[security] sailfish is not affected by "vDirect Mobile / OMA-DM" vulnerability. [answered]
EDIT: Question was "is sailfish affected by "vDirect Mobile" vulnerability?", reformulated thanks to Aards answer!!
Read today about a possible vulnerability in "vDirect Mobile" software, which is used in "all prominent mobile OSes" for "over-the-air configuration" according to heise.de [German] http://www.heise.de/newsticker/meldung/Black-Hat-2014-Netzbetreiber-Software-zum-Fernsteuern-von-Mobilgeraeten-erlaubt-Missbrauch-2287821.html and Securityledger.com [English] https://securityledger.com/2014/08/vulnerable-mobile-software-management-tool-reaches-into-iot/

My question is, does Jolla use any of that code in Sailfish, or is this vulnerability limited to Android, Blackberry, iOS and Windows Phone? If so, it would be great marketing timing to go forward and let folks know about this security advantage!
Would be very interesting to know!!!
Stefan P ( 2014-08-07 22:30:28 +0200 )

And another article with reference to the Open Mobile Alliance Device Management (OMA-DM) protocol, and some links: http://www.theregister.co.uk/2014/08/08/two_billeeon_mobile_phones_easily_hackable_with_dummy_base_station/
meneer ( 2014-08-08 13:47:59 +0200 )

So, even if Sailfish would rely on OMA-DM (which is totally a guess, as there is no official statement or other source that I could find in 3 days of searching), the attack scenario would require the attacker to develop and deploy a device/OS-specific hacked firmware (or patch?). As with all malware, this is rather unlikely to happen to a small ecosystem like ours due to "commercial inefficiency". Or am I wrong?
mosen ( 2014-08-10 12:53:11 +0200 )