Black Hat: Most Smartphones Come with a Poorly Secured Back Door
A system designed to let carriers remotely install software on phones, or change their settings without a user noticing, is open to abuse.
A powerful remote-control system installed on most smartphones could be used by hackers to secretly take control of many devices, allowing theft of data or eavesdropping on communications.
Wireless carriers install the mechanism, known as ODM, in phones, tablets, and even cars as a way to distribute software updates and make configuration changes. Researchers with the computer security company Accuvant uncovered a series of flaws with ODM that could be exploited to gain the same remote-control powers.
In their tests, the Accuvant researchers could take over devices made by Apple and other major manufacturers. They gained the power to install any software on the devices, which would allow them to steal sensitive data. “An attacker can take full control,” said Mathew Solnik, a research scientist at Accuvant who presented the research at the Black Hat computer security conference Wednesday with colleague Marc Blanchou.
The attacks could also be used to reconfigure settings on a device—for example, to cause all data to flow via a server designed to collect communications. Many such settings are installed into a device’s “baseband” and are more or less impossible to erase. “Even if you ‘factory reset,’ you still can’t get rid of it,” says Solnik.
An estimated two billion cellular devices around the world have the ODM protocol installed, according to the researchers. Somewhere between 70 and 90 percent of those devices have been equipped with the same software package, made by Red Bend Software of Waltham, Massachusetts, to handle the remote-control functionality.
Despite its crucial role, that package hasn’t been updated substantially since 2004, said Solnik. He and Blanchou performed their proof-of-principle attacks using a suite of flaws found in that software, as well as in the design of the ODM protocol itself.
An attack requires either using a carrier’s infrastructure to communicate with phones or using a base station of your own. That’s easier than it might sound. Accuvant’s researchers were able to use off-the-shelf hardware and an open-source software package to create a system that would connect to phones within a 30-foot radius at relatively low cost (see “Build Your Own Cellular Network”). “With a single silent message, someone who is not your carrier can access the full functionality of your device,” said Solnik.
Android devices were found to be most vulnerable. The researchers could take over Apple devices only on Sprint’s network. Fully unlocked devices bought directly from a phone manufacturer were the most secure, because most didn’t have ODM software installed.
Accuvant disclosed its findings 90 days ago to Red Bend, the device manufacturers, and the wireless carriers affected. Several, including Red Bend, have already released patches to fix the problems, although it is unknown how widely they have been distributed.
Solnik believes attacks via ODM will remain possible even after those patches are applied. Flaws discovered in the way the ODM protocol connects to a device can’t be fixed until the industry agrees on a new design, he says.
The problems uncovered by Accuvant could also be of interest to law enforcement and surveillance agencies, which increasingly use malware to collect data. In the United States, it has become common for them to use mobile base stations to intercept text messages, phone calls, and data sent by nearby phones. Solnik told MIT Technology Review the same technology could be used as a platform for attacks like those he developed. For example, it could silently push malware onto phones. “It would be a similar type of device,” he said.