WFTS posted the video of the Smartphone Security piece that aired last night. You can watch the video below.
Yes, that was my wife sending me the rigged SMS message. Thanks Honey!
In all seriousness, the exploit used in the video utilized the Webkit Floating Point Datatype Remote Code Execution Vulnerability (CVE-2010-1807). I used MJ’s exploit code to compromise a stock Verizon Motorola Droid (A855) running Android Eclair (2.1). The exploit code was about 33% reliable, but I found running it against an Eclair Emulator to be far more reliable (~80%).
You can watch a full length video of the exploit demo below. I had put this together to show Michael George of WFTS how an attack might work. This was against an emulated Motorola Droid (A855) running Eclair (2.1).
If you have any questions about either of the videos, or smartphone security, please post them in the comments below. Also, make sure you read the previous posts on our blog regarding smartphone security:
I have a feeling that Shmoocon 2010 (and all snow-themed variations of the name) will go down as one of the most unique security conference experiences ever. Given that some people still have not made it home Shmoocon might be one of the longest running security conferences ever. I had a great time hanging out with friends and a great time giving my first ever conference talk “The New World of Smartphone Security – What your iPhone Disclosed About You”.
Highlights for me included Michael Weigand’s talk “Build your own Predator UAV @ 99.95% Discount” about making your own autonomous aerial camera platform. Since the UAV uses a GPS to orient itself and lat/long coordinates to fly its route, I was thinking that it would be cool to send his UAV the coordinates of an iPhone user for the ultimate aerial tracking system.
Some have been asking where the archived uStream footage of my talk is. It turns out that the AV folks had some technical issues on Saturday morning and were unable to stream or record my talk. However, MediaArchives.com did catch all but the first 10 minutes. I bought the DVD and am waiting to hear from the folks at Shmoocon if I am cleared to rip and post the video. Once we hear back on that I’ll post the link to Vimeo.