Secret Controls Can Be Used to Hijack Cellphones, Cars

Source: Tom's Guide US


LAS VEGAS — Two billion cellphones in use today have hidden, often poorly secured controls that could let hackers access the devices, two researchers said yesterday (Aug. 6) at the BlackHat security conference here.

In a presentation entitled "Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol," Mathew Solnik and Marc Blanchou of Denver-based Accuvant Labs explained that the problems derive from poor implementation of the Open Mobile Alliance Device Management (OMA-DM) protocol.

OMA-DM is used by cellular carriers worldwide to provision, troubleshoot and send software updates to phones. For example, if you bought an Android phone from a carrier rather than from Google, Blanchou and Solnik explained, then the phone's software updates come through OMA-DM. (Most iPhones and iPads do not use the standard, except for devices sold by Sprint.)

This call has been intercepted

Yet the security of those software updates can be trivial to bypass. Many carriers verify updates with a "signature" that is a combination of the targeted device's unique ID number and a secret encoding token, but some carriers, the researchers said, use a single token for all updates to all devices on their networks.

Comparing verification codes sent to two or more phones with the phones' easily found ID numbers will yield the carrier's encoding token. Once that's obtained, an attacker can then "sign" software and target individual phones with bogus updates that could eavesdrop on calls, steal personal or financial data or even seize total control.
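An added illustration, not code from the article or the researchers: it compares how many devices are exposed when one device's verification secret leaks, under a fleet-wide token versus per-device keys derived from a server-only master key. The article does not say how carriers combine the ID and token, so the HMAC construction, the key derivation and every name and value below are assumptions.

```python
import hashlib
import hmac

MASTER_KEY = b"constructed-master-key"     # constructed; stays on the update server
FLEET_TOKEN = b"constructed-fleet-token"   # constructed; copied to every device


def tag(secret: bytes, device_id: str, update: bytes) -> bytes:
    """Authentication tag over the device ID and the update image."""
    return hmac.new(secret, device_id.encode() + b"|" + update, hashlib.sha256).digest()


def shared_secret(device_id: str) -> bytes:
    """Weak provisioning: every device verifies with the same token."""
    return FLEET_TOKEN


def diversified_secret(device_id: str) -> bytes:
    """Hardened provisioning: per-device key derived from a server-only master key."""
    return hmac.new(MASTER_KEY, b"update-auth|" + device_id.encode(), hashlib.sha256).digest()


def accepts(provision, device_id: str, update: bytes, presented: bytes) -> bool:
    """Device-side check, constant-time, using the secret this device was provisioned with."""
    return hmac.compare_digest(tag(provision(device_id), device_id, update), presented)


def blast_radius(provision, leaked_from: str, fleet: list[str], update: bytes) -> int:
    """Number of devices that accept an update tagged with the one secret held by `leaked_from`."""
    leaked = provision(leaked_from)
    return sum(accepts(provision, d, update, tag(leaked, d, update)) for d in fleet)


if __name__ == "__main__":
    fleet = [f"device-{n:04d}" for n in range(1, 6)]   # constructed device IDs
    image = b"constructed update image"
    print("shared token :", blast_radius(shared_secret, fleet[0], fleet, image))
    print("per-device   :", blast_radius(diversified_secret, fleet[0], fleet, image))
```

Per-device symmetric keys limit a leak to one device but still leave a tag-capable secret on that device. Verifying updates against an asymmetric signature, with only the public key on the device, removes that exposure.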

The phones' regular communications with the carriers' OMA-DM servers are also vulnerable. Due to poor implementation of secure-transmission standards, it's often possible to stage "man-in-the-middle" attacks in which a hacker secretly intercepts and modifies messages traveling between the phone and the carrier.

Using such methods, Blanchou and Solnik said, a sophisticated attacker could undertake what they called "malicious network reconfiguration" — forcing devices to switch to other Internet access points, other preferred cellular networks or even other OMA-DM servers, including those controlled by attackers.

Unlocking Android phones remotely from a laptop

Not just phones, and not getting better

Cellphones are not the only devices to use OMA-DM. Most devices that use cellular networks — tablets, Wi-Fi hotspots, embedded "Internet of things" devices, laptops with wireless cards — do as well.

Most significantly, many vehicles with remote-assistance features such as OnStar are also using the standard. While hacker takeover of a cellphone is inconvenient and often costly, hacker takeover of a vehicle can be fatal.

The vulnerabilities are only becoming more numerous, Solnik and Blanchou said, with the transition from 3G to 4G networks.

Normally, cellular security improves with technological advances — witness the dramatic decline in "cloned" phones once carriers switched from analog to digital networks a little more than a decade ago. That's not the case with OMA-DM, the researchers explained.

While there isn't a large "attack surface" on 3G networks, at least in North America, the attack surface greatly increases with 4G and LTE networks, which are very similar to the traditional Internet data protocols that hackers are familiar with.

Over-the-air jailbreak of iPhone 5c

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.
