Palm Pre snooping fears over 'unpatched' vCard flaw

Updated: British security researchers are claiming that an unpatched flaw in the Palm Pre operating system could allow malicious hackers to bug calls and spy on users without their knowledge.

According to media reports, penetration experts at MWR InfoSecurity were able to construct a malicious vCard that could be sent to the victim's Palm Pre via SMS text message, Bluetooth, or by tricking the user into visiting a web link.

MWR InfoSecurity claims that if the Palm Pre owner views the boobytrapped vCard, a backdoor can be opened on their smartphone, and calls and data can be recorded and transmitted to remote hackers.

The researchers claim that they reported the serious security vulnerability to Palm in May, but that no action has yet been taken to protect users.


Update: MWR's claims that Palm has taken no action are thrown into some confusion, however, by Palm's own assertions. Matt Stewart, who works at Palm's UK PR agency, contacted me to say that "The current version of webOS fixes the security vulnerability reported to Palm."

He went on to confirm that webOS 1.4.5 resolves the security issue (release notes for the new version of webOS are available on Palm's website).

So is the vCard vulnerability really now fixed or not? "No" says MWR, who have published a statement on their website saying Palm's claims of having patched the vulnerability are inaccurate, and that Pre customers are still exposed.

Of course, most smartphone users wouldn't be at all surprised to be sent a vCard (the equivalent of an electronic business card), as it is a common way of sharing contact information. It's clear that as we put more and more sensitive information on our smartphones, we become more reliant upon the mobile operating system vendors to patch against security holes in a timely fashion.

Incidentally, MWR also claim to have found a flaw in Google Android that allows them to harvest usernames and passwords from the WebKit browser engine - which has been fixed in Android 2.2 Froyo.

PC Pro published an interview with Alex Fidgen, director of MWR Labs, which some may find interesting.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.