Feeds

Malware-flingers can pwn your mobile with OVER-THE-AIR updates

German Fed-sponsored boffins: They have ways of hearing you talk

Build a business case: developing custom apps

Heavily funded spooks might be more motivated

All this trickery is complex even in the context of mobile attacks but Rupp told El Reg that such attacks already present a threat to business executives and government officials using mobile phones might be targeted by the over-the-air attacks, which threaten both corporate and official secrets.

Rupp said state-sponsored attackers are already using baseband processor attacks in airports but declined to go into details beyond saying that attacks could be carried out without the need to trick smartphones owners into opening an email or visiting a malicious website. Attacks might involve building a rogue GSM base-station from commodity hardware or run from the infrastructure of a 'co-operative" telco. It might also be possible to run attacks against baseband processors of phones using Wi-Fi or Bluetooth interfaces, according to GSMK Cryptophone.

"Once you have control over the app CPU, you can in principle use that to load any code you want from the network," Rupp explained. "Since you have already successfully escalated your privileges on the system, no user interaction is necessary."

The security tech

In response to these threats, the mobile security firm has developed a new Android-based secure mobile phone, the GSMK CryptoPhone 500. The phones incorporates GSMK's voice and message encryption technology as well as software designed to detect and block attacks against baseband processors, marketed by the firm as a Baseband Firewall.

This baseband firewall can be loosely compared to antivirus for a PC. The mobile security technology relies on behaviour and heuristics. For instance, if the baseband processor is sending out communications on radio when the CPU is quiet this would be flagged as suspicious. The technology watches memory shared between a baseband processor and the CPU of a mobile phone, in order to monitor and correlate events. Rupp said that the possibility of false alarms from the technology can't be excluded, although this possibility has been reduced by testing.

The secure mobile phone features a version of Android put together by GSMK that includes granular security management and streamlined, security-optimised components and communication stacks. A hardware module controller and permission enforcement module control access to network, data and sensors (such as the phone's camera, microphone, etc), giving users more control of individual security policies.

GSMK CryptoPhone is in talks with government and industry clients about the possibility of licensing its security enhancements on other mobile phone platforms. The GSMK CryptoPhone 500 was launched at the CeBIT trade fare in Hanover, Germany on Tuesday.

The GSMK CryptoPhone 500 is based on a modified Samsung Galaxy S3 and costs €2,400. The baseband firewall could run on any Samsung smartphone and might, with some effort, be ported to other smartphone platforms. ®

Bootnote

El Reg's Bill Ray read what GSMK had to say and remains skeptical about the level of the threat against baseband processors. "I'm not convinced it's a very big deal. It still requires an awful lot of effort and is targeted at specific hardware combinations," he said.

Next gen security for virtualised datacentres

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Scale data protection with your virtual environment
To scale at the rate of virtualization growth, data protection solutions need to adopt new capabilities and simplify current features.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?