Vulnerability found in Mobile Spy spyware app

17 May 2012

Mobile Spy is covert spyware designed to allow parents to monitor their children’s smartphones, employers to catch time-wasters, and partners to detect cheating spouses. But vulnerabilities mean the covertly spied-upon can become the covert spy.

Mobile Spy can run on iPhone, Android, Symbian and BlackBerry; and it can run in stealth mode, making it little different in operation – if not in intention – from standard spyware. Once installed, it will silently upload data to the subscriber’s web account, where it can be viewed from anything with web connectivity. One option allows the subscriber to track the device via GPS and control it remotely – offering an attractive security option for both individuals and companies.

But now the Vulnerability Lab has discovered multiple vulnerabilities and issued an advisory. “The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation.” Two of the vulnerabilities are given a ‘high risk’ rating and a third is given a ‘medium risk’ rating.

One possible outcome is described in the advisory: “If you know for example your mobile is observed you can inject script code to your sms and send it via service. The SMS spy service is logging the issue & the script code is getting executed on the display website of the observer. This possibility allows the observed person to spy back the attacking observer by redirection to log him when processing to watch the sms.”

The irony is that the spied upon becomes the spy. But the danger is that businesses, already very worried about the effect of BYOD on their corporate systems, might turn to this type of security as a quick and simple solution rather than one of the more formal solutions. “We have over 20 years of vulnerability alerts for PCs, but mobile security is still taking its first steps,” says Nigel Hawthorn, director EMEA Marketing at MobileIron, a California-based mobile security company. “Vulnerabilities like this one demonstrate that users and their employers need to implement complete mobile device and mobile application control. Solutions are available where administrators can select which mobile applications are required, allowed, or disallowed and then define the consequences of being out of policy, for example warning users or selectively deleting corporate information from the device that may be vulnerable.”

Spyware instead of security is probably not the best way to secure BYOD policies – even without these vulnerabilities.
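The advisory's scenario, logged SMS text being executed as script on the observer's web page, is a stored cross-site scripting flaw, and the fix belongs where the dashboard renders the log. The sketch below is an added example, not code from the article, the advisory or the Mobile Spy service; the function names, field names and sample messages are constructed assumptions about how such a dashboard might build its page.

```python
import html

# Constructed sample of messages a monitoring service might store for display.
# The second body carries markup, as in the scenario the advisory describes.
LOGGED_SMS = [
    {"sender": "+15550100", "body": "Running late, see you at 6"},
    {"sender": "+15550101", "body": "<script>alert(1)</script>"},
]

def render_row_unsafe(msg):
    """Before: stored text is concatenated into the page, so markup in it is live."""
    return "<tr><td>" + msg["sender"] + "</td><td>" + msg["body"] + "</td></tr>"

def render_row_safe(msg):
    """After: every stored field is HTML-escaped at output time."""
    sender = html.escape(msg["sender"], quote=True)
    body = html.escape(msg["body"], quote=True)
    return f"<tr><td>{sender}</td><td>{body}</td></tr>"

def response_headers():
    """Defence in depth for the session-hijacking risk the advisory names."""
    return {
        # Refuse inline script even if one template forgets to escape.
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        # Keep the session cookie out of reach of page script (placeholder value).
        "Set-Cookie": "session=PLACEHOLDER; HttpOnly; Secure; SameSite=Strict",
        "X-Content-Type-Options": "nosniff",
    }

def render_dashboard(messages, row=render_row_safe):
    """Build the log table with the chosen row renderer (safe by default)."""
    rows = "\n".join(row(m) for m in messages)
    return f"<table>\n{rows}\n</table>"

def contains_live_markup(page):
    """Crude regression check: stored text must never yield a script element."""
    return "<script" in page.lower()

if __name__ == "__main__":
    print(render_dashboard(LOGGED_SMS))
```

Escaping at output rather than filtering at input matters here because the service cannot control what arrives in an SMS; it can only control how the stored text is written into the page.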
