Heavily funded spooks might be more motivated
All this trickery is complex even in the context of mobile attacks but Rupp told El Reg that such attacks already present a threat to business executives and government officials using mobile phones might be targeted by the over-the-air attacks, which threaten both corporate and official secrets.
Rupp said state-sponsored attackers are already using baseband processor attacks in airports but declined to go into details beyond saying that attacks could be carried out without the need to trick smartphones owners into opening an email or visiting a malicious website. Attacks might involve building a rogue GSM base-station from commodity hardware or run from the infrastructure of a 'co-operative" telco. It might also be possible to run attacks against baseband processors of phones using Wi-Fi or Bluetooth interfaces, according to GSMK Cryptophone.
"Once you have control over the app CPU, you can in principle use that to load any code you want from the network," Rupp explained. "Since you have already successfully escalated your privileges on the system, no user interaction is necessary."
The security tech
In response to these threats, the mobile security firm has developed a new Android-based secure mobile phone, the GSMK CryptoPhone 500. The phones incorporates GSMK's voice and message encryption technology as well as software designed to detect and block attacks against baseband processors, marketed by the firm as a Baseband Firewall.
This baseband firewall can be loosely compared to antivirus for a PC. The mobile security technology relies on behaviour and heuristics. For instance, if the baseband processor is sending out communications on radio when the CPU is quiet this would be flagged as suspicious. The technology watches memory shared between a baseband processor and the CPU of a mobile phone, in order to monitor and correlate events. Rupp said that the possibility of false alarms from the technology can't be excluded, although this possibility has been reduced by testing.
The secure mobile phone features a version of Android put together by GSMK that includes granular security management and streamlined, security-optimised components and communication stacks. A hardware module controller and permission enforcement module control access to network, data and sensors (such as the phone's camera, microphone, etc), giving users more control of individual security policies.
GSMK CryptoPhone is in talks with government and industry clients about the possibility of licensing its security enhancements on other mobile phone platforms. The GSMK CryptoPhone 500 was launched at the CeBIT trade fare in Hanover, Germany on Tuesday.
The GSMK CryptoPhone 500 is based on a modified Samsung Galaxy S3 and costs €2,400. The baseband firewall could run on any Samsung smartphone and might, with some effort, be ported to other smartphone platforms. ®
El Reg's Bill Ray read what GSMK had to say and remains skeptical about the level of the threat against baseband processors. "I'm not convinced it's a very big deal. It still requires an awful lot of effort and is targeted at specific hardware combinations," he said.
"...but the operating systems used are pretty old and thus fairly robust."
I'm sorry, but just because software is old, it doesn't mean its good. Windows for example had perfectly well documented exploitable flaws in its API for decades (LNK Autostart "bug" used in Stuxnet).
Baseband code isn't looked at by many people. Large parts of it were developed in the early 1990s when people didn't know about security. It was never tested against malicious attackers.
In fact if you look into the whole picture, you will even find deliberate security holes. For example your operator can use the SIM toolkit to just change the number you are dialling to everything you want. This probably even works for other operators when you are roaming. Trusting that your call actually arrives at the number you have called is the trusted element in many "secure" systems. You'd be surprised how many PCAnywhere installations relied on call-back for security.
Mobile phones (both smart and dumb ones) aren't secure devices, they probably will never be. That's why the part the operators care about is in an extra module (the SIM). We need to stop thinking that those devices and networks are just secure black boxes.
Something similar happened to me
Sometime last year, an organisation called HTC pushed out a software change to my Incredible-S phone, codenamed 'ICS Update', which noticeably slowed it down and changed the GUI in way that made it confusing to use as well as reducing the battery life.
They did this by using 'social engineering' in conjunction with an entity called Google that fed stories to the press saying that ICS was smoother and faster and had efficiencies that improved battery life, even on older phones. You have to be careful and you can't trust anyone.
They found this 'problem' and then produced a marketable phone/ firewall!
In the real world is this really an issue or is this just scare mongering to help sell a product?