Serious flaws in cell phone carrier control software found
Posted on 08 August 2014.
At the Black Hat conference this week, two Accuvant researchers have disclosed serious security flaws in the carrier control software used in over 2 billion cellular devices across platforms and carriers.


The vulnerabilities discovered by the pair impact Android, BlackBerry and a small number of iOS-based devices, with risk varying by carrier and device make and model.

“Carriers embed control software into most mobile devices so that they can configure phones for their networks and push over-the-air firmware updates,” explained Ryan Smith, Accuvant vice president and chief scientist.

The vulnerabilities could spell disaster for users. Depending on the device and carrier, exploiting the flaws in this control software may enable attackers to install malicious software; access data; add, delete and run applications; wipe a device; and remotely change the PIN for the screen lock, among other things.

But Accuvant has been working to properly disclose its findings to service providers to mitigate the risk. The company that makes the software has issued a fix that solves the problem; baseband manufacturers have written code to implement the fix; and carriers are in the process of distributing the fix to existing phones.

“Mobile phone users should make sure their devices are up to date with the latest patches,” Accuvant advises.

If no recent patches have been issued for a device, users should contact their carriers to find out if they are impacted and if a fix is available or has already been implemented. Organizations should leverage their MDM platforms to ensure users adopt the latest version of software for their phones.





