7/31/2014
08:00 AM

New Mobile Phone '0wnage' Threat Discovered

Widespread major vulnerabilities discovered in client control software that affect nearly all smartphone platforms: Details to come at Black Hat USA next week.

Rogue cellular towers and phony base stations long have been a tradition of researchers at Black Hat and DEF CON, who test and demonstrate how they can intercept or manipulate cellphones, but a team of researchers has found a deeper problem of major security vulnerabilities in the client control software running on the majority of mobile phones around the world.

Accuvant Labs researchers Mathew Solnik and Marc Blanchou -- who will provide details and demonstrations of their findings next week at Black Hat USA in Las Vegas -- say they found a variety of serious flaws in the software that sits on Android, BlackBerry, and Apple iOS smartphones and embedded devices that handle everything from firmware, cell network baseband parameters, CDMA settings, and LTE settings, to device-wiping, Bluetooth, GPS, encryption, software activation, and battery monitoring, among other functions.

Attackers using a rogue base station could exploit these flaws to wrest control of the mobile devices themselves, or remotely spread malware on devices connecting to the station, for example. "The attacks require more or less a rogue femtocell, or base station," says Solnik, a research scientist with Accuvant. Such hardware is relatively simple to acquire: He and Blanchou purchased a base station for under $1,000 for their research, and were able to conduct their proof-of-concept attacks anywhere from 30 feet to 30 yards away from the targeted phones.

The attack is not for the novice hacker, however: "The ability and knowledge sets to run it in the way it needs to be done to take advantage of the vulnerabilities requires very specific knowledge of how they work," Solnik says. In other words, it would take a sophisticated and determined attacker, likely targeting an individual or group of individuals.

Larger GSM hardware can cost hundreds of thousands of dollars, but these systems could be used to wage attacks from afar, he says.

Solnik and Blanchou say they found that device authentication was completely bypassable in some devices, as the authentication tokens used to verify the clients to the servers can be "pre-calculated." "And the encryption used, which is based on SSL, is not properly verifying the remote hostname in certain cases," Solnik says.
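The second flaw above is a client that encrypts its link but never checks who is on the other end, which is exactly what lets a rogue base station impersonate the carrier's control server. The following is an added illustration, not code from Accuvant or from any vendor's client software: a TLS client context that verifies the peer beside one that does not, plus the RFC 6125-style hostname check that the weak client skips. Hostnames and certificate names are constructed for the example.

```python
import ssl


def make_client_context(cafile=None):
    """Strict TLS client: validate the chain AND the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True          # already the default; stated for clarity
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_weak_context():
    """The misconfiguration the article describes: encrypted, but peer unchecked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies_peer(ctx):
    """Audit helper: both settings must be on for the peer identity to be checked."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: a single '*' may stand for the whole leftmost label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # wildcard only as the entire leftmost label, and never for a bare TLD
        if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(san_dns_names, hostname):
    """True if any DNS subjectAltName on the certificate matches the expected host."""
    return any(_name_matches(p, hostname) for p in san_dns_names)


def peer_accepted(ctx, presented_sans, expected_host):
    """Model of the client's decision: a non-verifying context accepts any certificate."""
    if not context_verifies_peer(ctx):
        return True
    return hostname_matches(presented_sans, expected_host)


if __name__ == "__main__":
    # constructed: the carrier's real control host vs. a certificate a rogue station could present
    rogue_cert_sans = ["rogue.example"]
    print("weak client accepts rogue cert:", peer_accepted(make_weak_context(), rogue_cert_sans, "control.carrier.example"))
    print("strict client accepts rogue cert:", peer_accepted(make_client_context(), rogue_cert_sans, "control.carrier.example"))
```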

Those two bugs alone could allow an attacker with a base station to take over the mobile devices altogether, he says. "We also found fairly significant memory corruption vulnerabilities" that would allow remote code execution on many of the devices, as well as integer overflow flaws.

"If you had the [proper] equipment and proximity, you would not need to know anything about the device. You could pretend to be a cell carrier and intercept. And acting as a cell carrier, you could take control of the apps running on the device, and leverage the apps to do what you choose."

The research is sort of a "next-next generation" to previous research into cellphone interception such as that of Kristin Paget at DEF CON 18 in 2010, when the researcher demonstrated security weaknesses in the GSM protocol using a homegrown GSM base station, running over ham-radio frequency, which spoofed a cell tower and lured unsuspecting phones to connect to it.

Meanwhile, the tricky part may be parsing out the offending code and determining who is responsible for patching it. "In most cases, the device manufacturers use a third party that provides a binary blob that gets put on the device and shipped. No one has full responsibility" for the software, Solnik tells us.

The majority of cellphones are vulnerable at some level, the researchers say, depending on the model and software, and the client software is configured differently in different types of devices. "On the Android, it lives in userland. Yet that does have a direct interface to baseband, and can change baseband settings as well as other things on the device."

While the researchers won't name names until their talk next week, they say some vendors' products are less vulnerable than others.

The researchers next week also will release a free tool to test devices for the flaws. The tool inventories what's running on the device, and detects any vulnerabilities in the apps, for example, says Blanchou, a senior research consultant at Accuvant.

But they emphasize they are not providing any exploit tools.

What can mobile phone users do to protect themselves in the meantime? "Make sure you update your device. That's pretty much the best recommendation," says Solnik.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
theb0x,
User Rank: Ninja
7/31/2014 | 7:49:45 PM
Re: Naming Names
I bet that Samsung is top of the list. They are well known to delay critical updates to their products and have the most vulnerable bundled software.

Smart phones aren't really that smart at all. There is no ACL in place for which cell tower your device communicates with.

That being said, any smart phone can be compromised using a cell tower simulator to intercept voice/data and push malware-enriched firmware to one's device without their knowledge.

Marilyn Cohodas,
User Rank: Strategist
7/31/2014 | 12:07:35 PM
Naming Names
While the researchers won't name names until their talk next week, they say some vendors' products are less vulnerable than others.

That's information I will be checking back for after Black Hat! Thx Kelly!
Andre Leonard,
User Rank: Strategist
7/31/2014 | 11:25:55 AM
Re: Worried
Outstanding observation. If a consumer really needs an app for everything, then buyer beware.
Whoopty,
User Rank: Ninja
7/31/2014 | 11:17:25 AM
Worried
Hacks like these make me worried that even if we do manage to find a way to stop the governments of the world tracing our calls' metadata and content through ISPs, they'll just set up snooping stations in between, which we can do even less about.

Kelly Jackson Higgins,
User Rank: Strategist
7/31/2014 | 11:16:39 AM
Re: Mobile Phone Threats 'Ownage'
I'll be interested to see just which vendors are tasked with the patches. Smartphones are such a maze of software, with cellular provider interfaces, hardware manufacturer software, the OS, and apps. 
Andre Leonard,
User Rank: Strategist
7/31/2014 | 11:01:06 AM
Mobile Phone Threats 'Ownage'
Let's face it. There will always be people whose mission is to hack, spoof, steal and infect systems. Like the poor, they are not going anywhere. The good news is, this will create opportunities for others to devise patches after the fact.