MIAMI—A previously undisclosed baseband vulnerability impacting Huawei smartphones, laptop WWAN modules and IoT components was revealed Thursday at the Infiltrate Conference by researcher Ralf-Phillip Weinmann, managing director at security firm Comsecuris. In one attack scenario, the vulnerability could be used by attackers to execute a memory-corruption attack against vulnerable devices over the air.
Successful exploits, however, have a number of difficult requirements that reduce the overall risk to users.
Weinmann said the baseband vulnerability is within the HiSilicon Balong integrated 4G LTE modems. Hisilicon Technologies is a subsidiary of Huawei Technologies. The Balong application processor is called Kirin. The flawed firmware is present in a number of high-end Huawei Honor smartphones including the P10, Huawei Mate 9, Honor 9, 7, 5c and 6, Weinmann said.
The researcher could not confirm how many of the specific models are impacted by the flaw. He estimated tens of millions of Honor smartphones could be vulnerable to attack by the chipset. He said 33 million Honor smartphones were shipped in third quarter of 2016 alone and that as many as 50 percent of the phones are likely using the HiSilicon Balong chipset.
Baseband is firmware used by cellular modem manufacturers and used on smartphones to connect to cellular networks, send and receive data, and make voice calls. Baseband vulnerabilities expose modems to a range of vulnerabilities, according to Weinmann, who has been researching baseband vulnerabilities for years.
Baseband vulnerabilities give attackers the ability to monitor a phone’s communications, place calls, send premium SMS messages or cause large data transfers unbeknownst to the owner of the phone.
In his talk, Weinmann gave an overview of several baseband vulnerabilities found in the Kirin application processor, citing them as an examples of a new and vulnerable attack surface worth the security community’s attention.
In addition to Huawei smartphones, an undisclosed number of laptops manufactured by a leading computer maker that use the HiSilicon Balong integrated modem are also vulnerable to attacks. The modem is also slated to be used in a number IoT and automobiles deployments, Weinmann said.
“This baseband is much easier to exploit than other basebands. Why? I’m not sure if this was intentional, but the vendor actually published the source code for the baseband which is unusual,” Weinmann said. “Also, the malleability of this baseband implantation doesn’t just make it good for device experimenting, but also network testing.”
Weinmann suspects HiSilicon may have inadvertently released the Kirin firmware source code as part of a developer tar archive associated with the Huawei H60 Linux kernel data. Further analysis allowed him to find additional vulnerabilities within the baseband’s POSIX compliant operating system.
Huawei did not return requests for comment.
In his investigation, Weinmann determined the firmware VxWorks was used, and found the command execution program C-Shell. “When I found this, I was struck by how weird this was. This allows you to call arbitrary exported functions. It’s a not full shell and didn’t quite allow you to do much more than toy around with things.”
Despite the limited C-Shell functions, he was able to dump and modify memory, get task info, start new tasks and load dynamic kernel modules from standard input.
In his talk, Weinmann demonstrated several ways to hack phones reusing some of the IMS NIC functionality to establish cellular data connections from baseband without any visibility from the Android OS.
Since 2011, at his Black Hat presentation, Weinmann has warned of such baseband hacks. In the past, he has found bugs found in the firmware on mobile phone chipsets sold by Qualcomm and Infineon Technologies running on both iPhones and Android devices.
One attack scenario discussed is complex and involves setting up a fake base station using open-source software called OpenLTE that spoofs a network operator. He then is able to send specially crafted packets over the air that can crash a phone via a stack buffer overflow in the LTE stack. That causes the phone to reboot and gives the attacker the ability to install a rootkit or backdoor to enable persistent access to the device.
Another attack scenario requires physical access to the phone, carrier private key pair data, and the ability to install software tools on the firmware. “It requires key material that is stored both by the carrier and on the SIM card in order to pass the mutual authentication between the phone and the network. Without this key material, a base station cannot pose as a legit network towards the device.” For this reason, in this context the vulnerability represents a low threat, he said.
Weinmann was able bring down the cost and complexity of his testing by creating his own VxWorks build environment using an evaluation version of VxWorks 7.0 that shipped with Intel Galileo several years ago. This, he said, was to have a Lua scripting interpreter run in the baseband allowing for further exploration.
Offensive testing of this technology is also risky, considering wiretapping laws that make it federal offense to illegally intercept licensed frequencies used by wireless carriers.
More specific details regarding the vulnerability are being withheld until Huawei has a chance to address and patch the vulnerability, Weinmann said. “I have chosen to only disclose lower-severity findings for now. Higher severity findings are in the pipeline.”