Information Security News: Black Hat: Android, iPhone SMS Flaws Revealed

[InfoSec News <alerts () infosecnews org>]

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218800192

By Thomas Claburn
InformationWeek
July 29, 2009 07:08 PM

In a presentation at the Black Hat security conference in Las Vegas on 
Thursday, security researchers Charlie Miller and Collin Mulliner are 
scheduled to discuss SMS vulnerabilities that affect various mobile 
platforms, including Android, iPhone, and Windows Mobile.

Using the Sully fuzzing framework, the researchers have developed a way 
to identify flaws in SMS systems in mobile devices. Fuzzing is a form of 
automated software testing that involves entering random or unexpected 
data. Crashes or unexpected behavior arising from such input can then be 
analyzed as a potential vulnerability.

"Until now most of the SMS related security issues have been found by 
accident," state Miller and Mulliner in a paper that describes their 
approach. This, they explain, is because sending SMS messages costs 
money and because lack of access to source code for SMS implementations 
has meant hunting for bugs by trial and error.

The two researchers created a layer, called the injector, just above the 
bottom of the telephony stack that performs a man-in-the-middle attack 
by intercepting communication between a mobile device's modem and 
multiplexer.

[...]


_______________________________________________      
Attend Black Hat USA, July 25-30 in Las Vegas, 
the world's premier technical event for ICT security experts.
Network with 4,000+ delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com