Researchers find a way to abuse phone manufacturer control mechanism

Aug 8, 2014 23:33 GMT  ·  By

Security researchers have dissected the over-the-air (OTA) communication mechanisms used to manage mobile phones, learned how they work and where they fail, and abused them with custom code that achieved code execution leading to complete compromise of the mobile phone.

Mathew Solnik and Marc Blanchou of Accuvant Labs prepared the presentation for the Black Hat security conference taking place in Las Vegas this week, where they also demonstrated OTA code execution.

Reaching the phone wirelessly offers an attacker the possibility to deliver exploits for different vulnerabilities, ultimately ending with gaining complete control over the device.

The two researchers said in the abstract of the presentation that over two billion devices are affected by potential problems in the various control mechanisms embedded by manufacturers for deploying software updates or changing encryption keys.

Should an attacker decide to reverse engineer these mechanisms, they would be likely to find a way to bypass the protections and deliver malicious code.

According to the two researchers, at fault is the Open Mobile Alliance Device Management (OMA-DM) protocol, which is used by most mobile phone manufacturers for software updates and network administration.

“Layer by layer, we've deconstructed these hidden controls to learn how they work. While performing this work we've unearthed subtle flaws in how the communication is handled and implemented. After understanding these flaws, we've written proof-of-concept exploits to demonstrate the true risk this software presents to the end user,” says the duo.

In a video posted on YouTube, Accuvant researchers demonstrate an over-the-air jailbreak of a stock iPhone 5C; in the first step of the operation ASLR is bypassed and the heap and stack payloads are uploaded, along with the custom code created by the researchers.

The end result is root access to the device without causing any sign of suspicious activity on the screen, leaving the user completely unaware of the background operation.

In a different video, they perform an NIA-based lock screen bypass, where two phones are almost simultaneously unlocked.

If an attacker has all the code in place, all they need is for the target phone to pick up their signal, which can be provided by a low-power cellular base station called a femtocell.

The attacks are not limited to a specific mobile operating system platform, as Android, iOS, Blackberry and embedded M2M devices are all affected; however, it appears that the abuse is easier to carry out on some (Android, Blackberry) than on others (iOS).

OTA jailbreak on iPhone 5C:

NIA-based lock screen bypass: