The researcher Ralf-Phillip Weinmann, managing director at security firm Comsecuris, has disclosed a zero-day baseband vulnerability affecting Huawei smartphones, laptop WWAN modules, and IoT components.
Baseband is firmware used on smartphones to connect to cellular networks, to make voice calls, and transmit data.
An attacker can exploit baseband flaws to eavesdrop mobile communications, take over the device making calls and sending SMS messages to premium numbers or to exfiltrate data.
The expert revealed the flaw this week at the Infiltrate Conference, the vulnerability could be exploited by attackers to execute a memory-corruption attack against affected devices over the air.
Fortunately, the attack is quite difficult to conduct.
The baseband vulnerability resides in the HiSilicon Balong integrated 4G LTE modems. The Balong application processor is called Kirin, it is produced by the Hisilicon Technologies, a subsidiary of Huawei Technologies. The affected firmware is present in several Huawei Honor smartphones, including the P10, Huawei Mate 9, Honor 9, 7, 5c and 6.
Weinmann believes that millions of Honor smartphones could be exposed to the to attack.
Weinmann presented multiple baseband vulnerabilities found in the Kirin application processor.
The expert also revealed that many laptops produced by IT vendors leverage the HiSilicon Balong integrated modem, such as a number IoT devices.
“This baseband is much easier to exploit than other basebands. Why? I’m not sure if this was intentional, but the vendor actually published the source code for the baseband which is unusual,” Weinmann said. “Also, the malleability of this baseband implantation doesn’t just make it good for device experimenting, but also network testing.”
Weinmann speculates HiSilicon may have wrong released the Kirin source code as part of a developer tar archive associated with the Huawei H60 Linux kernel data.
Weinmann demonstrated several attack scenarios against mobile phones.
A first attack scenario presented by the researcher involves setting up a bogus base station using open-source software called OpenLTE that is used by an attacker to simulate a network operator. The attacker can send specially crafted packets over the air that trigger a stack buffer overflow in the LTE stack causing the phone crashing. Once the phone rebooted an attacker can gain persistence installing a rootkit.
In a second attack scenario, the attacker with a physical access to the phone and private key pair data would install malicious tools on the firmware.
“It requires key material that is stored both by the carrier and on the SIM card in order to pass the mutual authentication between the phone and the network. Without this key material, a base station cannot pose as a legit network towards the device.”
Weinmann used for its test his own VxWorks build environment using an evaluation version of VxWorks 7.0 that shipped with Intel Galileo several years ago. The expert explained that the existence of a Lua scripting interpreter running in the baseband gives him further offensive options.
Weinmann did not disclose the technical details to avoid threat actors in the wild will abuse his technology.
“I have chosen to only disclose lower-severity findings for now. Higher severity findings are in the pipeline.” Weinmann said.
(Security Affairs – Mobile Baseband, zero-day)