Feeds

Malware-flingers can pwn your mobile with OVER-THE-AIR updates

German Fed-sponsored boffins: They have ways of hearing you talk

Seven Steps to Software Security

Vulnerabilities in the baseband processors of a wide range of mobile phones may allow attackers to inject malicious code, monitor calls, and extract confidential data stored on the device, according to recent research from mobile security experts. However, according to El Reg's mobile correspondent, Bill Ray, this would be extremely difficult to pull off.

A three-year research project by GSMK CryptoPhone has discovered that certain baseband processors - AKA phone modems - in smartphones can be manipulated by over-the-air updates without requiring any physical access to the victim's phone.

Compromised phones can then be used to record conversations or gain access to sensitive data. It would also be possible to monitor content being accessed through pwned smartphones.

GSMK CryptoPhone's research into mobile phone security was sponsored by the German Federal Ministry of Research. It found flaws in baseband processors from Qualcomm and Infineon that might be used to cause crashes, freeze applications, zap data from phones or - in the most extreme cases - push malicious code through over the air communications.

GSMK CryptoPhone has reported its findings to Qualcomm and Infineon and is holding back on publishing details of the most serious of the security bugs it has unearthed to give these manufacturers an opportunity to patch at least the most pressing vulnerabilities it has unearthed.

Baseband processors act as radio modems that control real-time communication functions between devices including Wi-Fi and Bluetootth links. The baseband stack in a smartphone is, effectively, an entirely separate computing device with its own processor, memory and storage, and will be as vulnerable as any embedded system.

According to ARM, a modern smartphone will contain somewhere between eight and 14 ARM processors, one of which will be the application processor (running Android or iOS or whatever), while another will be the processor for the baseband stack.

El Reg mobile man: It wouldn't be a trivial feat

Baseband flaws have turned up before, but the operating systems used are pretty old and thus fairly robust. El Reg mobile correspondent Bill Ray said he'd not heard of anyone successfully taking control of a baseband processor to install malware but added the caveat that such an attack is at least theoretically possible. "Getting from there into data stored on the phone would also not be trivial, so applicable only to specific models of handset and requiring a lot of effort," Ray said.

Bjoern Rupp, chief exec of GSMK CryptoPhone, explained: "While the attack is indeed not trivial, we have implemented a demonstrable exploit in the form of test malware which we successfully injected over the air interface, realising a very compact, minimally invasive attack which was optimised for minimal code payload in order to test our defence concept under realistic conditions."

Rupp said GSMK CryptoPhone had unearthed the flaws through a fuzzing process on the 2G and 3G interfaces of phones that involved attacking bugs in the security of baseband processors rather than in the mobile OS running on the smartphone or feature's phones main CPU. Tests by GSMK CryptoPhone suggest that 80 per cent of smartphones and feature phones are potentially vulnerable to attacks against mobile phone components that are more or less independent of the operating system run by a smartphone or less advanced feature phone.

"We tested various attacks against products made by Apple (iPhone/iPad), HTC, Motorola and Nokia," Rupp explained. "We have been able to compromise entire product ranges using the same baseband processor family. The consequences of the vulnerabilities that we identified range from attacker-induced crashes to infinite loops, remote 'freezing' and 'zapping' of mobile devices, and last but not least of course the 'royal league' of attacks, remote code execution via the air interface."

GSMK Cryptophone said that code execution on the base processor can be a springboard for attacks on a phone's main CPU.

"Access from the main CPU (and OS) to the baseband processor is typically only via a serial port that accepts AT commands, even though there are various methods to start code on the baseband processor from the main CPU (one example is a known bug in the AT+XAPP command)," Rupp explained.

Attacking the main CPU of a mobile from the baseband processor can be compared to attacking the CPU of a PC through its graphic processor.

"Just like on PCs, modern (smart)phone designs are based on a shared memory architecture," Rupp told El Reg. "In other words, the baseband processor and the application processor share the same physical memory to communicate with each other. Even though there are various protection techniques like DEP (Data Execution Prevention) in place that should in principle prevent that, memory pages which contain executable code can be written to.

"All the techniques found on currently shipping baseband processors that we have looked into have issues or are only partially implemented. Once you have gained initial data access to the baseband processor beyond the strict limits of the 2G/3G protocols (eg, via a buffer overflow attack), it is possible to write data in these memory areas, and get [injected code] executed by the processor later on."

Rupp said that mobile attacks against baseband processors are technically difficult but possible. "Advanced but well-established attack techniques that allow you to circumvent privilege separation and thus execute privileged processor operations without having to coordinate that with the operating system. By manipulating memory mapping of the target system, you can also gain many insights into what else you can do," Rupp said.

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.