Feeds

'Up to two BEEELLION' mobes easily hacked by evil base stations

Android, BlackBerry, and Apple fall to OMA-DM flaw – claim

Top 5 reasons to deploy VMware with Tegile

Black Hat 2014 videos The mechanisms used to update smartphone operating systems over the air are vulnerable to hijacking and abuse, researchers have claimed.

Speaking at the Black Hat conference in Las Vegas on Thursday, the infosec bods believe up to two billion handsets are at risk, and that in some cases patches for the flaw still haven't been released.

Mathew Solnik and Marc Blanchou at security firm Accuvant told conference attendees that the problem lies in the Open Mobile Alliance Device Management (OMA-DM) protocol, which is used by about 100 mobile phone manufacturers to deliver software updates and perform network administration.

They found that, to access handsets remotely, the attacker needs to know the handset's unique International Mobile Station Equipment Identity (IMEI) number and a secret token.

According to the duo, it's not actually that hard to get an IMEI number nor several carrier's secret token. A combination of lazy networks and susceptible operating system versions opens up an extraordinary number of devices to attack, it's claimed.

Following a WAP message broadcast from a base station, the researchers could wirelessly upload code to a phone, it's claimed, and then execute the code to exploit memory bugs in the software to gain full control of the device – without any visible signs that skullduggery was going on.

The duo demonstrated a phony femtocell that could be used to access Android, BlackBerry and a small number of iOS devices using the faulty security protocols. During the demonstration Solnik warned the audience to turn off their mobiles, set the femtocell to its lowest power setting, and still picked up more than 70 handsets that were ripe for hacking.

Some handsets were worse than others, they found. Android was generally wide open to exploits, as was Blackberry and a host of embedded systems, the conference was told. iOS was a tougher nut to crack – most handsets were immune – but some phones run by Sprint could be accessed wirelessly, and others could be vulnerable if the user is tricked into accepting an update.

The duo also found phones could be enticed into checking in with their OMA-DM servers, but that these connections just used HTTP, not a more secure link. This allowed the handset to be redirected to another server of the attacker's choice for future updates.

Solnik said most manufacturers and carriers had now patched up their OMA-DM systems but that a few were still vulnerable. Generally, manufacturers and carriers were keen to fix the flaw, but a few were dragging their feet, we're told. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.