New Smart Phone Hack Could Expose Cell Network

Researchers have hacked a built-in maintenance application found on many smart phones that could open the door to hacking the cellular network itself.

David Maynor, CTO for Errata Security, this weekend at the Summercon security confab in Atlanta will demonstrate a tool built by Errata that provides a peek into the inner workings of the cell network, such as the frequency at which a smart phone is operating. Maynor will also explain how he reverse engineered the so-called Field Test application found in Windows Mobile and Apple iPhone smart phones in advance of Errata's building the tool.

Errata calls its hack “cellular spelunking,” and will release the source code for its new tool in conjunction with Maynor’s presentation. Maynor says the tool is aimed at cell network providers and smart phone manufacturers, as well as “people who want to know how cell networks work.”

“I don’t know why these [maintenance] apps are on a phone for consumers,” says Maynor, who says his demo won’t contain any potentially unlawful or malicious hacking activities. “If you start looking at security as whole, mobile devices are a larger concern... This is really an unexplored area of security.”

Maynor says Errata didn’t exploit any vulnerabilities in the hack -- that wasn’t necessary, he says. “This weakness in the phone leads to a greater understanding of the network as a whole.”

Cell network security is a tricky area for researchers given strict regulations protecting the cellular infrastructure. Still, it’s increasingly becoming an area of interest for security researchers -- a pair of researchers at Black Hat USA earlier this year demonstrated how they had cracked the encryption in GSM mobile phones and could intercept voice conversations and SMS text messages. (See Encrypted GSM Voice Calls & SMS Messages Hacked in Minutes.)

Errata’s new hacking tool runs on an iPhone and gathers information about the cellular network to which the smart phone is connected.

Cell networks weren’t built with security in mind, Maynor says. And knowing the frequency of a smart phone means you can also find control channels for the cell towers, Maynor says, many of which carry information such as SMS messages destined to all phones in that cell area, for instance. “It would be the equivalent of turning on a sniffer on a computer for certain types of data,” he says.

Errata’s hack basically demonstrates how you can use information from the smart phone to get more access to the cell network than a user is supposed to have, Maynor says. And if Errata’s new tool were paired with the Universal Software Radio Peripheral (USRP), for example, he says, an attacker could hack the cell network itself.

Another danger, of course, would be an attacker exploiting the smart phone’s information to launch a malware attack that could disrupt the cell network.

Maynor, meanwhile, plans to release a white paper for his presentation that provides more details on how he reverse engineered the Field Test smart phone app and what he discovered during the process.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.