There aren’t many security flaws out there that can put any and every device on any cellular network at risk, and most of the ones that do exist have already been patched up in one way or another, with the exception of the SS7 vulnerability. What if an attacker could seize complete control over not just any device on a network, but all devices on the network at once, using the same network equipment that the carrier is using to connect those devices? Such a vulnerability does exist, but it is incredibly hard to exploit. Despite the impracticality of actually using the exploit in any capacity, security researchers recently raised the alarm on this network-wide heap overflow vulnerability.
For those unfamiliar, a heap overflow is when memory that’s hot-allocated by an application when it runs is attacked by overflowing it with instructions or by inducing a syntax trip-up, causing a full stop that allows just about any code to be run. Just such a bug exists in the software and hardware used in a great many cell towers, cell phone baseband hardware, and routers. While the exploit takes considerable skill and equipment to take advantage of, anybody that pulls it off could run any code they wanted from tower to tower and node to node on the network, including on users’ devices such as smartphones and tablets on that network. Listening in, intercepting all manner of data, and even disruption of the network can all be done from there.
Security experts put out an advisory Tuesday on popular open-source site GitHub, where the full exploit can be viewed. Even with all the steps available, the difficulty involved should discourage many a would-be hacker. Still, the fact that the vulnerability is so widespread is cause for concern in and of itself. As of right now, researchers only know for certain that the glitch exists in Qualcomm gear, but other manufacturers are in testing. A hotfix has been issued by Objective Systems, creator of the language that contains the exploit, but there’s no telling how long it will take to get the patch out to all affected equipment.
Update:
Qualcomm has provided some clarification explaining what’s happening with the vulnerability on the equipment that was tested and referred to by the security experts in the Github post. According to Qualcomm and Objective Systems, the encoding rule outlined in the cellular standards which is used in Objective Systems’ products, called the ASN.1 PER encoding rule, is believed to prevent the vulnerability from being exploitable, as the exploit would require the hacker to send “a large value in a specially crafted network signaling message” for it to work. Qualcomm states that the encoding rule specified in the 3G/4G cell standards does not allow for the sending of a large enough value to where the vulnerability could be exploited. They also state that despite their belief the vulnerability cannot be exploited, they are still continuing to work with vendors to patch the vulnerability in the products that are affected by it.