July 31, 2009 | by Andrew Kameka
The Android firmware update sent out to T-Mobile phones recently seemed pretty boring since no one noticed any new features. It was quickly discovered to be a security patch and it seems the Android world may now know exactly what the update protected us from.
Two security researchers discovered a flaw in Android and iPhone devices that leave both operating systems vulnerable to denial of service attacks. By sending difficult-to-manage SMS messages, researchers were able to exploit a bug in the Android system and prevent the phone from accessing the network.
“The bug is similar to the second iPhone bug in the way that it kills the telephony process(com.android.phone) and thus kicks the Android device from the mobile phone network,” the researchers said. “On Android the bug is a little more interesting since it will permanently kick the target device off the network if the SIM card residing in the phone has a PIN set.”
Wow. That update doesn’t seem so boring now.
At the Black Hat Security Conference in Las Vegas yesterday, Charlie Miller and Collin Mulliner, the aforementioned researchers, explained how they exploited the bug. Creating an “injector” in the phone’s process allowed them to block communication to the point that a network connection became impossible. That essentially meant they could have sent a text message to a phone and caused serious damage.
Google has confirmed that the security flaw has already been addressed, likely in the recent OTA update.