Remember a few weeks ago when we got the Android OS Update for a Security Fix but no details were provided? Well… I think now we know what that was all about. At the Black Hat Security Conference in Las Vegas, Charlie Miller and Collin Mulliner spoke about vulnerabilities in mobile platforms like Android, iPhone, and Windows Mobile.
The two researchers created a layer, called the injector, just above the bottom of the telephony stack that performs a man-in-the-middle attack by intercepting communication between a mobile device’s modem and multiplexer.
The pair state that they found multiple SMS vulnerabilities on Android and iPhone systems and are still working on Windows Mobile systems.
Uhohs! The problem is pretty severe, too. Check out how it affects the iPhone:
“This bug can be utilized for a serious denial-of-service attack since the victim can be effectively barred from making and receiving phone calls,” the researchers claim.
And the problem in Android is more permanent:
“The bug is similar to the second iPhone bug in the way that it kills the telephony process (com.android.phone) and thus kicks the Android device from the mobile phone network,” the pair state in their paper. “On Android the bug is a little more interesting since it will permanently kick the target device off the network if the SIM card residing in the phone has a PIN set.”
Apparently the iPhone problem still exists, leading some journalists to suggest you turn off your iPhone if you get weird text messages. Google, on the other hand, has already patched the problem for Android. And it couldn’t have been patched if they didn’t push the update to mobile phones, so we’re guessing that is EXACTLY what happened when making the update seen below:
Props to Google and the Android team for staying on top of things. And if you’ve got an iPhone… *golf clap*