Guest j_sincla Posted January 16, 2003

Orange Examines Possible Security Breach on Handsets, WSJ Says
2003-01-16 03:24 (New York)

Paris, Jan. 16 (Bloomberg) -- France Telecom SA's Orange SA mobile unit is examining possible security flaws on its SPV handsets after a Web site described how to bypass the software, the Wall Street Journal reported citing the company.

The SPV phones are the first cellphones to use Smartphone software, a reduced version of Microsoft Corp.'s Windows operating system, the paper said. Microsoft considers Smartphone to be one of its top new products. The handsets are designed to only run software approved by Orange to enhance security, allowing the company a share in software revenue, the Journal said.

Two separate methods of circumventing the security system have been posted on the Web, according to the Journal. One relates to the handset sold in France, the other to the U.K. phone.

(Wall Street Journal Online 1-16) For the Wall Street Journal Web site, see {WWSJ }

--Lianne Gutcher in the London newsroom (4420) 7073 3563 or [email protected] Editor: Peterson
Guest Paul [MVP] Posted January 16, 2003

Shame none of them report their source ;)

P
Guest Arisme Posted January 16, 2003

And none of them understands that there's only ONE bug (ie a provisioning bug in the default registry of the ROM image that leaves the phone all open for a short time after the registry has been rebuilt in RAM, which is trivial to fix, at least for the next batch of SPVs ...) yawn :roll:
Guest DJ WATTS Posted January 16, 2003

Well I spoke to a guy at Orange technical support about the Orange certification thing last week and he said it was a bit naughty of Orange to have the certificate system in the first place. Seems we are not alone in thinking that it was wrong of Orange to have it in the first place as even their staff think this way! ;) Think Orange should just get over it and put it down as a bad idea as they need to promote the phone more than make revenue from signed apps. Without a flood of software available for the phone early on may cripple the phone before it takes off and Orange need the customers more than the revenue I think and to have a phone that has all this great software and apps available will only do the phone good by attracting more customers to the Orange SPV and their network.
Guest Rob.P Posted January 16, 2003

Put it this way: you don't go into a computer shop and buy a spanking new system that you can't load software on without the shop staff logging in as an administrator. You bought the computer, you can do what the f u like with it. As it says in the terms and conditions of the monthly user, section 14.1, "your phone is not part of the contract", so Orange have no right to tamper with it in such a way that it inhibits our expected use of the phone. We should get the legal beagles that are registered on the forum to scour our terms and conditions, just in case this can of worms turns nasty.
Guest DJHope Posted January 16, 2003

I was having a think about this the other day: when you unlock the phone and it's officially yours (no subsidy) I imagine they are under a legal obligation to remove certification because:

a) you now OWN the phone and as such should have the right to run anything you want, imagine next time you get a PC and it's locked, all hell would break loose (not sure about this one).

b) now you can run SPV on networks OTHER than Orange and hence you should not be governed by their security policies.

PAUL: you have unlocked your phone, I wonder what your stance is?

DJ Hope
Guest spacemonkey Posted January 16, 2003

Legally, you own the phone (regardless of subsidy or not) and therefore anything you choose to do to your own phone is legally fair use. Similar cases would be that PS2 and XBox modchipping is legal, and Multi Region chipping DVD players, cos you own the device, it's fair use.

If you do something to your phone that affects their networks (eg sending deliberately misformed packets as an attempt at breaching security or DOS) then you are breaking the law. If you create a virus that will spread to other mobiles by whatever means (even if it's an email attachment) then you are breaking the law.

Orange could attempt to claim that your device is in breach of your connection agreement after you have modified it, as in only "normal" phones are allowed to connect to the Orange network. This is the closest they could come to a legal problem for us, however they would be hard pressed given that they allow GSM PCMCIA cards and PocketPC with GSM cards on their network that are less secure than the cracked SPV. If you are not using your phone for illegal activities they would have difficulty going after you on this one.

Further to that... the methods that have been developed and posted only unlock the insecure end of the phone. Even though the method could be extended, we haven't done so because none of us want to create a hackable network for Orange, I want to use their service for data and calls. We have just made the phone open for local applications and development which it always should have been, and which can only help the phone's future.
Guest DJHope Posted January 16, 2003

It does appear that certification is just a revenue generator (even Wall Street indicates it) and the security issue is a cover story, since as spacemonkey so rightly puts it unrestricted GSM PocketPC and PCMCIA cards are available. Since those aren't phones we can look at the 7650, which isn't restricted.

