Cyber Threat Intelligence


Cisco cuts ties with Chinese firm accused of reselling gear to Iran | Ars Technica

Cisco cuts ties with Chinese firm accused of reselling gear to Iran | Ars Technica: “

by Jon Brodkin – Oct 9 2012, 3:30pm EDT
Cisco has ended a sales partnership with ZTE, after the Chinese technology firm was accused of selling Cisco networking equipment to Iran despite US sanctions against the country. Cisco’s decision became public just as a Congressional report yesterday claimed Chinese companies ZTE and Huawei pose a security threat to the US and can’t be trusted to comply with US and international law.

Reuters exposed ZTE’s sales to Iranian telecom firm TCI in articles earlier this year, and reported Cisco’s decision to cut ties with ZTE yesterday. ZTE ‘sold banned computer equipment from Cisco and other US companies to Iran’s largest telecom firm,’ Reuters reported, adding that ‘ZTE also agreed last year to ship”

Filed under: Telecommunications

GPS Weakness Could Enable Mass Smartphone Hacking – Technology Review

Weaknesses in the technology that allows smartphone users to pinpoint themselves on a map, or check into restaurants and bars using apps such as Foursquare, could allow those users to be tracked remotely.

Ralf-Philipp Weimann, a researcher at the University of Luxembourg, reported this finding at the Black Hat computer security conference in Las Vegas yesterday. He believes that the complex mechanism by which phones get location fixes likely also hides vulnerabilities that could allow the mechanism to be used to install and run malicious code on the device.

Smartphones do not use GPS satellites alone to determine their location, because doing so accurately requires complex calculations based on signals collected from four orbiting satellites, a process that takes as long as 12 minutes. Instead, they use assisted GPS (A-GPS), in which a cellular network supplies an approximate location to simplify and speed up the necessary GPS calculations. A-GPS also allows a device to ask the mobile network to do the work and send back the exact location fix once it’s finished.

Weimann discovered that the messages that pass between a phone and its network during this process aren’t exchanged over a secure connection, but rather over a non-secure Internet link. That makes it possible to trick a phone into swapping A-GPS messages with an attacker instead, Weimann realized, and to have that attacker know the result of every location fix wherever the phone goes.

Using this method, a malicious Wi-Fi network could instruct phones to relay back all future requests for A-GPS help and to report all location fixes, even after the phone goes out of range. “If you just turn it on once and connect to that one network, you can be tracked any time you try to do a GPS lock,” said Weimann. “This is rather nasty.”

Weimann demonstrated the vulnerability on a variety of Android handsets and said that handset manufacturers haven’t bothered to implement technologies that could prevent such attacks. The problem is solvable, though, and Weimann said it will likely be addressed in future versions of software from mobile-device manufacturers. “I wouldn’t count on it until you buy the next-gen device.”

Weimann also presented work showing how A-GPS messages could be used for seriously compromising attacks. He showed that many smartphones process these messages on their main processor, not the GPS chip or the radio chip dedicated to communicating with the cellular network. This means the messages could potentially be used to trigger crashes that would allow the device to be taken over remotely, said Weimann, who added that he has identified some candidate bugs already.

Other experts at the conference said that the kind of attack Weimann demonstrated could convince professional malware developers to take mobile devices more seriously as lucrative targets. Today, it is not easy to infect many users with a malicious app, explained Vincenzo Iozzo, of the information-security company Trail of Bits, who is a member of Black Hat’s advisory board. “What’s interesting is to find the venues where an attacker can gain additional scale and profit,” he said. “This attack actually allows them to reach a huge number of targets without being close to them.”

It is still early days, Iozzo said, but there’s cause for concern. “Exploitation for the time being is not going to be a big problem in mobile, but mobiles are more complex compared to desktops and so offer more places to explore.”

Filed under: Telecommunications