News

Black Hat: How iPhone, Android, Other GSM Phones Are Vulnerable To Attack

• By William Jackson
• 01/21/2011

A demonstration of an attack against an Apple iPhone at the Black Hat Technical Security DC 2011 Conference in Arlington, Va., demonstrated that software in many GSM-based smart phones contains vulnerabilities that could open the phones to remote exploits.

GSM is the Global System for Mobile Communications standard that many popular smart phones use, including the iPhone and phones using the Android operating system.

Ralf-Philipp Weinmann, a researcher at the University of Luxembourg who has spent several years reverse-engineering GSM code in search of vulnerabilities, demonstrated results of his work in progress Wednesday, launching an exploit of an overflow vulnerability against his own iPhone 4.

Weinmann connected to the phone using a phony base station and caused it to crash. An attempt to activate the auto answer feature of the phone failed. Weinmann said that because of the nature of the vulnerability, there is a 50 percent chance of success with each attempt.

But "vulnerabilities in the GSM code base are plentiful and shallow," he said, meaning that they are easy to access. Many can be exploited using open-source code and $1,500 worth of hardware.

"Phones have been an interesting target for a while," he said, and smart phones are becoming more interesting as they contain larger amounts of information and have access to more network resources.

For several years now, experts have predicted that cell phones and other mobile computing devices would become the next frontier of hacking, but wide-scale threats have failed to appear so far. That could change as the phones become more powerful and common and as their user profile changes.

"You want to target phones used not only by the teenage crowd but by corporate executives as well," Weinmann said.

For his attack, Weinmann used the GSM signaling connection to deliver commands over the air interface. The GSM codebase for most baseband stacks date to the 1990s and contain little protection against modern threats. Although Weinmann spent several years finding vulnerabilities, he said that with better tools the process now could be shortened to months. He has shared some of his work with vendors, who have begun patching software. But many phones still remain vulnerable.

For his attack, Weinmann created a small cellular base station using OpenBTS, a software-based GSM access point, or base transceiver station. In an actual attack, the base station would mimic the target's commercial carrier network. Although Weinmann did not impersonate a carrier in his demonstration, he still found that a number of audience members' phones were connecting to his base station because there was no other cellular access available in the room.

A malicious base station could have a range of a mile or more if it has a good antenna. Although it depends on the target phone, the attack can be done quickly after the base station establishes a connection. "To pull it off, you just need a small time frame, like 30 seconds," he said.

In its current state, the exploit is unreliable. But it theoretically could be used to remotely turn a phone into a bugging device that could record audio and upload files via a data connection.

Because there is no central infrastructure for such an attack, cell carriers can do little to protect users, and users can't do much if their phone is using software with vulnerabilities, Weinmann said.

"I can't do anything defensive against this except not use the phone," he said.