
Malware-flingers can pwn your mobile with OVER-THE-AIR updates

German Fed-sponsored boffins: They have ways of hearing you talk


Vulnerabilities in the baseband processors of a wide range of mobile phones may allow attackers to inject malicious code, monitor calls, and extract confidential data stored on the device, according to recent research from mobile security experts. However, according to El Reg's mobile correspondent, Bill Ray, this would be extremely difficult to pull off.

A three-year research project by GSMK CryptoPhone has discovered that certain baseband processors - AKA phone modems - in smartphones can be manipulated by over-the-air updates without requiring any physical access to the victim's phone.

Compromised phones can then be used to record conversations or gain access to sensitive data. It would also be possible to monitor content being accessed through pwned smartphones.

GSMK CryptoPhone's research into mobile phone security was sponsored by the German Federal Ministry of Research. It found flaws in baseband processors from Qualcomm and Infineon that might be used to cause crashes, freeze applications, zap data from phones or - in the most extreme cases - push malicious code through over the air communications.

GSMK CryptoPhone has reported its findings to Qualcomm and Infineon and is holding back on publishing details of the most serious of the security bugs it has unearthed, to give these manufacturers an opportunity to patch at least the most pressing vulnerabilities.

Baseband processors act as radio modems that control real-time communication functions between devices, including Wi-Fi and Bluetooth links. The baseband stack in a smartphone is, effectively, an entirely separate computing device with its own processor, memory and storage, and will be as vulnerable as any embedded system.

According to ARM, a modern smartphone will contain somewhere between eight and 14 ARM processors, one of which will be the application processor (running Android or iOS or whatever), while another will be the processor for the baseband stack.

El Reg mobile man: It wouldn't be a trivial feat

Baseband flaws have turned up before, but the operating systems used are pretty old and thus fairly robust. El Reg mobile correspondent Bill Ray said he'd not heard of anyone successfully taking control of a baseband processor to install malware but added the caveat that such an attack is at least theoretically possible. "Getting from there into data stored on the phone would also not be trivial, so applicable only to specific models of handset and requiring a lot of effort," Ray said.

Bjoern Rupp, chief exec of GSMK CryptoPhone, explained: "While the attack is indeed not trivial, we have implemented a demonstrable exploit in the form of test malware which we successfully injected over the air interface, realising a very compact, minimally invasive attack which was optimised for minimal code payload in order to test our defence concept under realistic conditions."

Rupp said GSMK CryptoPhone had unearthed the flaws through a fuzzing process on the 2G and 3G interfaces of phones, attacking bugs in the security of baseband processors rather than in the mobile OS running on the main CPU of a smartphone or feature phone. Tests by GSMK CryptoPhone suggest that 80 per cent of smartphones and feature phones are potentially vulnerable to attacks against mobile phone components that are more or less independent of the operating system run by a smartphone or less advanced feature phone.

"We tested various attacks against products made by Apple (iPhone/iPad), HTC, Motorola and Nokia," Rupp explained. "We have been able to compromise entire product ranges using the same baseband processor family. The consequences of the vulnerabilities that we identified range from attacker-induced crashes to infinite loops, remote 'freezing' and 'zapping' of mobile devices, and last but not least of course the 'royal league' of attacks, remote code execution via the air interface."

GSMK CryptoPhone said that code execution on the baseband processor can be a springboard for attacks on a phone's main CPU.

"Access from the main CPU (and OS) to the baseband processor is typically only via a serial port that accepts AT commands, even though there are various methods to start code on the baseband processor from the main CPU (one example is a known bug in the AT+XAPP command)," Rupp explained.

Attacking the main CPU of a mobile from the baseband processor can be compared to attacking the CPU of a PC through its graphic processor.

"Just like on PCs, modern (smart)phone designs are based on a shared memory architecture," Rupp told El Reg. "In other words, the baseband processor and the application processor share the same physical memory to communicate with each other. Even though there are various protection techniques like DEP (Data Execution Prevention) in place that should in principle prevent that, memory pages which contain executable code can be written to.

"All the techniques found on currently shipping baseband processors that we have looked into have issues or are only partially implemented. Once you have gained initial data access to the baseband processor beyond the strict limits of the 2G/3G protocols (eg, via a buffer overflow attack), it is possible to write data in these memory areas, and get [injected code] executed by the processor later on."

Rupp said that mobile attacks against baseband processors are technically difficult but possible. "Advanced but well-established attack techniques that allow you to circumvent privilege separation and thus execute privileged processor operations without having to coordinate that with the operating system. By manipulating memory mapping of the target system, you can also gain many insights into what else you can do," Rupp said.
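The W^X property that Rupp describes as only partially implemented on shipping basebands can at least be audited on the application-processor side, where Linux exposes a process's mappings in /proc/<pid>/maps. The following is an added example, not GSMK's code: it parses a few constructed maps-style lines and flags any mapping that is both writable and executable, which is exactly the condition that lets injected data later run as code.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample lines in /proc/<pid>/maps format (not captured from a
 * real device). The third entry is both writable and executable. */
static const char *sample_maps[] = {
    "00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/app",
    "00652000-00654000 rw-p 00052000 08:01 1234 /usr/bin/app",
    "7f0000000000-7f0000021000 rwxp 00000000 00:00 0 [anon:jit]",
    "7ffd4a2c0000-7ffd4a2e1000 rw-p 00000000 00:00 0 [stack]",
};

/* Returns 1 if a maps line describes a mapping that is both writable and
 * executable (a W^X violation), 0 if not, and -1 if the line is malformed. */
int is_wx_mapping(const char *line) {
    char perms[5];
    /* address range is skipped; only the 4-char permission field is read */
    if (sscanf(line, "%*[0-9a-f]-%*[0-9a-f] %4s", perms) != 1)
        return -1;
    return (strchr(perms, 'w') != NULL && strchr(perms, 'x') != NULL) ? 1 : 0;
}

/* Counts W+X mappings across an array of maps lines. */
int count_wx(const char **lines, size_t n) {
    int count = 0;
    for (size_t i = 0; i < n; i++)
        if (is_wx_mapping(lines[i]) == 1)
            count++;
    return count;
}

int main(void) {
    size_t n = sizeof sample_maps / sizeof sample_maps[0];
    for (size_t i = 0; i < n; i++)
        if (is_wx_mapping(sample_maps[i]) == 1)
            printf("W+X mapping: %s\n", sample_maps[i]);
    printf("%d writable+executable mapping(s) found\n", count_wx(sample_maps, n));
    return 0;
}
```

Pointing the parser at a real /proc/<pid>/maps file instead of the constructed array gives a quick check of whether a given process honours W^X; the baseband's own memory map is not visible this way.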


