Software flaw puts mobile phones and networks at risk of complete takeover
Code-execution vuln resides in code used in cell towers, radios, and basebands.
Dan Goodin
A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop on or disrupt entire networks, security experts warned Tuesday.
The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One.
"The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources," researchers who discovered the flaw wrote in an advisory published Monday evening. "These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network."
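The advisory's point that the risk arises wherever the library "receives and processes ASN.1 encoded data from untrusted sources" comes down to how a decoder treats length fields that arrive on the wire. The C parser below is an added example for this article; it is not Objective Systems' code and does not reconstruct the actual flaw. It decodes one DER tag-length-value element and rejects any declared length that exceeds the bytes actually present, which is the check a decoder must make before a length taken from untrusted input drives an allocation or copy. The function names, result codes, and sample byte strings are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result codes for this example's parser (constructed, not a library API). */
enum { DER_OK = 0, DER_ERR_TRUNCATED = -1, DER_ERR_BADLEN = -2, DER_ERR_TAG = -3 };

/* Parse one DER tag-length-value (TLV) element starting at buf[0].
 * On success: *tag receives the tag byte, *value points into buf at the
 * first content octet, *vlen is the content length, and the return value
 * is the total number of bytes consumed (header + content).
 * Every length read from the input is validated against the bytes that are
 * actually available before it is handed back to any caller that might
 * allocate or copy based on it. */
long der_read_tlv(const uint8_t *buf, size_t len,
                  uint8_t *tag, const uint8_t **value, size_t *vlen)
{
    size_t pos = 0;
    size_t content_len;

    if (len < 2) return DER_ERR_TRUNCATED;        /* need tag + one length byte */
    *tag = buf[pos++];
    uint8_t l0 = buf[pos++];

    if (l0 < 0x80) {
        content_len = l0;                          /* short form: length in one byte */
    } else {
        size_t nbytes = l0 & 0x7f;                 /* long form: l0 says how many bytes */
        /* DER forbids the indefinite form (0x80); refuse length fields wider than
         * size_t so the accumulation below cannot wrap around. */
        if (nbytes == 0 || nbytes > sizeof(size_t)) return DER_ERR_BADLEN;
        if (len - pos < nbytes) return DER_ERR_TRUNCATED;
        if (buf[pos] == 0) return DER_ERR_BADLEN;  /* DER requires minimal encoding */
        content_len = 0;
        for (size_t i = 0; i < nbytes; i++)
            content_len = (content_len << 8) | buf[pos++];
        if (content_len < 0x80) return DER_ERR_BADLEN; /* should have used short form */
    }

    /* The critical check: the declared length must fit in the remaining input. */
    if (content_len > len - pos) return DER_ERR_TRUNCATED;

    *value = buf + pos;
    *vlen = content_len;
    return (long)(pos + content_len);
}

/* Convenience wrapper: returns bytes consumed by the first TLV, or an error code. */
long der_check(const uint8_t *buf, size_t len)
{
    uint8_t tag; const uint8_t *val; size_t vlen;
    return der_read_tlv(buf, len, &tag, &val, &vlen);
}

/* Walk a SEQUENCE (tag 0x30) and count its child elements. Each child is
 * parsed with a bound derived from the already-validated outer length, so a
 * lying inner length can never walk past the buffer. */
long der_count_elements(const uint8_t *buf, size_t len)
{
    uint8_t tag; const uint8_t *val; size_t vlen;
    long rc = der_read_tlv(buf, len, &tag, &val, &vlen);
    if (rc < 0) return rc;
    if (tag != 0x30) return DER_ERR_TAG;

    size_t off = 0;
    long count = 0;
    while (off < vlen) {
        uint8_t t; const uint8_t *v; size_t vl;
        rc = der_read_tlv(val + off, vlen - off, &t, &v, &vl);
        if (rc < 0) return rc;
        off += (size_t)rc;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not captured from any real network). */
/* SEQUENCE { INTEGER 5, OCTET STRING "ab" } */
static const uint8_t SAMPLE_GOOD[] = {0x30, 0x07, 0x02, 0x01, 0x05, 0x04, 0x02, 0x61, 0x62};
/* OCTET STRING claiming 16 content bytes while only 2 are present */
static const uint8_t SAMPLE_OVERLONG[] = {0x04, 0x10, 0x61, 0x62};
/* OCTET STRING with a non-minimal two-byte length field for length 2 */
static const uint8_t SAMPLE_NONMINIMAL[] = {0x04, 0x82, 0x00, 0x02, 0x61, 0x62};

int main(void)
{
    printf("good: consumed %ld, elements %ld\n",
           der_check(SAMPLE_GOOD, sizeof(SAMPLE_GOOD)),
           der_count_elements(SAMPLE_GOOD, sizeof(SAMPLE_GOOD)));
    printf("overlong: %ld\n", der_check(SAMPLE_OVERLONG, sizeof(SAMPLE_OVERLONG)));
    printf("nonminimal: %ld\n", der_check(SAMPLE_NONMINIMAL, sizeof(SAMPLE_NONMINIMAL)));
    return 0;
}
```

The design point is that a length field is data, not a fact: the parser compares it against the bytes it was actually given before anyone downstream sizes a heap buffer from it, and it rejects encodings DER does not permit rather than guessing at their meaning. The same discipline applies when the decoder is generated from an ASN.1 schema, where the generated runtime has to carry these checks on behalf of every message type.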
Security expert HD Moore, who is principal at a firm called Special Circumstances, described the flaw as a "big deal" because of the breadth of gear that is at risk of complete takeover.
"The baseband vulnerabilities are currently the biggest concern for consumers, as successful exploitation can compromise the entire device, even when security hardening and encryption are in place," he wrote in an e-mail. "These issues can be exploited by someone with access to the mobile network and may also be exposed to an attacker operating a malicious cell network, using products like the Stingray or open source software like OsmocomBB."
The library flaw also has the potential to put carrier equipment at risk if attackers figured out how to modify carrier traffic in a way that was able to exploit the vulnerability and execute malicious code. Moore went on to say the threat posed to carriers is probably smaller given the challenges of testing an exploit on the specific equipment used by a targeted carrier and the difficulty of funneling attack code into the vulnerable parts of its network.
"A carrier-side attack would require a lot more effort and funding than targeting the mobile phone basebands," he said. "For specific attack scenarios, carriers may be able to block the traffic from reaching the vulnerable components, similar to how SMS filtering is done today."
Dan Guido, an expert in cellular phone security and the CEO of a firm called Trail of Bits, agreed that the vulnerability will be hard to exploit. But Moore also described ASN.1 as the "backbone" of today's mobile telephone system. Even in the absence of working code-execution capabilities, attackers could use exploits to trigger denial-of-service outages that could interrupt key parts of a network or knock them out altogether.
Right now, only gear from hardware manufacturer Qualcomm is known to be affected, according to this advisory from the Department of Homeland Security-backed CERT. Researchers are still working to determine if a long list of other manufacturers—including AT&T, BAE Systems, Broadcom, Cisco Systems, Deutsche Telekom, and Ericsson—are similarly affected. For the moment, there's little end users can do to insulate themselves from the threat other than to monitor advisories from device makers and carriers.
Objective Systems has released a "hotfix" that corrects the flaw, but both Guido and Moore said the difficulty of patching billions of pieces of hardware, many scattered in remote places throughout the world, meant the vulnerability is likely to remain unfixed for the indefinite future.
"This kind of infrastructure just does not get patches," Guido said. "So [the vulnerability] is a stationary target that others can develop against. It's easy to set goals towards it."