A Comsecuris researcher revealed a baseband vulnerability affecting Huawei smartphones, laptop wireless WAN modules and internet of things components that enables memory corruption attacks over the air. How can these attacks take place, and how much risk do they present to users?
Baseband is firmware used in smartphones to connect to cellular networks, send and receive data, and make voice calls. It is also used in internet of things (IoT) devices and automobiles to provide network connectivity. Any vulnerabilities in baseband potentially expose modems to a range of attacks, enabling the attacker to monitor a device's communications, place calls, send text messages or exfiltrate data unbeknownst to the user.
Researcher Ralf-Philip Weinmann, managing director at security firm Comsecuris, demonstrated at the Infiltrate Conference how a baseband vulnerability in Huawei smartphones, laptop wide WAN modules and IoT components could be exploited to execute memory corruption attacks against affected devices over the air.
The overall risk to users is not high at present, as memory corruption attacks are highly technical; Weinmann said that it took him roughly a year to perfect it because he had to reverse-engineer the baseband processor and Global System for Mobile communication protocol stack. However, during Weinmann's demonstration, many of the audience's iPhones connected to his malicious base station when he turned it on. The fake base station ran software called OpenBTS on hardware that cost around $1,500.
This type of setup would allow an attacker to spoof a network operator and send specially crafted packets over the air to crash a phone, cause it to reboot and give the attacker the ability to install a rootkit or backdoor. The technique is most effective against handsets that have a specific architecture in which the baseband processor and the application processor share the same RAM chip.
At the heart of Weinmann's memory corruption attacks are baseband vulnerabilities he found in the Kirin application processor used in HiSilicon Balong integrated 4G LTE modems. HiSilicon Technologies is a subsidiary of Huawei Technologies.
The flawed firmware is present in a number of high-end Huawei Honor smartphones -- an estimated 33 million Honor smartphones were shipped in the third quarter of 2016, with as many as 50% of them likely to be using the flawed HiSilicon Balong modem. The modem may also be found in a number of laptops, IoT and automobile deployments.
Weinmann suspects HiSilicon may have accidentally released the Kirin firmware source code as part of a developer .TAR archive associated with the Huawei H60 Linux kernel data, making it easier to reverse-engineer. He has also disclosed additional critical vulnerabilities to Huawei, whose investigation is still ongoing.
Mobile communications present a significant and growing attack surface that needs across-the-board review and analysis, but testing this technology is risky due to wiretapping laws that make it illegal to intercept licensed frequencies used by wireless carriers.
Lessons learned from this particular research on memory corruption attacks are that users should be wary of connecting to networks at conferences or in other crowded areas, and devices should not be configured to automatically connect to new networks. For vendors, source code development controls and procedures must be watertight to prevent code inadvertently leaking into the public domain.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Find out why managing mobile devices is now an enterprise affair
Discover the top enterprise mobile security systems
Learn about the mobile security tools that last
Dig Deeper on Mobile security threats and prevention
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading