Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/12/2012
01:55 AM
50%
50%

Top Mobile Vulnerabilities And Exploits Of 2012

Spoofing, banking attacks, authentication flaws, and more top the list of 2012's biggest mobile security headaches

While many security prognosticators had tried to predict previous years as the "year of mobile exploits," 2012 was one of the first that actually seemed to live up to expectations. Security researchers found new vulnerabilities, developed new proof-of-concepts, and found exploits in the wild, too. Here are some of the year's highlights.

Twitter SMS Spoofing
Security researcher Jonathan Rudenberg last week demonstrated the types of risks that can crop up from fast-access social media apps when he showed how an attacker could post messages or alter the account settings of a Twitter user as long as he knew the mobile number tied to that user's account and the user had not set a PIN number for the account. Since the PIN code is not a feature available to U.S. users, and because Rudenberg felt he'd been brushed off by the Twitter security team since he disclosed the SMS spoofing vulnerability to it in August, he decided to go public with the flaw. He'd found similar vulnerabilities in Facebook and the Venmo payment network, as well, but those sites took care of the bug.

[Which applications and vendor dominated the vulnerability and exploit headlines in 2012? See The Vulnerability 'Usual Suspects' Of 2012.]

Dirty USSD
In September, researcher Ravi Borgaonkar went public with a vulnerability he disclosed to Android-powered handset manufacturers earlier in the year that would allow hackers to remotely reset and wipe phones running versions earlier than Android 4.1.x (Jelly Bean). A potential attack would use the Android dialer functionality to execute special Unstructured Supplementary Service Data (USSD) codes that are normally used by a carrier to send commands to the phone operator network. Using an NFC attack or an attack through a malicious URL or QR code, attackers could exploit the vulnerability remotely without user permission. Initially the vulnerability was demonstrated on only Samsung phones, but researchers found they could replicate the vulnerability across all handsets running early Android versions. Numerous anti-malware companies came out with apps to protect against the flaw, but another simple workaround would also be to use a different dialer than the default provided by the operating system.

Android SSL/TLS Woes
A study published in October by a team of security researchers in Germany found that 8 percent of Android apps could be vulnerable to man-in-the-middle attacks due to poor SSL/TLS implementations. Many of the poor implementations came by way of customized SSL code that was more permissive than default Android settings. In particular, the researchers did a manual audit of 100 apps on the Google Play marketplace and found that 41 of them let researchers capture credentials for bank accounts, remote servers, email accounts, and social media accounts. It is estimated by the sample sizes that as many as 185 million users could be affected by these poor SSL practices among third-party apps.

Android NFC Vulnerabilities
Renowned Apple bug hunter Charlie Miller made one of the biggest splashes at Black Hat this summer with his presentation on the "cautionary tale" of near-field communications (NFC) vulnerabilities that could crop up as the technology gains ground in hardware over the next few years. Miller showed how vulnerabilities in Android smartphones could allow for exploitation of NFC to take over a device using another device placed within a few centimeters of the phone under attack.

Mobile Man-In-The-Middle Attacks Using Exchange
Another Black Hat presentation by researcher Peter Hannay focused on the lopsided trust model of Microsoft Exchange, which focuses mainly on authenticating a client to a server and not the other way around. Hannay developed a proof-of-concept attack that had him using Exchange to conduct man-in-the-middle attacks against poorly configured mobile clients that would give attackers the ability to access device emails, calendar entries, and phonebook entries. Even more damaging, the attacker could potentially impersonate a corporate email server and erase all of the data on the device through push commands.

Social And Sharing Authentication Flaws
Facebook, LinkedIn, and Dropbox were all found to expose users to identity theft through a flaw in the design of their authentication systems in iOS apps that had them saving authentication keys in unencrypted plain text files. These files could be transferred to other devices, allowing a criminal to access someone's account without ever having to enter log-in information. Discovered first on the Facebook app by researcher Gareth Wright this spring, further research by blogger Neil Cooper found the flaw worked on other apps, such as LinkedIn and Dropbox, and would likely translate over to other platforms, such as Android.

Zitmo
One of the most successful banking Trojans of all time, Zeus, made the jump from PCs to mobile devices through the Zeus-in-the-mobile (Zitmo) spyware application. Prevalent on Android, Zitmo masquerades as a banking activation application and eavesdrops on SMS messages in search of the mobile transaction authentication numbers (mTANs) banks send via text to their users as a second form of authentication. Initially discovered in 2010, researchers last summer saw Zitmo gaining steam in the wild throughout 2012.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
@WolfFlight
50%
50%
@WolfFlight,
User Rank: Apprentice
12/13/2012 | 10:21:24 PM
re: Top Mobile Vulnerabilities And Exploits Of 2012
How did Georgia Weidman and her research as well as the Smartphone Pentest Framework not get a mention here?
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16395
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a stack-based buffer overflow in the cb_name() function in cobc/tree.c via crafted COBOL source code.
CVE-2019-16396
PUBLISHED: 2019-09-17
GnuCOBOL 2.2 has a use-after-free in the end_scope_of_program_name() function in cobc/parser.y via crafted COBOL source code.
CVE-2019-16199
PUBLISHED: 2019-09-17
eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.
CVE-2019-16391
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows authenticated visitors to modify any published content and execute other modifications in the database. This is related to ecrire/inc/meta.php and ecrire/inc/securiser_action.php.
CVE-2019-16392
PUBLISHED: 2019-09-17
SPIP before 3.1.11 and 3.2 before 3.2.5 allows prive/formulaires/login.php XSS via error messages.