Just How Many Wireless Technologies Can You Misuse In One Shot?
from the now-that's-talent dept
We've seen a lot of stories recently about overhyped wireless "security holes" or "exploits" for both WiFi systems and mobile phones. In almost every case, the story would get a lot of press, but the actual risk was extremely low. The discoveries (and subsequent publications) were mostly designed to get attention for some random security researcher who discovered the supposed problem. Well, now that the obvious security attacks are out of the way, security researchers need to get a bit more creative. They can no longer just pick on a single technology (Bluetooth? WiFi?) and find a security hole. Now, they need to get with the converged times and go for a combined attack. That's about the only explanation I can come up with for the announcement of this new "vulnerability" that makes use of Bluetooth, WiFi and SMS all in one shot.

The article doesn't do a great job of explaining the attack, but apparently, it works by having someone "bluejack" one of the few phones that are vulnerable to bluejacking (and which haven't been patched), using that connection to send an SMS to an "anonymous prepaid phone" owned by the attacker. They can then use this to determine if (just maybe) the vulnerable phone is a T-Mobile customer. If it is, they then hijack the vulnerable phone again, and send an SMS to T-Mobile to get login info for hotspots (since T-Mobile now lets users get hotspot login info via SMS). If the user is not a T-Mobile customer, there are other options, but they're equally convoluted (sometimes involving another associate with another mobile phone sitting at a hotspot).

The group that put out the warning admits there's no evidence that this has been done, and, honestly, it really seems like a security hack for show more than anything else. Of course, now the bar has been set. Who will top it and give us the useless, unlikely security hack that involves four different wireless technologies?
Reader Comments
No Subject Given
I used to do penetration testing. (Bad business, I now do software.) It used to be valuable to companies to pen-test a system. Now that most of the cool systems are national, they're "too big to fail". Any vulnerability will either be prosecuted, legislated against, or advertised.
Pen-testing is still a great business for smaller companies - Hell, I'm trying to figure out the parameters for making a new company, just for that. But, it sucks. And more and more, if you're a big company, "the law requires you to"...
Look at banking rules.