Slashdot Mirror

← Back to Stories (view on slashdot.org)

Software Flaw Puts Mobile Phones and Networks At Risk Of Complete Takeover (arstechnica.com)

Posted by msmash on from the security-woes dept.

Dan Goodin, reporting for Ars Technica: A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday. The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One."The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources," researchers who discovered the flaw wrote in an advisory published Monday evening. "These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network."

7 of 52 comments (clear)

  1. Yay for Open Standards! by TechyImmigrant · · Score: 4, Insightful

    I've done my bit to try to eradicate ASN.1 from standards I work on. But there's always 2 or 3 vocal people going to great lengths to keep it in there. It's become more clear over time that they don't only work for their stated employers.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    1. Re:Yay for Open Standards! by Anonymous Coward · · Score: 4, Insightful

      Or they don't want to break everything by removing support for ASN.1.

      But the open source community has never been on for maintaining compatibility, so it's understandable

    2. Re:Yay for Open Standards! by TechyImmigrant · · Score: 3, Informative

      >Or they don't want to break everything by removing support for ASN.1.

      Clean sheet specs for security systems. There's nothing to break. Adopting ASN.1 based technologies is a poor compromise because is undermined the purpose of the spec. See TFA for an example of how this works.
       

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:Yay for Open Standards! by umghhh · · Score: 2

      If I understand this correctly you blame the encoding standard which may or not be useful in some applications for faults in a library?
      What I found really bad is that somebody modded you into insightful for expressing this silliness.

  2. Re:Yet again.. by ScentCone · · Score: 4, Funny

    Yet again..ASN.1 rears it's head.

    And the hackers are already using that vulnerability to insert random apostrophes into posts made from mobile devices.

    --
    Don't disappoint your bird dog. Go to the range.
  3. Untrusted sources by willoughby · · Score: 3, Insightful

    So... could the Feds use a Stingray to distribute this to a targeted phone?

    1. Re:Untrusted sources by FeelGood314 · · Score: 3, Interesting

      Get rid of ASN.1 ?? Heaven forbid we have a standard that explicitly states the sizes of fields and makes it easy for computers to tokenize data. I want more html and human readable text standards so I can worry every night about cross-site scripting and other vulnerabilities they cause.
      Some of us old people actually want to have some fighting chance to make our systems secure.