Saturday, 17 November 2007

Sony Ericsson mobiles: security risk

Many Sony Ericsson cellphones sold between 2005 and 2007, e.g. the K750i, K800i, K810i, T650i and W880i (which use a proprietary Sony Ericsson operating system rather than Symbian), are vulnerable to a security hole recently discovered by Adrian Nowak and Karsten Sohr, research scientists at Bremen University. The hole allows applications to read and write system files, so a malicious application could, for example, replace the certificates that confirm the origin of programs to be installed:
"For the installation of malicious software, the user only needs to confirm that the software is allowed to read and write user data. According to the scientists this is also standard practice with trusted applications and doesn't, therefore, raise any suspicion."

One upside: users could also use the security flaw to "replace the logos and ring tones installed for 'branding' purposes."

Via Heise Security, who also noted that "It is still unclear whether the hole is located in the operating system itself or in the Java VM. The scientists didn't want to release any details to allow Sony Ericsson to fix the vulnerability. No statement has so far been received from the vendor."

Attacks on mobile phones are very rare, but if you have an affected phone, it is still best not to install any software except from a site you absolutely trust, in case it is malware exploiting this hole. And hope that Sony Ericsson fix the vulnerability.


tonnet said...

Thanks! I do own a Sony Ericsson w810i...

Improbulus said...

Thanks for letting me know, Tonnet.

I suspect Sony Ericsson won't be prioritising a fix, but I think you're pretty careful anyway about where you download from, aren't you?