Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

7/31/2014
08:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New Mobile Phone '0wnage' Threat Discovered

Widespread major vulnerabilities discovered in client control software that affect nearly all smartphone platforms: Details to come at Black Hat USA next week.

Rogue cellular towers and phony base stations long have been a tradition of researchers at Black Hat and DEF CON, who test and demonstrate how they can intercept or manipulate cellphones, but a team of researchers has found a deeper problem of major security vulnerabilities in the client control software running on the majority of mobile phones around the world.

Accuvant Labs researchers Mathew Solnik and Marc Blanchou -- who will provide details and demonstrations of their findings next week at Black Hat USA in Las Vegas -- say they found a variety of serious flaws in the software that sits on Android, BlackBerry, and Apple iOS smartphones and embedded devices that handle everything from firmware, cell network baseband parameters, CDMA settings, and LTE settings, to device-wiping, Bluetooth, GPS, encryption, software activation, and battery monitoring, among other functions.

Attackers using a rogue base station could exploit these flaws to wrest control of the mobile devices themselves, or remotely spread malware on devices connecting to the station, for example. "The attacks require more or less a rogue femtocell, or base station," says Solnik, a research scientist with Accuvant. Such hardware is relatively simple to acquire: He and Blanchou purchased a base station for under $1,000 for their research, and were able to conduct their proof-of-concept attacks anywhere from 30 feet to 30 yards away from the targeted phones.

The attack is not for the novice hacker, however: "The ability and knowledge sets to run it in the way it needs to be done to take advantage of the vulnerabilities requires very specific knowledge of how they work," Solnik says. In other words, it would take a sophisticated and determined attacker, likely targeting an individual or group of individuals.

Larger GSM hardware can cost hundreds of thousands of dollars, but these systems could be used to wage attacks from afar, he says.

Solnik and Blanchou say they found that device authentication was completely bypassable in some devices, as the authentication tokens used to verify the clients to the servers can be "pre-calculated. "And the encryption used, which is based on SSL, is not properly verifying the remote hostname in certain cases," Solnik says.

Those two bugs alone could allow an attacker with a base station to take over the mobile devices altogether, he says. "We also found fairly significant memory corruption vulnerabilities" that would allow remote code execution on many of the devices, as well as integer overflow flaws.

"If you had the [proper] equipment and proximity, you would not need to know anything about the device. You could pretend to be a cell carrier and intercept. And acting as a cell carrier, you could take control of the apps running on the device, and leverage the apps to do what you choose."

The research is sort of a "next-next generation" to previous research into cellphone interception such as that of Kristin Paget at DEF CON 18 in 2010, when the researcher demonstrated  security weaknesses in the GSM protocol using a homegrown GSM base station, running over ham-radio frequency, which spoofed a cell tower and lured unsuspecting phones to connect to it.

Meanwhile, the tricky part may be parsing out the offending code and determining who is responsible for patching it. "In most cases, the device manufacturers use a third party that provides a binary blob that gets put on the device and shipped. No one has full responsibility" for the software, Solnik tells us.

The majority of cellphones are vulnerable at some level, the researchers say, depending on the model and software, and the client software is configured differently in different types of devices. "On the Android, it lives in userland. Yet that does have a direct interface to baseband, and can change baseband settings as well as other things on the device."

While the researchers won't name names until their talk next week, they say some vendors' products are less vulnerable than others.

The researchers next week also will release a free tool to test devices for the flaws. The tool inventories what's running on the device, and detects any vulnerabilities in the apps, for example, says Blanchou, a senior research consultant at Accuvant.

But they emphasize they are not providing any exploit tools.

What can mobile phone users do to protect themselves in the meantime? "Make sure you update your device. That's pretty much the best recommendation," says Solnik.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
theb0x
50%
50%
theb0x,
User Rank: Ninja
7/31/2014 | 7:49:45 PM
Re: Naming Names
I bet that Samsung is top of the list. They are well known to delay critical updates to their products and have the most vulnerable bundled software.

Smart phones aren't really that smart at all. There is no ACL in place of which cell tower your device communicates to.

That being said, any smart phone can be compromised using a cell tower simulator to intercept voice/data and push malware enriched firmware to one's device without their knowledge.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/31/2014 | 12:07:35 PM
Naming Names
While the researchers won't name names until their talk next week, they say some vendors' products are less vulnerable than others.

That's information I will be checking back for after Black Hat! Thx Kelly!
Andre Leonard
50%
50%
Andre Leonard,
User Rank: Strategist
7/31/2014 | 11:25:55 AM
Re: Worried
Outstanding observation. If a consumer really needs an app for everything. Then buyer beware.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
7/31/2014 | 11:17:25 AM
Worried
Hacks like these make me worried that even if we do manage to find a way to stop the governments of the world tracing our calls metadata and content throug ISPs, that they'll just set up snooping stations in between which we can do even less about. 

 
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
7/31/2014 | 11:16:39 AM
Re: Mobile Phone Threats 'Ownage'
I'll be interested to see just which vendors are tasked with the patches. Smartphones are such a maze of software, with cellular provider interfaces, hardware manufacturer software, the OS, and apps. 
Andre Leonard
100%
0%
Andre Leonard,
User Rank: Strategist
7/31/2014 | 11:01:06 AM
Mobile Phone Threats 'Ownage'
Let's face it. There will always be people who's mission is to hack, spoof, steal and infect systems. Like the poor, they are not going anywhere. The good news is, this will create opportunites for others to devise patches after the fact.
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11997
PUBLISHED: 2021-01-19
Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that co...
CVE-2020-27266
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass user authentication checks via Bluetooth Low Energy.
CVE-2020-27268
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass checks for default PINs via Bluetooth Low Energy.
CVE-2020-27269
PUBLISHED: 2021-01-19
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications lacks replay protection measures, which allows unauthenticated, physically proximate attackers to replay communication sequences vi...
CVE-2020-28707
PUBLISHED: 2021-01-19
The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens fo...