Carrier Software Flaws Imperil Smartphones: Report
Wireless carriers pose a threat to mobile phone security, researchers have disclosed.
Mathew Solnik and Marc Blanchou of Accuvant this week told an audience at the Black Hat security conference in Las Vegas that Android, BlackBerry and some iOS devices are vulnerable.
The problem lies in a device management tool using the OMA Device Management Standard, which carriers embed into mobile devices in order to configure them and push over-the-air firmware updates, among other things.
The tool apparently is used in about 2 billion mobile phones worldwide.
"Until this is fixed, certain things like banking should not be done on a smartphone that doesn't have an aggressive patching policy," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
Android devices are particularly at risk because they dominate the market, the carriers control the upgrade cycle, and hackers can get access to the source code to refine their attacks, Enderle warned.
What the Vulnerability Allows
The management tool also is used to remotely configure handsets for roaming or voice over WiFi, as well as to lock a device to a specific carrier.
Each carrier and device manufacturer has its own custom implementation of the standard, and some implementations provide carriers with various extra features. These include remote wipe and remote factory reset, as well as remotely changing OS settings and even the PIN for the screen lock, Accuvant found.
Other features let a carrier identify nearby WiFi networks, disable the phone's camera, identify and activate, deactivate, and edit or remove applications on a handset with or without the device owner's knowledge or consent.
Some versions of the tool let carriers modify settings and servers for preinstalled applications, a feature hackers can exploit.
Other custom features let carriers retrieve synced contacts, offer a call redirect function -- which hackers can abuse, or program phone numbers to launch an application.
Many carriers have added encryption and authentication, but Accuvant found it easy to get around them.
Getting the Carriers on Board
Accuvant has notified the carriers and the company that makes the software, and the situation is being remedied.
The company that makes the software has issued a fix that solves the problem, according to Accuvant. In addition, baseband manufacturers have written code to implement the fix, and carriers are in the process of distributing the fix to existing phones.
The actual risks for consumers "tend to be overblown for two reasons," said Jan Dawson, chief analyst at Jackdaw Research.
"First, a consumer would have to be specifically targeted by someone with the motive, means and opportunity to take advantage of the vulnerability, which is ... very unlikely. Second, these vulnerabilities tend not to be publicized until they're patched," he told TechNewsWorld.
Implications for BYOD
Companies with Bring Your Own Device, or BYOD, policies "should, regardless of any specific vulnerability, make sure their devices are running the latest software from OEMs and carriers," Dawson said.
Enterprises should implement a network access control solution to lock out any device that has not been kept up-to-date with patching, Enderle suggested.
They also should review the update process with the carriers they use and drop those that don't issue timely updates, he said, and "it would be prudent to be aggressive with this policy."
Trouble With a Capital 'T'
Things "will likely get much worse going forward," Enderle predicted. "Phones are now the most vulnerable attack point [containing] identity information, and they are almost always connected outside of a firewall, making them the easiest target."
Corporations need to be on their toes -- 24 percent of the 1,100 security practitioners responding to the 2014 BYOD & Mobile Security Study conducted by the Information Security community on LinkedIn, said their organizations had no mobile device policy.
Also, 21 percent said privately owned devices were widely used in their organizations but were not supported by IT.