Hacking a Mobile Device’s Second Operating System

Great article on mobile phone insecurity last week on the OS News website. According to the article there are not one, but two operating systems at work in mobile communication devices that use 3G or LTE. The second operating system controls the radio and is based on 80’s communication standards and code written in the 90’s!

This age gap has left the second operating system very insecure. Exploits work against the ARM-based radio system just as they do against any other operating system.

The standards were written in a time when security was much less of a priority and many things were trusted by default:

“For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.”

According to the article, remote code exploits for the radio system have been found that are as small as 73 bytes. But the bigger problem is the blind trust that the radio places in the towers.

A rogue tower could be obtained and setup by an attacker:

“While we can sort-of assume that the base stations in cell towers operated by large carriers are “safe”, the fact of the matter is that base stations are becoming a lot cheaper, and are being sold on eBay – and there are even open source base station software packages. Such base stations can be used to target phones.”

But what could an attacker actually do with it?

“Put a compromised base station in a crowded area – or even a financial district or some other sensitive area – and you can remotely turn on microphones, cameras, place rootkits, place calls/send SMS messages to expensive numbers, and so on. Yes, you can even brick phones permanently.”

With the absolute saturation of smart phones in urban areas, an attack like this could cause a lot of problems. And with the capabilities this would offer, one would have to assume that military and government cyber teams will be looking into this, if they have not already.


620,000 Android Phones in China hit by Most Costly Malware in History


China may be the source for a lot of international cyber attacks and malware, but they get hit by it too. 620,000 Android phones in China were infected with a nasty virus that takes over the phone, collects personal information from it and begins to send costly text messages to benefit the malware maker.

Yesterday, security research company NQ Mobile created a press release about the discovery of the Android malware they dubbed “Bill Shocker”. Based on their findings they claim, “Bill Shocker is an SDK designed by malware developers that infects several of the most popular apps in China, including Tencent QQ Messenger and Sohu News.”

Bill Shocker then downloads itself in the background and takes over control of the phone, including dialing and texting features. And “Once the malware has turned the phone into a “zombie,” the infection uses the device to send text messages to the profit of advertisers. In many cases, the threat will overrun the user’s bundling quota, which subjects the user to additional charges,” the report says.

The malware could affect phones outside China and has the potential to be the most costly malware in history, according to NQ.

So what can you do to keep your phone safe? NQ offers several tips to avoid infection including:

  • Only download apps from trusted sources
  • Never accept application requests from unknown sources
  • Closely monitor permissions requested by any application
  • And be alert for abnormal behavior from your smart device
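The third tip, checking what an app asks for, can be done from the desktop with `adb shell dumpsys package <pkg>`, whose output lists the app's requested permissions. The script below is an added example, not from the original post or from NQ Mobile: it parses a constructed dumpsys excerpt for a hypothetical package and flags the permissions a Bill Shocker-style app needs to run up your bill (sending SMS, placing calls, restarting after reboot).

```python
"""Flag high-risk Android permissions from `adb shell dumpsys package <pkg>` output.

Added example (not the post's or NQ Mobile's code). The sample text below is a
constructed dumpsys excerpt for a hypothetical app, com.example.newsreader.
"""
from typing import Dict, List

# Permissions that let an app take over dialing/texting or persist, as Bill Shocker does.
HIGH_RISK: Dict[str, str] = {
    "android.permission.SEND_SMS": "can send premium-rate SMS without user interaction",
    "android.permission.CALL_PHONE": "can dial numbers without showing the dialer",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (e.g. carrier confirmations)",
    "android.permission.READ_CONTACTS": "can harvest the address book",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself after every reboot",
}

# Constructed sample, mimicking the `requested permissions:` section of dumpsys.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.newsreader] (3f2a1b):
    userId=10123
    versionName=2.1
    requested permissions:
      android.permission.INTERNET
      android.permission.SEND_SMS
      android.permission.CALL_PHONE
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
      android.permission.INTERNET: granted=true
"""

def parse_requested_permissions(dumpsys_text: str) -> List[str]:
    """Return the permission names listed under 'requested permissions:'."""
    perms: List[str] = []
    header_indent = None
    for line in dumpsys_text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if header_indent is None:
            if stripped == "requested permissions:":
                header_indent = indent
            continue
        # The section ends at the next line indented no deeper than its header.
        if not stripped or indent <= header_indent:
            break
        perms.append(stripped.split(":")[0])
    return perms

def flag_high_risk(perms: List[str]) -> Dict[str, str]:
    """Map each requested high-risk permission to the reason it matters."""
    return {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}

if __name__ == "__main__":
    for perm, why in flag_high_risk(parse_requested_permissions(SAMPLE_DUMPSYS)).items():
        print(f"{perm}: {why}")
```

Run it against real output by piping `adb shell dumpsys package <pkg>` into the parser; a news or messaging app that asks for SEND_SMS or CALL_PHONE deserves a second look before you keep it.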

NQ Mobile also offers a mobile device security solution that already protects against threats like Bill Shocker.

With mobile malware becoming more prevalent, Bring Your Own Device (BYOD) is really starting to increase the attack surface of corporate networks. Companies really need to take a good look at their Mobile user security policy if they haven’t done so already.

Android 4.0.4 Zero-Day Found, Galaxy S3 Pwned at Pwn2Own

Today at the EUSecWest conference “PWN2OWN” contest in Amsterdam, MWR Labs used a zero-day exploit to pwn an Android based Galaxy S3. MWR Labs used Mercury (their custom made framework to find vulnerabilities) to grab text messages, contacts, pictures and more from the phone:

“MWR showed an exploit against a previously undiscovered vulnerability on a Samsung Galaxy S3 phone running Android 4.0.4. Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation.

The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments.”

Check out their website for more information.

Security and Privacy Concerns for Mobile Devices

BYOD (Bring your own Device) is one of the latest tech fads. Bring in that tablet or smart phone from home and we will hook it right up to our corporate network for you! What a great thing, and the IT staff just loves it too! 🙂

But there are some serious concerns about mobile devices. For example in March of this year, Sen. Charles Schumer talked with both Apple and Google over privacy concerns. It seems that some mobile apps were grabbing private photos and contact information and downloading them to servers or other sites – without the user’s permission…

“It sends shivers up the spine to think that one’s personal photos, address book, and who knows what else can be obtained and even posted online without consent,” Senator Schumer wrote in a letter to the FTC.

Listing the permissions that an App wants during install is helpful. For example, on an Android device you are shown what the app wants access to – network access, phone access – but does everyone take the time to read them before they install the latest “gotta have” app? And even though apps are checked before being placed on Apple’s Marketplace, one common tactic that malicious programmers have used is to download malware with app updates.

And it is not just private data concerns that have been raising alarms. What about the video and recording features of smart devices or even the upcoming “Google Glasses”? Sure these are great in emergency situations, but what about at private meetings, secured facilities or around classified information?

An article in June from NY Times mentions some of the techniques that could be used to block smart phone recording features. SpyFinder camera detectors, Google algorithms for un-tagging people in photos, personal infrared and white noise generators are all mentioned.

Smart devices are excellent to use and a great convenience. But do you want them sharing your private contact information or personal photos? Do you really want recording devices and a possible additional malware platform inside your facility?

These are some of the security and privacy concerns that must be considered for both the individual user and the corporate environment.