With the increasing convergence of phone and network-aware devices come new and often unnoticed threats. Features such as built-in cameras, wireless networking, Bluetooth, calendars and phone books all present their own particular problems and associated risks. My Take: Some claim that mobile devices are developed with less security in mind than any desktop OS ever was, and that this will come back to bite users in a few years when the “mobile platform” becomes less diverse and instead more compatible.
The invisible threat from mobile devices
Submitted by LogError 2005-04-06 Bugs & Viruses 6 Comments
As we have seen with Paris Hilton's Blackberry being hacked and all the information stolen from it. That's just the ones you hear about; it would be interesting to see just how often it happens, especially with identity theft being out of control. I agree with you Eugenia, just like no one predicted the boom of the internet and the unique security issues it created with legacy systems in regards to security. For example, Windows is just now getting the security it needs to be only minimally protected against attacks derived from being connected to the internet (albeit most of the time improperly).
As I recall, BT devices could only transmit up to 10 meters. They must be pretty buff to be plowing through masonry or all the way to the car behind you. Especially when 10 meters is the theoretical max; we all know real-world usage never reaches a theoretical value.
Bluetooth devices can only transmit ten meters and be picked up reliably by a puny little device’s minuscule antenna, that is. Check out this article on how to make a BT sniper rifle to hack bluetooth devices from blocks away.
first to the paris hilton thing: that was a server hack, not a device hack.
as for that bluetooth thingy: there are two classes of bluetooth, one has a max range of 10 meters (most often found in handheld devices) and one has a range of 100 meters (usb plugs and similar often have this one). but as bluetooth is a 2-way connection you're often limited to the range of the smaller.
some of the trouble with bluetooth would not be if the user could turn on or off the different bluetooth functions of a device, like say turning off file transfer while leaving the handsfree support on and being able to toggle the modem support as needed without having to turn off the whole bluetooth system to protect themselves.
also, it's just recently that a variant of that symbian virus got bluetooth active. before that it was only over sms/mms that it could transfer (and it's in fact a better way as you can hit a larger group of targets that way, the user's entire addressbook). and i still wonder who leaves a display unit on with bluetooth active? and yes i have seen that happen irl. some n-gage was displayed so that people could try a game, and in a bored mood i had my phone scan for local bluetooth units. the phone had bluetooth turned on. but i could not get access to it as it had a key set (most likely 1234 as that seems to be default most of the time. don't recall if i tried it).
the other thing is that symbian runs stuff native, unlike say java. this leads to apps that don't have to ask for access to any ability in the phone. any java app that wants to use say wap on my phone shows me a query and then i have to say “yes/no/ask again every time”. still, there could be a bug in the java sandbox on some phone that allows the app to access stuff without the user knowing. but the phone would still be showing the java icon every time something was running.
the problem is basically this, multitasking os that runs code with no sandbox so that any app can access any feature of the phone without user intervention. it's activex all over again. the problem is, can one walk the tightrope of usability vs security?
bt devices are already a problem! Just last week I read a report that the boyfriend of Charlotte Church set his phone down for a moment. Within a short time naughty pictures of Charlotte that someone snatched from it were across the ‘net. A British tabloid said they would not run the photos “to save her further embarrassment”. Gee maybe it had more to do with the fact that she’s only 16. Give her two more years and if that happened they’d run the story and pics without blinking.
and this is why i wish that one could turn off file access while still allowing handsfree connections. hell, who needs browsing anyways? you already have a feature called push that allows you to send stuff independently of browsing.
one discovery that i just thought about kinda scared me a bit. a friend of mine had one of those early nokia phones with bluetooth and camera. when i tried to pair it with mine i had to input a code at my end and he had to mirror that code at his end. but when he tried the same with his phone he was fully allowed to pair it without a code! why on earth did they let a vital piece like that be handled by the sender?