Feeds

Malware-flingers can pwn your mobile with OVER-THE-AIR updates

German Fed-sponsored boffins: They have ways of hearing you talk

5 things you didn’t know about cloud backup

Heavily funded spooks might be more motivated

All this trickery is complex even in the context of mobile attacks but Rupp told El Reg that such attacks already present a threat to business executives and government officials using mobile phones might be targeted by the over-the-air attacks, which threaten both corporate and official secrets.

Rupp said state-sponsored attackers are already using baseband processor attacks in airports but declined to go into details beyond saying that attacks could be carried out without the need to trick smartphones owners into opening an email or visiting a malicious website. Attacks might involve building a rogue GSM base-station from commodity hardware or run from the infrastructure of a 'co-operative" telco. It might also be possible to run attacks against baseband processors of phones using Wi-Fi or Bluetooth interfaces, according to GSMK Cryptophone.

"Once you have control over the app CPU, you can in principle use that to load any code you want from the network," Rupp explained. "Since you have already successfully escalated your privileges on the system, no user interaction is necessary."

The security tech

In response to these threats, the mobile security firm has developed a new Android-based secure mobile phone, the GSMK CryptoPhone 500. The phones incorporates GSMK's voice and message encryption technology as well as software designed to detect and block attacks against baseband processors, marketed by the firm as a Baseband Firewall.

This baseband firewall can be loosely compared to antivirus for a PC. The mobile security technology relies on behaviour and heuristics. For instance, if the baseband processor is sending out communications on radio when the CPU is quiet this would be flagged as suspicious. The technology watches memory shared between a baseband processor and the CPU of a mobile phone, in order to monitor and correlate events. Rupp said that the possibility of false alarms from the technology can't be excluded, although this possibility has been reduced by testing.

The secure mobile phone features a version of Android put together by GSMK that includes granular security management and streamlined, security-optimised components and communication stacks. A hardware module controller and permission enforcement module control access to network, data and sensors (such as the phone's camera, microphone, etc), giving users more control of individual security policies.

GSMK CryptoPhone is in talks with government and industry clients about the possibility of licensing its security enhancements on other mobile phone platforms. The GSMK CryptoPhone 500 was launched at the CeBIT trade fare in Hanover, Germany on Tuesday.

The GSMK CryptoPhone 500 is based on a modified Samsung Galaxy S3 and costs €2,400. The baseband firewall could run on any Samsung smartphone and might, with some effort, be ported to other smartphone platforms. ®

Bootnote

El Reg's Bill Ray read what GSMK had to say and remains skeptical about the level of the threat against baseband processors. "I'm not convinced it's a very big deal. It still requires an awful lot of effort and is targeted at specific hardware combinations," he said.

The essential guide to IT transformation

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
HP: NORKS' cyber spying efforts actually a credible cyberthreat
'Sophisticated' spies, DIY tech and a TROLL ARMY – report
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?