Hidden Controls Expose 2 Billion Devices to Hackers
By Jef Cozza / NewsFactor Network
Hidden software secretly installed on cars, mobile phones, and laptops has put roughly two billion devices at risk of being hijacked or attacked by hackers, according to new research. The vulnerability is so widespread that even automobiles use the software that contains the security flaw, said security scientists presenting at the Black Hat USA security conference in Las Vegas this week.

The software, known as the Open Mobile Alliance Device Management (OMA-DM) protocol, is also found on many other devices connected to the Internet. It is installed by manufacturers at the behest of telephone carriers as a way to allow the companies to troubleshoot devices, deliver firmware updates and remotely change network configurations.

The vulnerability was discovered by Mathew Solnik and Marc Blanchou, security researchers with Denver-based firm Accuvant. They analyzed the OMA-DM implementation on devices for Apple, Android and BlackBerry sold in the U.S. and other countries. The two offered details of their research Wednesday in a presentation titled “Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol.”

Easy Access for Hackers

“Carriers embed control software into most mobile devices,” said Ryan Smith, Accuvant vice president and chief scientist. “Our researchers found serious security vulnerabilities in the carrier control software used in a large number of cell phones across platforms and carriers.”

The Accuvant scientists focused on an implementation of the protocol developed by Red Bend Software, which they said is installed on 70 percent to 90 percent of all carrier-sold phones on the planet.

Unfortunately, the way in which many carriers implement the security on the OMA-DM protocol makes it extremely easy for attackers to gain high-level access to customers’ devices. Controlling a device, such as a cell phone, through OMA-DM requires a two-part authorization code consisting of the device’s unique ID number and a secret security token provided by the carrier.

However, some carriers use the same token for every device on their networks. Under those circumstances, anyone who compares the authorization codes of two or more devices can easily extract the security token, and use it in combination with a device's ID number to gain access to it.
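
An added example, not from the article or the researchers' presentation: a carrier-side audit that flags the weakness described above, one token shared by many devices, and re-issues a token unique to each device ID. The record layout, the sample values and the HMAC-based derivation are assumptions for illustration, not OMA-DM's or any vendor's actual scheme.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample provisioning records: (device ID, secret token).
# All IDs and tokens are made up for illustration.
SAMPLE_RECORDS = [
    ("device-0001", "carrier-secret-01"),
    ("device-0002", "carrier-secret-01"),
    ("device-0003", "carrier-secret-01"),
    ("device-0004", "k9f2-unique-7c1e"),
]


def find_shared_tokens(records):
    """Return {token_fingerprint: [device_ids]} for tokens used by >1 device."""
    by_token = defaultdict(list)
    for device_id, token in records:
        # Group by a hash so the report never contains the raw secret.
        fp = hashlib.sha256(token.encode()).hexdigest()[:12]
        by_token[fp].append(device_id)
    return {fp: ids for fp, ids in by_token.items() if len(ids) > 1}


def derive_device_token(master_key: bytes, device_id: str) -> str:
    """Derive a per-device token from a carrier-held master key (HMAC-SHA256).

    Each token depends on the device ID, so learning one device's token
    does not give an attacker the token of any other device.
    """
    return hmac.new(master_key, device_id.encode(), hashlib.sha256).hexdigest()


def reprovision(records, master_key: bytes):
    """Replace every token with a value unique to its device ID."""
    return [(dev, derive_device_token(master_key, dev)) for dev, _ in records]


if __name__ == "__main__":
    for fp, ids in find_shared_tokens(SAMPLE_RECORDS).items():
        print(f"token {fp} is shared by {len(ids)} devices: {ids}")
    fixed = reprovision(SAMPLE_RECORDS, secrets.token_bytes(32))
    print("shared tokens after re-provisioning:", find_shared_tokens(fixed))
```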

Cars with OnStar at Risk

Once a hacker is able to access a device remotely, he can listen in on phone conversations, steal passwords for a user’s financial accounts, or even hijack control of the device entirely. The security flaw can be found in a wide variety of mobile devices and platforms, including those built for Android, BlackBerry and a small number of iOS devices.

The vulnerability even extends to vehicles that make use of the OMA-DM protocol. Automobiles that have the OnStar roadside assistance service, for example, could be attacked by hackers through the exploit.

Tell Us What You Think


Posted: 2014-08-08 @ 4:56am PT
So it is not an issue with the phone manufacturers, but instead the carrier and their software. So to say "security flaw in a wide variety of Android, BlackBerry and some iOS mobile devices and platforms" is in fact incorrect.
