Cyber security experts have discovered a software flaw that would allow cyber criminals to gain control of mobile phones and telecommunication networks. This is a pretty serious vulnerability as the mobile devices and the communication network can be taken over completely.
The software flaw has been found in a code library that had been developed by Pennsylvania-based Objective Systems Inc. and which is used in telecommunications equipment like baseband chips in phones, routers, switches, and radios in cell towers. The ASN.1 parsing code generated by ASN1C compiler for C/C++ developed by Objective Systems contains the software flaws, which is a heap overflow vulnerability. Exploiting this vulnerability is not easy, but it can be done by cyber criminals with extremely good skills. Successful exploitation would allow them to execute malicious code on these devices, which could allow them to bring down the network or eavesdrop on communication traversing through the network.
Cyber security experts state that the code was used for implementing the Abstract Syntax Notation One (ASN.1) telephony standard. They added that when this code receives ASN.1 encoded data, even from unknown/ untrusted sources, the heap overflow vulnerability could get triggered even without requiring any authentication, and remotely too.
Nearly all types of communication are affected –
- communication between untrusted endpoints
- communications between nodes in a network
- communications across carrier boundaries
- communications between mobile devices and telecom network infrastructure nodes
For the cyber criminals, targeting the mobile phone basebands is much easier than attacking the carrier network, as carriers could prevent malicious traffic from reaching components that could get affected. ASN.1 is considered to be the “backbone” of mobile telephone system. Exploiting the vulnerability requires considerable skill that is not easy at all. However, in case cyber criminals find out a way to execute malicious code by modifying carrier traffic then they could unleash havoc on the network. Further, even without executing code, the attackers could cause denial-of-service that could disrupt or crash the network.
CERT, the Vulnerability Notes Database at Carnegie Mellon University, Sponsored by the Department of Homeland Security (DHS), has released an advisory stating that presently only equipment manufactured by Qualcomm has been found to be exploitable. Research is still on to find out whether equipment manufactured by other manufacturers are exploitable.
A hotfix has been released by Objective Systems to fix the flaw, and network operators are advised to immediately run the patch for their systems. Patching is quite difficult considering the amount of equipment, but it has to be done.
In order to protect themselves from such vulnerabilities, malware and virus attacks, users of mobile phones should keep their operating system updated with the latest software patches. Further, they should also install an antivirus solution that prevents sophisticated malware attacks that exploit vulnerabilities in the system. The AV solution must be robust enough to prevent attacks by unknown files through default deny technology and auto-sandboxing.
As observed in the case here, carrier networks must ensure the security of their networks through implementation of effective patch management systems and encryption technologies.