Software flaw puts mobile phones and networks at risk of complete takeover

Code-execution vuln resides in code used in cell towers, radios, and basebands.

Dan Goodin
Carl Lender
A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday.
The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One.
"The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources," researchers who discovered the flaw wrote in an advisory published Monday evening. "These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network."
Security expert HD Moore, who is principal at a firm called Special Circumstances, described the flaw as a "big deal" because of the breadth of gear that are at risk of complete takeover.
"The baseband vulnerabilities are currently biggest concern for consumers, as successful exploitation can compromise the entire device, even when security hardening and encryption is in place," he wrote in an e-mail. "These issues can be exploited by someone with access to the mobile network and may also be exposed to an attacker operating a malicious cell network, using products like the Stingray or open source software like OsmocomBB."
The library flaw also has the potential to put carrier equipment at risk if attackers figured out how to modify carrier traffic in a way that was able to exploit the vulnerability and execute malicious code. Moore went on to say the threat posed to carriers is probably smaller given the challenges of testing an exploit on the specific equipment used by a targeted carrier and the difficulty of funneling attack code into the vulnerable parts of its network.
"A carrier-side attack would require a lot more effort and funding than targeting the mobile phone basebands," he said. "For specific attack scenarios, carriers may be able to block the traffic from reaching the vulnerable components, similar to how SMS filtering is done today."
Dan Guido, an expert in cellular phone security and the CEO of a firm called Trail of Bits, agreed that the vulnerability will be hard to exploit. But Moore also described ASN.1 as the "backbone" of today's mobile telephone system. Even in the absence of working code-execution capabilities, attackers could use exploits to trigger denial-of-service outages that could interrupt key parts of a network or knock them out altogether.
Right now, only gear from hardware manufacturer Qualcomm is known to be affected, according to this advisory from the Department of Homeland Security-backed CERT. Researchers are still working to determine if a long list of other manufacturers—including AT&T, BAE Systems, Broadcom, Cisco Systems, Deutsche Telekom, and Ericsson—are similarly affected. For the moment, there's little end users can do to insulate themselves from the threat other than to monitor advisories from device makers and carriers.
Objective Systems has released a "hotfix" that corrects the flaw, but both Guido and Moore said the difficulty of patching billions of pieces of hardware, many scattered in remote places throughout the world, meant the vulnerability is likely to remain unfixed for the indefinite future.
"This kind of infrastructure just does not get patches," Guido said. "So [the vulnerability] is a stationary target that others can develop against. It's easy to set goals towards it."

Comments