Hacking a Mobile Device’s Second Operating System

Great article on mobile phone insecurity last week on the OS News website. According to the article, there are not one but two operating systems at work in mobile communication devices that use 3G or LTE. The second operating system controls the radio and is based on 80s communication standards and code written in the 90s!

This age gap has left the second operating system very insecure. Exploits can work against the ARM-controlled radio system just as they do against any other device operating system.

The standards were written in a time when security was much less of a priority and many things were trusted by default:

“For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.”

According to the article, remote code exploits for the radio system have been found that are as small as 73 bytes. But the bigger problem is the blind trust that the radio places in the towers.

A rogue tower could be obtained and set up by an attacker:

“While we can sort-of assume that the base stations in cell towers operated by large carriers are “safe”, the fact of the matter is that base stations are becoming a lot cheaper, and are being sold on eBay – and there are even open source base station software packages. Such base stations can be used to target phones.”

But what could an attacker actually do with it?

“Put a compromised base station in a crowded area – or even a financial district or some other sensitive area – and you can remotely turn on microphones, cameras, place rootkits, place calls/send SMS messages to expensive numbers, and so on. Yes, you can even brick phones permanently.”

With the absolute saturation of smartphones in urban areas, an attack like this could cause a lot of problems. And given the capabilities this would offer, one would have to assume that military and government cyber teams will be looking into this, if they have not already.