Vulnerabilities in the baseband processors of a wide range of mobile phones may allow attackers to inject malicious code, monitor calls, and extract confidential data stored on the device, according to recent research from mobile security experts. However, this would be extremely difficult to pull off.
A three-year research project by GSMK CryptoPhone has discovered that certain baseband processors - AKA phone modems - in smartphones can be manipulated by over-the-air updates without requiring any physical access to the victim's phone.
Compromised phones can then be used to record conversations or gain access to sensitive data. It would also be possible to monitor content being accessed through pwned smartphones.
GSMK CryptoPhone's research into mobile phone security was sponsored by the German Federal Ministry of Research. It found flaws in baseband processors from Qualcomm and Infineon that might be used to cause crashes, freeze applications, zap data from phones or - in the most extreme cases - push malicious code through over the air communications.
GSMK CryptoPhone has reported its findings to Qualcomm and Infineon and is holding back on publishing details of the most serious bugs to give the manufacturers an opportunity to patch at least the most pressing vulnerabilities first.
Baseband processors are the radio modems that run the cellular (2G/3G) protocol stack in real time; Wi-Fi and Bluetooth are normally handled by separate chips. The baseband stack in a smartphone is, effectively, an entirely separate computing device with its own processor, memory and storage, and it is as vulnerable as any other embedded system.
According to ARM, a modern smartphone will contain somewhere between eight and 14 ARM processors, one of which will be the application processor (running Android or iOS or whatever), while another will be the processor for the baseband stack.
El Reg mobile man: It wouldn't be a trivial feat
Baseband flaws have turned up before, but the proprietary real-time operating systems these modems run are old and have seen little public scrutiny. El Reg mobile correspondent Bill Ray said he'd not heard of anyone successfully taking control of a baseband processor to install malware but added the caveat that such an attack is at least theoretically possible. "Getting from there into data stored on the phone would also not be trivial, so applicable only to specific models of handset and requiring a lot of effort," Ray said.
Bjoern Rupp, chief exec of GSMK CryptoPhone, explained: "While the attack is indeed not trivial, we have implemented a demonstrable exploit in the form of test malware which we successfully injected over the air interface, realising a very compact, minimally invasive attack which was optimised for minimal code payload in order to test our defence concept under realistic conditions."
Rupp said GSMK CryptoPhone had unearthed the flaws by fuzzing the 2G and 3G air interfaces of phones, targeting bugs in the baseband processor's own protocol handling rather than in the mobile OS running on the smartphone or feature phone's main CPU. Tests by GSMK CryptoPhone suggest that 80 per cent of smartphones and feature phones are potentially vulnerable to attacks against these components, which operate more or less independently of the operating system on the device's main CPU.
"We tested various attacks against products made by Apple (iPhone/iPad), HTC, Motorola and Nokia," Rupp explained. "We have been able to compromise entire product ranges using the same baseband processor family. The consequences of the vulnerabilities that we identified range from attacker-induced crashes to infinite loops, remote 'freezing' and 'zapping' of mobile devices, and last but not least of course the 'royal league' of attacks, remote code execution via the air interface."
GSMK CryptoPhone said that code execution on the baseband processor can be a springboard for attacks on a phone's main CPU.
"Access from the main CPU (and OS) to the baseband processor is typically only via a serial port that accepts AT commands, even though there are various methods to start code on the baseband processor from the main CPU (one example is a known bug in the AT+XAPP command)," Rupp explained.
Attacking the main CPU of a mobile from the baseband processor can be compared to attacking the CPU of a PC through its graphic processor.
"Just like on PCs, modern (smart)phone designs are based on a shared memory architecture," Rupp told El Reg. "In other words, the baseband processor and the application processor share the same physical memory to communicate with each other. Even though there are various protection techniques like DEP (Data Execution Prevention) in place that should in principle prevent that, memory pages which contain executable code can be written to.
"All the techniques found on currently shipping baseband processors that we have looked into have issues or are only partially implemented. Once you have gained initial data access to the baseband processor beyond the strict limits of the 2G/3G protocols (eg, via a buffer overflow attack), it is possible to write data in these memory areas, and get [injected code] executed by the processor later on."
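The two mechanisms described above, fuzzing malformed 2G/3G messages at the modem and the buffer overflow that gives an attacker a first write into baseband memory, can be illustrated with a small added example. This is constructed code written for this article, not GSMK CryptoPhone's test malware and not the firmware of any named vendor: the message layout (a two-byte Layer 3 header followed by tag/length/value information elements), the 16-byte IE buffer, the adjacent "modem state" byte and the IE tag values are all assumptions for illustration. The vulnerable parser trusts the over-the-air length byte against its fixed buffer; the hardened one rejects oversized IEs; the mutator produces the kind of length-field mutation a fuzzer would send. Simulated modem memory is sized so the over-long copy stays inside one array, which keeps the demonstration memory-safe while still showing the corruption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_BUF_SIZE 16              /* hypothetical fixed IE buffer in the modem */
#define STATE_OFFSET IE_BUF_SIZE    /* modem state byte that sits right after it */
#define HEADER_LEN 2                /* protocol discriminator + message type */

/* Simulated baseband RAM: the IE buffer followed by other modem state. An IE
 * length byte is at most 255, so every copy below stays inside this array. */
typedef struct {
    uint8_t mem[IE_BUF_SIZE + 256];
} modem_t;

static void modem_init(modem_t *m) { memset(m->mem, 0, sizeof m->mem); }

/* Vulnerable parser: checks that each IE fits inside the received frame but
 * trusts the over-the-air length byte against the fixed IE buffer. */
int parse_l3_vulnerable(modem_t *m, const uint8_t *msg, size_t len)
{
    size_t i = HEADER_LEN, count = 0;
    if (len < HEADER_LEN) return -1;
    while (i + 2 <= len) {
        uint8_t ie_len = msg[i + 1];
        if (i + 2 + ie_len > len) return -1;      /* truncated IE */
        memcpy(m->mem, &msg[i + 2], ie_len);      /* BUG: no check against IE_BUF_SIZE */
        i += 2 + ie_len;
        count++;
    }
    return (int)count;
}

/* Hardened parser: the same loop with the missing destination bound. */
int parse_l3_hardened(modem_t *m, const uint8_t *msg, size_t len)
{
    size_t i = HEADER_LEN, count = 0;
    if (len < HEADER_LEN) return -1;
    while (i + 2 <= len) {
        uint8_t ie_len = msg[i + 1];
        if (i + 2 + ie_len > len) return -1;      /* truncated IE */
        if (ie_len > IE_BUF_SIZE) return -1;      /* oversized IE: reject, do not copy */
        memcpy(m->mem, &msg[i + 2], ie_len);
        i += 2 + ie_len;
        count++;
    }
    return (int)count;
}

/* Fuzzer mutation: rewrite the first IE's length byte to new_len and pad the
 * value with 0x41 so the frame stays self-consistent. Returns the new size,
 * or 0 if the input is malformed or the output buffer is too small. */
size_t mutate_first_ie_length(const uint8_t *in, size_t in_len,
                              uint8_t *out, size_t out_cap, uint8_t new_len)
{
    if (in_len < HEADER_LEN + 2) return 0;
    size_t orig_len = in[HEADER_LEN + 1];
    if (HEADER_LEN + 2 + orig_len > in_len) return 0;
    size_t needed = HEADER_LEN + 2 + new_len;
    if (needed > out_cap) return 0;
    memcpy(out, in, HEADER_LEN + 2);            /* header, IEI and length slot */
    out[HEADER_LEN + 1] = new_len;
    size_t keep = orig_len < new_len ? orig_len : new_len;
    memcpy(&out[HEADER_LEN + 2], &in[HEADER_LEN + 2], keep);
    memset(&out[HEADER_LEN + 2 + keep], 0x41, new_len - keep);
    return needed;
}

/* Did a parse write past the IE buffer into the adjacent modem state? */
int state_corrupted(const modem_t *m) { return m->mem[STATE_OFFSET] != 0; }

/* Constructed sample frame: a Call Control SETUP-like message carrying one
 * 3-byte IE (tag 0x5E). Values are illustrative, not a captured frame. */
static const uint8_t SAMPLE_MSG[] = { 0x03, 0x05, 0x5E, 0x03, 0x21, 0x43, 0x65 };

int main(void)
{
    modem_t m;
    uint8_t fuzzed[512];
    size_t flen = mutate_first_ie_length(SAMPLE_MSG, sizeof SAMPLE_MSG,
                                         fuzzed, sizeof fuzzed, 64);

    modem_init(&m);
    printf("vulnerable: rc=%d state_corrupted=%d\n",
           parse_l3_vulnerable(&m, fuzzed, flen), state_corrupted(&m));
    modem_init(&m);
    printf("hardened:   rc=%d state_corrupted=%d\n",
           parse_l3_hardened(&m, fuzzed, flen), state_corrupted(&m));
    return 0;
}
```

The example models only the modem-side parser; in the research described above the mutated frames were delivered over the 2G/3G air interface, which the example does not attempt to reproduce. A real fuzzing campaign would also vary the IE tag, drop or duplicate IEs and mutate fields inside the value, and would watch the modem for the crashes, hangs and resets Rupp lists rather than for a single flag byte.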
Rupp said that mobile attacks against baseband processors are technically difficult but possible. "[There are] advanced but well-established attack techniques that allow you to circumvent privilege separation and thus execute privileged processor operations without having to coordinate that with the operating system. By manipulating memory mapping of the target system, you can also gain many insights into what else you can do," Rupp said.