[Dailydave] Seeking more info on: Devastating mobile attack under spotlight
liquidfish
liquidfish at gmail.com
Tue Nov 28 20:29:18 EST 2006
I must apologize if it appeared as if I was stating or confirming that there
is a vulnerability in FOTA. This is not the case. Rather, I was stating that
it seems the alleged vulnerability is in the design of the FOTA system, or more
specifically the researcher seems to claim that FOTA systems are not
designed to have mobile stations authenticate or validate that the updates
they receive are from the carrier.
> "I found this on a very old Siemens C45 phone, and then tried it on a
> Nokia E90 and a Qtek Windows Mobile 2005 phone," said Hafner. "None of them
> authenticated the sender of the service SMS. We could not believe no one had
> found this possibility before us."
Whether or not this is true, and how widespread the effectiveness is in the
case that it IS true, is what is in question.
Note that I base the assumption that FOTA is the attack vector on the
following statement from the TechWorld article,
> Wilfried Hafner of SecurStar claims he can reprogram a phone using a
> "service SMS" or "binary SMS" message, similar to those used by the phone
> operators to update software on the phone.
It seems the alleged vulnerability is in the DESIGN of the system, not in
the implementation. It's more like saying that the design of some protocol
is insecure, not the different drivers each system uses to support that
protocol and technology.
Also keep in mind that different vendors and carriers may implement FOTA in
different ways. If the vulnerability is in FOTA, it may only be in a
specific vendor's implementation. Given that the researcher is from Germany,
we could try making some assumptions as to which mobile carrier he was
allegedly testing on.
-p