Researcher warns of 'Baseband Apocalypse'

A security researcher is warning that recent advances in open-source mobile base stations could leave smartphones vulnerable to over-the-air attacks that exploit vulnerabilities in the previously unreachable baseband processor.

Ralf-Philipp Weinmann, a cryptologist and security researcher currently studying at the LACS Laboratory in the University of Luxembourg, is to take to the stage at this year's Black Hat DC conference with a presentation that will bring a chill to the heart of anyone in the telecommunications industry: an over-the-air attack against smartphones using a malicious base station.

The security model assumed by the GSMA and ETSI telecommunications organisations, Weinmann argues, doesn't take into account the possibility of malicious data being received from a mobile base station - all base stations are considered sacrosanct, and all data received trusted implicitly.

This security model worked fine while the only base stations available came from big-name telecommunications vendors and used locked-down code, but recent advances in open-source base station programming have led to end users being able to create base stations of their very own - something Weinmann believes could lead to what he terms 'the Baseband Apocalypse.'

Weinmann's presentation is to demonstrate what he claims is: "the first over-the-air exploitations of memory corruption in GSM/3GPP stacks that result in malicious code being executed on the baseband processors."

In short, Weinmann will be demonstrating a hacked base station that transmits malicious code to all smartphones within range, causing them to crash in such a way that arbitrary code is executed on the smartphone itself - allowing him to take control of the device, extract photographs, videos, or contact information, or simply to wipe the gadget completely.

While the malicious code would need to be targeted to particular handsets - what makes an iPhone give up its worldly goods would make an Android phone simply crash, and vice-versa - the underlying exploit is both universal and extremely difficult to guard against.

Although it's likely to be a while before the Internet's underbelly gets its hands on the wherewithal to recreate Weinmann's research, one thing is certain: the world's mobile telecommunications bodies need to investigate his claims, and quickly.