December 9, 2010 No Comments-
Hacker Atul Alex from India, created a backdoor in a modified version of the firmware for Symbian 60 Version 5 smartphones. When users update the firmware in their smartphone with this “updated” firmware, the backdoor makes it possible to take full control of the smartphone. More details about the possibilities can be found in an article from the German online publication Heise.
The fact that there are trojanized updates not new. Neither the fact that smartphones are being attacked, earlier this year a first-person-shooter game was released (with accompanying website) that would make calls to very expensive numbers.
The threat however now is emerging into the firmware range. How can we be sure that the new firmware is legitimate and does not contain a backdoor? To be honest, we can’t even be sure that a hardware device out-of-the-box, factory-sealed does not contain a backdoor. In 2008 we already had stories of Chinese routers that contained backdoors.
If we assume (and we assume a lot in life) that at least the out-of-the-box, factory-sealed device has not been tampered with and does not have a backdoor already installed, we still do not know if the updated firmware is legitimate as released by the manufacturer and does not contain a backdoor. A digital signature does not help either. Remember that the people behind Stuxnet were able to steal digital certificates from Realtek and JMicron. If they executable installing the “new” firmware is digitally signed by the company that normally would release the firmware, how many people will install it??? Don’t answer this…
If you do not have an urgent need to update the firmware on your device as in: “my device works perfectly for the things I do with it!” then why update the firmware and potentially introduce possible problems (and that can easily be a newly introduced bug).
But if you do have an urgent need to install the firmware, apply common sense. Make sure the firmware is coming from the real manufacturer, that you have downloaded it yourself, and then do some “security through obscurity”: wait a long time (as long as possible) before applying it. Maybe some other less lucky people installed the firmware and got into trouble. This is of course no guarantee that nothing rogue will be installed on your device.
Made up of various contributors' opinions and insights - the power of the collective.
Norman Security Portal Bloggers
Norman Safeground Blogs Archive