Feeds

Malware-flingers can pwn your mobile with OVER-THE-AIR updates

German Fed-sponsored boffins: They have ways of hearing you talk

Choosing a cloud hosting partner with confidence

Heavily funded spooks might be more motivated

All this trickery is complex even in the context of mobile attacks but Rupp told El Reg that such attacks already present a threat to business executives and government officials using mobile phones might be targeted by the over-the-air attacks, which threaten both corporate and official secrets.

Rupp said state-sponsored attackers are already using baseband processor attacks in airports but declined to go into details beyond saying that attacks could be carried out without the need to trick smartphones owners into opening an email or visiting a malicious website. Attacks might involve building a rogue GSM base-station from commodity hardware or run from the infrastructure of a 'co-operative" telco. It might also be possible to run attacks against baseband processors of phones using Wi-Fi or Bluetooth interfaces, according to GSMK Cryptophone.

"Once you have control over the app CPU, you can in principle use that to load any code you want from the network," Rupp explained. "Since you have already successfully escalated your privileges on the system, no user interaction is necessary."

The security tech

In response to these threats, the mobile security firm has developed a new Android-based secure mobile phone, the GSMK CryptoPhone 500. The phones incorporates GSMK's voice and message encryption technology as well as software designed to detect and block attacks against baseband processors, marketed by the firm as a Baseband Firewall.

This baseband firewall can be loosely compared to antivirus for a PC. The mobile security technology relies on behaviour and heuristics. For instance, if the baseband processor is sending out communications on radio when the CPU is quiet this would be flagged as suspicious. The technology watches memory shared between a baseband processor and the CPU of a mobile phone, in order to monitor and correlate events. Rupp said that the possibility of false alarms from the technology can't be excluded, although this possibility has been reduced by testing.

The secure mobile phone features a version of Android put together by GSMK that includes granular security management and streamlined, security-optimised components and communication stacks. A hardware module controller and permission enforcement module control access to network, data and sensors (such as the phone's camera, microphone, etc), giving users more control of individual security policies.

GSMK CryptoPhone is in talks with government and industry clients about the possibility of licensing its security enhancements on other mobile phone platforms. The GSMK CryptoPhone 500 was launched at the CeBIT trade fare in Hanover, Germany on Tuesday.

The GSMK CryptoPhone 500 is based on a modified Samsung Galaxy S3 and costs €2,400. The baseband firewall could run on any Samsung smartphone and might, with some effort, be ported to other smartphone platforms. ®

Bootnote

El Reg's Bill Ray read what GSMK had to say and remains skeptical about the level of the threat against baseband processors. "I'm not convinced it's a very big deal. It still requires an awful lot of effort and is targeted at specific hardware combinations," he said.

Beginner's guide to SSL certificates

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
US government fines Intel's Wind River over crypto exports
New emphasis on encryption as a weapon?
To Russia With Love: Snowden's pole-dancer girlfriend is living with him in Moscow
While the NSA is tapping your PC, he's tapping ... nevermind
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Slap for SnapChat web app in SNAP mishap: '200,000' snaps sapped
This is what happens if you hand your username and password to a 3rd-party
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.