Malware-flingers can pwn your mobile with over-the-air updates

Vulnerabilities in the baseband processors of a wide range of mobile phones may allow attackers to inject malicious code, monitor calls, and extract confidential data stored on the device, according to recent research from mobile security experts. However, this would be extremely difficult to pull off. A three-year research …


This topic is closed for new posts.
  1. LarsG

    They found this 'problem' and then produced a marketable phone/ firewall!

    In the real world is this really an issue or is this just scare mongering to help sell a product?

    1. Anonymous Coward

      In the real world is this really an issue or is this just scare mongering to help sell a product?

      The latter. Risk = Impact x likelihood, and to perform on-air injections into baseband code a couple of factors need to occur at the same time:

      - you must be local. You have to take over the phone-to-cell data stream. Bad marks there for providers, if we could lock a phone to stick to crypto only this would not be an issue to start with, but the GSM standard is broken so far that phones don't even show anymore when they go unencrypted. On the plus side, you don't need to be in view.

      - you need seriously expensive kit. I may be wrong here, but the analysis kit I have seen costs the price of an upper-class car (think 6 digits and up), I'm not sure if your average softradio + OpenBTS combination will be up to this.

      - you hope the target has a phone with the vulnerability or you're hosed. That requires research, but is not impossible to do.

      - a data tap bug establishes more connections, which can be discovered. These discoveries tend to be triggered by an investigation into why battery life has dropped.

      In summary, it seems like hard work. If you're prepared to do that much effort, a bit of social engineering and creativity will get you up close so you can just bug the target (which also helps with non-call conversations).

      Now, the "solution". They start with Android, which pretty much hoses the concept from the start (iOS is only marginally better). Secondly, using a tech solution for a human problem starts an arms race, and the client who spends that much on a phone without bling will automatically draw attention to themselves - the opposite of what you want to achieve if you really seek discretion. There are better ways to waylay surveillance - "secure" phones (so far an unproven assertion by the supplier) are far too visible.

      Would you trust a secure phone not to be equipped "Clipper-alike"? If I was in a nation's intelligence service, that's exactly the phone I would backdoor as it would give me more focused intel.

      1. Christian Berger

        Actually the cost for signalling attack hardware has now dropped to the cost of some cheap Motorola featurephone, about 15 Euros, or 70 Euros if you want to have the modification so you have better performance.

        The USRP SDR based solutions or the ones based on actual BTSes are more expensive, but they enable you to do everything the network can do.

    2. JCitizen

      I already know of one similar example...

      The subject (target) realized their Mac Air was under attack, and during the effort to regain control of the Mac, the attacker used the subject's own smart phone to re-acquire the Mac through Bluetooth. Now these were heavy hitters in what amounts to an obvious (because of the subject's IP in security-related products) attempt at either shutting down the business or stealing IP as in industrial espionage. Either way this person was put out of business, and cannot function in a modern IT world right now.

      After seeing this, I can believe anything! I haven't got a link, because the user wants anonymity, which is understandable because of a certain standing in the security community.

  2. frank ly

    Something similar happened to me

    Sometime last year, an organisation called HTC pushed out a software change to my Incredible-S phone, codenamed 'ICS Update', which noticeably slowed it down and changed the GUI in a way that made it confusing to use as well as reducing the battery life.

    They did this by using 'social engineering' in conjunction with an entity called Google that fed stories to the press saying that ICS was smoother and faster and had efficiencies that improved battery life, even on older phones. You have to be careful and you can't trust anyone.

  3. Christian Berger

    "...but the operating systems used are pretty old and thus fairly robust."

    I'm sorry, but just because software is old, it doesn't mean it's good. Windows for example had perfectly well documented exploitable flaws in its API for decades (LNK Autostart "bug" used in Stuxnet).

    Baseband code isn't looked at by many people. Large parts of it were developed in the early 1990s when people didn't know about security. It was never tested against malicious attackers.

    In fact if you look into the whole picture, you will even find deliberate security holes. For example your operator can use the SIM toolkit to just change the number you are dialling to anything they want. This probably even works for other operators when you are roaming. Trusting that your call actually arrives at the number you have called is the trusted element in many "secure" systems. You'd be surprised how many PCAnywhere installations relied on call-back for security.

    Mobile phones (both smart and dumb ones) aren't secure devices, they probably will never be. That's why the part the operators care about is in an extra module (the SIM). We need to stop thinking that those devices and networks are just secure black boxes.

  4. MacGyver

    This just in...

    In the future phone hacks will be "pushed" into the device via a targeted electron beam designed to flip the state of the individual electrons in memory so as to "install" the malware; only our patented Tin-Foil cover will stop it.

  5. hugo tyson

    Baseband code is old, but...

    ...that's mainly because if you change it at all, you have re-do all the certification.

    So they're very very reluctant to change anything. At all. Ever.

    1. Christian Berger

      Re: Baseband code is old, but...

      Well actually they do change things to support new features and iron out bugs. Your shiny new LTE stick still has all the old GSM code for voice and CSCD in it. And that code can be used if the system decides to switch to GSM.

  6. Anonymous Coward

    and yet the makers of Spooks or <insert spy show/film> have worked so hard to make things realistic so you never see them hack (or crack if they're trying to be clever) into someone's phone!

  7. artbristol

    Specific hardware combinations

    If a single attack works against iPhone 4, 4S and 5 (for example - I'm not trying to single out Apple), then that's 30% of mobile users already. So it's actually quite dangerous.

  8. Katie Saucey

    "....or run from the infrastructure of a 'co-operative' telco."

    Should be safe from snooping, unless there's a carpet cleaning van following nearby with umpteen broadcast wires/dishes on it, 'cause there is no way the gov could ever get the carriers in on this...right? right? </sarcasm>

  9. Timo

    I think the current mobile manufacturers already have this patented.

    Wife has a Huawei android handset. That thing gets OTA updates, officially signed and everything. That malware that gets installed manages to drop calls, lock up, shut itself off, reboot randomly. So much that I'm wondering why a haxor would want to mess with it (won't even stay up long enough to be useful.)

    What do hackers think they can do... make it shut down more than it already does????

    My other instinct is to ask "if the manufacturers can't even figure out how to write software, then how is a hacker going to do it?", but I think the answer there is that the manufacturers only really bother on the hardware, and software is an afterthought. So virtually anyone else could do better. Maybe they'll fix bugs instead?

  10. Chairo

    Baseband vulnerabilities

    can and have been used to bypass carrier SIM locks, so it is a safe bet that any hole in this code will be fixed with very high priority.

    Manufacturers might not care if their customers get p0wned or not, but they DO care about their bottom line.


Biting the hand that feeds IT © 1998–2022