"The handsets are designed to only run software approved by Orange to enhance security, allowing the company a share in software revenue, the Journal said."
Guest Arisme Posted January 16, 2003

But they need to understand that using the certification as a revenue generator is absolutely flawed ... what's coming next, they'll say that freeware games are hurting the market of commercial games? I really enjoy being an alpha tester of Palladium :wink:
Guest DJHope Posted January 16, 2003

Well freeware does hurt commercialware, I mean if Linux wasn't there everyone would have to PAY for Windows or an alternative I can't think of! If the US has its way nothing will be free since they're removing virtually all of the 5th with things like the DMCA. And don't get me started on this imminent war, when will the US wake up to itself!
Guest Arisme Posted January 16, 2003

In my opinion competition never hurts, but makes each side improve their weak points - if Linux didn't exist, I guess that we'd still be using Windows 95 with 3 reboots a day (I mean for the handful of people that wouldn't be sick of computers and doing something else); and if Windows didn't exist, I'd be typing this post with a telnet connection to MoDaCo instead of enjoying Mozilla :wink:
Guest madu Posted January 16, 2003

Apart from the commercial side of this (O's share from cert.) there is one very simple answer: The phone is in beta testing and so is the OS (as we all know) even though it is considered to be a full commercial product. Because the OS is new and untested in mass market, it is not idiot-proof and error free.. For example in PC Windows, whether it's XP, 98 or ME (total shite) it has protection from malicious code from crashing it (well kinda).. You will not be able to do something very harmful to the OS by f***ing around with it, and if something is designed for Win, it is most likely gonna work - Windows may not, but the software will ;)

As for the phone - fixing people's phones all the time coz they installed some crappy beta software or played with registry not knowing how to (and thinking what the f**k is PHPregedit in the first place) would be very expensive for Orange - and there are enough SPV bugs of its own, to take care of bugs resulting from other soft. They are trying to make the phone error-free on its own.. then we'll see.

Oh well, another 5p to the thread

PS: I have still to try and unlock it, but from what I know there is no soft other than regedit and mytools so far that would work even with cert. off, so don't see much point for all that hassle atm. Correct me if I'm wrong!?
Guest DJHope Posted January 16, 2003

It's a pretty easy process anyways, but I suppose if you're not developing then it's pretty pointless. Someone's already working on converting CEMAME and a Gameboy emulator, we shall see, time will tell, all that cr*p!
Guest spacemonkey Posted January 16, 2003

In some ways you are right, MadU... but the phone support angle isn't really a problem to fix. If I was running customer support it would be: you have a problem? Is your phone backed up? OK... hard reset it... is your problem still there sir? OK, now we'll look at it. Easy as that, beta software is easy to fix by resetting people's phones.

As to why you'd unlock it... yeah, unless you want to develop not a lot of point (although the MediaPlayer skin tweak to make it survive reboots is worth it to me).

In the near future I'd see that a freeware community will spring up where free unsigned apps become quite available and the unsigned phone community will use these and work out all the bugs in them. Then I'd like to see some sort of donation etc based foundation set up where once these free apps are reasonably bug free the foundation would sign them through Baltimore (about £7 per signed app after an initial outlay to set up) providing those apps free to the people without unsigned phones.

Just my call tho...
Guest Monolithix [MVP] Posted January 16, 2003

I think this needs a week or so to calm down a little. One news site has been informed (maybe) of the flaw, and has blown it up out of proportion. Other sites have picked up on this and here we are. Let's wait and see if there are any official releases from Orange or MS about the mod and how they are going to deal with it. Once some _sensible_ reporters take a look at the whole picture, hopefully some of the "truth" over this matter will be published.

Now just to bide our time....
Guest spacemonkey Posted January 16, 2003

The Register in sensible accurate journalism SHOCKER: http://212.100.234.54/content/59/28898.html
Guest Southwestwall Posted January 17, 2003

I agree with much that has been said on this, both here and on microsoft.public.smartphone, where there have been some flamewars going on... maybe that's because it's an MS group and one or two senior MS execs have been posting the arrogant corporate line.

How much damage can a bad app do, in the long run? A hard reset later and it's back to factory settings. With IPSM backed up on an SD or PC, all's back to normal in a few minutes. Even IF something tried to write to the ROM - how would that be possible from WITHIN the phone? - a full ROM backup on an SD card via the engineering menu soon cures that too.

Seeing that the network and hardware control is in the secure part of the phone - proprietary code that few can access, let alone program, and the signing was just part of some XML to restrict installing apps, what else did Orange expect? Just having the phone constantly use the file containing the signing code wasn't real security. It was not rocket science to access those files. It just took a bit of lateral thinking to alter them and get them back into the phone.

There have been rumblings that Orange will simply re-apply the original signing code as part of the update. Easy for them to do, not too hard to crack again, but bloody inconvenient for those who have unlocked their phones already and will have to wait for the experts to do it again...

Hmmm, much food for thought.
Guest Monolithix [MVP] Posted January 17, 2003

Read that yesterday, shame articles like this are still coming out. A direct, incorrect and plain stupid copy/twisted story from the CNET report. People really piss me off sometimes