The baseband firmware in your phone is the outermost layer of software, the "bare metal" code that has to be implicitly trusted by the phone's operating system and apps to work; a flaw in that firmware means that attackers can do scary things to your hone that the phone itself can't detect or defend against.



Now, a CERT advisory confirms an earlier report of a vulnerability in Qualcomm's baseband firmware, which is very widely deployed. Any patch for this vulnerability will have to be installed on billions of end points, many of them in hard-to-reach places, which means that attackers will be well-served by any work they do to exploit this vulnerability.

What's more, the vulnerability may affect other baseband radios, and researchers are closely examining them to see if they, too are susceptible to attack.

There are many conceivable ways to attack baseband radios, but the most obvious tactic would be to use a Stingray, Dirtbox, or other fake cellular tower.

For more than five years, security researchers have been warning that baseband radios are an avenue for unstoppable, undetectable attacks on all mobile devices and the networks they connect to. Though vulnerability reports of this sort are rare, that doesn't mean that bad guys — spy agencies, cyberweapons dealers, criminals — haven't figured out how to attack baseband radios.

Security expert HD Moore, who is principal at a firm called Special Circumstances, described the flaw as a "big deal" because of the breadth of gear that are at risk of complete takeover. "The baseband vulnerabilities are currently biggest concern for consumers, as successful exploitation can compromise the entire device, even when security hardening and encryption is in place," he wrote in an e-mail. "These issues can be exploited by someone with access to the mobile network and may also be exposed to an attacker operating a malicious cell network, using products like the Stingray or open source software like OsmocomBB." The library flaw also has the potential to put carrier equipment at risk if attackers figured out how to modify carrier traffic in a way that was able to exploit the vulnerability and execute malicious code. Moore went on to say the threat posed to carriers is probably smaller given the challenges of testing an exploit on the specific equipment used by a targeted carrier and the difficulty of funneling attack code into the vulnerable parts of its network.

Heap memory corruption in ASN.1 parsing code generated by Objective Systems Inc. ASN1C compiler for C/C++

[programa-stic/Github]



Objective Systems ASN1C generates code that contains a heap overlow vulnerability

[Vulnerability Notes Database/CERT]

Software flaw puts mobile phones and networks at risk of complete takeover

[Dan Goodin/Ars Technica]

(Image: Qualcomm MDM9615, Jojhnjoy, CC-BY-SA)

(Thanks, Nicksay!)