A presentation at a hacking conference shows how every LTE call or text can be intercepted and blacked out (tr-ltesms).
The still-live attacks were demonstrated at the Ruxcon hacking confab in Melbourne this weekend, with the demo offering a recording of the hack perpetrated in part on a live network. It exploits fall-back mechanisms designed to ensure continuity of phone services in the event of overloads.
The tested Frequency Division Duplexing LTE network is more popular than TDD-LTE and operates in Britain, the US, and Australia. The competing Time Division Duplexing (TDD) LTE network is more common in Asian countries and in regions where population densities are higher. (..)
The attacks are not just fit for laboratories. At this year's DEF CON hacker confab one researcher used IMSI catcher detection tools to find words (..)
Zhang says the attacks are possible because LTE networks allow users to be handed over to underused base stations in the event of natural disasters to ensure connectivity.
“You can create a denial of service attack against cellphones by forcing phones into fake networks with no services,” Zhang told the conference.
“You can make malicious calls and SMS and … eavesdrop on all voice and data traffic.”
The Third Generation Partnership Project (3GPP) telco body has known of the hack since at least 2006, when it issued a document describing Zhang’s forced handover attack, and accepts it as a risk. The 3GPP’s SA WG3 working group, which handles security of LTE and other networks, proposed in a May meeting that it would refuse one-way authentication and drop encryption downgrade requests from base stations.
Zhang uses Ravishankar Borgaonkar and Altaf Shaik’s IMSI catcher with a femtocell to pull off the attacks.
She says manufacturers should ignore base station redirection commands and instead use automatic searches to find the best available station. This would prevent attackers from forcing LTE devices to connect to malicious stations.
It turns out that all LTE networks and devices are affected.
Another old but lesser-known issue is a hardware problem with the way memory is accessed (wired-drammer).
Now, researchers in Amsterdam have demonstrated how this type of hack can allow them, and potentially anyone, to take control of Android phones.
The vulnerability, identified by researchers in the VUSec Lab at Vrije Universiteit Amsterdam, targets a phone’s dynamic random access memory using an attack called Rowhammer. Although the attack is well-known within the cybersecurity community, this is the first time anyone’s used it on a mobile device. It’s troubling because the so-called DRAMMER attack potentially places all data on an Android phone at risk.
“The attacks that we are publishing now show that we need to think differently about how we protect software,” says Victor van der Veen, one of the researchers involved in the work. “A thing like Rowhammer shows that at any given time a trap can come up that nobody ever thought of.”
The group disclosed its findings to Google three months ago, and the company says it has a patch coming in its next security bulletin that will make the attack much harder to execute. But you can’t replace the memory chip in Android phones that have already been sold, and even some of the software features DRAMMER exploits are so fundamental to any operating system that they are difficult to remove or alter without impacting the user experience.
In other words, this isn’t easy to fix in the next generation of phones much less existing ones.
The Dutch research group had worked on Rowhammer attacks before, and shown they could target data stored in the cloud, and other computer scientists have worked in this area as well. But no one had tried attacking a phone. “When we started doing this people openly had questioned whether Rowhammer would even be possible on mobile chips because they have a different architecture,” says researcher Cristiano Giuffrida.
As the group envisioned it, the DRAMMER attack would start with a victim downloading a seemingly innocuous app laced with malware to execute the hack. The researchers decided that their app would not request any special permissions—to avoid raising suspicion—and therefore would have the lowest privilege status possible for an app. This made accessing the dynamic random access memory (DRAM) difficult, but the researchers found an Android mechanism called the ION memory allocator that gives every app direct access to the DRAM. The ION memory allocator also had the added benefit of allowing the group to identify contiguous rows on the DRAM, an important factor for generating targeted bit flips. “This is as reliable and deterministic as it gets,” Giuffrida says.
Once the researchers knew they could flip a bit, they had to figure out how to use that to achieve root access—giving them full control of the handset and the ability to do everything from access data to take pictures. The technique, which they call “memory massaging,” uses the resources all Android apps are given to reorganize what’s on the memory in inconspicuous ways that won’t alert the system to tampering. The researchers essentially filled up portions of the memory with data, being careful not to do it in a way that would potentially cause the app to be “killed” by the resource manager. The goal was to occupy enough memory that the allocator would become predictable and be forced to add to the memory in a position the researchers had chosen.
Perhaps the scariest and best known revelation is the Dirty COW Linux kernel vulnerability affecting all Linux OSs (which includes Android).
Sources / More info: tr-ltesms, wired-drammer