Feeds

'Up to two BEEELLION' mobes easily hacked by evil base stations

Android, BlackBerry, and Apple fall to OMA-DM flaw – claim

Secure remote control for conventional and virtual desktops

Black Hat 2014 videos The mechanisms used to update smartphone operating systems over the air are vulnerable to hijacking and abuse, researchers have claimed.

Speaking at the Black Hat conference in Las Vegas on Thursday, the infosec bods believe up to two billion handsets are at risk, and that in some cases patches for the flaw still haven't been released.

Mathew Solnik and Marc Blanchou at security firm Accuvant told conference attendees that the problem lies in the Open Mobile Alliance Device Management (OMA-DM) protocol, which is used by about 100 mobile phone manufacturers to deliver software updates and perform network administration.

They found that, to access handsets remotely, the attacker needs to know the handset's unique International Mobile Station Equipment Identity (IMEI) number and a secret token.

According to the duo, it's not actually that hard to get an IMEI number nor several carrier's secret token. A combination of lazy networks and susceptible operating system versions opens up an extraordinary number of devices to attack, it's claimed.

Following a WAP message broadcast from a base station, the researchers could wirelessly upload code to a phone, it's claimed, and then execute the code to exploit memory bugs in the software to gain full control of the device – without any visible signs that skullduggery was going on.

The duo demonstrated a phony femtocell that could be used to access Android, BlackBerry and a small number of iOS devices using the faulty security protocols. During the demonstration Solnik warned the audience to turn off their mobiles, set the femtocell to its lowest power setting, and still picked up more than 70 handsets that were ripe for hacking.

Some handsets were worse than others, they found. Android was generally wide open to exploits, as was Blackberry and a host of embedded systems, the conference was told. iOS was a tougher nut to crack – most handsets were immune – but some phones run by Sprint could be accessed wirelessly, and others could be vulnerable if the user is tricked into accepting an update.

The duo also found phones could be enticed into checking in with their OMA-DM servers, but that these connections just used HTTP, not a more secure link. This allowed the handset to be redirected to another server of the attacker's choice for future updates.

Solnik said most manufacturers and carriers had now patched up their OMA-DM systems but that a few were still vulnerable. Generally, manufacturers and carriers were keen to fix the flaw, but a few were dragging their feet, we're told. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.