Secret Controls Can Be Used to Hijack Cellphones, Cars


LAS VEGAS — Two billion cellphones in use today have hidden, often poorly secured controls that could let hackers access the devices, two researchers said yesterday (Aug. 6) at the BlackHat security conference here.

In a presentation entitled "Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol," Mathew Solnik and Marc Blanchou of Denver-based Accuvant Labs explained that the problems derive from poor implementation of the Open Mobile Alliance Device Managerment (OMA-DM) protocol.

MORE: Mobile Security Guide: Everything You Need to Know

OMA-DM is used by cellular carriers worldwide to provision, troubleshoot and send software updates to phones. For example, if you bought an Android phone from a carrier rather than from Google, Blanchou and Solnik explained, then the phone's software updates come through OMA-DM. (Most iPhones and iPads do not use the standard, except for devices sold by Sprint.)

This call has been intercepted

Yet the security of those software updates can be trivial to bypass. Many carriers verify updates with a "signature" that is a combination of the targeted device's unique ID number and a secret encoding token, but some carriers, the researchers said, use a single token for all updates to all devices on their networks.

Comparing verification codes sent to two or more phones with the phones' easily found ID numbers will yield the carrier's encoding token. Once that's obtained, an attacker can then "sign" software and target individual phones with bogus updates that could eavesdrop on calls, steal personal or financial data or even seize total control.

The phones' regular communications with the carriers' OMA-DM servers are also vulnerable. Due to poor implementation of secure-transmission standards, it's often possible to stage "man-in-the-middle" attacks in which a hacker secretly intercepts and modifies messages traveling between the phone and the carrier.

Using such methods, Blanchou and Solnik said, a sophisticated attacker could undertake what they called "malicious network reconfiguration" — forcing devices to switch to other Internet access points, other preferred cellular networks or even other OMA-DM servers, including those controlled by attackers.

Not just phones, and not getting better

Cellphones are not the only devices to use OMA-DM. Most devices that uses cellular networks — tablets, Wi-Fi hotspots, embedded "Internet of things" devices, laptops with wireless cards — do as well.

Most significantly, many vehicles with remote-assistance features such as OnStar are also using the standard. While hacker takeover of a cellphone is inconvenient and often costly, hacker takeover of a vehicle can be fatal.

The vulnerabilities are only becoming more numerous, Solnik and Blanchou said, with the transition from 3G to 4G networks.

Normally, cellular security improves with technological advances — witness the dramatic decline in "cloned" phones once carriers switched from analog to digital networks a little more than a decade ago. That's not the case with OMA-DM, the researchers explained.

While there isn't a large "attack surface" on 3G networks, at least in North America, the attack surface greatly increases with 4G and LTE networks, which are very similar to the traditional Internet data protocols that hackers are familiar with.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.