New Mobile Phone '0wnage' Threat Discovered

Widespread major vulnerabilities discovered in client control software that affect nearly all smartphone platforms: Details to come at Black Hat USA next week.

Rogue cellular towers and phony base stations have long been a tradition among researchers at Black Hat and DEF CON, who use them to test and demonstrate how cellphones can be intercepted or manipulated. But a team of researchers has found a deeper problem: major security vulnerabilities in the client control software running on the majority of mobile phones around the world.

Accuvant Labs researchers Mathew Solnik and Marc Blanchou -- who will provide details and demonstrations of their findings next week at Black Hat USA in Las Vegas -- say they found a variety of serious flaws in the software that sits on Android, BlackBerry, and Apple iOS smartphones and embedded devices and handles everything from firmware, cell network baseband parameters, CDMA settings, and LTE settings, to device-wiping, Bluetooth, GPS, encryption, software activation, and battery monitoring, among other functions.

Attackers using a rogue base station could exploit these flaws to wrest control of the mobile devices themselves, or remotely spread malware on devices connecting to the station, for example. "The attacks require more or less a rogue femtocell, or base station," says Solnik, a research scientist with Accuvant. Such hardware is relatively simple to acquire: He and Blanchou purchased a base station for under $1,000 for their research, and were able to conduct their proof-of-concept attacks anywhere from 30 feet to 30 yards away from the targeted phones.

The attack is not for the novice hacker, however: "The ability and knowledge sets to run it in the way it needs to be done to take advantage of the vulnerabilities requires very specific knowledge of how they work," Solnik says. In other words, it would take a sophisticated and determined attacker, likely targeting an individual or group of individuals.

Larger GSM hardware can cost hundreds of thousands of dollars, but these systems could be used to wage attacks from afar, he says.

Solnik and Blanchou say they found that device authentication was completely bypassable in some devices, as the authentication tokens used to verify the clients to the servers can be "pre-calculated." "And the encryption used, which is based on SSL, is not properly verifying the remote hostname in certain cases," Solnik says.

Those two bugs alone could allow an attacker with a base station to take over the mobile devices altogether, he says. "We also found fairly significant memory corruption vulnerabilities" that would allow remote code execution on many of the devices, as well as integer overflow flaws.
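As an added illustration of the hostname-verification failure Solnik describes (this is not code from the article or from Accuvant's research): a client that accepts any validly signed certificate without binding it to the expected server name will trust whatever server a rogue base station puts in front of it. The check below matches the `subjectAltName` entries of a certificate, in the dictionary shape Python's `SSLSocket.getpeercert()` returns, against the management-server name the client expects; the `carrier.example` names are placeholders.

```python
import ssl


def hostname_matches(san_dns_names, hostname):
    """RFC 6125-style comparison of a hostname against SAN dNSName entries.

    Rules applied: case-insensitive, trailing dot ignored, a wildcard is only
    honoured as the entire leftmost label, it covers exactly one label, and it
    must leave at least two fixed labels (so '*.com' never matches anything).
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if pat_labels == host_labels:
            return True
        if (pat_labels[0] == "*"
                and len(pat_labels) >= 3
                and len(pat_labels) == len(host_labels)
                and pat_labels[1:] == host_labels[1:]):
            return True
    return False


def verify_peer_name(cert, expected_host):
    """Bind a peer certificate to the expected server name.

    `cert` is the dict returned by SSLSocket.getpeercert(); only dNSName SAN
    entries are considered (CN fallback is deliberately not implemented).
    Returns the matching SAN entry, or raises ssl.CertificateError so that a
    mismatch fails closed instead of being silently accepted.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    for name in dns_names:
        if hostname_matches([name], expected_host):
            return name
    raise ssl.CertificateError(
        f"certificate names {dns_names} do not match {expected_host!r}")


def client_context():
    """TLS client context that keeps hostname checking on.

    create_default_context() already sets CERT_REQUIRED and check_hostname;
    the failure mode in the article is equivalent to turning the latter off.
    """
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx
```

The same matching logic is what `check_hostname=True` performs inside the socket layer; the stand-alone function exists so the behaviour can be tested without a live server.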

"If you had the [proper] equipment and proximity, you would not need to know anything about the device. You could pretend to be a cell carrier and intercept. And acting as a cell carrier, you could take control of the apps running on the device, and leverage the apps to do what you choose."

The research is sort of a "next-next generation" to previous research into cellphone interception such as that of Kristin Paget at DEF CON 18 in 2010, when the researcher demonstrated security weaknesses in the GSM protocol using a homegrown GSM base station, running over ham-radio frequency, which spoofed a cell tower and lured unsuspecting phones to connect to it.

Meanwhile, the tricky part may be parsing out the offending code and determining who is responsible for patching it. "In most cases, the device manufacturers use a third party that provides a binary blob that gets put on the device and shipped. No one has full responsibility" for the software, Solnik tells us.

The majority of cellphones are vulnerable at some level, the researchers say, depending on the model and software, and the client software is configured differently in different types of devices. "On the Android, it lives in userland. Yet that does have a direct interface to baseband, and can change baseband settings as well as other things on the device."

While the researchers won't name names until their talk next week, they say some vendors' products are less vulnerable than others.

The researchers next week also will release a free tool to test devices for the flaws. The tool inventories what's running on the device, and detects any vulnerabilities in the apps, for example, says Blanchou, a senior research consultant at Accuvant.

But they emphasize they are not providing any exploit tools.

What can mobile phone users do to protect themselves in the meantime? "Make sure you update your device. That's pretty much the best recommendation," says Solnik.

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
7/31/2014 | 7:49:45 PM
Re: Naming Names
I bet that Samsung is top of the list. They are well known to delay critical updates to their products and have the most vulnerable bundled software.

Smart phones aren't really that smart at all. There is no ACL in place of which cell tower your device communicates to.

That being said, any smart phone can be compromised using a cell tower simulator to intercept voice/data and push malware enriched firmware to one's device without their knowledge.

Marilyn Cohodas
User Rank: Strategist
7/31/2014 | 12:07:35 PM
Naming Names
While the researchers won't name names until their talk next week, they say some vendors' products are less vulnerable than others.

That's information I will be checking back for after Black Hat! Thx Kelly!
Andre Leonard
User Rank: Strategist
7/31/2014 | 11:25:55 AM
Re: Worried
Outstanding observation. If a consumer really needs an app for everything, then buyer beware.
User Rank: Ninja
7/31/2014 | 11:17:25 AM
Hacks like these make me worried that even if we do manage to find a way to stop the governments of the world tracing our calls' metadata and content through ISPs, they'll just set up snooping stations in between, which we can do even less about.

Kelly Jackson Higgins
User Rank: Strategist
7/31/2014 | 11:16:39 AM
Re: Mobile Phone Threats 'Ownage'
I'll be interested to see just which vendors are tasked with the patches. Smartphones are such a maze of software, with cellular provider interfaces, hardware manufacturer software, the OS, and apps.
Andre Leonard
User Rank: Strategist
7/31/2014 | 11:01:06 AM
Mobile Phone Threats 'Ownage'
Let's face it. There will always be people whose mission is to hack, spoof, steal and infect systems. Like the poor, they are not going anywhere. The good news is, this will create opportunities for others to devise patches after the fact.