Are dumb phones sufficiently secure? Say something monochrome from the 90's? Heard rumors operators can update the firmware on a lot of models, not sure how true is this. On Tue, Jul 22, 2014 at 12:48:35PM -0700, coderman wrote:
On Tue, Jul 22, 2014 at 5:21 AM, Georgi Guninski <guninski@guninski.com> wrote:
Alleged IOS backdoors
http://www.zdziarski.com/blog/wp-content/uploads/2014/07/iOS_Backdoors_Attac...
Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices
note that Google is no better. back in 2011 i reported the abuse of Google Voice Search as easily accessible (no permissions required) and excellent for eavesdropping (always on should not be possible).
the more things change, the more they stay the same ;)
best regards,
---
'... nearly all Android devices equipped with Google Services Framework can be affected by GVS-Attack'
http://arxiv.org/abs/1407.4923 """ Previous research about sensor based attacks on Android platform focused mainly on accessing or controlling over sensitive device components, such as camera, microphone and GPS. These approaches get data from sensors directly and need corresponding sensor invoking permissions.
This paper presents a novel approach (GVS-Attack) to launch permission bypassing attacks from a zero permission Android application (VoicEmployer) through the speaker. The idea of GVS-Attack utilizes an Android system built-in voice assistant module -- Google Voice Search. Through Android Intent mechanism, VoicEmployer triggers Google Voice Search to the foreground, and then plays prepared audio files (like "call number 1234 5678") in the background. Google Voice Search can recognize this voice command and execute corresponding operations. With ingenious designs, our GVS-Attack can forge SMS/Email, access privacy information, transmit sensitive data and achieve remote control without any permission.
Also we found a vulnerability of status checking in Google Search app, which can be utilized by GVS-Attack to dial arbitrary numbers even when the phone is securely locked with password. A prototype of VoicEmployer has been implemented to demonstrate the feasibility of GVS-Attack in real world. In theory, nearly all Android devices equipped with Google Services Framework can be affected by GVS-Attack. This study may inspire application developers and researchers rethink that zero permission doesn't mean safety and the speaker can be treated as a new attack surface. """