Feeds

'Up to two BEEELLION' mobes easily hacked by evil base stations

Android, BlackBerry, and Apple fall to OMA-DM flaw – claim

Choosing a cloud hosting partner with confidence

Black Hat 2014 videos The mechanisms used to update smartphone operating systems over the air are vulnerable to hijacking and abuse, researchers have claimed.

Speaking at the Black Hat conference in Las Vegas on Thursday, the infosec bods believe up to two billion handsets are at risk, and that in some cases patches for the flaw still haven't been released.

Mathew Solnik and Marc Blanchou at security firm Accuvant told conference attendees that the problem lies in the Open Mobile Alliance Device Management (OMA-DM) protocol, which is used by about 100 mobile phone manufacturers to deliver software updates and perform network administration.

They found that, to access handsets remotely, the attacker needs to know the handset's unique International Mobile Station Equipment Identity (IMEI) number and a secret token.

According to the duo, it's not actually that hard to get an IMEI number nor several carrier's secret token. A combination of lazy networks and susceptible operating system versions opens up an extraordinary number of devices to attack, it's claimed.

Following a WAP message broadcast from a base station, the researchers could wirelessly upload code to a phone, it's claimed, and then execute the code to exploit memory bugs in the software to gain full control of the device – without any visible signs that skullduggery was going on.

The duo demonstrated a phony femtocell that could be used to access Android, BlackBerry and a small number of iOS devices using the faulty security protocols. During the demonstration Solnik warned the audience to turn off their mobiles, set the femtocell to its lowest power setting, and still picked up more than 70 handsets that were ripe for hacking.

Some handsets were worse than others, they found. Android was generally wide open to exploits, as was Blackberry and a host of embedded systems, the conference was told. iOS was a tougher nut to crack – most handsets were immune – but some phones run by Sprint could be accessed wirelessly, and others could be vulnerable if the user is tricked into accepting an update.

The duo also found phones could be enticed into checking in with their OMA-DM servers, but that these connections just used HTTP, not a more secure link. This allowed the handset to be redirected to another server of the attacker's choice for future updates.

Solnik said most manufacturers and carriers had now patched up their OMA-DM systems but that a few were still vulnerable. Generally, manufacturers and carriers were keen to fix the flaw, but a few were dragging their feet, we're told. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.