Feeds

Malware-flingers can pwn your mobile with OVER-THE-AIR updates

German Fed-sponsored boffins: They have ways of hearing you talk

Protecting against web application threats using SSL

Vulnerabilities in the baseband processors of a wide range of mobile phones may allow attackers to inject malicious code, monitor calls, and extract confidential data stored on the device, according to recent research from mobile security experts. However, according to El Reg's mobile correspondent, Bill Ray, this would be extremely difficult to pull off.

A three-year research project by GSMK CryptoPhone has discovered that certain baseband processors - AKA phone modems - in smartphones can be manipulated by over-the-air updates without requiring any physical access to the victim's phone.

Compromised phones can then be used to record conversations or gain access to sensitive data. It would also be possible to monitor content being accessed through pwned smartphones.

GSMK CryptoPhone's research into mobile phone security was sponsored by the German Federal Ministry of Research. It found flaws in baseband processors from Qualcomm and Infineon that might be used to cause crashes, freeze applications, zap data from phones or - in the most extreme cases - push malicious code through over the air communications.

GSMK CryptoPhone has reported its findings to Qualcomm and Infineon and is holding back on publishing details of the most serious of the security bugs it has unearthed to give these manufacturers an opportunity to patch at least the most pressing vulnerabilities it has unearthed.

Baseband processors act as radio modems that control real-time communication functions between devices including Wi-Fi and Bluetootth links. The baseband stack in a smartphone is, effectively, an entirely separate computing device with its own processor, memory and storage, and will be as vulnerable as any embedded system.

According to ARM, a modern smartphone will contain somewhere between eight and 14 ARM processors, one of which will be the application processor (running Android or iOS or whatever), while another will be the processor for the baseband stack.

El Reg mobile man: It wouldn't be a trivial feat

Baseband flaws have turned up before, but the operating systems used are pretty old and thus fairly robust. El Reg mobile correspondent Bill Ray said he'd not heard of anyone successfully taking control of a baseband processor to install malware but added the caveat that such an attack is at least theoretically possible. "Getting from there into data stored on the phone would also not be trivial, so applicable only to specific models of handset and requiring a lot of effort," Ray said.

Bjoern Rupp, chief exec of GSMK CryptoPhone, explained: "While the attack is indeed not trivial, we have implemented a demonstrable exploit in the form of test malware which we successfully injected over the air interface, realising a very compact, minimally invasive attack which was optimised for minimal code payload in order to test our defence concept under realistic conditions."

Rupp said GSMK CryptoPhone had unearthed the flaws through a fuzzing process on the 2G and 3G interfaces of phones that involved attacking bugs in the security of baseband processors rather than in the mobile OS running on the smartphone or feature's phones main CPU. Tests by GSMK CryptoPhone suggest that 80 per cent of smartphones and feature phones are potentially vulnerable to attacks against mobile phone components that are more or less independent of the operating system run by a smartphone or less advanced feature phone.

"We tested various attacks against products made by Apple (iPhone/iPad), HTC, Motorola and Nokia," Rupp explained. "We have been able to compromise entire product ranges using the same baseband processor family. The consequences of the vulnerabilities that we identified range from attacker-induced crashes to infinite loops, remote 'freezing' and 'zapping' of mobile devices, and last but not least of course the 'royal league' of attacks, remote code execution via the air interface."

GSMK Cryptophone said that code execution on the base processor can be a springboard for attacks on a phone's main CPU.

"Access from the main CPU (and OS) to the baseband processor is typically only via a serial port that accepts AT commands, even though there are various methods to start code on the baseband processor from the main CPU (one example is a known bug in the AT+XAPP command)," Rupp explained.

Attacking the main CPU of a mobile from the baseband processor can be compared to attacking the CPU of a PC through its graphic processor.

"Just like on PCs, modern (smart)phone designs are based on a shared memory architecture," Rupp told El Reg. "In other words, the baseband processor and the application processor share the same physical memory to communicate with each other. Even though there are various protection techniques like DEP (Data Execution Prevention) in place that should in principle prevent that, memory pages which contain executable code can be written to.

"All the techniques found on currently shipping baseband processors that we have looked into have issues or are only partially implemented. Once you have gained initial data access to the baseband processor beyond the strict limits of the 2G/3G protocols (eg, via a buffer overflow attack), it is possible to write data in these memory areas, and get [injected code] executed by the processor later on."

Rupp said that mobile attacks against baseband processors are technically difficult but possible. "Advanced but well-established attack techniques that allow you to circumvent privilege separation and thus execute privileged processor operations without having to coordinate that with the operating system. By manipulating memory mapping of the target system, you can also gain many insights into what else you can do," Rupp said.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.