Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

7/31/2014
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Mobile Phone '0wnage' Threat Discovered

Widespread major vulnerabilities discovered in client control software that affect nearly all smartphone platforms: Details to come at Black Hat USA next week.

Rogue cellular towers and phony base stations long have been a tradition of researchers at Black Hat and DEF CON, who test and demonstrate how they can intercept or manipulate cellphones, but a team of researchers has found a deeper problem of major security vulnerabilities in the client control software running on the majority of mobile phones around the world.

Accuvant Labs researchers Mathew Solnik and Marc Blanchou -- who will provide details and demonstrations of their findings next week at Black Hat USA in Las Vegas -- say they found a variety of serious flaws in the software that sits on Android, BlackBerry, and Apple iOS smartphones and embedded devices that handle everything from firmware, cell network baseband parameters, CDMA settings, and LTE settings, to device-wiping, Bluetooth, GPS, encryption, software activation, and battery monitoring, among other functions.

Attackers using a rogue base station could exploit these flaws to wrest control of the mobile devices themselves, or remotely spread malware on devices connecting to the station, for example. "The attacks require more or less a rogue femtocell, or base station," says Solnik, a research scientist with Accuvant. Such hardware is relatively simple to acquire: He and Blanchou purchased a base station for under $1,000 for their research, and were able to conduct their proof-of-concept attacks anywhere from 30 feet to 30 yards away from the targeted phones.

The attack is not for the novice hacker, however: "The ability and knowledge sets to run it in the way it needs to be done to take advantage of the vulnerabilities requires very specific knowledge of how they work," Solnik says. In other words, it would take a sophisticated and determined attacker, likely targeting an individual or group of individuals.

Larger GSM hardware can cost hundreds of thousands of dollars, but these systems could be used to wage attacks from afar, he says.

Solnik and Blanchou say they found that device authentication was completely bypassable in some devices, as the authentication tokens used to verify the clients to the servers can be "pre-calculated. "And the encryption used, which is based on SSL, is not properly verifying the remote hostname in certain cases," Solnik says.

Those two bugs alone could allow an attacker with a base station to take over the mobile devices altogether, he says. "We also found fairly significant memory corruption vulnerabilities" that would allow remote code execution on many of the devices, as well as integer overflow flaws.

"If you had the [proper] equipment and proximity, you would not need to know anything about the device. You could pretend to be a cell carrier and intercept. And acting as a cell carrier, you could take control of the apps running on the device, and leverage the apps to do what you choose."

The research is sort of a "next-next generation" to previous research into cellphone interception such as that of Kristin Paget at DEF CON 18 in 2010, when the researcher demonstrated  security weaknesses in the GSM protocol using a homegrown GSM base station, running over ham-radio frequency, which spoofed a cell tower and lured unsuspecting phones to connect to it.

Meanwhile, the tricky part may be parsing out the offending code and determining who is responsible for patching it. "In most cases, the device manufacturers use a third party that provides a binary blob that gets put on the device and shipped. No one has full responsibility" for the software, Solnik tells us.

The majority of cellphones are vulnerable at some level, the researchers say, depending on the model and software, and the client software is configured differently in different types of devices. "On the Android, it lives in userland. Yet that does have a direct interface to baseband, and can change baseband settings as well as other things on the device."

While the researchers won't name names until their talk next week, they say some vendors' products are less vulnerable than others.

The researchers next week also will release a free tool to test devices for the flaws. The tool inventories what's running on the device, and detects any vulnerabilities in the apps, for example, says Blanchou, a senior research consultant at Accuvant.

But they emphasize they are not providing any exploit tools.

What can mobile phone users do to protect themselves in the meantime? "Make sure you update your device. That's pretty much the best recommendation," says Solnik.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
theb0x
50%
50%
theb0x,
User Rank: Ninja
7/31/2014 | 7:49:45 PM
Re: Naming Names
I bet that Samsung is top of the list. They are well known to delay critical updates to their products and have the most vulnerable bundled software.

Smart phones aren't really that smart at all. There is no ACL in place of which cell tower your device communicates to.

That being said, any smart phone can be compromised using a cell tower simulator to intercept voice/data and push malware enriched firmware to one's device without their knowledge.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/31/2014 | 12:07:35 PM
Naming Names
While the researchers won't name names until their talk next week, they say some vendors' products are less vulnerable than others.

That's information I will be checking back for after Black Hat! Thx Kelly!
Andre Leonard
50%
50%
Andre Leonard,
User Rank: Strategist
7/31/2014 | 11:25:55 AM
Re: Worried
Outstanding observation. If a consumer really needs an app for everything. Then buyer beware.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
7/31/2014 | 11:17:25 AM
Worried
Hacks like these make me worried that even if we do manage to find a way to stop the governments of the world tracing our calls metadata and content throug ISPs, that they'll just set up snooping stations in between which we can do even less about. 

 
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
7/31/2014 | 11:16:39 AM
Re: Mobile Phone Threats 'Ownage'
I'll be interested to see just which vendors are tasked with the patches. Smartphones are such a maze of software, with cellular provider interfaces, hardware manufacturer software, the OS, and apps. 
Andre Leonard
100%
0%
Andre Leonard,
User Rank: Strategist
7/31/2014 | 11:01:06 AM
Mobile Phone Threats 'Ownage'
Let's face it. There will always be people who's mission is to hack, spoof, steal and infect systems. Like the poor, they are not going anywhere. The good news is, this will create opportunites for others to devise patches after the fact.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25595
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. The PCI passthrough code improperly uses register data. Code paths in Xen's MSI handling have been identified that act on unsanitized values read back from device hardware registers. While devices strictly compliant with PCI specifications shouldn't be ...
CVE-2020-5783
PUBLISHED: 2020-09-23
In IgniteNet HeliOS GLinq v2.2.1 r2961, the login functionality does not contain any CSRF protection mechanisms.
CVE-2020-11031
PUBLISHED: 2020-09-23
In GLPI before version 9.5.0, the encryption algorithm used is insecure. The security of the data encrypted relies on the password used, if a user sets a weak/predictable password, an attacker could decrypt data. This is fixed in version 9.5.0 by using a more secure encryption library. The library c...
CVE-2020-5781
PUBLISHED: 2020-09-23
In IgniteNet HeliOS GLinq v2.2.1 r2961, the langSelection parameter is stored in the luci configuration file (/etc/config/luci) by the authenticator.htmlauth function. When modified with arbitrary javascript, this causes a denial-of-service condition for all other users.
CVE-2020-5782
PUBLISHED: 2020-09-23
In IgniteNet HeliOS GLinq v2.2.1 r2961, if a user logs in and sets the ‘wan_type’ parameter, the wan interface for the device will become unreachable, which results in a denial of service condition for devices dependent on this connection.