Hijacking Mobile-Phone Data

  • Friday, April 17, 2009
  • By Erica Naone

Once a phone has been configured to route data through the attacker's server, this could reveal the user's login credentials or cookies. The researchers say that it may also be possible for an attacker to add unwanted content, such as unsolicited advertisements, to the Web pages that a user views on her phone. By combining this technique with other vulnerabilities, they say that an attacker might even be able to use the mobile device to target resources normally protected within the carrier's network.

David Wagner, an associate professor of computer science at the University of California, Berkeley, who has studied wireless security, cautions that more work needs to be done to identify what conditions are required to exploit the vulnerability and how widespread the problem may be. "I did see in the paper a number of caveats that raised questions in my mind about the degree to which this vulnerability would affect consumers, even if the vulnerability can be exploited," Wagner says. In particular, he notes, it is unclear whether some cell-phone providers may block fake messages or if others would stop an attacker from redirecting Internet traffic. Also, many users may not be fooled by the attack. "If any of these conditions are not met, the attack might be blocked," Wagner says.

The researchers concede that mobile operators could prevent the attack by implementing proper security measures. For example, operators could watch for text messages that show telltale signs of a configuration protocol and check that they originate from an authorized source. Other measures, such as showing the user how her device has been adjusted or monitoring Internet traffic that's being directed out of the carrier's network, might also help.
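The operator-side check described above, as an added example (not code from the article or the researchers' paper). It assumes provisioning messages arrive as WAP Push over SMS on user-data-header destination port 2948 with the OMA Client Provisioning content type; the function names, source identifiers and sample bytes are constructed for illustration.

```python
import struct

WAP_PUSH_PORT = 2948     # UDH destination port for connectionless WAP Push
CT_PROVISIONING = 0xB6   # WSP short form of application/vnd.wap.connectivity-wbxml
SEC = {0x80: "NETWPIN", 0x81: "USERPIN", 0x82: "USERNETWPIN", 0x83: "USERPINMAC"}

def udh_dest_port(ud):
    """Walk the user data header; return (destination port or None, payload offset)."""
    udhl, i, port = ud[0], 1, None
    while i + 1 < 1 + udhl:
        iei, length = ud[i], ud[i + 1]
        if iei == 0x05 and length == 4:          # 16-bit application port addressing
            port = struct.unpack(">H", ud[i + 2:i + 4])[0]
        i += 2 + length
    return port, 1 + udhl

def inspect_sms(source, ud, authorized):
    """Return a verdict for one SMS whose user data starts with a UDH."""
    port, off = udh_dest_port(ud)
    wsp = ud[off:]
    if port != WAP_PUSH_PORT or len(wsp) < 4 or wsp[1] != 0x06:  # 0x06 = WSP Push
        return "pass"
    hdr = wsp[3:3 + wsp[2]]                      # assumes a one-byte headers length
    if not hdr:
        return "pass"
    if hdr[0] == 0x1F:                           # length-quote, then one-byte length
        ct = hdr[2:2 + hdr[1]]
    elif hdr[0] < 0x1F:                          # short value-length
        ct = hdr[1:1 + hdr[0]]
    else:
        ct = hdr[:1]                             # bare content type, no parameters
    if not ct or ct[0] != CT_PROVISIONING:
        return "pass"
    if source not in authorized:
        return "block: provisioning message from unauthorized source"
    if len(ct) >= 3 and ct[1] == 0x91:           # SEC parameter declares the MAC method
        return "allow: authorized source, SEC=" + SEC.get(ct[2], "unknown")
    return "alert: provisioning message without SEC/MAC"

# Constructed sample messages (not captured traffic).
AUTHORIZED = {"ota.operator.example"}            # hypothetical ingress identifier
UDH = bytes.fromhex("0605040b8423f0")            # dest port 2948, source port 9200
BODY = bytes.fromhex("030b6a00")                 # placeholder WBXML bytes
SIGNED = UDH + bytes.fromhex("01062f1f2db6918192") + b"0" * 40 + b"\x00" + BODY
UNSIGNED = UDH + bytes.fromhex("010601b6") + BODY
CHAT = bytes.fromhex("050003aa0201") + b"hello"  # ordinary concatenated text SMS
```

The verdict only reports that a MAC method is declared; validating the MAC itself requires the shared secret and is outside this sketch.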

Mune says that the attack "could be feasible on quite a large number of networks and handsets," and that his team has successfully tested it with a variety of common handsets on large networks in Europe. Although the researchers aren't working with any mobile operators to resolve the vulnerability, they say that they have given notice to relevant parties and are open to helping with the issue if needed.


mitchell.musarra

  • 04/19/2009

Honey Bee

  • 11/18/2009

Re: Phone hijacking

It is amazing, I agree with you completely

Guest (famulla)

  • 04/20/2009

CELL PHONE STEALING

If I am not mistaken, the cell software in India has come up with the software that tracks down your cell phone. You may try this in the www.celltracker.com
[PDF] CellTracker Stand 2261.023 ITU Telecom World 2003 Exhibition ...
File Format: PDF/Adobe Acrobat - View as HTML
Celltracker Ltd. provides the world's leading software solution of choice (CellTracker) for the management of network roll-outs and deployments (GSM,2G ...
www.itu.int/TELECOM/scripts/exhibition_catalogue/web_catalogue/entries/8853.pdf -
Tech Track 100 detailsCellTracker. Telecoms software developer. Sales growth ... Now his company, CellTracker, supplies this software to operators and equipment makers such as ...
www.fasttrack.co.uk/Fasttrack2002/migration/dbDetails.asp?siteID=3&compID=94&yr=2002 - 11k - Cached - Similar pages
I thank you
Firozali A. Mulla  

  • 04/20/2009

IMSI-signed settings will make it more difficult to send phishing configuration SMS.

Hi All,
To add more security, the configuration SMSs (like WAP settings) are signed by using the IMSI value. This IMSI value is known only to the operator. If it's signed by the wrong IMSI, then the mobile will not install the settings. Therefore it's difficult to send the phishing configuration SMSs.
