Samsung S6 calls open to man-in-the-middle base station snooping

Modern Samsung devices including the S6, S6 Edge and Note 4 can have phone calls intercepted using malicious base stations, according to initial research findings from two researchers. Daniel Komaromy and Nico Golde demonstrated the attacks on Samsung's 'Shannon' line of baseband chips today at the Mobile Pwn2Own competition …

  1. bazza Silver badge

    Oh Good Grief!

    Please, will someone somewhere just implement something properly, just for once?

    1. JetSetJim

      Re: Oh Good Grief!

      It is rather worrying that someone with a computer and a small antenna, plus the OpenBTS code, can install a BTS and make it look like it's connected to a proper mobile network *and* allow calls to a PSTN (I have my doubts that it actually is as the connections to the MSC/GSN/MME/SGW - dependent on tech - are not automatically handed out to anyone that wants one). Call setup signalling does not stop at the BTS, and requires cooperation from a core network node, which includes authentication and encryption.

      Perhaps they've done something clever to make a firmware patch that bypasses a lot of this (including getting it distributed by the BTS rather than the device management function sitting in the core), but I still think there is detail missing from the article as to other dependent bits in the implementation.

  2. Anonymous Coward
    Black Helicopters

    Tinfoil hat time

    US corporation with close ties to Government produces baseband processors with a previously unknown "flaw" that facilitates MITM attacks against millions of handsets from multiple manufacturers? Sometimes just because you're paranoid...

    1. Anonymous Coward
      Anonymous Coward

      Re: Tinfoil hat time

      ... and if it wasn't for you darn kids ...

    2. Anonymous Coward
      Black Helicopters

      Re: Tinfoil hat time

      I wonder if this is a feature that allows Harris Corp's Stingray (and others) to do what they do?

    3. MacroRodent

      Re: Tinfoil hat time

      US Corporation? The article says "... demonstrated the attacks on Samsung's 'Shannon' line of baseband chips ...". Samsung is South Korean.

  3. Pascal Monett Silver badge

    Malicious base stations

    Apparently they are like Glassholes : to be destroyed on sight.

  4. Anonymous Coward
    Anonymous Coward

    Confusion - S or Q?

    > The Register would speculate that since the Qualcomm silicon in question isn't unique to Samsung kit, other researchers are probably setting to work on other phones as you read this.

    Earlier in the article you said it was the Samsung Shannon chipset. Qualcomm or Samsung? Inquiring minds need to know ...

    1. king_tut

      Re: Confusion - S or Q?

      I'm hearing from sources that this is definitely a Shannon problem. Generic Qualcomm _can_ suffer from this, but only if manufacturers are idiots and don't ship in a secure mode.

      1. dotdavid

        Re: Confusion - S or Q?

        "but only if manufacturers are idiots"

        Uh-oh, we're doomed!

        1. Dan 55 Silver badge

          Re: Confusion - S or Q?

          Yes, it is Samsung we're talking about...

  5. king_tut

    Data as well

    This is bigger than voice. Normally the baseband processor (BPC) and the OS running on it swap data with the main OS by reading/writing some shared memory in RAM, plus some semaphores etc. and a couple of hardware interrupts. Unfortunately it's common for no-one to lock down the permissions the BPC has, so that it actually has read/write access to a device's entire RAM. It can then search for crypto keys or data in the clear and exfiltrate them, root the main OS, etc.

    The solution for this problem is simple, and it comes down to re-evaluating your threat model. Don't treat the BPC and the Qualcomm OS running on it as trusted components - treat them as potentially malicious. Limit read/write access from the BPC using the ARM xPUs, specifically the Memory Protection Unit. Unfortunately this is not wholly trivial, as when Qualcomm changes the memory ranges they use then you have to update your memory regions on the protection unit - Qualcomm and memory ranges are a bit like MS-RPC and firewalls...

    I guarantee that few phone devs have done the relevant work, as it's a security thing which won't be prioritised, and most trust Qualcomm. Which has been found to be idiotic, if they don't implement any kind of signing checks for BPC updates...
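The "treat the baseband as hostile and fence its RAM access" idea in the comment above, as an added example that is not the commenter's code nor any vendor's: a default-deny region table modelling what a protection unit in front of the modem's bus master would enforce. The region addresses, sizes and names are invented for illustration; a real xPU is configured in hardware registers, not by a C lookup, but the checks that matter (default deny, per-region permissions, no wraparound, no straddling the region edge) are the same.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Permissions the baseband (BPC) may hold on a region of application-processor RAM. */
typedef enum { PERM_NONE = 0, PERM_R = 1, PERM_W = 2, PERM_RW = 3 } perm_t;

typedef struct {
    uint64_t base;  /* first byte of the region */
    uint64_t size;  /* length in bytes */
    perm_t   perm;  /* what the BPC is allowed to do there */
} region_t;

/* Assumed (hypothetical) layout: the modem may only touch its shared IPC ring
 * and a DMA scratch area. Everything else, including kernel memory, key material
 * and app heaps, is absent from the table and therefore denied by default. */
static const region_t bpc_regions[] = {
    { 0x8000000000ULL, 0x00100000ULL, PERM_RW },  /* shared IPC ring buffer, 1 MiB */
    { 0x8001000000ULL, 0x00400000ULL, PERM_R  },  /* DMA scratch, read-only for BPC */
};

#define NREGIONS (sizeof(bpc_regions) / sizeof(bpc_regions[0]))

/* Decide whether a BPC access of `len` bytes at `addr` with permission `want`
 * is permitted. An access must lie wholly inside one region; an access that
 * straddles a region boundary is refused even if both sides would allow it. */
bool bpc_access_allowed(uint64_t addr, uint64_t len, perm_t want)
{
    if (len == 0 || want == PERM_NONE)
        return false;
    /* Reject ranges whose end would wrap past the top of the address space,
     * otherwise addr + len could land back inside an allowed region. */
    if (addr > UINT64_MAX - len)
        return false;
    uint64_t end = addr + len;              /* exclusive upper bound */

    for (size_t i = 0; i < NREGIONS; i++) {
        const region_t *r = &bpc_regions[i];
        uint64_t rend = r->base + r->size;
        if (addr >= r->base && end <= rend)
            return (r->perm & want) == want; /* every requested bit must be granted */
    }
    return false;                            /* default deny */
}

int main(void)
{
    /* Constructed requests, as a modem firmware might issue them. */
    struct { uint64_t addr, len; perm_t want; const char *what; } reqs[] = {
        { 0x8000000000ULL, 0x1000,  PERM_RW, "IPC ring write"          },
        { 0x8001000000ULL, 0x10,    PERM_W,  "write to read-only DMA"  },
        { 0x80000FF000ULL, 0x2000,  PERM_R,  "read across region edge" },
        { 0x0000001000ULL, 0x100,   PERM_R,  "read from AP kernel RAM" },
    };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("%-26s -> %s\n", reqs[i].what,
               bpc_access_allowed(reqs[i].addr, reqs[i].len, reqs[i].want) ? "allow" : "DENY");
    return 0;
}
```

The point the comment makes about Qualcomm shifting its memory ranges shows up here as the table: when the modem's expected windows move, the table must move with them or legitimate traffic is denied, which is exactly the maintenance burden that leads vendors to leave the protection off.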

  6. Alan Denman

    re - the Qualcomm silicon

    Those darned Chinese again we keep getting warned about by the US?

    Nope, a US design. Have we ever found any non US made holes?

    1. Anonymous Coward
      Anonymous Coward

      Re: re - the Qualcomm silicon

      "Have we ever found any non US made holes"

      Who is 'we'? And are you sure they'd tell us?

  7. mr. deadlift

    I am having a tough time believing this one, for several reasons.

    One, I may be a simpleton,

    two, MITMs are still a viable vector in this day and age???

    trois, pledge()

    Holy moly, I'm missing something: how can the hardware defer so much security (adj.) between components without a pertinent SYN/ACK security (verb.) challenge?

    It seems to me that would be the kind of thing you pay WISP devs to hard-code into units; again, I may be wrong here.

    I guess if you want your roaming in billy-basic SE Asia, APAC or E. Europe this is the price you pay?

  8. Cuddles

    Firmware update?

    "The malicious base station then pushes firmware to the phone's baseband processor"

    While in this particular case it was used for a MitM attack, far more worrying is the fact that apparently any random can install arbitrary code to a phone simply by pretending to be a mobile mast. Why is it even possible to push software onto a phone without notification or input from the user? Low-level software like firmware has far more potential for screwing things up if it's faulty or malicious, so there should be more security for it, not less, or apparently none at all.

  9. M7S
    Black Helicopters

    Anything can happen in the next half hour....

    (Altogether now)

    Stingray, Stingray ,da da da da dah-da dah-da,

    Stingray, Stingray........

  10. phil dude
    Joke

    Bourne....

    "....Berlin....Pamela Landy...."

    P.

    1. Known Hero
      Facepalm

      Re: Bourne....

      And oh, how we technical types in the cinema chuckle at the bullshit when they turn on a little box and suddenly have complete control over the target's phone.

      1. Charlie Clark Silver badge

        Re: Bourne....

        I don't know if you've caught any of "Hunted", but the ability of the spooks to clone phones thanks to iCloud is quite worrying.

        Let's face it, if someone is able to put up fake base stations then intercepting all our data isn't going to be that hard for them. With or without additional "help" from the manufacturers.

      2. phil dude
        Coat

        Re: Bourne....

        I thought Bourne cloned the sim-card?

        Or some other movie magic...?

        P.

  11. Bucky 2

    Bad News for T-Mobile Customers

    Once we buy the phone, we're essentially SOL in terms of automatic updates.

    Yeah, I suppose I can theoretically download and install a new OS myself, but I'd lose WiFi calling, and with my luck, probably brick my phone anyway.

    1. xybyrgy

      Re: Bad News for T-Mobile Customers

      I assume you've already read this page (about Android 6.0), and found it lacking your phone. Just part of the scheme to get you to buy more expensive phones. :(

      https://support.t-mobile.com/community/phones-tablets-devices/software-updates

      Unfortunately, you can't port an identical LG Stylo from MetroPCS ($150) to T-Mobile ($289) and get on the upgrade train...

  12. Anonymous Coward
    Anonymous Coward

    Sorry but

    IMSI catchers have been around for at least a decade. How is this even news?

    1. JetSetJim

      Re: Sorry but

      Because this isn't an IMSI catcher.

  13. DCLXV

    This doesn't seem coincidental

    https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor

  14. Orwell44

    VAT doesn't count as tax paid

    Since VAT is charged on top of the daily rate and the client then simply offsets it against their own VAT bill - this is not actual net revenue generated for HMRC and is not the same as paying income tax.

    However a one month period is too short, I would see three months as reasonable.

    But the tax avoidance by personal service companies is too blatant to ignore; they even get all the dividend tax breaks intended for genuine entrepreneurs. It's time that a minimum tax percentage was paid by everyone regardless of the journey that the money has taken to their bank account.

    Landlords should pay National Insurance as well.
