tired of people in these forums bashing the distribution of information. Go out there and make a difference yourself. If you want it to be more comprehensive... please make a video of you doing it on all the other types of OS'es so comment flamers around the world have nothing to complain about. The root of this article is to show that it CAN be done, not all the tech. This is CSO... not MAKE or a HAckerspace... Please frame your comments in a light that could be beneficial to the community instead of nit picking to look good.
I think you missed the point. The article suggests that ALL smartphones are vulnerable to these attacks, but the demonstrations are only shown on a Windows Mobile device which only represents a small portion of the market.
I think the burden should be on the guest and author to back up their claim that these vulnerabilities exist for all smartphones. For example, let's see a modern Blackberry give up its entire contacts list using an sms. If you were trying to show that this is broad problem, wouldn't you choose the most popular device you could find? But without even a simple statement such as "We tested on the Blackberry model xxx and Nokia yyy and found the same weakness..." it appears that the author either didn't realize the narrowness of the scope of the issue, or perhaps ignored it.
Either way, the article suggests that this type of attack is a greater problem than it probably is.
What you need is a slipcase or holder for the cellfone that is a Faraday shield. It is possible that the existing pouches for protecting film from airport scanning may work equally well for cellfones.
My complaint regarding the content of this article/video is that it demonstrates a serious problem, without providing any information regarding how prevalent the problem really is, nor what actions are necessary to make a device vulnerable to or safe from the attack.
The attacked device in the video was clearly an AT&T Tilt / HTC Kaiser / TyTn II. I use one of these phones (not running AT&T software, but yes running Microsoft WindowsMobile v6.1). I have MMS disabled. To my knowledge, SMS on my device can't launch a web browser or issue control commands to the device ... but is my knowledge faulty? The video didn't tell me, so it raised concerns without giving any useful guidance on how to handle them. This is not good journalism, CSO magazine.
Jay Libove, CISSP, CIPP
Barcelona, Spain
It's not just a Microsoft issue. He also hacked a Iphone which is a Apple product. It makes no difference which brand name he attacked. They all have to use the same standards otherwise they can't communicate with one another. Don't blame MS just to blame MS.
His true message is "Pay us so this doesn't happen to you." They are the new Anti-Virus companies of this century. He and other like him will make a ton of money because people don't know/Understand how to protect themselves from people like him.
I have to agree with Jay Libove. And I'm not so woried about as Ron. How do we know he did what he claimed in video ? I haven't seen any idea haw it is done and haven't seen any proof or guidance how to try it by my own hands nor any tip how to protect myself. I can realy navigate my cell phone to my previously prepared web page saying "U R Hacked" and then show my phon to camera and declare "right now i hacked this phone". Or delete all my content from phone by y hand and then state I hacked it and deleted by SMS or whatever technology (except carrier pigeons, they are too slow :). And THAT IS WHAT I EXACTLY SAW ON VIDEO, without any background info about used technology, how to make proof or just anything else related. This article is nothing more than yellow press.
Given the iPhone hack announced this week at BlackHat, this article seems more and more prescient. It can be done -- and likely will be more prevalent. So what are companies doing to protect us from hacks like this? It might be A/V all over again, but that doesn't diminish the problem of viruses or in this case of SMS hacks.
3 Simple Steps to Hack a Smartphone (Includes Video)
Security firm Trust Digital demonstrates how easy it is to steal data and push nasty stuff to a mobile device with nothing more than a phone number.
» View Article
Did anyone review this article before it was published? The term "smart phone" is not Microsoft-specific, and yet the attack launches Internet Explorer. Huh? Last time I checked, my Blackberry doesn't use IE as a browser, and neither does Nokia, nor Apple.
So the article was probably referring ONLY to those phones running Microsoft's Windows Mobile OS. And what is Microsoft's market share for smart phones? Less than 10%?
A more fair and reasonable headline would have been "2 Simple Steps to Hack a Microsoft Smartphone". But that wouldn't have been very newsworthy, would it?
This is in resp to the last comment...
#1 was it informative?
#2 can you do it?
