Recently there have been several reports of security flaws in a product provided by a company called Mobile Spy. The product is an application for Windows Mobile smartphones. The application logs various forms of communication data transmitted to and from the phone and sends it to a hosted database. A user can log in to the web service and view all the data that has been logged.
The idea behind this product is that it’s installed on a device without the knowledge of that device’s user (for example, an employee, child, spouse, etc.). The party who installed it can then monitor the user’s activity to ensure that the device is not being abused. A company manager, for example, can make sure that an employee is not making personal calls or sending personal text messages from a company device.
For the most part, this seems like a reasonable idea, but the security flaws in both the application and the associated web service can lead to some severe problems. First of all, as noted in BID 26177, the application uses a very weak storage mechanism for the account password. This means that if a user discovers the application on the device, they could easily gain full access to the web service account. Obviously, this is bad for the party who was monitoring the user because account credentials can be changed and log entries deleted. If the account is used to monitor multiple smartphones, the logs associated with them will now be compromised as well. This clearly defeats the purpose and leaves the account owner in a poor position.
The most critical flaws, though, affect the web service itself. One flaw allows a user to access arbitrary logs from any account. Another flaw allows attackers to spoof communications sent from a device to the service so as to create arbitrary logs. Falsifying log data for any account is a powerful ability in the hands of a determined attacker.
It seems to me the implications of these flaws are huge. This or similar technologies will likely be implemented -- if they aren't already -- into high-profile companies and government organizations. Since security flaws are inevitable, the technologies they use will be prone to similar flaws. Given the competitive nature of business and politics, flaws such as those described above could prove extremely debilitating for victims. Attackers could spoof logs to cover the tracks of their malicious activity, access privileged political or corporate information, or even frame people by making it appear as though they leaked sensitive information. Many other outcomes are possible, and I’m sure attackers will not let such an opportunity pass them by.
Adopted technologies are regularly prone to flaws that can exacerbate the very problems they were meant to prevent. The potential for misuse of such technologies is high and the possibilities are endless.
Message Edited by SR Blog Moderator on 04-16-2008 01:18 PM