LAS VEGAS – Device manufacturers and service providers quietly maintain a pervasive level of remote control over the devices they sell to consumers, so that they can push over-the-air (OTA) updates for a variety of reasons. Problematically, one popular product that enables this type of control is poorly secured, and knowledgeable attackers can exploit it to compromise affected smartphones, basebands, laptops and other electronic devices.
In a briefing at the Black Hat conference, Accuvant Labs researchers Mathew Solnik and Marc Blanchou explained that they could remotely hijack carrier-mandated remote-control functionality and inject a laundry list of commands, differing slightly from phone to phone, to initiate various functions on more than two billion connected consumer devices. Ultimately, by exploiting some fairly simple vulnerabilities in deployments of the Open Mobile Alliance Device Management (OMA-DM) protocol, Solnik and Blanchou claimed they could assume complete control of affected devices.
Troublingly, Solnik and Blanchou said that one particular OMA-DM client, the vDirect Mobile software developed by RedBend Software, commands between 70 and 90 percent of the market.
In what the researchers called their favorite potential attack, they claimed they could deploy a femtocell, nanoBTS or USRP B210 as a rogue base station: the radio transmits cellular signals, phones attach to it as though it were the carrier's network, and the attacker lands in a man-in-the-middle position. Once an affected device had attached, they could send wireless application protocol (WAP) push messages, which are carried over SMS, that appeared to originate from the appropriate service provider but actually came from the rogue base station.
They ran the attack in this test environment rather than on a live cellular network, but claim it would work on a number of network types, including LTE, CDMA and GSM, and against numerous platforms, including Android, BlackBerry and iOS.
Of course, when a service provider contacts a device over the air, there is a verification step. Unfortunately, for this particular OMA-DM product the verification is incredibly simple: the carrier authenticates itself to the client by presenting a combination of the phone's International Mobile Equipment Identity (IMEI), which a handset will disclose to any base station that asks for it, and a shared key, and that shared key is a static value followed by the particular phone's IMEI. In other words, the credential that unlocks nearly unlimited modification of billions of consumer devices is built from a vendor-wide constant and an identifier the attacker can observe, so it is more or less hardcoded.
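To make the weakness concrete, here is an added example, not code from the talk, from Accuvant or from RedBend, that models the server check as the article describes it beside a challenge-response check using a per-device secret and a fresh nonce, the shape of server authentication the OMA-DM specification itself defines. The static constant, the sample IMEI, the key sizes and the choice of SHA-256 are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Stand-in for the vendor-wide constant the talk described; the real value is
# not on the page and this one is invented for the example.
STATIC_SECRET = b"0000"


def weak_server_credential(static_secret: bytes, imei: str) -> bytes:
    """Server credential as the article describes it: a static value followed by
    the handset's IMEI. Neither input is secret from a rogue base station."""
    return static_secret + imei.encode()


class WeakClient:
    """Models a DM client that accepts any server presenting the static+IMEI credential."""

    def __init__(self, imei: str) -> None:
        self.imei = imei
        self._expected = weak_server_credential(STATIC_SECRET, imei)

    def accept_server(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self._expected)


def server_proof(device_secret: bytes, imei: str, nonce: bytes) -> bytes:
    """HMAC over the client's nonce and IMEI under a per-device secret.
    SHA-256 is used here for the example; the OMA-DM spec's own digest and MAC
    schemes are MD5-based, but the structure (secret + nonce) is the same."""
    return hmac.new(device_secret, nonce + imei.encode(), hashlib.sha256).digest()


class HardenedClient:
    """Per-device random secret plus a single-use nonce: the server must prove
    knowledge of the secret every session, and a captured proof cannot be replayed."""

    def __init__(self, imei: str, device_secret: bytes) -> None:
        self.imei = imei
        self._secret = device_secret
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def accept_server(self, proof: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = server_proof(self._secret, self.imei, self._nonce)
        self._nonce = None  # the nonce is consumed whether or not the proof checks out
        return hmac.compare_digest(proof, expected)


def run_scenarios() -> dict:
    """Attacker position: has observed the target's IMEI over the air and has
    recovered the static constant from some other device; knows no per-device secret."""
    target_imei = "490154203237518"  # constructed IMEI for the example
    attacker_static = STATIC_SECRET

    weak = WeakClient(target_imei)
    forged = weak_server_credential(attacker_static, target_imei)

    # Provisioned at manufacture and never sent over the air.
    device_secret = secrets.token_bytes(32)
    hard = HardenedClient(target_imei, device_secret)

    # The attacker tries the only key material they have against the hardened client.
    n1 = hard.challenge()
    forged_proof = server_proof(attacker_static, target_imei, n1)
    attacker_vs_hardened = hard.accept_server(forged_proof)

    # A legitimate carrier session, then a replay of the captured proof.
    n2 = hard.challenge()
    good_proof = server_proof(device_secret, target_imei, n2)
    legit_accepted = hard.accept_server(good_proof)
    hard.challenge()
    replay_accepted = hard.accept_server(good_proof)

    return {
        "weak_accepts_forgery": weak.accept_server(forged),
        "hardened_accepts_forgery": attacker_vs_hardened,
        "hardened_accepts_carrier": legit_accepted,
        "hardened_accepts_replay": replay_accepted,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The weak client accepts the forgery because everything it checks is either a constant shared by every device or an identifier the handset hands to whichever base station asks. The hardened client accepts the carrier's proof, rejects the attacker's attempt and rejects the replayed proof, because the only thing that makes a proof valid is a secret that never crosses the air plus a nonce that is used once.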
In the end, the attack provides full client access to anyone with a man-in-the-middle or DNS-control position. RedBend itself continually maintains this kind of control over an unknown number of devices from its own test servers, the researchers said, even though only the service providers are actually supposed to send OTA updates to devices.
Devices can also be instructed, via crafted WAP messages, to use HTTP test servers, which allows an attacker to place themselves in a MITM position. In theory, the researchers said, RedBend could use these test servers to reach any device with a single WAP push and no verification process.
Furthermore, an attacker can maintain a persistent MITM position by reconfiguring device settings so that traffic always travels over networks the attacker can see: modifying access point names (APNs), proxies, preferred roaming lists and home networks, or changing routes to preferred gateways. Once those changes are made, users, particularly those with locked devices, have little chance of remedy, and not even a factory reset will remove the attacker's control of an exploited device.
The researchers intended to prove their exploit with a live demonstration, but as time ran out they were unable to make the demo work.