A new baseband hack for the iPhone will be demonstrated at the Pwn2Own conference

A few days ago I told you that a new method of exploiting existing vulnerabilities in the basebands of some smartphones would be shown at Pwn2Own. At the time I gave you only some general details, without a clear explanation of the entire procedure that will be demonstrated at the Blackhat conference. Security expert Philip Weinmann discovered a new hack that exploits the basebands of the Qualcomm and Infineon chips found in some smartphones currently on the market. This new hack will be demonstrated on an iPhone and on an Android device, but we do not yet know which iPhone models are vulnerable.

The whole procedure involves building a fake telephone tower to communicate with the target devices. Until now, building such a tower was very expensive, but in recent years the prices of the components have dropped a lot. If a few years ago it cost a good several thousand dollars to build such a tower, at the moment you can easily build this device for $2000. However, the device itself is worth nothing without the code written by Weinmann, code that exploits vulnerabilities in the GSM/3GPP code of the baseband processor. Once the code has been injected, the devices can be used for practically anything, and for iPhone users this is good news, because unlock solutions could eventually be developed on top of it.

To perform the attack, Weinmann sets up a rogue base transceiver station, which is used to send malicious code over the air to the target devices. The code exploits vulnerabilities found in the GSM/3GPP stacks on the phones' baseband processors. According to Weinmann, industry bodies like the GSM Association and the European Telecommunications Standards Institute have not considered the possibility of attacks like this.

The problem with this technique lies in... well, in the technique itself. The code written by Weinmann is very advanced, and few hackers in the world would understand it and know how to inject it. Of course, some members of the Dev Team could use this code, considering that they have been making unlock solutions for years. To be honest, I am skeptical that this method will in any way help the Dev Team reduce the waiting times for new unlock solutions, but hope dies last.