#3 the example was to open explorer as an example of a browser side attack. They could have done the same with pix on an iphone. STOP HATING... this is just an example. I get so tired of people in these forums bashing the distribution of information. Go out there and make a difference yourself. If you want it to be more comprehensive... please make a video of you doing it on all the other types of OS'es so comment flamers around the world have nothing to complain about. The root of this article is to show that it CAN be done, not all the tech. This is CSO... not MAKE or a HAckerspace... Please frame your comments in a light that could be beneficial to the community instead of nit picking to look good.
I think you missed the point. The article suggests that ALL smartphones are vulnerable to these attacks, but the demonstrations are only shown on a Windows Mobile device which only represents a small portion of the market.
I think the burden should be on the guest and author to back up their claim that these vulnerabilities exist for all smartphones. For example, let's see a modern Blackberry give up its entire contacts list using an sms. If you were trying to show that this is broad problem, wouldn't you choose the most popular device you could find? But without even a simple statement such as "We tested on the Blackberry model xxx and Nokia yyy and found the same weakness..." it appears that the author either didn't realize the narrowness of the scope of the issue, or perhaps ignored it.
Either way, the article suggests that this type of attack is a greater problem than it probably is.
What you need is a slipcase or holder for the cellfone that is a Faraday shield. It is possible that the existing pouches for protecting film from airport scanning may work equally well for cellfones.
Dave
My complaint regarding the content of this article/video is that it demonstrates a serious problem, without providing any information regarding how prevalent the problem really is, nor what actions are necessary to make a device vulnerable to or safe from the attack.
The attacked device in the video was clearly an AT&T Tilt / HTC Kaiser / TyTn II. I use one of these phones (not running AT&T software, but yes running Microsoft WindowsMobile v6.1). I have MMS disabled. To my knowledge, SMS on my device can't launch a web browser or issue control commands to the device ... but is my knowledge faulty? The video didn't tell me, so it raised concerns without giving any useful guidance on how to handle them. This is not good journalism, CSO magazine.
Jay Libove, CISSP, CIPP
Barcelona, Spain
It's not just a Microsoft issue. He also hacked a Iphone which is a Apple product. It makes no difference which brand name he attacked. They all have to use the same standards otherwise they can't communicate with one another. Don't blame MS just to blame MS.
His true message is "Pay us so this doesn't happen to you." They are the new Anti-Virus companies of this century. He and other like him will make a ton of money because people don't know/Understand how to protect themselves from people like him.
I have to agree with Jay Libove. And I'm not so woried about as Ron. How do we know he did what he claimed in video ? I haven't seen any idea haw it is done and haven't seen any proof or guidance how to try it by my own hands nor any tip how to protect myself. I can realy navigate my cell phone to my previously prepared web page saying "U R Hacked" and then show my phon to camera and declare "right now i hacked this phone". Or delete all my content from phone by y hand and then state I hacked it and deleted by SMS or whatever technology (except carrier pigeons, they are too slow :). And THAT IS WHAT I EXACTLY SAW ON VIDEO, without any background info about used technology, how to make proof or just anything else related. This article is nothing more than yellow press.
Given the iPhone hack announced this week at BlackHat, this article seems more and more prescient. It can be done -- and likely will be more prevalent. So what are companies doing to protect us from hacks like this? It might be A/V all over again, but that doesn't diminish the problem of viruses or in this case of SMS hacks.
Dirty Tricks: Social Engineers' Favorite Pickup Lines
Tabletop Exercises: 3 Sample Scenarios
19 Ways to Build Physical Security Into Your Data Center
Get instant notifications when whitepapers, webcasts and case studies are added to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
» More blogs
CSO Perspectives
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
Trend Micro ranked #1 against real-world malware. Read more.
64-page prescriptive guide to security, compliance, and IT operations.
Removing Barriers To Better Server Virtualization Efficiency
Mining for Gold: Cybercrime Prevention and the Role of Log Management
The Executive Guide to Data Loss Prevention
Organizations can spend up to 50% more on compliance efforts than necessary.
White Paper: A Security Blueprint Delivered From within the Network
Read the RSA report: Security for Business Innovation
Upgrading to VMware vSphere with vWire
Explore the increasing importance of log management as cybercrime threats grow.
The Tripwire HIPAA Solution: Meeting the Security Standards Set Forth in Section 164
Implementing Best Practices for Web 2.0 Security
Five Ways to Reduce Your IT Audit Burden
THE IDG NETWORK