Just days after the T-Mobile G1 smartphone went on the market, a group of security researchers has found what they call a serious flaw in the Android software from Google that runs it.
One of the researchers, Charles Miller, notified Google of the flaw last week and said he was publicizing it now because he believed that cellphone users were not generally aware that increasingly sophisticated smartphones faced the same threats that plague Internet-connected personal computers.
Miller, a former National Security Agency computer security specialist, said the flaw could be exploited by an attacker who might trick a G1 user into visiting a booby-trapped Web site.
The G1 went on sale at T-Mobile stores on Wednesday.
Google executives acknowledged the issue but said that the security features of the phone would limit the extent of damage that could be done by an intruder, compared with today’s PCs and other cellphones.
Unlike modern personal computers and other advanced smartphones like the iPhone, the Google phone creates a series of software compartments that limit the access of an intruder to a single application.
“We wanted to sandbox every single application because you can’t trust any of them,” said Rich Cannings, a Google security engineer.
He said that the company had already fixed an open-source version of the software and was working with its partners, T-Mobile and HTC (宏達電), to offer fixes for its current customers.
Typically, today’s computer operating systems try to limit access by creating a partition between a single user’s control of the machine and complete access to programs and data, which is referred to as superuser, root or administrative access.
The risk in the Google design, said Miller, who is a principal security analyst at Independent Security Evaluators in Baltimore, lies in the danger from within the Web browser partition in the phone. It would be possible, for example, for an intruder to install software that would capture keystrokes entered by the user when surfing to other Web sites. That would make it possible to steal identity information or passwords.
Miller has previously gained attention for finding other vulnerabilities. In March, he received US$10,000 and a Macintosh Air laptop in a contest at the CanSecWest security conference by reading the contents of a file stored on a Mac laptop by directing the machine to a Web site that was able to exploit a vulnerability in Apple’s Safari browser.
Google executives said they believed that Miller had violated an unwritten code between companies and researchers that is intended to give companies time to fix problems before they are publicized.
Miller said he was withholding technical details, but said he felt that consumers had a right to know that products had shortcomings.