ARLINGTON, VA–A number of researchers showed off interesting new attack techniques at the Black Hat DC conference this week, including one that enables an attacker to execute malicious code on handsets over the air.
Perhaps the most interesting technique discussed at the show was a novel attack developed by researcher Ralf-Philipp Weinmann that exploits weaknesses in the baseband processors of various smartphones, including iPhones. The attack is complex: Weinmann said it took him roughly a year to perfect, and it required extensive reverse engineering of the baseband processor and its GSM protocol stack, as well as a good deal of hardware knowledge.
The end result is that Weinmann can execute a memory-corruption attack against vulnerable handsets over the air. To do this, he set up a fake base station running the open-source OpenBTS software and spoofing a network operator. From it he sent specially crafted GSM messages over the air that can crash the phone, force it to reboot and give the attacker the ability to install a rootkit or backdoor for persistent access to the device.
The technique is most effective against handsets with a particular architecture in which the baseband processor and the application processor share the same RAM chip, Weinmann said, which gives a compromised baseband direct access to application-processor memory. Weinmann, a post-doctoral researcher at the University of Luxembourg, said the attack was made practical by the recent availability of open-source software for running GSM base stations and of cheap radio hardware. The hardware he used cost roughly $1,500.
During his demonstration at the conference, as soon as Weinmann turned on his malicious base station, many of the iPhones owned by audience members connected to it, which makes the attack easier to execute: a GSM handset camps on the strongest cell advertising its operator's network and has no way to verify that the cell is genuine. To make the attack most effective, Weinmann said, an attacker could place the base station, which is fairly small, in a crowded or sensitive area and wait for handsets to connect to it.
In a separate talk, a pair of researchers demonstrated another attack that lets them take control of the data transmitted by vulnerable mobile devices. The attack resembles Weinmann's in that it uses a rogue BTS, but the technique developed by Jose Pico and David Perez takes advantage of the lack of mutual authentication in GPRS and EDGE: the network authenticates the handset, but the handset never authenticates the network. The pair showed a video in which they forced a handset to connect to their base station and then monitored the communications from the device.
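The one-way authentication that both rogue-BTS attacks rely on is easiest to see in a small model. The following Python is an added example written for this page; it is not code from either talk, from OpenBTS or from any real baseband or SIM. It assumes HMAC-SHA256 as a stand-in for the SIM's A3/A8 functions (GSM/GPRS) and for the UMTS AKA f1 function, a simplified AUTN layout of SQN followed by MAC, and a constructed subscriber key KI. A GSM-style handset answers a challenge if the network sends one, but accepts a cell that never challenges it and obeys whatever cipher mode it is told to use, so a rogue BTS without Ki is accepted and can order A5/0 (no encryption). A handset that checks the network's MAC, as UMTS AKA does, rejects the same rogue cell.

```python
"""Toy model of handset attachment to a legitimate vs. a rogue base station.

Added example, not code from the Black Hat DC talks. HMAC-SHA256 stands in
for the SIM's A3/A8 and for UMTS f1; the key, RAND values and AUTN layout
are constructed for illustration.
"""
import hashlib
import hmac
import os

# Constructed subscriber key Ki. A real Ki never leaves the SIM.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for A3/A8: derive SRES (32 bits) and Kc (64 bits) from Ki and RAND."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]


def f1_mac(k: bytes, rand: bytes, sqn: bytes) -> bytes:
    """Stand-in for UMTS f1: a MAC over RAND and SQN that proves knowledge of K."""
    return hmac.new(k, b"AUTN" + sqn + rand, hashlib.sha256).digest()[:8]


class HomeNetwork:
    """Legitimate network: knows Ki, challenges the handset, turns on ciphering."""
    name = "home"

    def __init__(self, ki: bytes):
        self.ki, self.rand, self.sqn = ki, None, 0

    def challenge(self):
        self.rand = os.urandom(16)
        return self.rand

    def verify(self, sres: bytes) -> bool:
        return hmac.compare_digest(sres, a3_a8(self.ki, self.rand)[0])

    def cipher_mode(self) -> str:
        return "A5/1"

    def challenge_mutual(self):
        """UMTS-style challenge: RAND plus AUTN = SQN || MAC (simplified layout)."""
        self.rand = os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        self.sqn += 1
        return self.rand, sqn + f1_mac(self.ki, self.rand, sqn)


class RogueBTS:
    """Attacker's BTS: has no Ki, so it skips authentication and disables ciphering."""
    name = "rogue"

    def challenge(self):
        return None                      # authentication is optional in GSM/GPRS

    def verify(self, sres: bytes) -> bool:
        return True                      # cannot check SRES, accepts anything

    def cipher_mode(self) -> str:
        return "A5/0"                    # plaintext; the handset cannot refuse

    def challenge_mutual(self):
        rand = os.urandom(16)
        return rand, bytes(6) + os.urandom(8)   # no K, so the MAC is a guess


def gsm_attach(ki: bytes, bts):
    """GSM/GPRS handset: answers a challenge if sent, never checks the network."""
    rand = bts.challenge()
    if rand is not None:
        sres, _kc = a3_a8(ki, rand)
        if not bts.verify(sres):
            return (bts.name, "rejected by network")
    # Whatever the cell orders (including A5/0) is what the handset uses.
    return (bts.name, bts.cipher_mode())


def mutual_attach(ki: bytes, bts):
    """UMTS-AKA-style handset: recomputes the MAC in AUTN before trusting the cell."""
    rand, autn = bts.challenge_mutual()
    sqn, mac = autn[:6], autn[6:]
    if not hmac.compare_digest(mac, f1_mac(ki, rand, sqn)):
        return (bts.name, "rejected by handset: bad MAC")
    return (bts.name, "authenticated both ways")


if __name__ == "__main__":
    for bts in (HomeNetwork(KI), RogueBTS()):
        print("GSM   :", gsm_attach(KI, bts))
        print("mutual:", mutual_attach(KI, bts))
```

Running the script shows the GSM-style handset accepting both cells, ending up on the rogue one with A5/0 and no way to tell, while the mutual-authentication handset accepts only the home network. The strongest-cell selection that pulled the audience's iPhones onto Weinmann's BTS is not modelled here; the point is that once a handset has camped on a cell, nothing in the GSM/GPRS attach procedure lets it find out that the cell is not its operator's.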