Personal tools

AusCERT Conference

The annual AusCERT conference is Australia's best cyber security event for anyone with an interest in cyber and information security.

AusCERT PKI certificate service

The AusCERT Certificate Service offers PKI certificates for people, servers and software for Australian and New Zealand education and research organisations.

AusCERT Vision & Mission Statement

AusCERT is the trusted cyber emergency response team for the Australian information economy, providing valued incident prevention and detection.

Smartphone compromise made trivial

As if we needed more proof that updating your smartphone OS is a good thing, Apple's iOS9 mitigates a potentially nasty vulnerability in the Airdrop application which is present by default. The vulnerability allows an attacker to install a malicious app onto a vulnerable iPhone without any prompts and bypassing the AppStore. 

According to the security researcher who discovered the bug, an attacker requires physical access or must be within Bluetooth range of a vulnerable iPhone to exploit it. 

By contrast, some of the stage Stagefright bugs enable a remote attacker to infect an Android phone without any user interaction using a variety of attack vectors, including MMS.

There is no defence against a Stagefright attack on older Android versions for which no patch is available, but disabling automatic download of MMS will mitigate one of the attack vectors.

Newer versions are harder to exploit. While we are not aware of attacks in the wild, with the recent release of exploit code, this could quickly change.   Also, when you consider the potential impact of an attack, such as the ability to remotely turn on the device's camera and audio recording, the harm could be significant.  Along with identity theft, think stalking, surveillance, industrial or political espionage.

Another common cause of smartphone compromise is via an infected app. While the Android marketplace has a reputation for malware, the Apple store is considered to be safe. However, the App Store has just become the target of a large-scale malware attack, with hundreds of apps infected.

So, what can you do? In one word, patch. Whenever an update for your phone becomes available, apply it as early as possible. If no patches are forthcoming, think seriously about replacing your phone for one that is updated and, until then, consider avoiding any activity on your device that is sensitive.