[http://news.cnet.com/8301-27080_3-10300536-245.html?part=rss&subj=news&tag=2547-1_3-0-20]

=====

July 30, 2009 7:28 PM PDT
An SMS can force a URL or app on smartphones
by Elinor Mills

LAS VEGAS--In one of a handful of SMS-related presentations here at
the Black Hat security show, researchers demonstrated on Thursday how
they can force certain types of smartphones to visit a malicious URL
or install an app without user approval.

The vulnerability only affects phones that have been misconfigured by
the original equipment manufacturer so that they accept any message
sent through WAP Push (Wireless Application Protocol), a service that
runs on top of SMS, said researcher John Hering.

WAP Push messages should only be accepted when sent by a trusted party
such as the mobile operator, said Hering, chief executive of Flexilis,
which provides software for protecting mobile phones from attack.

The vulnerability spans all Windows Mobile devices including HTC,
Motorola, and Samsung, but not all of any one make or model of phone
is found to be vulnerable, only random ones, he said.

[...]

In a presentation earlier in the day, Zane Lackey of ISEC Partners and
independent researcher Luis Miras demonstrated how an attacker could
spoof an MMS (multimedia messaging service) type of SMS message that
appears to be sent from a trusted source and trick the recipient into
visiting a malicious Web site.

Also on Thursday, Charlie Miller of Independent Security Evaluators
and independent researcher Collin Mulliner demonstrated another type
of attack in which they can take complete control over an iPhone
merely by sending special SMS messages. They proved the attack the
night before with a denial of service attack on my non-jailbroken
iPhone, which runs OS 3.0.

[...]
=====
-- 
Soh Kam Yung
my Google Reader Shared links:
(http://www.google.com/reader/shared/16851815156817689753)
my Google Reader Shared SFAS links:
(http://www.google.com/reader/shared/user/16851815156817689753/label/sfas)

_______________________________________________
Slugnet mailing list
[email protected]
http://wiki.lugs.org.sg/LugsMailingListFaq
http://www.lugs.org.sg/mailman/listinfo/slugnet