A group of security researchers exposed a flaw in the web browser on the T-Mobile G1 that could potentially allow trojans and keyloggers to install themsevles on your phone if you visited an infected website. The stars would somehow have to align for someone to fall victim:
- A malicious developer would need to know what the flaw is
- Said developer needs to place this malicious code on a website
- T-Mobile customer browsing the web with their G1 must visit offending website with malicious code
So unless you’re out there hunting for websites that will screw you over, your probably safe for the next week or so… but just as a heads up – be careful. Google will likely patch this flaw with an Over The Air update but its unclear to what extent and how deep the problem really is.
One of these security researchers is Charles A. Miller, a former NSA computer security specialist and current analyst at Independent Security Evaluators in Baltimore, MD. According to the New York Times, Mr. Miller thought about keeping the flaw a secret but felt that consumers had a right to know that products had shortcomings. Especially in this case, since most consumers don’t understand that their mobile phone is susceptible to the same types of intrusions as a Personal Computer.
This didn’t make Google happy… at ALL… and the company accused Mr. Miller of violating an unwritten code between companies and researchers that is intended to give companies time to fix problems before they are publicized. As a sidenote, Mr. Miller’s revealing of the flaw included no details that would make it easier for hackers to write malicious code.
I can see how Google would be extremely upset by this news… the success of the T-Mobile G1 is crucial to the success of the Android platform. They need more handsets on more carriers and the only way to do that is garner the attentions – and TRUST – of the manufacturers and carriers.
Sprint’s CEO Dan Hesse recently announced that Android wasn’t good enough for Sprint yet and this announcement could have HUGE implications on what carriers/manufacturers choose to follow through with an Android related handset. Even if this is one small flaw… it shows a fairly big vulnerability.
The question is how quickly and effectively will Google be in responding and patching the flaw?
[Via NewYorkTimes]
I can understand Google feeling PO-ed, for the reasons you state, Rob. However, as a consumer and soon-to-be owner of the G1, I am glad to be informed of a potential threat. Security flaws are inevitable, we are fortunate to have a “good guy” be the one to break the news, and not some coder with malicious intent. Hopefully Google gets cracking ASAP.
I agree that the security firm should have given Google a head start on the issue. That is the standard practice and it’s standard practice because it’s the best thing for the consumer. I see no reason for Mr. Miller to deviate from that other than to get attention and he has succeeded in that.