Ralf-Philipp Weinmann, a researcher at the University of Luxembourg, was poised here to demonstrate an exploit he created that turns on the auto-answer feature on the affected smartphones and then uses them as remote listening devices. But he was unable to get his demo to run live successfully, in part due to poor cellular reception in the hotel where the conference was held.
Despite the demo glitch, security experts say the research marks a new generation of smartphone hacking.
"This is extremely significant," says Don Bailey, security consultant with iSec Partners. "Before, you could intercept calls, SMS, and in some cases GPRS [General Packet Radio Service]/EDGE, depending on if you had the requisite hardware."
And Weinmann's research achieves the endgame of code execution, Bailey says.
Weinmann is no stranger to smartphone hacking -- he and Vincenzo Iozzo, a researcher at Zynamics, last year won the PWN2OWN contest at CansecWest by exploiting the iPhone via Safari.
Hardware hacking expert Chris Paget successfully faked several attendees' cell phones into connecting to his phony GSM base station during a live demonstration at Defcon18 in Las Vegas in July. Paget, who says GSM is "broken," was demonstrating weaknesses in the GSM protocol by using a homegrown GSM base station. His so-called "IMSI Catcher" acted as a spoofed GSM tower and fake base station that fooled GSM smartphones into connecting to it.
GSM technology is used in 80 percent of the world's mobile phone calls today and has been the subject of previous security research poking holes in it. "The main problem is that GSM is broken. You have 3G and all of these later protocols with problems for GSM that have been known for decades. It's about time we move on," Paget said prior to his demonstration at DefCon.
Weinmann's attack takes it to another level: "Mine is more malicious ... I could break the phone" and take it over with this attack, says Weinmann. But he says his goal was make vendors and users aware of this threat, and he has no plans at this time to release his exploit.
"I don't want other people to use it for malicious purposes," he says.
Weinmann also points to security deficiencies in GSM technology. "GSM code was developed in the 1990s, and its security comes from the same [time frame], Weinmann says. "There's not much checking on input, and network elements are considered trusted ... GSM and 3GPP have many length fields" as well, he says.
Like Paget's, Weinmann's hack was relatively inexpensive to pull off. He ran OpenBTS (Open Base Transceiver Station) GSM access point software, some cheap hardware, and a clocking module -- all for about $1,500. The attack injects messages into layer three of the GSM stack, which then turns on the auto-answer function on the affected phones.
Wienmann discovered multiple bugs in the baseband processors, which transmit and receive radio signals on the cell network, including so-called unchecked memory copies, "use after free," and a major stack buffer overflow in QualComm's cell baseband processor, which is used in many Android smartphones. He says Qualcomm has since fixed that bug and passed the fix to its OEMs. He also found an overflow bug in the Infineon TMSI baseband product, which is used in the iPhone.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.