Researcher Hacks Smartphone Radio Chips

At Black Hat a researcher is to demonstrate a technique for hacking into the baseband processors that power smartphone radios

Smartphones are vulnerable to hacking from a new direction, according to a University of Luxembourg researcher, who is to demonstrate his new hacking technique at the Black Hat conference in Washington, D.C. on Tuesday.

Research associate Ralf-Philipp Weinmann is to show how malicious mobile phone towers can be used to hack directly into a handset’s baseband processor, the chip used to send and receive radio signals.

Baseband vulnerabilities

Weinmann’s research has already resulted in smartphone security patches. Last November, for instance, Apple patched a bug affecting the iPhone 3G and later models that could have allowed malicious code to be executed on the baseband processor, crediting Weinmann for reporting the issue.

The bugs to be used in Tuesday’s demonstration affect the firmware used in Qualcomm and Infineon chips to process GSM signals, Weinmann has told the press. He said he will demonstrate the use of the auto-answer feature to turn a handset into a covert listening tool.

In the abstract published on the Black Hat website, Weinmann said the key to baseband hacking has been the introduction of relatively low-cost open-source packages for running GSM base stations, such as OpenBTS.

“Attack scenarios against smartphones have concentrated on vulnerable software executed on the application processor,” Weinmann wrote. “The operating systems running on these processors are getting hardened by vendors as can best be seen in the case of Apple’s iOS, which both uses data execution prevention and code signing to make exploitation of memory corruptions and running malicious software harder. In contrast, the GSM/3GPP stack running on the baseband processor has been neglected.”

He said the possibility of setting up a relatively cheap, malicious base station has not been taken into account in existing security models.

New type of attack

“Malicious base stations are not considered in the attack model assumed by the GSMA and the ETSI; similarly vendors of baseband stacks seem to not have taken malicious input from the network side into account,” he wrote.

He said his demonstration will show the first over-the-air exploitations of memory corruption in GSM/3GPP stacks that result in malicious code being executed on the baseband processors.

Recent iPhone hacks include a demonstration in April of last year showing Google’s Android operating system running on a first-generation iPhone.

In March of last year, at the Pwn2Own contest at CanSecWest Applied Security conference in Vancouver, Weinmann demonstrated an iPhone hacking technique that bypassed the code signing and data execution prevention features that normally prevent arbitrary code from running.

Working with security firm Zynamics, he “chained existing code bits” in a technique known as return-into-libc or return-oriented programming.