* Up to 90 pct of smartphones share flaws
* Google Android devices face issues involving spoofed IDs
* No evidence consumers have been harmed to date
By Eric Auchard
VIENNA, July 31 - Security researchers have revealed two separate threats this week they say could put up to 90 percent of the world's 2 billion-plus smartphones at risk of password theft, stolen data and, in some cases, let hackers take full control of devices.
One vulnerability involves flaws in the way scores of manufacturers of Apple, Google Android and Blackberry devices, among others, have implemented an obscure industry standard that controls how everything from network connections to user identities is managed.
The threat could enable attackers to remotely wipe devices, install malicious software, access data and run applications on smartphones, Mathew Solnik, a mobile researcher with Denver-based cyber security firm Accuvant, said in a phone interview.
A separate threat specifically affecting up to three-quarters of devices running older Android software has been unearthed by researchers at Bluebox Security of San Francisco.
Dubbed "Fake ID", the vulnerability allows malicious applications to trick trusted software from Adobe, Google and others on Android devices without any user notification, the company said on Wednesday.
"Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability," Bluebox said in a statement referring to devices built before Google updated its core software late last year.
These risks could not be independently verified by Reuters.
Solnik stressed that the threat to smartphone management software identified by Accuvant remained remote to average users and said that only a few dozen mobile communications experts in the world would currently be able to replicate the technique. But by publicising the risks, his company hopes to avert this becoming a danger on a global scale.
FIXING FLAWS
The global smartphone industry has been scrambling for the past few years to respond to an increasing number of vulnerabilities uncovered in mobile technology.
Both research groups will present their findings at next week's Black Hat hacking conference in Las Vegas, which is highlighting research on mobile technology, among other themes.
An Apple spokesman declined immediate comment.
Blackberry said it was aware of Accuvant's findings and was seeking more details.
"BlackBerry has been working closely with Accuvant. Internal and external security researchers serve a critical role in improving industry security standards," a spokeswoman said.
A Google spokesperson declined to comment on the general vulnerability raised by Accuvant about many smartphone devices. He confirmed that Google had quickly distributed a patch to Android phone makers on learning of the issue from Bluebox.
In general, Android's open software development process encourages individuals and security firms to report security issues, allowing the company to push patches to manufacturers, which in turn must implement the fixes.
The spokesperson said Google had scanned all apps in Google Play, Android's application marketplace, and elsewhere and had found no risks to users. "We have seen no evidence of attempted exploitation of this vulnerability," he said.
Christina Richmond, a security services analyst with research firm IDC, said detecting these vulnerabilities is positive in that the phone industry has a chance to act on these findings before they can be exploited by bad actors.
"These security threats have become everyday issues for billions of smartphone users worldwide," she said. "Mr. and Mrs. end user needs to understand the risk of not updating their phone's software."
The disclosures come as market share statistics released on Thursday by mobile research firm Strategy Analytics show Android capturing a dominant 85 percent share of smartphones shipped worldwide in the second quarter. All major rivals from Apple iOS to Microsoft to Blackberry lost market share.
Security researchers say Android's rapid growth and dominant market share have come with an Achilles heel.
Until late last year, successive versions of Android were distinct creatures, making it hard, if not impossible, for developers to update products for each software release, and meaning most Android security features could not be backported to older releases.
The "Fake ID" vulnerability is widespread in Android phones dating back to the January 2010 release of Android 2.1 software and affects all devices not patched by Google, Bluebox said.
(Editing by Alison Williams)