I have mentioned in the past how closely I follow the work of Prof. Seifert’s lab at TU Berlin. They are the source of some of the most interesting security research of the last few years. The lab has been around long enough that its alumni are now out in the field producing more interesting research.

The latest results from an alumnus of that lab are the remote code execution exploits identified by Nico Golde in his most recent article. A series of implementation errors in the code that handles emergency broadcast notifications results in an integer underflow; combined with a missing bounds check, this leads to remote code execution. There are some challenges, such as the time window to execute the exploit being only about 5 seconds, but other than that this is a rather interesting one. Apple has already patched the issue, so this is now mainly a very interesting piece of research.

Despite the very interesting exploit documented by Nico, my favorite part of the article is the detailed analysis of the 3GPP and ETSI standard documents it presents. It is a great illustration of very large and challenging problems in the world of standards in general. Standards often end up incomplete because of the difficulty of reaching agreement among such a complex and heterogeneous set of industry stakeholders with different requirements and goals. On top of that, the technology itself often poses a major challenge that, because finding an optimal solution is so complex, is simply ignored, or a less secure workaround is chosen.

The article focuses specifically on the Public Warning System, which piggybacks on the paging channel (PCH) and cell broadcast channels to deliver disaster warnings to the population in near real time. Providing security and authentication for such a system is very complex, mainly because, although an operator could cryptographically sign disaster alert broadcast messages, users roaming on a foreign network would have no means of verifying (and, if necessary, decrypting) such messages. As such, the choice in the standards was to simply leave security “out of the scope of the 3GPP specifications”. Although everyone acknowledges that finding a solution is very challenging, leaving security out of the scope of a standards document is not rare.

(Figure: excerpt from 3GPP TS 22.268 Release 11, page 9)

By reverse engineering the code of Intel’s XMM7360, the cellular baseband used in all modern iPhones, the author was able to identify a combination of an integer underflow and a missing bounds check that results in potential remote code execution on devices running iOS prior to 11.3.
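To make the bug class described above (and in the earlier paragraph on the implementation errors) concrete, here is an added example of my own in C; it is not Nico’s code and not the XMM7360 firmware, and the message layout, field sizes and function names are made up for illustration. It shows the unsigned length subtraction that underflows when the declared length is smaller than the header, next to a parser that validates the length before the arithmetic and before the copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified warning-message layout for illustration only
 * (not the real ETWS/CBS encoding and not the XMM7360 code):
 *   bytes 0-1 : total message length, big endian, header included
 *   bytes 2-3 : message identifier
 *   bytes 4.. : warning text payload                                  */
#define HDR_LEN 4
#define MAX_PAYLOAD 64
static size_t read_total_len(const uint8_t *msg) {
    return ((size_t)msg[0] << 8) | msg[1];
}

/* Defect pattern: unsigned subtraction with no check that total_len >= HDR_LEN.
 * A declared length of 0..3 wraps to a huge value; with no bounds check, a
 * later copy of that many bytes would run far past any destination buffer. */
size_t payload_len_vulnerable(const uint8_t *msg) {
    return read_total_len(msg) - HDR_LEN;   /* underflows when total_len < HDR_LEN */
}

/* Hardened parser: validate before the arithmetic and before the copy.
 * Returns the payload length on success, -1 on any malformed input. */
int parse_warning_hardened(const uint8_t *msg, size_t msg_len,
                           uint8_t *out, size_t out_len) {
    if (msg_len < HDR_LEN) return -1;          /* header must be fully present   */
    size_t total_len = read_total_len(msg);
    if (total_len < HDR_LEN) return -1;        /* blocks the underflow           */
    if (total_len > msg_len) return -1;        /* declared length must fit input */
    size_t payload_len = total_len - HDR_LEN;
    if (payload_len > out_len) return -1;      /* destination bounds check       */
    memcpy(out, msg + HDR_LEN, payload_len);
    return (int)payload_len;
}

int main(void) {
    /* Constructed samples: a well-formed message, and one whose length field is smaller than the header */
    const uint8_t good[] = {0x00, 0x09, 0x11, 0x00, 'A', 'L', 'E', 'R', 'T'};
    const uint8_t bad[]  = {0x00, 0x02, 0x11, 0x00, 'A', 'L', 'E', 'R', 'T'};
    uint8_t buf[MAX_PAYLOAD];
    printf("vulnerable length for bad message: %zu\n", payload_len_vulnerable(bad));
    printf("hardened: good=%d bad=%d\n",
           parse_warning_hardened(good, sizeof good, buf, sizeof buf),
           parse_warning_hardened(bad, sizeof bad, buf, sizeof buf));
    return 0;
}
```

The vulnerable function returns a length of about 2^64 for the malformed sample, which is the value a missing bounds check would hand to the copy; the hardened parser rejects that message, an over-long declared length, a truncated header and an undersized destination alike.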

Very interesting work that follows up on their previous research on cellular baseband exploitation. Good read!
