"A comprehensive study has revealed the existence of multiple instances of a fundamental flaw within the Android customization chain that leave millions of devices and users vulnerable to attack," according to presenters Ohad Bobrov and Avi Bashan, both of Check Point Software.
The vulnerabilities let attackers exploit unsecured applications to gain access to any device and perform screen scraping, key logging, data exfiltration and back-door application installation, they say. The problems can be remediated to some degree, they say, but they can't be completely eliminated.
SIM card security
How the security of SIM cards used for 3G/4G phones has been broken will be detailed in a talk by Yu Yu, a research professor at Shanghai Jiao Tong University.
By analyzing power usage of target phones, he says he was able to recover encryption keys as well as other secrets used to secure the SIM cards within 40 minutes. He says he succeeded in cracking eight SIM cards from a variety of manufacturers and service providers. The tools he used: an oscilloscope to acquire power-use data, a protocol analyzer to intercept messages, a SIM card reader and a PC that performed signal processing and cryptoanalysis.
Near-field communications payment systems such as Apple Pay and Google Wallet are vulnerable to attacks using a standard phone and "a little bit of software," according to the description of a briefing by payment system expert Peter Fillmore. "I'll take you through how you can clone common NFC payment cards; show you the attacks and explain why it is possible," he writes. He will also address what security mechanisms can prevent such attacks and also show how to subvert the payment systems to make fraudulent transactions.
Researchers at Fidelis Cybersecurity will challenge claims by commercial mobile phone spyware vendors that the spyware is undetectable when installed on phones. "It's very detectable," says Joshua Dalman, a cybersecurity specialist at Fidelis.
He and his co-researcher Valerie Hantke checked out the two most popular commercial spyware prodoucts mSpy and SpyToMobile and found they either created logs on the devices, created shells for pulling data off the phone or created a widget icon announcing its presence, he says.
Regardless, if BYOD phones are running these apps they can pose a threat to corporate security. If business email is synched to the phone, the spyware can capture it and forward it to third-party servers, he says.
How big a threat is this type of spyware? He quotes a Check Point study that says organizations with 2,000 BYOD phones have a 50-50 chance that at least one has spyware. This software is advertised as a way to keep an eye on spouses and what children are up to.
Sign up for Computerworld eNewsletters.