Rogue cellular towers and phony base stations have long been a tradition among researchers at Black Hat and DEF CON, who test and demonstrate how they can intercept or manipulate cellphones. But a team of researchers has found a deeper problem: major security vulnerabilities in the client control software running on the majority of mobile phones around the world.
Accuvant Labs researchers Mathew Solnik and Marc Blanchou -- who will provide details and demonstrations of their findings next week at Black Hat USA in Las Vegas -- say they found a variety of serious flaws in the client software that sits on Android, BlackBerry, and Apple iOS smartphones and on embedded devices. That software handles everything from firmware, cell network baseband parameters, CDMA settings, and LTE settings, to device-wiping, Bluetooth, GPS, encryption, software activation, and battery monitoring, among other functions.
Attackers using a rogue base station could exploit these flaws to wrest control of the mobile devices themselves, or remotely spread malware on devices connecting to the station, for example. "The attacks require more or less a rogue femtocell, or base station," says Solnik, a research scientist with Accuvant. Such hardware is relatively simple to acquire: He and Blanchou purchased a base station for under $1,000 for their research, and were able to conduct their proof-of-concept attacks anywhere from 30 feet to 30 yards away from the targeted phones.
The attack is not for the novice hacker, however: "The ability and knowledge sets to run it in the way it needs to be done to take advantage of the vulnerabilities requires very specific knowledge of how they work," Solnik says. In other words, it would take a sophisticated and determined attacker, likely targeting an individual or group of individuals.
Larger GSM hardware can cost hundreds of thousands of dollars, but these systems could be used to wage attacks from afar, he says.
Solnik and Blanchou say they found that device authentication was completely bypassable in some devices, because the authentication tokens used to verify the clients to the servers can be "pre-calculated." "And the encryption used, which is based on SSL, is not properly verifying the remote hostname in certain cases," Solnik says.
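To make the second of those bugs concrete, here is an added example (not code from the article, from Accuvant, or from any vendor's client) showing what "properly verifying the remote hostname" means for a TLS client. It implements RFC 6125-style matching of certificate names against a hostname, runs it over a constructed certificate dict in the shape Python's `getpeercert()` returns, and places the weak `SSLContext` configuration (channel encrypted, but any certificate accepted, which is exactly what a rogue base station needs) beside the hardened one, with a small audit helper a defender can point at client code. All names, the sample certificate, and the `dm.example.com` hostnames are constructed for illustration.

```python
"""Added example: hostname verification for a TLS client, with the weak
and the hardened SSLContext side by side. Not from the article or Accuvant."""
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a hostname.

    Rules implemented: case-insensitive comparison; at most one wildcard,
    only as the entire left-most label; a wildcard never spans a dot and
    never matches a bare registrable domain ('*.com' != 'example.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label, appear once, and leave at
    # least two fixed labels to the right of it.
    if p_labels[0] != "*" or pattern.count("*") != 1 or len(p_labels) < 3:
        return False
    # A wildcard label matches exactly one hostname label, never several.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Check a cert in ssl.SSLSocket.getpeercert() dict format against hostname.

    Only DNS subjectAltName entries are consulted; the subject CN is ignored,
    as modern TLS clients do. A cert with no DNS SANs fails closed.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    return any(hostname_matches(name, hostname) for name in dns_names)


# Constructed sample certificate dict (illustrative; not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "dm.example.com"),),),
    "subjectAltName": (("DNS", "dm.example.com"), ("DNS", "*.dm.example.com")),
}


def weak_context() -> ssl.SSLContext:
    """The anti-pattern: the channel is encrypted, but any certificate from
    anyone is accepted, so an attacker who controls the network path can
    present their own cert and be trusted as the management server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validation plus hostname check (the library default, restated
    explicitly so a reviewer can see both settings)."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit helper: both settings are needed. Chain validation without a
    hostname check accepts any valid cert for any name; a hostname check
    without chain validation accepts a self-signed cert for the right name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    print(cert_matches_host(SAMPLE_CERT, "dm.example.com"))        # True
    print(cert_matches_host(SAMPLE_CERT, "portal.dm.example.com")) # True
    print(cert_matches_host(SAMPLE_CERT, "evil.example.com"))      # False
    print(context_is_safe(weak_context()))                         # False
    print(context_is_safe(hardened_context()))                     # True
```

The design point worth noting is in `context_is_safe`: the two checks are independent, and the researchers' description ("based on SSL, not properly verifying the remote hostname") is the case where the first is present and the second is missing, which still leaves the client willing to talk to any server holding any valid certificate.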
Those two bugs alone could allow an attacker with a base station to take over the mobile devices altogether, he says. "We also found fairly significant memory corruption vulnerabilities" that would allow remote code execution on many of the devices, as well as integer overflow flaws.
"If you had the [proper] equipment and proximity, you would not need to know anything about the device. You could pretend to be a cell carrier and intercept. And acting as a cell carrier, you could take control of the apps running on the device, and leverage the apps to do what you choose."
The research is sort of a "next-next generation" of previous research into cellphone interception, such as that of Kristin Paget at DEF CON 18 in 2010, when the researcher demonstrated security weaknesses in the GSM protocol using a homegrown GSM base station, running on ham-radio frequencies, that spoofed a cell tower and lured unsuspecting phones into connecting to it.
Meanwhile, the tricky part may be parsing out the offending code and determining who is responsible for patching it. "In most cases, the device manufacturers use a third party that provides a binary blob that gets put on the device and shipped. No one has full responsibility" for the software, Solnik tells us.
The majority of cellphones are vulnerable at some level, the researchers say, depending on the model and software, and the client software is configured differently in different types of devices. "On the Android, it lives in userland. Yet that does have a direct interface to baseband, and can change baseband settings as well as other things on the device."
While the researchers won't name names until their talk next week, they say some vendors' products are less vulnerable than others.
The researchers next week also will release a free tool to test devices for the flaws. The tool inventories what's running on the device, and detects any vulnerabilities in the apps, for example, says Blanchou, a senior research consultant at Accuvant.
But they emphasize they are not providing any exploit tools.
What can mobile phone users do to protect themselves in the meantime? "Make sure you update your device. That's pretty much the best recommendation," says Solnik.