Over the weekend, we learned how the purported “NSA-proof” Blackphone was rooted in a very short time. The hacker behind the finding, @TeamAndIRC, came under fire from BlackBerry users when he claimed the BlackBerry platform was just as insecure, and that its reputation rested on obscurity and a smaller userbase than other mobile platforms.
News is now trickling out from the BlackHat 2014 conference, held in Las Vegas last week, of a vulnerability affecting upwards of two billion devices. Accuvant researchers Mathew Solnik and Marc Blanchou told attendees that the problem lies in the Open Mobile Alliance Device Management (OMA-DM) protocol, which roughly 100 handset manufacturers use to deliver software updates and perform network administration.
To gain remote access to a device, an attacker needs the handset’s unique International Mobile Station Equipment Identity (IMEI) number and a secret token. The researchers claim neither is hard to obtain: IMEIs are easy to come by, and several carriers’ secret tokens are not much harder.
Using a WAP message sent over the air from a base station, the Accuvant researchers said they could push code to a phone and execute it, exploiting memory-corruption bugs in the handset software to take full control of the device without the user noticing.
To demonstrate the attack, the researchers used a rogue femtocell that could reach Android, BlackBerry and a small number of iOS devices through the flawed management protocol. Mathew Solnik asked the audience to switch off their phones during the demonstration and set the femtocell to its lowest power setting; it still picked up more than 70 handsets in the room that were ripe for hacking.
The researchers found Android generally wide open to the exploits, as were BlackBerry and a host of embedded systems. iOS devices were tougher: most were immune, but some iPhones on Sprint could be accessed wirelessly, and others could be vulnerable if the user is tricked into accepting an update.
The researchers also found the phones vulnerable to a man-in-the-middle attack: a handset could be enticed into checking in with its OMA-DM server, and because that connection used plain HTTP rather than HTTPS, an attacker in the path could redirect the handset to a server of the attacker’s choice for future updates.
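As an added illustration (not the researchers’ code, and not an OMA-DM implementation), here is a simplified Python model of that check-in. OMA-DM carries the address for the next message in the SyncHdr/RespURI element of the server’s SyncML reply; the XML below imitates that shape, the hostnames are hypothetical, and nothing touches the network. It shows what an in-path attacker can do to a plaintext reply, a client that follows the new address blindly, and a client that refuses anything that is not HTTPS on the host it was bootstrapped with.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hypothetical hostnames for the simulation; no traffic is sent anywhere.
CARRIER_DM = "http://dm.carrier.example/dm"     # plaintext, as the talk described
ATTACKER_DM = "http://dm.attacker.example/dm"   # rogue server the MITM points at


def server_reply(session_id: str, resp_uri: str) -> bytes:
    """Build a minimal SyncML-style reply. Real OMA-DM puts the address for
    subsequent messages in SyncHdr/RespURI; this is a stripped-down imitation."""
    root = ET.Element("SyncML")
    hdr = ET.SubElement(root, "SyncHdr")
    ET.SubElement(hdr, "SessionID").text = session_id
    ET.SubElement(hdr, "RespURI").text = resp_uri
    body = ET.SubElement(root, "SyncBody")
    ET.SubElement(body, "Status").text = "200"
    return ET.tostring(root)


def mitm_rewrite(reply: bytes, rogue_uri: str) -> bytes:
    """What an attacker on the path can do when the check-in is plain HTTP:
    rewrite RespURI so every later message (and update) goes to the rogue server."""
    root = ET.fromstring(reply)
    root.find("SyncHdr/RespURI").text = rogue_uri
    return ET.tostring(root)


def naive_next_server(reply: bytes, bootstrapped: str) -> str:
    """Client that follows RespURI unconditionally (the behaviour described above)."""
    root = ET.fromstring(reply)
    return root.findtext("SyncHdr/RespURI") or bootstrapped


def reject_reason(uri: str, bootstrapped: str):
    """Return None if uri is acceptable as a DM server, else a short reason.
    Policy: HTTPS only, and only the host the device was bootstrapped with."""
    new, old = urlparse(uri), urlparse(bootstrapped)
    if new.scheme != "https":
        return f"refusing non-HTTPS DM server: {uri}"
    if new.hostname != old.hostname:
        return f"refusing DM server on a different host: {uri}"
    return None


def hardened_next_server(reply: bytes, bootstrapped: str) -> str:
    """Client that applies reject_reason() to RespURI before honouring it.
    (Validating the server's TLS certificate is still required on top of this.)"""
    root = ET.fromstring(reply)
    uri = root.findtext("SyncHdr/RespURI")
    if not uri:
        return bootstrapped
    reason = reject_reason(uri, bootstrapped)
    if reason:
        raise ValueError(reason)
    return uri


def simulate(client) -> str:
    """Run one check-in whose reply crosses an attacker-controlled path and
    report where the given client would send its next message."""
    genuine = server_reply("1", CARRIER_DM)
    tampered = mitm_rewrite(genuine, ATTACKER_DM)
    try:
        return client(tampered, CARRIER_DM)
    except ValueError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    print("naive client next talks to:   ", simulate(naive_next_server))
    print("hardened client next talks to:", simulate(hardened_next_server))
```

The scheme and host checks are the cheap part; the point the researchers made is that without HTTPS the client cannot tell a carrier reply from a rewritten one at all, and with HTTPS it still has to validate (ideally pin) the DM server’s certificate, or the same rewrite becomes possible for anyone who can present a certificate the handset trusts.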
The researchers said most manufacturers had fixed the flaw, but that some were still dragging their feet. It will be interesting to learn whether BlackBerry has already corrected it. BlackBerry uses Red Bend’s OTA software, for which Red Bend issued a patch in June 2014. However, any BlackBerry device that has not been updated since that patch, and does not restrict its OMA-DM traffic to HTTPS, may still be vulnerable to the OMA-DM exploit.