Security hole in Sony Ericsson mobiles
Adrian Nowak and Karsten Sohr, research scientists at Bremen University, have discovered a vulnerability in Sony Ericsson phones which gives applications read and write access to the device's system files. This could, for example, be exploited to replace the certificates confirming the origin of programs to be installed. While attackers could use it to install arbitrary software on the devices, users could use it to replace the logos and ring tones installed for "branding" purposes.
For the installation of malicious software, the user only needs to confirm that the software is allowed to read and write user data. According to the scientists this is also standard practice with trusted applications and doesn't, therefore, raise any suspicion. Affected are many of the models sold between 2005 and 2007, for example K750i, K800i, K810i, T650i and W880i. These models don't run the Symbian OS but a proprietary Sony Ericsson operating system.
Nowak and Sohr used a Java program to demonstrate the flaw. It is still unclear whether the hole is located in the operating system itself or in the Java VM. The scientists are withholding details in order to allow Sony Ericsson to fix the vulnerability. No statement has so far been received from the vendor.
In September, scientists at the Fraunhofer Institute for IT security (SIT) discovered a hole in Sony Ericsson's password program "Code Memo". The hole allows attackers to crack stored passwords. (jk/c't)
source
And they claim themselves as scientists...
What a joke