Cupcakes: Potential terrorist weapons. Hummus: Perfectly safe.
Tag Archives | Security
Security researcher Dan Rosenberg says that most of the hubbub over Carrier IQ is overblown–but there’s still reason to be concerned.
Based on my research, CarrierIQ implements a potentially valuable service designed to help improve user experience on cellular networks. However, I want to make it clear that just because I do not see any evidence of evil intentions does not mean that what’s happening here is necessarily right. I believe the following points need to be addressed. Note that most of the burden in this situation falls not on CarrierIQ but on the handset manufacturers and carriers, who are ultimately responsible for both collecting this information and establishing service agreements with consumers.
The controversy over the nature of Carrier IQ’s phone-monitoring application is deepning, with Minnesota Senator Al Franken demanding answers over what the company is doing with the information it collects. Carrier IQ’s code is apparently on millions of devices, and is known to be currently used by at least one manufacturer, HTC, and two carriers, AT&T and Sprint.
Apple chimed in, and says it used Carrier IQ in “most” of its pre-iOS 5 products. It says the code will be removed completely in a future software update, and the submission of diagnostic data is opt-in.
Franken asks Carrier IQ to provide details on what exactly the software records, where the data is transmitted to, and whether or not protections are in place to protect the security of those affected. He is also calling upon the company to give consumers a method of opting out of the process.
Android developer Trevor Eckhart says that Carrier IQ, a piece of software preinstalled on millions of smartphones to help wireless carriers monitor the quality of their service, secretly monitors users’ activities, records keystrokes, and transmits them to the company. I’m not a security expert, so I can’t judge the accuracy of his claims. But I do know this: The Carrier IQ folks need to clearly and honestly explain what’s going on. So far, their response has consisted mostly of threatening Eckhart and releasing a defensive-sounding statement that’s rife with buzzwords.
How about a calm, plain-English FAQ on what the software does and doesn’t do?
My recent TIME.com column on Android fragmentation didn’t provide an exhaustive list of reasons to be frustrated by the degree to which the Android ecosystem is dominated by old versions of the software. In fact, I didn’t mention one of the biggest ones: Old versions of Android don’t have the newest security fixes, and are therefore potentially dangerous.
Now a security company called Bit9 has released what it calls the Dirty Dozen List of insecure smartphones. They’re all Android models running old versions:
- Samsung Galaxy Mini
- HTC Desire
- Sony Ericsson Xperia X10
- Sanyo Zio
- HTC Wildfire
- Samsung Epic 4G
- LG Optimus S
- Samsung Galaxy S
- Motorola Droid X
- LG Optimus One
- Motorola Droid 2
- HTC Evo 4G
Bit9 explains its methodology–which looks pretty serious to me–in this PDF.
Whenever I gripe about Android fragmentation, I hear from people who tell me that I’m all worked up over nothing. (Typical comment: “Mr. McCracken, like so many tech journalists, you have totally missed the point here. Believe it or not, Android “fragmentation” is not the massive problem it’s made out to be.”) But I’d like to hear anyone explain to me why this isn’t anything to be concerned about.
More evidence that Android is the Windows of mobile operating systems: It’s under attack by sleazeware. PCWorld’s Tom Spring reports:
Brandt says that one Android battery app, called both Battery Doctor and Battery Upgrade, is particularly problematic: Not only does it not upgrade a battery or extend a charge, but when it’s installed and unlocked, it harvests the phone’s address book, the phone number, the user’s name and email address, and the phone’s unique identifying IMEI number. With a phone user’s name, IMEI, and wireless account information, an attacker could clone the phone and intercept calls and SMS messages, or siphon money from a user by initiating premium calls and SMS services. Once the battery app is installed the program sends the phone ads that appear in the drop down status bar of the phone at all times – whether the app is running or not. Lastly it periodically transmits changes to the user’s private information and phone-hardware details to its servers.
Well, somebody’s finally done it. Google’s been selling us for quite a while on just how secure Chrome is, and they haven’t really lied to us. Getting into the OS or the browser for that matter has proved pretty darn difficult. But at the Black Hat security conference two researchers with White Hat Security have gotten into Chrome OS.
The flaw is in ScratchPad, a Chrome app that allows users to compose text files and then save them to Google Docs. Through it, the attacker can gain access to a person’s e-mail, contacts, and Google Docs and Voice accounts. Give Google some credit here though, the two redarchers working on this – Matt Johanson and Kyle Osborn — said they spent months looking for a hole, and must have only found one now.
Hot on the heels of Spain’s recent arrest of three members of the hacking group known as “Anonymous,” Turkish police are now claiming to have rounded up an additional 32 members of the group.
According to Security Week:
The Anatolia news agency said today that the suspects were taken into custody after conducting raids in a dozen cities for suspected ties to Anonymous.
The group recently targeted Web sites of the country’s telecommunications watchdog, the prime minister’s office and parliament as a protest to Turkey’s plans to introduce Internet filters.
Spanish authorities arrested three members late last week with alleged ties to the infamous PlayStation Network hacks. The BBC reports that in retaliation to the arrests in Spain, other members of Anonymous apparently knocked Spain’s police website offline for about an hour yesterday.
(This post republished from Techland.)
As this week’s E3 games conference and debut of Nintendo’s Wii successor looms, Nintendo’s admitting that Sony’s not the only victim of hacktivist ne’er-do-wells—yep, Nintendo was hacked, too.
Nintendo acknowledged a security breach in a statement yesterday, explaining that its U.S. servers came under cyber-fire a few weeks ago, but stressed that no personal user data was in breach. By comparison, Sony’s seen troves of sensitive personal data repeatedly stolen (and reportedly distributed) as hackers took turns assaulting the electronics conglomerate’s many corporate facets.
My TIME.com Technologizer column this week is a look at the recent Mac Defender trojan attacks, and how Mac users should respond to the first really meaningful security issue in OS X history.