More than three years after the iPhone was first hacked, computer security experts say they've found a whole new way to break into mobile phones, one that could become a big worry for Apple, or for smartphone makers using Google's Android software.

In a presentation set for next week's Black Hat conference in Washington, D.C., University of Luxembourg research associate Ralf-Philipp Weinmann says he plans to show his new technique on an iPhone and an Android device, showing how they could be converted into covert spying systems. "I will demo how to use the auto-answer feature present in most phones to turn the telephone into a remote listening device," he said in an e-mail interview.

Weinmann says he can do this by breaking the phone's "baseband" processor, the chip used to send and receive radio signals as the device communicates on its cellular network. He has found bugs in the way the firmware used in baseband chips sold by Qualcomm and Infineon Technologies processes wireless signals on the GSM (Global System for Mobile Communications) networks used by the majority of the world's wireless carriers.

This is a new area of research. Until recently, mobile phone attacks had focused on another part of the phone: the programs and operating systems that run on the device's application processor (CPU). By tricking someone into visiting a malicious Web site, for example, hackers could take advantage of a Web browser bug on the phone and start messing around with the device's memory.

With baseband hacking, security researchers are looking at a brand new way to get into this memory.

"[It's] like tipping over a rock that no one ever thought would be tipped over," said the Grugq, a pseudonymous but well-respected wireless phone hacker, and one of a handful of people who have done research in this area. "There are a lot of bugs hiding out there," he said. "It is just a matter of actively looking for them."

But hacking a smartphone with a baseband attack is very tricky, to say the least. The mobile phone's radio communicates with a cell phone tower. So in Weinmann's attack, he has to first set up a fake cell phone tower and then convince his target phone to connect to it. Only then can he deliver his malicious code. And even then, the malicious code he writes must run on the firmware used by obscure radio processors, something that most hackers know nothing about.

"This is an extremely technical attack," said Don Bailey, a security consultant with Isec Partners. He says that while the work on baseband hacking is very exciting, and ultimately a big deal for the mobile phone industry, he doesn't expect any attacks that target the general public to come out anytime soon.

But the research into this area is just starting to take off, fueled by new open-source software called OpenBTS that allows virtually anyone to set up their own cellular network radio tower with about $2,000 worth of computer hardware.

Five years ago device makers didn't have to worry about this type of hacking, because it used to cost tens of thousands of dollars to set up a cellular tower. But OpenBTS has changed all that. "Now it's a completely different game," Bailey said.

It's a risky game too. In the U.S., federal wiretapping laws make it illegal to tap phone calls over the licensed frequencies used by mobile phones. In August, it took intense last-minute negotiations between lawyers from the Electronic Frontier Foundation and the U.S. Federal Communications Commission before security researcher Chris Paget could demonstrate a very simple tower-spoofing technique at the Defcon hacking conference in Las Vegas.

Two months from now another hacker conference, Vancouver's CanSecWest, will invite hackers to break into mobile phones using a low-power transmitter. If their baseband attacks work, they can win cash prizes. Conference organizer Dragos Ruiu says that Canada's radio laws are "more lenient" for researchers who want to set up low-power towers for research purposes.

Still, it remains a tricky subject. "Last year we were worried about falling afoul of regulations," he said. "Now we've figured out a nice safe way to do that so that we don't mess up anybody else's cell phones at the conference."

Ruiu expects some interesting results from the contest, called Pwn2Own. "It sounds like the radio parts of the phones are very shaky indeed and pretty vulnerable," he said.