Post «Popular Android phones can be tricked into snooping on their owners» in blog Прогноз погоды

Popular Android phones can be tricked into snooping on their owners

21:00 | 8 November

Security researchers have found several popular Android phones can be tricked into snooping on their owners by exploiting a weakness that gives accessories access to the phone’s underlying baseband software.

Attackers can use that access to trick vulnerable phones into giving up their unique identifiers, such as their IMEI and IMSI numbers, downgrade a target’s connection in order to intercept phone calls, forward calls to another phone or block all phone calls and internet access altogether.

The research, shared exclusively with TechCrunch, affects at least 10 popular Android devices, including Google’s Pixel 2, Huawei’s Nexus 6P and Samsung’s Galaxy S8+.

The vulnerabilities are found in the baseband firmware, the software that allows the phone’s modem to communicate with the cell network, such as making phone calls or connecting to the internet. Given its importance, the baseband is typically off-limits from the rest of the device, including its apps, and often comes with command blacklisting to prevent non-critical commands from running. But the researchers found that many Android phones inadvertently allow Bluetooth and USB accessories — like headphones and headsets — access to the baseband. By exploiting a vulnerable accessory, an attacker can run commands on a connected Android phone.

“The impact of these attacks ranges from sensitive user information exposure to complete service disruption,” said Syed Rafiul Hussain, one of the co-authors of the paper, in an email to TechCrunch.

Hussain and his colleagues Imtiaz Karim, Fabrizio Cicala and Elisa Bertino at Purdue University and Omar Chowdhury at the University of Iowa are set to present their findings next month.

Baseband firmware uses a special language, known as AT commands, which control the device’s cellular functions. These commands can be used to tell the modem which phone number to call. But the researchers found that these commands can be manipulated. The researchers developed a tool, dubbed ATFuzzer, which tries to find potentially problematic AT commands.

In their testing, the researchers discovered 14 commands that could be used to trick the vulnerable Android phones into leaking sensitive device data and manipulating phone calls.
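An added example, not from the article or from ATFuzzer: a filter on the accessory-facing AT channel that contrasts a prefix denylist (the "command blacklisting" mentioned above) with a strict parse-then-allowlist check. The command sets, the grammar and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: the few commands an accessory-facing channel needs (a
# hands-free-style subset). Illustrative only, not any vendor's policy.
ACCESSORY_ALLOWLIST = {"A", "D", "+CHUP", "+CLCC", "+VGS", "+VGM"}

# Prefix denylist, standing in for "command blacklisting". AT+CGSN and
# AT+CIMI are the standard 3GPP queries for IMEI and IMSI; this is not
# the list of commands from the research.
DENYLIST_PREFIXES = ("AT+CGSN", "AT+CIMI")

# Grammar for exactly ONE canonical command per line:
#   ATA | ATD<dial>[;] | AT+NAME | AT+NAME? | AT+NAME=? | AT+NAME=<digits,commas>
_LINE = re.compile(
    r"AT(?:(?P<a>A)"
    r"|(?P<d>D)[0-9*#+]{1,32};?"
    r"|(?P<ext>\+[A-Z]{2,8})(?:\?|=\?|=[0-9,]{1,32})?)"
)

def naive_denylist_allows(line: str) -> bool:
    """Forward everything that does not start with a denied prefix."""
    return not line.startswith(DENYLIST_PREFIXES)

def strict_allowlist_allows(line: str) -> bool:
    """Forward only a single well-formed command whose name is allowlisted."""
    if line.endswith("\r"):          # drop the line terminator, nothing else
        line = line[:-1]
    if len(line) > 48 or not line.isascii() or not line.isprintable():
        return False
    m = _LINE.fullmatch(line)
    if m is None:                    # wrong case, padding, chaining, junk
        return False
    return (m.group("a") or m.group("d") or m.group("ext")) in ACCESSORY_ALLOWLIST

# Constructed sample lines as they might arrive from an accessory.
SAMPLES = ["ATD5551234;", "AT+CLCC", "AT+VGS=7\r", "AT+CGSN",
           "at+cgsn", " AT+CGSN", "AT+CLCC;+CGSN", "AT+COPS?"]

def compare(lines):
    """Return (line, denylist verdict, allowlist verdict) for each line."""
    return [(l, naive_denylist_allows(l), strict_allowlist_allows(l)) for l in lines]

if __name__ == "__main__":
    for line, deny_ok, allow_ok in compare(SAMPLES):
        print(f"{line!r:18} denylist={'pass' if deny_ok else 'drop'} "
              f"allowlist={'pass' if allow_ok else 'drop'}")
```

The denylist drops only the exact `AT+CGSN` line, while the allowlist drops every line that is not one canonical, expected command, including well-formed commands the accessory has no reason to send.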

But not all devices are vulnerable to the same commands or can be manipulated in the same way. The researchers found, for example, that certain commands could trick a Galaxy S8+ phone into leaking its IMEI number, redirecting phone calls to another phone and downgrading its cellular connection — all of which can be used to snoop and listen in on phone calls, such as with specialist cellular snooping hardware known as “stingrays.” Other devices were not vulnerable to call manipulation but were susceptible to commands that could be used to block internet connectivity and phone calls.

The vulnerabilities are not difficult to exploit, but require all of the right conditions to be met.

“The attacks can be easily carried out by an adversary with cheap Bluetooth connectors or by setting up a malicious USB charging station,” said Hussain. In other words, it’s possible to manipulate a phone if an accessory is accessible over the internet — such as a computer. Or, if a phone is connected to a Bluetooth device, an attacker has to be in close proximity. (Bluetooth attacks are not difficult, given that vulnerabilities in how some devices implement Bluetooth have left some devices more vulnerable to attacks than others.)

“If your smartphone is connected with a headphone or any other Bluetooth device, the attacker can first exploit the inherent vulnerabilities of the Bluetooth connection and then inject those malformed AT commands,” said Hussain.

Samsung recognized the vulnerabilities in some of its devices and is rolling out patches. Neither Huawei nor Google provided comment at the time of writing.

Hussain said that iPhones were not affected by the vulnerabilities.

This research becomes the latest to examine vulnerabilities in baseband firmware. Over the years there have been several papers examining various phones and devices with baseband vulnerabilities. Although these reports are rare, security researchers have long warned that intelligence agencies and hackers alike could be using these flaws to launch silent attacks.


Posted on 08.11.2019 21:00
