Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol

Presented at Black Hat Europe 2014, Oct. 16, 2014, 10:15 a.m. (60 minutes).

Since the introduction of the smart phone, the issue of control has entered a new paradigm. Manufacturers and enterprises have claimed control over not just how your phone operates, but the software that is allowed to run on it. However, few people know that service providers have a hidden and pervasive level of control over your device. These hidden controls can be found in over 2 billion cellular devices worldwide. Organizations have been quietly deploying these controls in smart phones, feature phones, basebands, laptops, embedded M2M devices, and even certain cars. Someone with knowledge of these controls and the right techniques could potentially leverage them for cellular exploitation on a global scale.

We've reverse engineered embedded baseband and application space code. We've torn apart the Over-the-Air communications and implemented our own code to speak the relevant protocols. Layer by layer, we've deconstructed these hidden controls to learn how they work. While performing this work, we've unearthed subtle flaws in how the communication is handled and implemented. After understanding these flaws, we've written proof-of-concept exploits to demonstrate the true risk this software presents to the end user.

In this presentation, we will discuss and disclose how Over-the-Air code execution can be obtained on the major cellular platforms and networks (GSM/CDMA/LTE), including but not limited to Android, iOS, Blackberry, and embedded M2M devices. You will come away from this talk armed with detailed insight into these hidden control mechanisms, as well as the tools to help assess and protect against the new threats this hidden attack surface presents. These tools will include the ability to dynamically test proprietary system applications and simulate different aspects of a cellular environment.


Presenters:

  • Mathew Solnik - Accuvant Labs
    Mathew Solnik works in consulting and research with Accuvant LABS. Mathew's primary focus is in the mobile, M2M, and embedded space, specializing in cellular network, hardware-level, and OS-level security. Prior to joining LABS, Mathew was a Senior Member of Technical Staff at Appthority, Inc., where he helped design and build an automated mobile threat and malware analysis platform for use in the Enterprise and Defense space. Prior to Appthority, Mathew held positions in multiple areas of IT and security, including consulting for iSEC Partners, where he performed the first Over-The-Air Car Hack (as featured in a previous Black Hat talk), and R&D for Ironkey, where he handled in-house penetration testing and design review for multiple DARPA-funded projects.
