1. amkas90's Avatar
    Hackers Can Control Your Phone Using a Tool That's Already Built Into It | Threat Level | WIRED

    According to the Wired article, the BB Z10 and HTC One M7 are the two most vulnerable phones....

    -------

    A lot of concern about the NSA's seemingly omnipresent surveillance over the last year has focused on the agency's efforts to install back doors in software and hardware. Those efforts are greatly aided, however, if the agency can piggyback on embedded software already on a system that can be exploited.

    Two researchers have uncovered such built-in vulnerabilities in a large number of smartphones that would allow government spies and sophisticated hackers to install malicious code and take control of the device.

    The attacks would require proximity to the phones, using a rogue base station or femtocell, and a high level of skill to pull off. But it took Mathew Solnik and Marc Blanchou, two research consultants with Accuvant Labs, just a few months to discover the vulnerabilities and exploit them.

    The vulnerabilities lie within a device management tool carriers and manufacturers embed in handsets and tablets to remotely configure them. Though some design their own tool, most use a tool developed by a specific third-party vendor—which the researchers will not identify until they present their findings next week at the Black Hat security conference in Las Vegas. The tool is used in some form in more than 2 billion phones worldwide. The vulnerabilities, they say, were found so far in Android and BlackBerry devices and a small number of Apple iPhones used by Sprint customers. They haven't looked at Windows Mobile devices yet.

    The researchers say there's no sign that anyone has exploited the vulnerabilities in the wild, and the company that makes the tool has issued a fix that solves the problem. But it's now up to carriers to distribute it to users in a firmware update.

    Carriers use the management tool to send over-the-air firmware upgrades, to remotely configure handsets for roaming or voice-over WiFi and to lock the devices to specific service providers. But each carrier and manufacturer has its own custom implementation of the client, and there are many that provide the carrier with an array of additional features.

    To give carriers the ability to do these things, the management tool operates at the highest level of privilege on devices, which means an attacker who accesses and exploits the tool has the same abilities as the carriers.

    The management tools are implemented using a core standard, developed by the Open Mobile Alliance, called OMA device management. From these guidelines, each carrier can choose a base set of features or request additional ones. Solnik says they found that some phones have features for remotely wiping the device or conducting a factory reset, altering operating system settings and even remotely changing the PIN for the screen lock.

    They've also found systems that allow the carrier to identify nearby WiFi networks, remotely enable and disable Bluetooth or disable the phone's camera. More significantly, they've found systems that allow the carrier to identify the applications on a handset, as well as activate or deactivate them or even add and remove applications. The systems give the carrier the option of making these changes with or without prompting the consumer. Carriers also can modify settings and servers for applications pre-installed by the carrier—something hackers could exploit to force the phone to communicate with a server of their choosing.

    Furthermore, some of the systems can monitor the web browser's home page and in some cases retrieve synced contacts. Others include a call redirect function that can direct the phone to a specific phone number. Carriers typically use this feature to program shortcuts to their own phone numbers. For example, Verizon might program its phones so "299" dials customer service. But Solnik found this feature can be used to redirect any number; phone numbers also can be programmed to launch an application.

    "Pretty much whatever number … if we programmed it, when you dial it, it would do whatever functionality we programmed it to do," Solnik says. "Whether you have the number 1 programmed for your mother, it would then do what we choose."

    The more features the management tool offers the carrier, the more an attacker can do as well. But at a minimum, every device they examined would allow an attacker to change all of the cellular network functionality. In many cases, they could also control firmware updates.

    And even the phones that use only the most basic management system have memory corruption vulnerabilities that would still allow a hacker to execute code or install malicious applications, they found.

    Two phones that provided the highest level of exploitation were the HTC One M7 and the Blackberry Z10. Among iOS devices, they found that only iPhones offered by Sprint and running an operating system prior to version 7.0.4 were vulnerable. The 7.0.4 version of the software, which Apple released in November, partially solved the issue.

    Carriers recognize the risk these management tools present, and many have added encryption and authentication to bolster security. Accessing the management system in the device, for example, often requires a password. And the researchers found every carrier in the US encrypts communication between a device and the carrier's server. But these protections are so poorly implemented that the researchers could undermine them.

    "Pretty much all the safeguards put into place to protect the clients in nearly all major devices we found can be bypassed," Solnik says.

    In the case of the authentication, for example, they found that the systems use passwords that are generated in part using a public identifier—that is, the IMEI, or the cell phone's serial number. That number is readily available by any base station that communicates with the phone. Solnik says that although each carrier's system uses a slightly different method for generating passwords, they're all based on the same core.

    "They're all taking a certain public identifier and a certain pre-shared token or secret and using that to derive the password," he says. "There is some secret sauce added, but because it's derived from this token that is already public knowledge, that can be reverse-engineered and reproduced… We can more or less pre-calculate all passwords for any device in order to manage the client."

    They also found many ways to undermine the encryption. "It does require a deep understanding of what it's doing, but once you understand how it works, you can pretty much turn off or just bypass or man-in-the-middle the encryption itself," Solnik says.

    Although the vulnerabilities are basic from a security perspective, exploiting them is not. Each requires extensive knowledge of the OMA-DM standard implementation and how cellular networks work. A successful hack also requires setting up a cellular base transceiver station or finding a vulnerability in a femtocell to take it over and use it for the attack. And cracking the encryption is also not trivial. Nonetheless, anyone with the same level of knowledge and skill as the researchers could conduct the attacks.

    That said, the researchers don't believe anyone has exploited the vulnerabilities so far.

    "During our disclosure with the vendors, different vendors have processes to look through to see if there are any traces of someone exploiting the vulnerabilities and we haven't heard that there are any traces that anyone has seen so far," says Ryan Smith, chief scientist at Accuvant.

    Solnik and Blanchou have notified the firm that makes the management tool used by so many, and the company has already issued a fix. They also notified baseband manufacturers, who have written code that would implement that fix. Carriers are in the process of distributing a fix to existing phones.

    "It's important that all users … stay up to date with all the latest patches," Solnik says. "Users should contact their carrier to see if an update is already available."
    sentimentGX4 likes this.
    07-31-14 12:08 PM
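The article describes the authentication weakness only in outline: the management client's password is derived from a public identifier (the IMEI) plus a pre-shared token. The following is an added illustration, not code from the Wired article, from Accuvant's research or from any vendor; the HMAC construction, the token value and the IMEI-shaped sample identifiers are all constructed here as assumptions, since the real algorithm is not on the page. It contrasts that design with per-device random credentials and includes a simple audit check that tells the two apart: if provisioning the same public identifier twice yields the same credential, every device's password rests on one shared secret.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from the article): a hypothetical vendor-wide
# pre-shared token and an IMEI-shaped public identifier.
HYPOTHETICAL_SHARED_TOKEN = b"hypothetical-vendor-token"
SAMPLE_IMEI = "490154203237518"


class DerivedCredentialScheme:
    """Toy model of the weak design: password = f(pre-shared token, public IMEI).

    The IMEI is visible to any base station the phone talks to, so the
    confidentiality of every device's password rests on the one shared token.
    The HMAC here is an assumed stand-in for the vendor's unknown "secret sauce".
    """

    def __init__(self, shared_token: bytes):
        self._token = shared_token

    def provision(self, imei: str) -> str:
        # Deterministic: same token + same IMEI always gives the same password.
        return hmac.new(self._token, imei.encode(), hashlib.sha256).hexdigest()[:16]

    def verify(self, imei: str, password: str) -> bool:
        return hmac.compare_digest(self.provision(imei), password)


class PerDeviceRandomScheme:
    """Hardened alternative: an independent random credential per device,
    recorded server-side at provisioning time. Neither a public identifier
    nor any fleet-wide token can be turned into a device's password."""

    def __init__(self):
        self._registry = {}  # imei -> stored credential

    def provision(self, imei: str) -> str:
        self._registry[imei] = secrets.token_hex(16)
        return self._registry[imei]

    def verify(self, imei: str, password: str) -> bool:
        stored = self._registry.get(imei)
        return stored is not None and hmac.compare_digest(stored, password)


def credential_is_reproducible(scheme, imei: str) -> bool:
    """Audit check: provisioning the same public identifier twice and getting
    the same credential means the credential is a function of public inputs
    plus a fixed secret, i.e. one leaked secret exposes the whole fleet."""
    return scheme.provision(imei) == scheme.provision(imei)


if __name__ == "__main__":
    derived = DerivedCredentialScheme(HYPOTHETICAL_SHARED_TOKEN)
    per_device = PerDeviceRandomScheme()
    print("derived scheme reproducible from IMEI:", credential_is_reproducible(derived, SAMPLE_IMEI))
    print("per-device scheme reproducible from IMEI:", credential_is_reproducible(per_device, SAMPLE_IMEI))
```

The audit check is deliberately black-box: it needs no knowledge of the derivation itself, only the ability to provision a device twice, which is the kind of test a carrier or vendor can run against its own management server before the scheme ships.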
  2. Minhaaj Rehman's Avatar
    Merkel's IT dept and German intelligence must be dorks to let Merkel use that if the above was true.

    Posted via CB10
    07-31-14 12:23 PM
  3. Tre Lawrence's Avatar
    Oh my.

    Re: Merkel and co... I doubt her device would be carrier-influenced, would it?
    07-31-14 12:29 PM
  4. Minhaaj Rehman's Avatar
    True. They use telepathy for cellular connections.

    Posted via CB10
    07-31-14 12:31 PM
  5. Tre Lawrence's Avatar
    True. They use telepathy for cellular connections.

    Posted via CB10
    LOL. Would explain their football success.
    07-31-14 12:34 PM
  6. Minhaaj Rehman's Avatar
    They call it the zeitgeist

    Posted via CB10
    07-31-14 12:37 PM
  7. Heinz Katchup's Avatar
    Time for a #BBFactCheck on this hatchet job. Make them eat their words I say.

    Posted via CB10
    07-31-14 12:45 PM
  8. Ment's Avatar
    Hackers need to stop exposing NSA tools...
    07-31-14 12:50 PM
  9. anischab's Avatar
    They call it the zeitgeist

    Posted via CB10
    How did you know >/

    BlackBerry Q10, T-Mobile Germany - SQN100-3, Running OS 10.2.1.2941
    07-31-14 01:18 PM
  10. Minhaaj Rehman's Avatar
    I speak fluent German?

    Posted via CB10
    07-31-14 01:21 PM
  11. g33kphr33k's Avatar
    Amusingly, Active Sync on my Exchange box can issue some things to the phone such as "wipe yourself" but you have to read the small print when signing up to the services.

    Carrier issued commands affect the device at the "what you can and can't do on our network" so it controls some low level functions. I wouldn't have believed they can change or unlock my pin on my device though but issued remote wiping might be part of the standard for control on a network?

    Posted via CB10
    07-31-14 01:26 PM
  12. BlackberryAtQuadra's Avatar
    And the latest iOS isn't vulnerable, it's bullet proof, what a surprise! How convenient!?
    They examined all phones, but due to great hurry to tell the world, haven't managed to examine Windows phones.
    You need to read almost all of the text to find out who the "two researchers" are. And after that it continues with lots of pronouns ... no names.
    I've wasted 5 min of my time for nothing! Does the author really think that someone believes this?
    ...

    I am anxiously waiting for an update from my carrier, and if I don't receive it very soon, I am going to call my carrier with an angry tone in my voice, as advised by the "two researchers"!
    07-31-14 01:36 PM
  13. Heinz Katchup's Avatar
    So basically carriers ruin device owner's security.

    Posted via CB10
    07-31-14 01:49 PM
  14. BlackberryAtQuadra's Avatar
    They call it the zeitgeist

    Posted via CB10
    hahaha this is good!
    I quote Urban Dictionary:
    "i just watched zeitgeist on youtube, and i'm speechless. holy **** is all i can say."

    Now I understand why Angela can't be taped any more Thanks!
    07-31-14 01:56 PM
  15. Tre Lawrence's Avatar
    And the latest iOS isn't vulnerable, it's bullet proof, what a surprise! How convenient!?
    They examined all phones, but due to great hurry to tell the world, haven't managed to examine Windows phones.
    You need to read almost all of the text to find out who the "two researchers" are. And after that it continues with lots of pronouns ... no names.
    I've wasted 5 min of my time for nothing! Does the author really think that someone believes this?
    ...

    I am anxiously waiting for an update from my carrier, and if I don't receive it very soon, I am going to call my carrier with an angry tone in my voice, as advised by the "two researchers"!
    I wouldn't be quick to discount it. I don't know the one guy, but Solnik is legit, and Accuvant is for real.
    07-31-14 01:59 PM
  16. BlackberryAtQuadra's Avatar
    I wouldn't be quick to discount it. I don't know the one guy, but Solnik is legit, and Accuvant is for real.
    Sorry if I sounded as if I were disqualifying Solnik or Accuvant.
    My point is the style of the text. Everything in the text is so blurry and without any real references. It seems to me like someone is exploiting names and work for an agenda not dreamed of by the researchers.
    Obviously I am not convinced, and I wouldn't be even if the author had used the famous Albert Einstein's name as a researcher. I need verifiable facts, not authorities, as proofs.
    Teleo likes this.
    07-31-14 02:30 PM
  17. trsbbs's Avatar
    Why would the Z10 be more vulnerable than any other BB10 phone?

    Using a BlackBerry Z10! The "UnDroid"!
    07-31-14 02:37 PM
  18. Heinz Katchup's Avatar
    Why would the Z10 be more vulnerable than any other BB10 phone?

    Using a BlackBerry Z10! The "UnDroid"!
    I agree. Thread title should be changed.

    Posted via CB10
    lift likes this.
    07-31-14 02:40 PM
  19. trsbbs's Avatar
    I agree. Thread title should be changed.

    Posted via CB10
    Nothing wrong with the thread title at all. The article does indeed say that.

    I want to know why the Z10 is highlighted.
    What is BlackBerry going to do?

    Could be trash time for my BlackBerry Z10. I pay for a VPN, encrypt the phone and use tough passwords. Then this comes up!!!

    Using a BlackBerry Z10! The "UnDroid"!
    07-31-14 02:51 PM
  20. Thunderbuck's Avatar
    Merkel's IT dept and German intelligence must be dorks to let Merkel use that if the above was true.

    Posted via CB10
    Merkel's device uses Secusmart as an additional hardware encryption layer. I'm not an expert but I think there's a good chance that would interfere with this exploit.
    kbz1960 and app_Developer like this.
    07-31-14 02:53 PM
  21. Heinz Katchup's Avatar
    Nothing wrong with the thread title at all. The article does indeed say that.

    I want to know why the Z10 is highlighted.
    What is BlackBerry going to do?

    Could be trash time for my BlackBerry Z10. I pay for a VPN, encrypt the phone and use tough passwords. Then this comes up!!!

    Using a BlackBerry Z10! The "UnDroid"!
    I know that the article says the Z10. But wouldn't all BB10 phones be affected?
    07-31-14 02:53 PM
  22. Thunderbuck's Avatar
    Why would the Z10 be more vulnerable than any other BB10 phone?

    Using a BlackBerry Z10! The "UnDroid"!
    The Z10 may be the only one the researchers evaluated.
    techvisor and app_Developer like this.
    07-31-14 02:53 PM
  23. anon(3993749)'s Avatar
    I think it's pretty obvious why they concluded the Z10 is more vulnerable.
    From the article, the issue seems to be with a 3rd party tool that carriers use. That tool, according to the article, has since been updated and the vulnerability is gone. This explains why devices running iOS 7.0.4 and older are still vulnerable.
    Coming back to the Z10 they tested, it was most likely still running an OS (10.1 maybe) from an era when all other smartphones were affected by this. I hope we find out more about this next week when they publish the report.

    Posted via CB10
    Last edited by TheoRadu; 07-31-14 at 05:31 PM.
    07-31-14 03:13 PM
  24. collinc93's Avatar
    There is a pile of BS so high that it would need excavators to move it...
    newcollector, lift and melb_me like this.
    07-31-14 04:40 PM
  25. Bla1ze's Avatar
    This seems to refer to the Quip thing and the ability to run Android apps thing that was noted pretty much a year ago now at the same event.

    https://threatpost.com/inside-the-se...erry-10/101542
    07-31-14 04:55 PM