Hidden within hundreds of millions of mobile phones around the world is control software used by carriers to help set up devices and features. According to new research set to be presented at the Black Hat USA security conference this week in Las Vegas by researchers working at Accuvant, the carrier control software itself has security vulnerabilities in it that could be exposing the world’s mobile phone users to risk.
Carriers embed mobile device management (MDM)-type software into most mobile devices, Matthew Solnik, research scientist at Accuvant, told eWEEK. Carriers typically include features that enable them to configure phones for their network and can also be used to push firmware, over-the-air (OTA) updates, Solnik said. Other features that can be part of the carrier MDM software could enable remote lock, device wiping, diagnostics and resetting. The software could also potentially limit a device’s ability to use camera, GPS or WiFi.
Accuvant’s research found that at least 70 percent of the carriers it looked at use the same back-end carrier system with the same software, which also has a few nontrivial vulnerabilities.
“The authentication that is in use is insecure as it is using a public device identifier, such as IMEI (International Mobile Station Equipment Identity), as a critical point to get the client’s password,” Solnik said.
Solnik said that using IMEI, researchers can potentially pre-calculate and determine the passwords for mobile devices.
Going a step further, Accuvant’s researcher found that in the places where the carrier back end employs Secure Sockets Layer (SSL) encryption, the hostnames are not being properly validated. Solnik said that it’s possible for an attacker to perform a man-in-the-middle attack, intercepting traffic with the ability for the attacker to impersonate the carrier.
The attack would require the hacker to have a cellular base station and proximity to the end-user device that varies based on the power of the base station. With right equipment, an attacker could take control of a carrier’s MDM software and get full control over a user device, Solnik said. Even if a user has his or her lock screen on, the carrier MDM attack found by Accuvant could still be used.
“If the phone is on and is connected to a carrier network, the use of a lock screen does not have impact,” Solnik said. “We can actually affect the lock screen itself.”
In terms of impact, Solnik said nearly all smartphones in the market are at risk, including iOS and Android phones, though the risk does vary based on carrier.
“For Apple IOS, this is only on a single carrier,” Solnik said. “So iOS is the least affected of the bunch.”
Solnik said that for users who purchased a mobile device that was not locked to a specific carrier, then most likely there is a much lower chance the carrier MDM client is installed.
“If you bought a phone from a carrier and it has subsequently been unlocked and it still runs the carrier software, it is likely still vulnerable,” he said.
Disclosure
Accuvant has been working diligently to properly disclose its findings to service providers to mitigate the risk. Ryan Smith, vice president of research and chief scientist at Accuvant, told eWEEK that the mobile phone industry is extremely fragmented and there are perhaps 15 vendors that can work together to put software onto a device.
“All of the vendors we’ve spoken with have been incredibly helpful; they all want to get their customers patched,” Smith said.
There are a pair of primary software vendors that need to patch their software for the vulnerabilities, Smith said. He noted that once those vendors produce a patch, it needs to get distributed to the cellular baseband manufacturers and the carriers. From there, the actual handset vendors have to implement the code.
“It’s a huge spinning wheel, and we’ve been overwhelmed by the response and how well it is being coordinated,” Smith said.
Additionally, even though Accuvant will be discussing the cellular phone risks, the company is not releasing any exploit tools at Black Hat to take advantage of the cellular vulnerabilities.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.