Hackers equipped with inexpensive radio hardware and open source software can compromise your mobile phone, listen to your conversations, intercept your data, or rack up huge bills on premium services, all without you knowing. Ralf-Philipp Weinmann, a cryptologist at the University of Luxembourg Laboratory of Cryptology and Security, has discovered a new type of over-the-air attack on mobile phones, and at the 2010 DeepSec conference in Vienna demonstrated how the exploit could be used against nearly any mobile phone.
Using a US$1,500 base transceiver station, Weinmann, who has previously exposed security weaknesses in the iPhone, demonstrated that common “devastating” programming errors in the Layer 3 communication stack of mobile devices can be exploited to gain control over the devices. He said that a motivated hacker could take advantage of these flaws to make an almost undetectable attack on the vast majority of cell phone models.
A base transceiver station is part of the cellular network that is typically found at the cell antenna site. Weinmann’s scenario calls for a cheap rogue transceiver that could be deployed in any crowded or sensitive area such as an airport, financial district, near embassies, and so on. The exploit would allow hackers to take control of mobile phones anywhere within the range of the rogue transceiver. The rogue transceiver only needs to be online for a few seconds to perform the attack.
The GSM over-the-air interface between the mobile device and the base transceiver station is called the Um interface. Layer 3 of the GSM Um interface handles connection management, mobility management, and radio resources. Weinmann’s research shows that there are many vulnerabilities in GSM baseband codebases, so it is practical to take advantage of memory corruptions over the Um interface to execute malicious code on the mobile device, compromising security.
Most service providers and customers worry about attacks against the application processor in mobile phones – nobody wants to download a virus or Trojan horse app on their smartphone. Protection against this type of attack is being built into devices by the vendors, but the baseband processor (which handles the Um interface and communications with the wireless network) has been neglected, says Weinmann. Malicious base stations are not part of the attack model that was assumed by the service providers and vendors, leaving them vulnerable.
Weinmann say that the reason for the vulnerabilities is that the baseband code base was created in the 1990s, with a 1990s attitude towards security. Network elements such as the transceiver are considered trusted devices with almost no exploit mitigation built in. He found that the Layer 3 buffers could easily be overwritten, allowing for remote code execution.
Once hackers have compromised a mobile device, they are able to monitor the user's complete communications, and could even eavesdrop on the owner by instructing the cellphone to answer incoming calls automatically without the user noticing. Other techniques might even allow the hackers to compromise the cellular base station and infect more phones from there. Detecting such hacks is difficult, as there are few built-in forensic tools in mobile devices or base stations.
Weinmann see this scenario as a developing threat. While cellular base stations are expensive, old gear and some types of new hardware such as femtocells are relatively cheap and readily available. In addition, open-source software for running GSM base stations is becoming more widely available (for example OpenBTS provided service at Burning Man from 2008 to 2010).
Weinmann and the University of Luxembourg are working together with a number of undisclosed mobile phone and cellular chipset vendors to fix the security flaws and to prevent similar flaws in the future. Weinmann says that serious code security audits and exploit mitigations by the major baseband chip vendors can go a long way toward reducing this type of security problem.