Wi-Fi Direct Vulnerable, iOS Gets an Update, BlackPhone Gets Patched – Mobile Security Weekly
How different companies take sometimes very different approaches when addressing security issues is the main focus of this week’s post. On one hand, we have an Android vulnerability that Google might not even deal with.
On the other, a “secure” mobile device that just isn’t secure enough and which needs patching. Finally, Apple has again temporarily addressed Jailbreaking. But if history has taught us anything, the hackers will regain the lead in this never-ending race very soon.
Android Wi-Fi Direct Vulnerability Left Open
A bug in Android OS, which was reported to Google last September and published on Monday, is one that Google seems reluctant to deal with because it’s too minor. The flaw is found in Wi-Fi Direct, a standard adopted in Android which allows devices like smartphones, games consoles, and laptops to connect to each other directly. An attacker could use this exploit vulnerable Android devices while they scan for other Wi-Fi Direct devices, with a successful attack potentially enabling a reboot or ‘denial of service’.
http://www.theregister.co.uk/2015/01/27/some_androids_can_be_hosed_by_wifi_direct_vuln/
Why is this significant?
The vulnerability, which has been confirmed to affect a large number of Android devices including the Nexus 4 and 5 running Android 4.4.4 KitKat, was deemed “not severe” by Google. In this case, the researchers who discovered the vulnerability decided to publish it anyway, but this chain of events goes to show that in some cases, users might not know about all of the vulnerabilities putting them at risk.
Apple Releases iOS 8.1.3 Update
Apple has released the newest version of iOS8 which patches over 30 security vulnerabilities that existed in iOS 8.1.2. It also includes logistical improvements like minor bug fixes and reducing the amount of space needed to perform an update.
This update addresses a wide variety of security issues, including flaws in WebKit, the iTunes Store and the iOS Kernel. For the time being, it also stops iOS being jailbreak-able, which for enterprises with BYOD policies is a highly important issue.
http://support.apple.com/en-us/ht204245
Why is this significant?
It goes without saying that iOS security updates are important to both personal and business users. Although no major new features were released, the fixes and security improvements should be enough to convince everyone to update with the next couple of days, once the release has stabilized.
Simple SMS Bug Potentially Cripples ‘Super-secure’ BlackPhone
The maker of BlackPhone, a mobile which has marketed itself as offering especially high levels of security, has just patched a critical vulnerability that allowed hackers to run malicious code on the devices. Triggered by sending a carefully crafted text message to a victim, it could also be coupled with a privilege escalation exploit to gain full control of the vulnerable device. (Although, this isn’t required to run arbitrary code as an unprivileged user.)
Before the issue was patched, successful exploitation could yield remote code execution with the privileges of the Silent Text application. This app runs as a regular Android app, but with additional system privileges required to perform its SMS-like functionality like access to contacts, access to location information, the ability to write to external storage.
Why is this significant?
The impact of this issue is exacerbated by the fact that BlackPhone attracts what attackers see as “high-value” victims. Those willing to invest a substantial sum (£415, $630) in a phone that claims to place security before form or looks, and is more than likely used by people who have confidential calls and texts to hide from eavesdroppers.