At the Black Hat Europe conference this week, a group of researchers are claiming to have found a way to hijack data transmissions going to and from mobile phones. With ever-increasing web-based functions now performed on handsets, such an assertion can mean huge implications on personal data security.
The new vulnerability relies on a protocol used by some mobile operators for providing a device the correct settings for SMS messages. When configuring a user’s phone, many operators send an SMS with instructions and a PIN code to reconfigure the handset. Potential attackers will mimic these messages, often citing network upgrades or service problems as a reason for the change.
Once received, the user must enter the PIN in order to complete the update, which means savvier users probably aren’t likely to make the mistake. With the amount of online phishing incidents reported, however, my confidence in the majority of handset owners isn’t all that great.
If the fake message ruse works, the attacker can create any kind of setting they want on the device. Data sent from the handset can then be easily routed into a compromised server, for instance. Web pages viewed from the user’s phone can be padded with all sorts of content, including viruses, advertisements and other malicious software.
The researchers further claim that the attack “could be feasible on quite a large number of networks and handsets.” According to the group, they’ve been able to test the attack on many common cell phones among many large mobile networks in Europe.
If you would like to make a comment, please fill out the form below.
