Black Hat 2014 videos The mechanisms used to update smartphone operating systems over the air are vulnerable to hijacking and abuse, researchers have claimed.
Speaking at the Black Hat conference in Las Vegas on Thursday, the infosec bods believe up to two billion handsets are at risk, and that in some cases patches for the flaw still haven't been released.
Mathew Solnik and Marc Blanchou at security firm Accuvant told conference attendees that the problem lies in the Open Mobile Alliance Device Management (OMA-DM) protocol, which is used by about 100 mobile phone manufacturers to deliver software updates and perform network administration.
They found that, to access handsets remotely, the attacker needs to know the handset's unique International Mobile Station Equipment Identity (IMEI) number and a secret token.
According to the duo, it's not actually that hard to get an IMEI number nor several carrier's secret token. A combination of lazy networks and susceptible operating system versions opens up an extraordinary number of devices to attack, it's claimed.
Following a WAP message broadcast from a base station, the researchers could wirelessly upload code to a phone, it's claimed, and then execute the code to exploit memory bugs in the software to gain full control of the device – without any visible signs that skullduggery was going on.
The duo demonstrated a phony femtocell that could be used to access Android, BlackBerry and a small number of iOS devices using the faulty security protocols. During the demonstration Solnik warned the audience to turn off their mobiles, set the femtocell to its lowest power setting, and still picked up more than 70 handsets that were ripe for hacking.
Some handsets were worse than others, they found. Android was generally wide open to exploits, as was Blackberry and a host of embedded systems, the conference was told. iOS was a tougher nut to crack – most handsets were immune – but some phones run by Sprint could be accessed wirelessly, and others could be vulnerable if the user is tricked into accepting an update.
The duo also found phones could be enticed into checking in with their OMA-DM servers, but that these connections just used HTTP, not a more secure link. This allowed the handset to be redirected to another server of the attacker's choice for future updates.
Solnik said most manufacturers and carriers had now patched up their OMA-DM systems but that a few were still vulnerable. Generally, manufacturers and carriers were keen to fix the flaw, but a few were dragging their feet, we're told. ®