How iPhone, Android and other GSM phones are vulnerable to attack

Black Hat demonstration shows weaknesses in mobile standard

A demonstration of an attack against an Apple iPhone at the Black Hat Technical Security DC 2011 Conference in Arlington, Va., demonstrated that software in many GSM-based smart phones contains vulnerabilities that could open the phones to remote exploits.

GSM is the Global System for Mobile Communications standard that many popular smart phones use, including the iPhone and phones using the Android operating system.


Related stories:

4 threats to wireless security

Can we get ahead of security needs for the Next Big Thing?


Ralf-Philipp Weinmann, a researcher at the University of Luxembourg who has spent several years reverse-engineering GSM code in search of vulnerabilities, demonstrated results of his work in progress Wednesday, launching an exploit of an overflow vulnerability against his own iPhone 4.

Weinmann connected to the phone using a phony base station and caused it to crash. An attempt to activate the auto answer feature of the phone failed. Weinmann said that because of the nature of the vulnerability, there is a 50 percent chance of success with each attempt.

But “vulnerabilities in the GSM code base are plentiful and shallow,” he said, meaning that they are easy to access. Many can be exploited using open-source code and $1,500 worth of hardware.

“Phones have been an interesting target for a while,” he said, and smart phones are becoming more interesting as they contain larger amounts of information and have access to more network resources.

For several years now, experts have predicted that cell phones and other mobile computing devices would become the next frontier of hacking, but wide-scale threats have failed to appear so far. That could change as the phones become more powerful and common and as their user profile changes.

“You want to target phones used not only by the teenage crowd but by corporate executives as well,” Weinmann said.

For his attack, Weinmann used the GSM signaling connection to deliver commands over the air interface. The GSM codebase for most baseband stacks date to the 1990s and contain little protection against modern threats. Although Weinmann spent several years finding vulnerabilities, he said that with better tools the process now could be shortened to months. He has shared some of his work with vendors, who have begun patching software. But many phones still remain vulnerable.

For his attack, Weinmann created a small cellular base station using OpenBTS, a software-based GSM access point, or base transceiver station. In an actual attack, the base station would mimic the target’s commercial carrier network. Although Weinmann did not impersonate a carrier in his demonstration, he still found that a number of audience members' phones were connecting to his base station because there was no other cellular access available in the room.

A malicious base station could have a range of a mile or more if it has a good antenna. Although it depends on the target phone, the attack can be done quickly after the base station establishes a connection. “To pull it off, you just need a small time frame, like 30 seconds,” he said.

In its current state, the exploit is unreliable. But it theoretically could be used to remotely turn a phone into a bugging device that could record audio and upload files via a data connection.

Because there is no central infrastructure for such an attack, cell carriers can do little to protect users, and users can't do much if their phone is using software with vulnerabilities, Weinmann said.

“I can’t do anything defensive against this except not use the phone,” he said.

Reader Comments

Sun, Oct 27, 2013 dadang ependi indonesia

Flees BBM

Tue, Mar 15, 2011 Non IPhone Owner

To IPhonewner: Can you read...Ralf-Philipp Weinmann, a researcher at the University of Luxembourg who has spent several years reverse-engineering GSM code in search of vulnerabilities. Love your IPhone hopefully you will run into someone like this guy in the wild and he will hack your phone. Ha Ha Oh Well

Tue, Feb 1, 2011 ralphrides

If the iPhone was so flawed why are Apple corporate secrets still so secret? Once Apple Corporate executives migrated to the iPhone, Apple rumors almost ceased. Is it because they were no longer corresponding via cell phones, Apple mail or using WLAN to do business, I think not.

Fri, Jan 28, 2011 Dragginbutt

What is lost to most is that Android based technology is being brought to market very rapidly with very little in the way of security standards being implemented. Just look at the number of Apps already in place. Once the new Tablets using Android come to market, there will be a whole new group of people very upset when they find out the trinket they just bought exposes them in ways that we have never seen.

Mon, Jan 24, 2011

Honestly the real trick that they don't mention in this article is that you can hijack a phone and turn on the mic to listen in on whatever is going on around the phone and the only way you can prevent it is to remove the battery... They didn't even scratch the surface of true capabilities that are already out there to exploit.

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above