Feeds

Android respawn horror: Hacker says hackers' phones hacked

Defcon visitors see handsets being scoped

The Essential Guide to IT Transformation

Claims that both CDMA and 4G networks were compromised at the recent Defcon security event in Las Vegas have raised little surprise, but the vulnerability of handsets is hotly debated.

The claim was made by coderman, a stalwart of security conferences, who reports that he witnessed an advanced man-in-the-middle attack operating on both CDMA and UMTS networks and masterminded by an amalgam of Anon and Lulz. This attack was apparently able to identify connected devices and run through known exploits before falling back to ask the user's permission to install.

The symptoms of infection include "3G/4G* signal anomalies", "Android [device] at full charged plugged in, but dropping to <50% charge once unplugged", "Android services that immediately respawn when killed" and "a hard freeze, and then take[ing] a long time to reboot".

Android users might recognise that as SNAFU, but according to coderman it indicates the user has fallen prey to hackers from the usually-desperate groups Anon and Lulz.

Other attendees are less certain, with many asking for more evidence (we did too, with equal lack of success). While it's hard to see if the attack happened as described much of it is plausible and follows a steady erosion of the security around cellular networks, which have stood the test of time well but are now recognised as weakening.

Critically the 2G networks do not authenticate both ways – the handset authenticates to the network, but not the other way round – so it's relatively easy for an attacker to set up a femtocell and intercept communications. Handsets will also drop the encryption level on request by the network, which is required for use in countries where strong encryption is still verboten but provides an opportunity for the attacker to simply switch off the encryption.

Handsets are supposed to display such a change of status to the user, but they don't.

Faking a call is still very hard, the secret shared between the SIM and the network authentication centre remains secure and hard to crack as ever, but once the encryption is off then data can be intercepted and false updates can be pushed out to smartphones.

In most cases such updates will require user permission to install, and will need to be signed or present additional dialogs, but users will generally agree to anything they're presented with. The Defcon attendees might be more cautious, but the technique should be expected elsewhere.

Certainly there are numerous reports of strange cell sites popping up during the conference.

Our man on the ground, Dan Goodin, didn't see any himself, but as handsets automatically connect to the nearest base station with the right operator code there's no obvious notification and little to stop calls and data being intercepted.

3G networks, including HSPA, are a lot more secure and authenticate in both directions. That makes interception harder, but not impossible. Interception is then dependent on the encryption being used; A5/3 is mandated in Europe and really hard to break, but not widely used. The USA still seems to be using A5/2, at best, for some reason.

So interception of cellular data is eminently plausible, and faking updates is also plausible, but when it comes to inserting malicious code into handsets one is just as dependent on the mobile OS as if one were connecting over a Wi-Fi connection.

Which is rather the point: we've already seen network intercept equipment coming down in price, and suggestions that mobile networks are about as secure as Wi-Fi, so it's not surprising that Defcon saw a lot of people trying out this new vector of attack. Whether they managed to insert malicious code into nearly every device they saw, as coderman claims, is more open to question, but mobile OS vendors need to be aware that they can't rely on the network to protect them anymore. ®

* The United States calls HSPA "4G"; there's no suggestion of LTE networks being attacked.

Build a business case: developing custom apps

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
Leaked Windows Phone 8.1 Update specs tease details of Nokia's next mobes
New screen sizes, dual SIMs, voice over LTE, and more
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Mozilla keeps its Beard, hopes anti-gay marriage troubles are now over
Plenty on new CEO's todo list – starting with Firefox's slipping grasp
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.