In 2013, the Pew Research Center’s Internet & American Life Project found that, for the first time, most American adults own a smartphone. With 55 percent of the survey’s respondents using either an iPhone or an Android device, and only 44 percent indicating they do not use a smartphone, it is apparent that smartphones have become an integral part of everyday life for many.
Two researchers from Accuvant Labs — Mathew Solnik and Marc Blanchou — have discovered, however, that this dependency on smartphones has put the data and private communications of millions at risk of being stolen. The weak point is the device management software that carriers and phone manufacturers embed in mobile devices for remote servicing: using a femtocell and a third-party software package, a hacker can remotely and covertly install malicious code on a device and take it over, something that could potentially affect over two billion smartphones worldwide.
A femtocell is a privately owned, short-range cellular-to-broadband connector used to extend cellular coverage in a residence or business. They are typically sold by the major wireless carriers and retailers for $150 to $250, and are expected to give full “five-bar” reception to any device located within 10 meters.
The ramifications of these findings are troubling, especially in light of recent revelations that the National Security Agency has worked to develop “back doors” or “zero-day vulnerabilities” in consumer devices and software to allow remote surveillance and the retrieval of data and settings in the devices of a targeted suspect. Additionally, news that some law enforcement agencies utilize “stingrays” or a false mobile tower to intercept and record cellular data without first receiving a court warrant suggests the possibility of further privacy intrusions, should the mobile device exploit become widely available.
The exploit utilizes a remote management tool carriers use to lock phones to their networks, distribute firmware updates, and manipulate phone settings to permit roaming or voice over Wi-Fi. This tool is used in Android and BlackBerry devices and in a small number of iPhones on the Sprint network. With a femtocell, a hacker can use the third-party software — which the researchers will not identify until the Black Hat USA 2014 security conference next week in Las Vegas — to broadcast over-the-air code that would allow the installation of a remotely retrieved app package, permit the changing of settings, reset the phone to its factory settings, or even change the phone’s lock PIN, depending on which features the carrier enabled for the tool. It is not known whether this exploit could work on Windows Mobile devices.
For some devices, the researchers found that they could access the web browser’s home page, access synced contacts, and program the call redirect function. This means that “convenience numbers” — such as dialing 299 from a Verizon phone to reach customer service — could be programmed remotely to dial any number the hacker wished or to run any instruction set, such as opening an app.
This is not the first time a femtocell has been shown to be capable of compromising a smartphone. At the 2013 Black Hat conference, researchers from iSEC Partners showed that a hacker can secretly intercept the voice calls, data, and text messages of any mobile device connected to a femtocell. As mobile devices automatically connect to the nearest tower, devices in range of an open femtocell would connect to it without the knowledge of the device’s owner.
During their presentation last year, the researchers were able to determine the origin and destination of a call, record the audio from both sides of the conversation, trick Apple’s iMessage into decrypting its messages so that they were readable to third parties, and clone CDMA phones in order to make the network believe that an imposter phone was actually the phone associated with an account.
While femtocell-based attacks are constrained by a femtocell’s short range, they still offer the potential for major privacy invasion — particularly if used in a heavily trafficked area or against a specific target. While patches have been issued to close the security holes presented in both years’ talks, concerns about how those patches are actually deployed may keep the femtocell exploits relevant.
For example, most carriers require a password to access a device’s management tools, and the connection to the carrier’s servers is encrypted. However, because the passwords are typically generated from a public identifier — such as the mobile device’s serial number, which is transmitted to any base station the device connects to — it is relatively simple, for anyone with the level of expertise needed to use a femtocell for remote hacking, to determine what the password is.
“They’re all taking a certain public identifier and a certain pre-shared token or secret and using that to derive the password,” Solnik told Wired. “There is some secret sauce added, but because it’s derived from this token that is already public knowledge, that can be reverse-engineered and reproduced…. We can more or less pre-calculate all passwords for any device in order to manage the client.”
The encryption can be undermined in a similar way, but the researchers believe that no one has exploited these vulnerabilities yet.
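To make concrete why a management password (or, as the paragraph above notes, an encryption key) that is derived from a public identifier plus one carrier-wide secret collapses once that secret is recovered, here is an added illustration that is not the researchers’ code and does not reproduce the real derivation, which the article does not give: the HMAC-based `derive_password`, the serial numbers and the `carrier_secret` are all constructed assumptions, and the per-device random token shows the alternative a carrier would want instead.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the scheme the article describes: the password for a
# device's management client is a function of a public identifier (a made-up
# serial number here) and a single secret shared by every device on the carrier.
# The real derivation is not on the page; this HMAC is purely an assumption.
def derive_password(public_id: str, carrier_secret: bytes) -> str:
    return hmac.new(carrier_secret, public_id.encode(), hashlib.sha256).hexdigest()[:16]

def passwords_from_shared_secret(public_ids, carrier_secret):
    """Models the exposure: whoever recovers the one shared secret (e.g. by
    reverse-engineering a single handset) can derive the password of every
    device whose public identifier they observe over the air."""
    return {pid: derive_password(pid, carrier_secret) for pid in public_ids}

def provision_per_device_credentials(public_ids):
    """Mitigation: a random token per device, provisioned once and stored by the
    carrier; nothing observable over the air lets one device's token be turned
    into another's."""
    return {pid: secrets.token_hex(16) for pid in public_ids}

def management_login(public_id: str, password: str, credential_store: dict) -> bool:
    """Server-side check shared by both schemes; constant-time comparison."""
    expected = credential_store.get(public_id)
    return expected is not None and hmac.compare_digest(expected, password)

def scheme_comparison():
    """Returns (logins accepted under the derived scheme, logins accepted under
    the per-device scheme) for the same set of derived guesses."""
    fleet = ["SN-0001", "SN-0002", "SN-0003"]        # constructed serial numbers
    carrier_secret = b"constructed-carrier-wide-secret"

    # Weak scheme: the carrier itself derives every password from the shared secret.
    derived_store = {pid: derive_password(pid, carrier_secret) for pid in fleet}
    guesses = passwords_from_shared_secret(fleet, carrier_secret)
    derived_hits = sum(management_login(pid, pw, derived_store) for pid, pw in guesses.items())

    # Hardened scheme: per-device random tokens; the same guesses open nothing.
    random_store = provision_per_device_credentials(fleet)
    random_hits = sum(management_login(pid, pw, random_store) for pid, pw in guesses.items())
    return derived_hits, random_hits
```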
“During our disclosure with the vendors, different vendors have processes to look through to see if there are any traces of someone exploiting the vulnerabilities and we haven’t heard that there are any traces that anyone has seen so far,” said Ryan Smith, chief scientist at Accuvant, to Wired.
The researchers found that the HTC One M7 and the BlackBerry Z10 are the most vulnerable to attacks on the management software. iPhones on the Sprint network that are running a version of iOS prior to 7.0.4 are also vulnerable. The carriers are currently preparing patches to address the vulnerability.