"Imagine you're at the airport and you want to find the free Wi-Fi. When you scan, your phone is going to display the Wi-Fi access points. That could be an easy channel for a hacker to inject malicious worm code into your smartphone," Du says. "Once the worm takes control, it can duplicate itself, and send copies to your friends via SMS messages, multimedia file sharing, and other methods."
Du and a team of researchers from the College of Engineering and Computer Science at Syracuse University are warning about Cross-Device Scripting (XDS) attacks on smartphones that run HTML5-based apps. Details of the attacks are in the research paper "XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps" (pdf), which will be presented at the Mobile Security Technologies (MoST) workshop in May.
To help even technically challenged folks grasp the risks, the team put together video examples demonstrating the following four attack scenarios:
- If you are at an Airport, and scan for free Wi-Fi access points using an HTML5-based app, you may be attacked.
- If you receive an SMS message, and use an HTML5-based app to read the message, you may be attacked.
- If you play an MP3 song or music using an HTML5-based app, you may be attacked.
- If you scan a 2D barcode using an HTML5-based app, you may be attacked.
Put another way, even basic activities like listening to music, watching a video, opening an image, sending a text message, or scanning for Wi-Fi can leave smartphones "vulnerable to harmful 'computer worms'." If an attacker injects malicious code into a victim's smartphone, it doesn't end there. The researchers warned (pdf), "It can be spread to other people's phones like a worm. The more popular the technology becomes, the more quickly a worm can spread." All major mobile platforms "will be affected, including Android, iOS, Blackberry, Windows Phone, etc., because they all support HTML5-based mobile apps."
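The common thread in the four scenarios above is an HTML5-based app placing data it received from an untrusted channel (a Wi-Fi SSID, an SMS body, an MP3 tag, a barcode payload) into its page as markup. The following added example is not from the paper or from any of the apps the team tested; it contrasts the unsafe rendering pattern with an escaped one and adds a simple check over scan results. The function names and the sample SSIDs are constructed for illustration.

```javascript
// Added example (not the researchers' code): how an HTML5-based app can
// display untrusted scan results without letting the data act as markup.

// Unsafe pattern: untrusted strings are concatenated straight into markup,
// so any tag inside an SSID becomes part of the page once the string is
// assigned through innerHTML.
function renderAccessPointsUnsafe(ssids) {
  return "<ul>" + ssids.map((s) => "<li>" + s + "</li>").join("") + "</ul>";
}

// Replace the characters HTML treats as markup (or as entity syntax) with
// their entity forms, so the string is shown literally.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every untrusted field is escaped before it touches the
// markup. Assigning through element.textContent in the app has the same effect.
function renderAccessPointsSafe(ssids) {
  return "<ul>" + ssids.map((s) => "<li>" + escapeHtml(s) + "</li>").join("") + "</ul>";
}

// Defensive check: an SSID is at most 32 bytes, and no ordinary network name
// needs markup characters, so entries carrying them are worth logging.
function suspiciousSsids(ssids) {
  return ssids.filter((s) => /[<>"'&]/.test(s));
}

// Constructed scan result: two ordinary networks and one carrying markup.
const SAMPLE_SCAN = ["Airport_Free_WiFi", "Lounge", "Free WiFi<b>click</b>"];

console.log(renderAccessPointsUnsafe(SAMPLE_SCAN)); // tag survives into the page
console.log(renderAccessPointsSafe(SAMPLE_SCAN));   // tag is displayed as text
console.log(suspiciousSsids(SAMPLE_SCAN));          // [ 'Free WiFi<b>click</b>' ]
```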
Xing Jin is a doctoral candidate at SU who has worked with Du on software security for the past year and a half. Jin said, "Professor Du always said, 'You need to have an evil mind, but have a good heart.' I would like to use my knowledge to help the systems developer. I would like to see my work implemented within Samsung's technology to benefit the greater good."
So far, the Syracuse team has "identified 14 vulnerable HTML5-based apps from three types of mobile systems, including Android, iOS and Blackberry. Developers of those vulnerable apps have been informed and, in an effort to give them time to fix the problem, researchers have decided not to disclose the names of the vulnerable apps."
There is one simple solution: don't use apps based on HTML5. The researchers said, "If the app is written using the language native to the platform (e.g. Java for Android and Objective-C for iOS), it is immune to this type of attack."
I encourage you to watch the plethora of videos showing the attacks, the one showing how to track the victim's location, and/or the longer version embedded above about code injection attacks on HTML5 apps. It's interesting work. You can also read the research, "XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps" (pdf), before it hits the "mainstream" at the Mobile Security Technologies conference in May.
Follow me on Twitter @PrivacyFanatic