At the Black Hat conference this week, two Accuvant researchers have disclosed serious security flaws in the carrier control software used in over 2 billion cellular devices across platforms and carriers.
The vulnerabilities discovered by the pair impact Android, Blackberry and a small number of iOS-based devices, with risk varying by carrier and device make and model.
“Carriers embed control software into most mobile devices so that they can configure phones for their networks and push over-the-air firmware updates,” explained Ryan Smith, Accuvant vice president and chief scientist.
The found vulnerabilities could spell disaster for users. Dependent upon device and carrier, when exploited the vulnerabilities in this control software may enable attackers to install malicious software; access data; add, delete and run applications; wipe a device; and remotely change the PIN for the screen lock, among other items.
But Accuvant has been working to properly disclose its findings to service providers to mitigate the risk. The company that makes the software has issued a fix that solves the problem; baseband manufacturers have written code to implement the fix; and carriers are in the process of distributing the fix to existing phones.
Mobile phone users should make sure their devices are up to date with the latest patches,” Accuvant advises.
If no recent patches have been issued for a device, users should contact their carriers to find out if they are impacted and if a fix is available or has already been implemented. Organizations should leverage their MDM platforms to ensure users adopt the latest version of software for their phones.