:format(webp)/cdn.vox-cdn.com/uploads/chorus_image/image/63708909/shutterstock_96096149.0.1486426416.0.jpg)
What’s the most cyber-secure place in the world? A cyber security conference, right?
Nope.
A snooping researcher managed to find a security flaw in the official app for the RSA Conference, a marquee tech security event being held in San Francisco this week. It’s a reminder of the nagging security issues plaguing Android phones. It’s also sort of hilarious.
Vendors at these sorts of conferences usually have smartphones to check in visitors to their booths. RSA vendors were given Samsung Galaxy S4 handsets set in “kiosk” mode, with a password protecting the scanning app. Andrew Blaich, a lead security analyst with Bluebox Security, dug into the source code of the app where, he claims, there was “an easily found bug.” He writes:
When we used that passcode we were able to gain access to the kiosk app’s settings. This, in turn, let us gain access to the device’s system settings, which then enabled us to put the device into developer mode to gain full access to the device. This is concerning because if we can do this, an attacker can too, letting them root the device, pull any data off of it, or install malware to steal even more data.
Security researchers like Blaich make part of their living pointing out such exploitable bugs, many of which are never actually exploited by hackers. That trend is more common with Google’s Android, since it, unlike Apple, relies on a complex layer of software, carriers and manufacturers to get security right.
Also, it’s probably unlikely that anyone at a tech conference would hack into a vendor’s phone. Then again, of all the places where that could theoretically happen, a gathering of cyber security tech experts ranks up there on the list. We reached out to the RSA to see what they have to say.
This article originally appeared on Recode.net.
