Built-in vulnerabilities in a large number of smartphones could allow government spies and sophisticated hackers to install malicious code and take control of the device.
According to Wired, the attacks would require proximity to the phones, using a rogue base station or femtocell, and a high level of skill to pull off, but it took Mathew Solnik and Marc Blanchou, two research consultants with Accuvant Labs, just a few months to discover the vulnerabilities and exploit them.
They found that the vulnerabilities lie within a device management tool that carriers and manufacturers embed in handsets and tablets to configure them remotely. Though some design their own tool, most use a tool developed by a specific third-party vendor that is used in some form in more than 2 billion phones worldwide. The vulnerabilities, they say, have so far been found in Android and BlackBerry devices and a small number of Apple iPhones used by Sprint customers, and will be named at this week’s Black Hat conference in Las Vegas.
The researchers say there’s no sign that anyone has exploited the vulnerabilities in the wild, and the company that makes the tool has issued a fix that solves the problem.