HTC phone can be used as remote bugging device, says security firm

HTC users may have reason to be nervous about the safety of their personal information, after security firm MWR InfoSecurity revealed a HTC phone can be used as a remote bugging device.

The alarming discovery was revealed at last week's Black Hat Security Conference in Dubai according to Secure Computing Magazine.

MWR InfoSecurity did not reveal which HTC device is vulnerable and how the security flaw could be harnessed by hackers. But the firm's principal information security researcher, referred to only as 'Nils', said the phone's owner would be completely unaware their device had been compromised. It is implied that the flaw could be exploited remotely, without the need to physically access the phone.

''A user would never know that every word they were saying was being recorded and transmitted back to the attacker and the attack (once executed) would be trivial to perform,'' he said.

In August, MWR revealed that the Palm Pre could also act as a remote bug, with a specially crafted message all that was required to completely compromise the phone's operating system. The firm also pointed out a vulnerability in Google's Android platform that allowed login credentials and cookies to be stolen.

Nils pointed the finger of blame for mobile security flaws at both manufacturers and mobile carriers.

''Mobile phone and network providers have got to ensure security is a central component of the design and software provided. The situation is serious enough for MWR to recommend that users should review what personal information, bank details, passwords and identity information is stored on their phone,'' he said.

He said the situation was being made worse by the inability of manufacturers to ''push'' security fixes to end-users, as would be the case in a desktop computing environment.

Report a problem with article
Previous Story

Review: Logitech K750 solar powered keyboard

Next Story

Google takes on Aussie company over name

19 Comments

Commenting is disabled on this article.

Look out here comes the spooks. . .if they can't see you then at least they may be able to hear you.

Just another day in Orwell's world of "Animal Farm."

Unknown security firm claims unknown phone could be susceptible to unknown security flaw that is earth-shattering and never before seen.

Sounds like someones trying to make a new for themselves with some nifty PR on a vulnerability that is probably well established. If I had to bet I would bet it's a HD2 which can act as a wireless router which is a larger security vector.

Regardless this is a non-story that has no hope of promoting any reasonable discussion. If they were a legitimate security firm they would of notified of the vulnerable and kept their mouth shut OR gone public with it immediately. Not to mention that the firms 'principle information security researcher' has only a nickname, not a name? I could tell you the P-IS of every major security firm out there; this mob is a sham.

ascendant123 said,
Unknown security firm claims unknown phone could be susceptible to unknown security flaw that is earth-shattering and never before seen.

Sounds like someones trying to make a new for themselves with some nifty PR on a vulnerability that is probably well established. If I had to bet I would bet it's a HD2 which can act as a wireless router which is a larger security vector.

Regardless this is a non-story that has no hope of promoting any reasonable discussion. If they were a legitimate security firm they would of notified of the vulnerable and kept their mouth shut OR gone public with it immediately. Not to mention that the firms 'principle information security researcher' has only a nickname, not a name? I could tell you the P-IS of every major security firm out there; this mob is a sham.


+1

Richteralan said,
So let's start the FUD campaign for Android?

They never said Android, though that seems likely. Even so, being that this affects a SINGLE HTC phone, I doubt that this is an Android fault. Even if it were, having a bug is not a problem, how it is managed (response from companies, speed of patch etc) tells more about the viability of the platform from a security standpoint

Ently said,
I thought the CIA could do this to any phone.. even if its turned off?

Run! Jack Bauer and the CIA are coming for you now....

Ently said,
I thought the CIA could do this to any phone.. even if its turned off?

You are correct; any GSM device, even when turned off, can act as a passive microphone to capture conversations.

Fritzly said,

You are correct; any GSM device, even when turned off, can act as a passive microphone to capture conversations.

Where is the proof of that?

primexx said,
so... what's the actual problem?

The problem is complete remote access without permission to any of the affected phones. More details than that are not available at this time. The hacker group may have done this to show it works, but not release the exact details yet so that HTC and the affected carriers can roll out an update that fixes the problem without having a major crisis on their hands

How's this an HTC issue? If its a bug within the OS..then it's a Android / WP7 / WinMo issue. If its a "bug" with the GSM / 3g encryption...then every phone that uses those technologies will be affected.

It's not like HTC has made up their own GSM technology with their phones, and it's not like they make the phone hardware either (Qualcomm does).

/- Razorfold said,
How's this an HTC issue? If its a bug within the OS..then it's a Android / WP7 / WinMo issue. If its a "bug" with the GSM / 3g encryption...then every phone that uses those technologies will be affected.

It's not like HTC has made up their own GSM technology with their phones, and it's not like they make the phone hardware either (Qualcomm does).

I have a feeling that this is an HTC Android device, as the hacker mentioned that the software provider could not push updates to the device. Android can't, but WinPhone 7 can. If this is indeed true, then one reason that this affects an HTC phone, and not, let's say, a Samsung phone could be because HTC has extensively modified the UIX, which could be the vector for this attack

/- Razorfold said,
How's this an HTC issue? If its a bug within the OS..then it's a Android / WP7 / WinMo issue. If its a "bug" with the GSM / 3g encryption...then every phone that uses those technologies will be affected.

It's not like HTC has made up their own GSM technology with their phones, and it's not like they make the phone hardware either (Qualcomm does).

HTC add a lot of software to the OS of each phone they sell. A flaw in their custom code could allow for the exploit to take place.

So, even while it may be an OS level issue it's exploitable due to the added code.

Sraf said,

I have a feeling that this is an HTC Android device, as the hacker mentioned that the software provider could not push updates to the device. Android can't, but WinPhone 7 can. If this is indeed true, then one reason that this affects an HTC phone, and not, let's say, a Samsung phone could be because HTC has extensively modified the UIX, which could be the vector for this attack

I think that you are right. That is why I don't like the Android platform. Open Source can be a great thing, but being too open has its dangers as well! I also don't like how the open platform has caused the Android Marketplace to be watered down with garbage apps. That is not to say that there aren't quite a few great apps on Android, but there are too many garbage ones that make it hard to find the great ones. The video game industry learned this lesson many years ago when a similar situation nearly killed the industry. Too much garbage flooding the market will cause people not to trust in the quality of the product. That is even part of the reason why people have a hard time trusting 3D movies these days (even with new tech). They were garbage in the 1950s according to what I have heard described! Also, they need to allow only one standardized app store interface instead of the many that are possible. It is too confusing for the end user! Many everyday tech users would be confused by all of the different stores (read "Non Tech Enthusiasts"). I believe that if Google doesn't get these issues under control, they will probably be pushed to the number 3 spot by Windows Phone 7 (which will become the number 2 platform). I am not a fanboy either. Each platform has its benefits and downfalls. This is just how I see the competition playing out over the next couple of years if nothing changes.

winlonghorn said,

The video game industry learned this lesson many years ago when a similar situation nearly killed the industry.

Just curious as to what you may be referring to?

Sraf said,

I have a feeling that this is an HTC Android device, as the hacker mentioned that the software provider could not push updates to the device. Android can't, but WinPhone 7 can. If this is indeed true, then one reason that this affects an HTC phone, and not, let's say, a Samsung phone could be because HTC has extensively modified the UIX, which could be the vector for this attack

Not really true, updates can be pushed to Android phones, although in most cases the user needs to OK their installation