A software flaw was recently discovered by security researchers, who are warning that a large part of the world’s telecommunications equipment may be vulnerable to attack. The flaw is found in software used by cell towers, radios, mobile phones and other infrastructure.
The vulnerability lies in a compiler used to “generate high-level-language from ASN.1 syntax”. As Ars Technica reports, ASN.1, short for Abstract Syntax Notation One, is a widely used software standard, embedded in numerous telecommunications devices including our personal phones. The researchers note:
The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources. These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network.
There doesn’t seem to be any evidence that this flaw is currently being exploited “in the wild”, nor would it be easy for an attacker to do so. However, government agencies or well-resourced malicious actors could exploit it, especially in combination with a rogue cell network. The researchers warn that the vulnerable software is the “backbone” of many of today’s telecom networks, including those based on GSM, LTE and VoIP, and even systems used in aviation, aerospace, data security and other fields. An attacker who successfully exploits this flaw could compromise any device that relies on the ASN.1 standard, potentially gaining full access to it, regardless of local encryption or other security measures.
So far the flaw has been confirmed to be present in Qualcomm-powered devices. However, the company that developed the affected compiler, Objective Systems, has a much bigger customer list including HP Enterprise, Honeywell, Alcatel-Lucent, AT&T, BT, Cisco, Deutsche Telekom and others. Between them, these companies power a huge part of the telecom infrastructure, and there’s a reasonable fear that many of those systems may feature the same flaw.
The real problem is that while some mobile phones and important devices may get updates and patches to fix the vulnerability, the large majority of affected devices aren’t designed to be patched. As such, the researchers warn, this vulnerability may remain unpatched forever and offer an attractive target for malicious actors.
Update: Qualcomm has reached out to us claiming that its hardware is not affected thanks to the way it implemented the affected code. However, this is at odds with what the US Department of Homeland Security says in its advisory. Qualcomm has said it will issue a patch nonetheless, but it's unclear how far this patch will spread and which devices will benefit from it.
Here's Qualcomm's comment:
The vulnerability is in the ASN1C code that is provided by a third party called Objective Systems. Qualcomm integrated their code into the cellular stack of our products. The vulnerability is an integer overflow that can cause a buffer overflow. However, due to the ASN.1 PER encoding rule specified in the cellular standards and implemented in our products, we believe the vulnerability is not exploitable. This is because in order to exploit it, an attacker needs to send a large value in a specially crafted network signaling message; but the encoding rule specified in the 3G/4G Standards and in our products does not allow such a large value to get through. However, we are still actively working with the vendor and propagating the patch to the affected products.
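As an added example (constructed for this article, not ASN1C's or Qualcomm's code; every name in it is hypothetical), the C snippet below illustrates the bug class the statement describes and the defence it relies on. It puts a buffer-size computation that wraps in 32-bit arithmetic next to an overflow-checked version, and it models a PER-style decoder for a count constrained to SIZE (lb..ub): only as many bits as the constraint needs are read, so the encoding itself cannot carry a value like 2^28. It also shows the caveat a reviewer would want: when the range is not a power of two, the bit field can still hold values above the upper bound, so the explicit range check has to stay.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a toy SEQUENCE OF made of a count header followed by
 * fixed-size elements. Nothing here is ASN1C's or any vendor's code; all
 * names are hypothetical. */
#define ELEM_SIZE 16u

/* Vulnerable pattern: the byte count is computed in 32 bits and wraps
 * silently, so an enormous element count yields a tiny size. A decoder that
 * allocated this many bytes and then copied `count` elements into it would
 * overrun the heap. */
uint32_t naive_buffer_size(uint32_t count) {
    return count * ELEM_SIZE;               /* wraps once count >= 2^28 */
}

/* Hardened: refuse any count whose product would not fit in 32 bits. */
bool checked_buffer_size(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / ELEM_SIZE) {
        return false;                       /* would wrap: treat as malformed */
    }
    *out = count * ELEM_SIZE;
    return true;
}

/* Wrapper for demonstration: the byte size, or -1 if the count was rejected. */
long long checked_size_or_neg(uint32_t count) {
    uint32_t size;
    return checked_buffer_size(count, &size) ? (long long)size : -1;
}

/* Minimal MSB-first bit reader over a message buffer. */
typedef struct {
    const uint8_t *buf;
    size_t len_bits;
    size_t pos;
} bitreader;

bool read_bits(bitreader *r, unsigned nbits, uint32_t *out) {
    if (nbits > 32 || r->pos + nbits > r->len_bits) return false;
    uint32_t v = 0;
    for (unsigned i = 0; i < nbits; i++, r->pos++) {
        unsigned bit = (r->buf[r->pos / 8] >> (7 - r->pos % 8)) & 1u;
        v = (v << 1) | bit;
    }
    *out = v;
    return true;
}

/* Bits PER spends on a constrained whole number with `range` possible values
 * (range = ub - lb + 1), i.e. ceil(log2(range)); a range of 1 sends no bits. */
unsigned bits_for_range(uint32_t range) {
    unsigned n = 0;
    while (range > 1) {
        range = (range + 1) / 2;
        n++;
    }
    return n;
}

/* PER-style decode of a count constrained to SIZE (lb..ub). Only
 * ceil(log2(ub-lb+1)) bits are read, so a peer has no way to encode a value
 * such as 2^28; this is the property Qualcomm's statement relies on. The
 * explicit range check still matters: when the range is not a power of two the
 * bit field can hold values above ub (lb=1, ub=5 reads 3 bits, i.e. 0..7). */
bool per_decode_constrained_count(bitreader *r, uint32_t lb, uint32_t ub,
                                  uint32_t *count) {
    if (ub < lb) return false;
    uint32_t raw = 0;
    unsigned nbits = bits_for_range(ub - lb + 1);
    if (nbits > 0 && !read_bits(r, nbits, &raw)) return false;
    uint32_t v = lb + raw;
    if (v > ub) return false;               /* outside the declared constraint */
    *count = v;
    return true;
}

/* Wrapper for demonstration: decode one count from a single constructed byte;
 * returns the count, or -1 if the decoder rejected it. */
int decode_count_from_byte(uint8_t byte, uint32_t lb, uint32_t ub) {
    bitreader r = { &byte, 8, 0 };
    uint32_t count;
    return per_decode_constrained_count(&r, lb, ub, &count) ? (int)count : -1;
}

int main(void) {
    uint32_t huge = 0x10000001u;            /* 268435457 elements */
    printf("naive size for %u elements: %u bytes\n", huge, naive_buffer_size(huge));
    printf("checked size for %u elements: %lld\n", huge, checked_size_or_neg(huge));
    printf("PER SIZE(1..5), byte 0x40 -> count %d\n", decode_count_from_byte(0x40, 1, 5));
    printf("PER SIZE(1..5), byte 0xA0 -> count %d\n", decode_count_from_byte(0xA0, 1, 5));
    return 0;
}
```

The naive path turns a count of 268435457 into a 16-byte size, which is exactly the integer-overflow-to-buffer-overflow chain the statement names; the checked path rejects it. On the decoding side, a constraint of SIZE (1..5) reads three bits, so the largest raw value a peer can send is 7, and the range check is what turns the out-of-range 6 (byte 0xA0) into a rejection instead of a bad count.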