Q&A: How we sliced open Palm and Android security
MWR Labs' Alex Fidgen reveals how his researchers exposed serious flaws in the Palm Pre and Android handsets
A pair of intriguing flaws found in the Palm Pre and Google Android handsets have thrust the spotlight on the security problems faced by smartphones.
Basingstoke-based MWR Labs uncovered the pair of vulnerabilities, which could let hackers use the Pre as a bugging device and crack Google Android handsets to steal passwords.
We spoke to Alex Fidgen, director of MWR Labs, to find out why he believes smartphones are inherently insecure.
Q. Why did you decide to test the security of these two systems?
A. We’d heard rumours for a little while that smartphones were vulnerable. And we decided, just for a little fun, to throw a couple of phones at the research team for three or four days to see if there was anything in it.
Within about two days we got so much stuff, which was so serious, that we realised we were onto something bigger than just a fun project.
We chose the Palm simply because we wondered, because of the speed at which it had come out, whether or not the security had been incorporated. We chose Android because it was obviously one of the up-and-coming phone operating systems. So it was two almost random choices, if you like, with a little bit of reasoning behind it.
Q. What did you find?
A. In terms of what we found, the Palm vulnerability is staggering. You can send a text message with a business card attached to it, and upon receipt of that and opening it, the phone is completely compromised, to such a level that the back door is installed and we can then take control of everything that phone does, no matter where it is in the world.
That means the ability to record any audio or video within the vicinity of that phone, and it’s happening without the user being aware if it’s in standby. That is very serious.
Q. Has Palm fixed the issue?
A. We reported this in May. As one of Europe’s leading security companies, we have to follow the responsible disclosure rule. So both were reported at the end of May.
Palm never really came back and let us know anything, and it doesn’t appear as if it's done anything to fix it. So that’s why we thought “okay, we’ve given them enough time”. It’s fair now that the user community understands there are vulnerabilities which might be exploited by other, less responsible groups.
Q. And what about Google Android?
A. The Google Android [flaw] revolves around the WebKit [browser engine]. The browser stores every single username and password entered throughout its lifetime.
We were able to find a vulnerability that allowed us to inject some code into the browser and compromise it, and then harvest the usernames and passwords.
Now Google has fixed that in [Android] 2.2, but the earlier versions are vulnerable.