Smartphone Hack Highlights More GSM Woes

Published: 22/11/2024   Category: security




Researcher exploits new bugs in firmware to wrest control of vulnerable iPhone, Android devices



ARLINGTON, VA -- Black Hat DC -- A European researcher today showed how bugs he has discovered in the baseband chipset firmware of iPhone and Android smartphones could be exploited to ultimately take control of these devices.
Ralf-Philipp Weinmann, a researcher at the University of Luxembourg, was poised here to demonstrate an exploit he created that turns on the auto-answer feature on the affected smartphones and then uses them as remote listening devices. But he was unable to get his demo to run live successfully, in part due to poor cellular reception in the hotel where the conference was held.
Despite the demo glitch, security experts say the research marks a new generation of smartphone hacking.
"This is extremely significant," says Don Bailey, security consultant with iSec Partners. "Before, you could intercept calls, SMS, and in some cases GPRS [General Packet Radio Service]/EDGE, depending on if you had the requisite hardware."
And Weinmann's research achieves the endgame of code execution, Bailey says.
Weinmann is no stranger to smartphone hacking -- he and Vincenzo Iozzo, a researcher at Zynamics, last year won the PWN2OWN contest at CansecWest by exploiting the iPhone via Safari.
Hardware hacking expert Chris Paget successfully faked several attendees' cell phones into connecting to his phony GSM base station during a live demonstration at Defcon18 in Las Vegas in July. Paget, who says GSM is "broken," was demonstrating weaknesses in the GSM protocol by using a homegrown GSM base station. His so-called IMSI Catcher acted as a spoofed GSM tower and fake base station that fooled GSM smartphones into connecting to it.
GSM technology is used in 80 percent of the world's mobile phone calls today and has been the subject of previous security research poking holes in it. "The main problem is that GSM is broken. You have 3G and all of these later protocols with problems for GSM that have been known for decades. It's about time we move on," Paget said prior to his demonstration at DefCon.
Weinmann's attack takes it to another level: "Mine is more malicious ... I could break the phone and take it over with this attack," says Weinmann. But he says his goal was to make vendors and users aware of this threat, and he has no plans at this time to release his exploit.
"I don't want other people to use it for malicious purposes," he says.
Weinmann also points to security deficiencies in GSM technology. "GSM code was developed in the 1990s, and its security comes from the same [time frame]," Weinmann says. "There's not much checking on input, and network elements are considered trusted ... GSM and 3GPP have many length fields as well," he says.
Like Paget's, Weinmann's hack was relatively inexpensive to pull off. He ran OpenBTS (Open Base Transceiver Station) GSM access point software, some cheap hardware, and a clocking module -- all for about $1,500. The attack injects messages into layer three of the GSM stack, which then turns on the auto-answer function on the affected phones.
Weinmann discovered multiple bugs in the baseband processors, which transmit and receive radio signals on the cell network, including so-called unchecked memory copies, use after free, and a major stack buffer overflow in Qualcomm's cell baseband processor, which is used in many Android smartphones. He says Qualcomm has since fixed that bug and passed the fix to its OEMs. He also found an overflow bug in the Infineon TMSI baseband product, which is used in the iPhone.
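The "unchecked memory copy" and "length field" problems Weinmann describes come down to firmware trusting a length byte supplied over the air. The following C program is an added example, not code from the article or from any baseband vendor: it parses a hypothetical tag-length-value message format (a simplification, not the real GSM layer-3 encoding) and shows the two bounds checks a parser must apply before copying, one against the bytes actually received and one against the fixed-size destination buffer. The message bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not the article's or any vendor's code): a parser for a
 * hypothetical tag-length-value format, [tag:1][len:1][value:len]... , in
 * which every length field comes from the peer and must be validated. */

#define IE_MAX_VALUE 16          /* fixed-size destination, like a stack buffer */

typedef struct {
    uint8_t tag;
    uint8_t len;
    uint8_t value[IE_MAX_VALUE];
} ie_t;

enum {
    IE_OK            = 0,
    IE_ERR_TRUNCATED = -1,  /* length field claims more bytes than were received */
    IE_ERR_TOO_LONG  = -2   /* length field exceeds the destination buffer */
};

/* Parse one element at msg[*pos] into *out and advance *pos.
 * An unchecked implementation would do
 *     memcpy(out->value, msg + *pos + 2, msg[*pos + 1]);
 * trusting the peer-supplied length byte; with a value above IE_MAX_VALUE
 * that overruns value[]. Here both bounds are enforced before any copy. */
int parse_ie(const uint8_t *msg, size_t msg_len, size_t *pos, ie_t *out)
{
    if (*pos + 2 > msg_len)
        return IE_ERR_TRUNCATED;                 /* no room for tag and len */
    uint8_t tag = msg[*pos];
    uint8_t len = msg[*pos + 1];
    if (len > IE_MAX_VALUE)
        return IE_ERR_TOO_LONG;                  /* would overflow value[] */
    if (*pos + 2 + (size_t)len > msg_len)
        return IE_ERR_TRUNCATED;                 /* would read past the message */
    out->tag = tag;
    out->len = len;
    memcpy(out->value, msg + *pos + 2, len);
    *pos += 2 + (size_t)len;
    return IE_OK;
}

/* Walk a whole message. Returns the element count (>= 0) on success or the
 * negative error code from the first element whose length field is bad. */
int count_ies(const uint8_t *msg, size_t msg_len)
{
    size_t pos = 0;
    int count = 0;
    while (pos < msg_len) {
        ie_t ie;
        int rc = parse_ie(msg, msg_len, &pos, &ie);
        if (rc != IE_OK)
            return rc;
        count++;
    }
    return count;
}

/* Constructed sample messages. */
static const uint8_t good_msg[]      = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00 };
/* Second element claims 0x40 = 64 value bytes, more than IE_MAX_VALUE holds. */
static const uint8_t oversize_msg[]  = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x40, 'x' };
/* Element claims 5 value bytes but only 2 were received. */
static const uint8_t truncated_msg[] = { 0x01, 0x05, 'a', 'b' };

int main(void)
{
    int good = count_ies(good_msg, sizeof good_msg);
    int over = count_ies(oversize_msg, sizeof oversize_msg);
    int trunc = count_ies(truncated_msg, sizeof truncated_msg);
    printf("good: %d elements\n", good);          /* 2 */
    printf("oversize: rc=%d\n", over);            /* -2, rejected before copy */
    printf("truncated: rc=%d\n", trunc);          /* -1, rejected before read */
    return 0;
}
```

The order of the checks matters: the destination-capacity check runs before the copy, and the received-length check runs before any byte beyond the header is read, so a hostile length field can neither write past `value[]` nor read past the end of the received message.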
