A Comsecuris researcher revealed a baseband vulnerability affecting Huawei smartphones, laptop wireless WAN modules and internet of things components that enables memory corruption attacks over the air. How can these attacks take place, and how much risk do they present to users?
Baseband is firmware used in smartphones to connect to cellular networks, send and receive data, and make voice calls. It is also used in internet of things (IoT) devices and automobiles to provide network connectivity. Any vulnerabilities in baseband potentially expose modems to a range of attacks, enabling the attacker to monitor a device's communications, place calls, send text messages or exfiltrate data unbeknownst to the user.
Researcher Ralf-Philipp Weinmann, managing director at security firm Comsecuris, demonstrated at the Infiltrate Conference how a baseband vulnerability in Huawei smartphones, laptop wireless WAN modules and IoT components could be exploited to execute memory corruption attacks against affected devices over the air.
The overall risk to users is not high at present, as memory corruption attacks are highly technical; Weinmann said that it took him roughly a year to perfect the attack because he had to reverse-engineer the baseband processor and the Global System for Mobile Communications (GSM) protocol stack. However, during Weinmann's demonstration, many of the audience's iPhones connected to his malicious base station when he turned it on. The fake base station ran software called OpenBTS on hardware that cost around $1,500.
This type of setup would allow an attacker to spoof a network operator and send specially crafted packets over the air to crash a phone, cause it to reboot and give the attacker the ability to install a rootkit or backdoor. The technique is most effective against handsets that have a specific architecture in which the baseband processor and the application processor share the same RAM chip.
At the heart of Weinmann's memory corruption attacks are baseband vulnerabilities he found in the HiSilicon Balong 4G LTE modem integrated into Kirin application processors. HiSilicon Technologies is a subsidiary of Huawei Technologies.
The flawed firmware is present in a number of high-end Huawei Honor smartphones -- an estimated 33 million Honor smartphones were shipped in the third quarter of 2016, with as many as 50% of them likely to be using the flawed HiSilicon Balong modem. The modem may also be found in a number of laptops, IoT and automobile deployments.
Weinmann suspects HiSilicon may have accidentally released the Kirin firmware source code as part of a developer .TAR archive associated with the Huawei H60 Linux kernel data, making it easier to reverse-engineer. He has also disclosed additional critical vulnerabilities to Huawei, whose investigation is still ongoing.
Mobile communications present a significant and growing attack surface that needs across-the-board review and analysis, but testing this technology is risky due to wiretapping laws that make it illegal to intercept licensed frequencies used by wireless carriers.
Lessons learned from this particular research on memory corruption attacks are that users should be wary of connecting to networks at conferences or in other crowded areas, and devices should not be configured to automatically connect to new networks. For vendors, source code development controls and procedures must be watertight to prevent code inadvertently leaking into the public domain.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)