All they need is an OpenBTS mobile base station

Nov 14, 2015 10:38 GMT

Modern versions of Samsung Galaxy smartphones can have their phone calls recorded using a simple Man-in-the-Middle attack carried out via malicious base stations.

A base station, sometimes referred to as an IMSI-catcher, is a device that mimics telephony towers, fooling phones into connecting to its network.

These devices are used for testing and debugging purposes in laboratory conditions, but they are also available for sale to anyone interested in buying them.

Only the recent Samsung phones are affected

At the PacSec security conference in Tokyo, two German researchers, Daniel Komaromy and Nico Golde, showcased how base stations can easily fool Samsung's most recent line of Galaxy phones into connecting to their networks.

The attack was carried out with OpenBTS base stations and on the latest versions of Samsung's Galaxy S6, Galaxy S6 Edge, and Galaxy Note 4 families.

The thing all these phones have in common is Samsung's line of "Shannon" baseband chips, used to handle telephony features.

Conversations can be recorded by rerouting calls through a proxy

According to the researchers, the attack works when hackers use the OpenBTS base station to push a malicious firmware update to the baseband chip.

This firmware can tell the device to reroute all phone calls through a proxy. If this kind of attack is carried out by malicious parties, and not just to show off at a security conference, the people in charge of the proxy can record phone calls and spy on their victims without being noticed.

Researchers provided a demo of their work, but only reported technical details to Samsung's team. The company has started work on a patch to fix the issue.

Using IMSI-catchers to spy on mobile phone calls is not a new technique. John McAfee has previously detailed it and accused some Chinese airlines of using it on their planes.

The PacSec security conference is famous in hacker circles, last year offering $425,000 / €395,000 to the presenters for the bugs they disclosed. This year, after many companies set up their own bug bounty programs, the prizes are much lower, but the conference has already provided two serious hacks, one for the Google Chrome browser for Android, and one that affects barcode scanners.

Daniel Komaromy and Nico Golde at the PacSec conference