Possible security hole for dialers/Trojan horses
Todd W
trwww at sbcglobal.net
Thu Mar 1 19:38:37 CET 2007
From: Bartlomiej Zdanowski AutoGuard Ltd.
> While thinking of anti-theft protection we came to some ideas about
> sending SMSes with the stolen phone's GPS coordinates. There were some
> ideas about silent voice calls with a message that the phone is stolen.
> (For details see the thread "Itch3: Anti-lost/theft protection".) But at this
> point we came to a serious problem with open phones. Sooner or later
> someone will write a Trojan horse or some kind of dialer (like for the
> PC) that looks like solitaire or something. While you are enjoying the free
> game it will send a bunch of SMSes to paid numbers or make expensive
> calls. THAT IS THE PROBLEM. Bigger than phone theft.
That's the problem with malware in general. You can't engineer stupidity out
of your users. If you send your credit card number to shoddy looking web
storefronts, you'll eventually have your identity and money stolen. If you
open every email attachment sent to you from Timbuktu, expect that you are
sharing your computer with every 419 scammer on the face of the earth.
> ...That's why commercial phone manufacturers don't allow Java apps to
> access the whole phone: to disallow hidden calls and SMSes.
I don't understand why people think this. I haven't run into a phone yet
that I couldn't run my own apps on. A particular account may not have the
proper level of network access, but that has nothing to do with the
capabilities of the phone. Please stop spreading FUD.
> I suppose that access to calling, SMSes and GPRS data cannot be disabled,
> but at least we can add a menu entry with summaries and statistics of which
> application made calls and sent SMSes. The Openmoko kernel should log any
> transmissions with their length and cost (if such data is available).
Every phone I have seen keeps a log of calls made and messages sent. Web
based account manager apps provide the same data. The monthly bill does
also. I don't understand what else you would need.
> What do you think?
I think you are making a mountain out of a molehill.