Palm Pre snooping fears over 'unpatched' vCard flaw


Updated: British security researchers are claiming that an unpatched flaw in the Palm Pre operating system could allow malicious hackers to bug calls and spy on users without their knowledge.

According to media reports, penetration experts at MWR InfoSecurity were able to construct a malicious vCard that could be sent to the victim's Palm Pre via SMS text message, Bluetooth, or by tricking the user into visiting a web link.

MWR InfoSecurity claims that if the Palm Pre owner views the boobytrapped vCard, a backdoor can be opened on their smartphone, and calls and data can be recorded and transmitted to remote hackers.

The researchers claim that they reported the serious security vulnerability to Palm in May, but that no action has yet been taken to protect users.

Update: MWR's claims that Palm has taken no action are thrown into some confusion, however, by Palm's own assertions. Matt Stewart, who works at Palm's UK PR agency, contacted me to say that "The current version of webOS fixes the security vulnerability reported to Palm."

He went on to confirm that webOS 1.4.5 resolves the security issue (release notes for the new version of webOS are available on Palm's website).

So is the vCard vulnerability really now fixed or not? "No" says MWR, who have published a statement on their website saying Palm's claims of having patched the vulnerability are inaccurate, and that Pre customers are still exposed.

Of course, most smartphone users wouldn't be at all surprised to be sent a vCard (the equivalent of an electronic business card), as it is a common way of sharing contact information. It's clear that as we put more and more sensitive information on our smartphones, we become more reliant upon the mobile operating system vendors to patch against security holes in a timely fashion.

Incidentally, MWR also claim to have found a flaw in Google Android that allows them to harvest usernames and passwords from the WebKit browser engine - which has been fixed in Android 2.2 Froyo.

PC Pro published an interview with Alex Fidgen, director of MWR Labs, which some may find interesting.

About the author

Graham Cluley is senior technology consultant at Sophos. The readers of Computer Weekly voted him security blogger of the year in 2009 and 2010, and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which was nice. He was also named "Best Security Blogger" by the readers of SC Magazine in 2011. You can subscribe to Graham's updates on Facebook, follow him on Twitter and circle him on Google Plus for regular updates.