CELLULAR EXPLOITATION ON A GLOBAL SCALE: THE RISE AND FALL OF THE CONTROL PROTOCOL

Black Hat USA 2014

Presented by: Marc Blanchou, Mathew Solnik
Date: Wednesday August 06, 2014
Time: 10:15 - 11:15
Location: Lagoon K

Since the introduction of the smart phone, the issue of control has entered a new paradigm. Manufacturers and enterprises have claimed control over not just how your phone operates, but the software that is allowed to run on it. However, few people know that Service Providers have a hidden and pervasive level of control over your device. These hidden controls can be found in over 2 billion cellular devices worldwide. Organizations have been quietly deploying these controls in smart phones, feature phones, basebands, laptops, embedded M2M devices, and even certain cars. Someone with knowledge of these controls and the right techniques could potentially leverage them for cellular exploitation on a global scale.

We've reverse engineered embedded baseband and application space code. We've torn apart the Over-the-Air communications and implemented our own code to speak the relevant protocols. Layer by layer, we've deconstructed these hidden controls to learn how they work. While performing this work we've unearthed subtle flaws in how the communication is handled and implemented. After understanding these flaws, we've written proof-of-concept exploits to demonstrate the true risk this software presents to the end user.

In this presentation, we will discuss and disclose how Over-the-Air code execution can be obtained on the major cellular platforms and networks (GSM/CDMA/LTE). Including but not limited to Android, iOS, Blackberry, and Embedded M2M devices. You will come away from this talk armed with detailed insight into these hidden control mechanisms. We will also release open source tools to help assess and protect from the new threats this hidden attack surface presents. These tools will include the ability to dynamically test proprietary system applications and simulate different aspects of a cellular environment.

Mathew Solnik

Mathew Solnik works in consulting and research with Accuvant LABS. Mathew's primary focus is in the mobile, M2M, and embedded space specializing in cellular network, hardware level, and OS level security. Prior to joining LABS, Mathew was a Senior Member of Technical Staff at Appthority, Inc. where he helped design and build an automated mobile threat and malware analysis platform for use in the Enterprise and Defense space. Previous to Appthority, Mathew has held positions in multiple areas of IT and security - including consulting for iSEC Partners where he performed the first Over-The-Air Car Hack (as been featured in a previous Black Hat talk) and R&D for Ironkey where he handled in-house penetration testing and design review for multiple DARPA funded projects.

Marc Blanchou

Marc Blanchou does consulting and research with Accuvant LABS, a division performing security assessments and original research on multiple platforms and environments. Prior to Accuvant, Marc was a Principal Security Consultant with iSEC Partners where he performed security assessments on a wide range of products including Android, iOS, Blackberry, Windows, OS X, Linux and large web clients as well as server-side and various kernel related components. Marc was also a lead application developer on diverse projects and worked on products involving low latency code for a financial and a game company. For his Master's thesis at EPITECH, Marc developed a multi-platform flash file system in C which resulted in several commits to the Linux kernel and which was also accepted into the Microsoft BizSpark program. Marc has presented his research at multiple international security conferences including Black Hat (US and EU), RSA Conference, Hack In The Box, OWASP, and Ruxcon on various topics including compiler/hardware induced bugs in OSes/VMs, building better browser-based botnets and how to audit enterprise class products on Android and iOS. Marc is the author of Introspy-Android, an open-source tool to understand what an Android application is doing at runtime and help identifying vulnerabilities. Marc also authored and co-authored White Papers on password managers and mobile security.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats