We originally posted something on this when little information was available; over the past few days, however, more has come out about this issue regarding the OMA-DM (Open Mobile Alliance Device Management) protocol. The Register has picked up more information on this that came out of Black Hat 2014.
Researchers Mathew Solnik and Marc Blanchou of security firm Accuvant told conference attendees that the problem lies in the Open Mobile Alliance Device Management (OMA-DM) protocol, which is used by about 100 mobile phone manufacturers to deliver software updates and perform network administration.
According to the duo, it’s not actually that hard to get an IMEI number or several carriers’ secret tokens. A combination of lazy networks and susceptible operating system versions opens up an extraordinary number of devices to attack, it’s claimed.
Following a WAP message broadcast from a base station, the researchers could wirelessly upload code to a phone, it’s claimed, and then execute the code to exploit memory bugs in the software to gain full control of the device – without any visible signs that skullduggery was going on.
BlackBerry is not immune to this exploit: although no demonstration using a BlackBerry is shown, a Z10 has been noted to have been used. Android is seemingly an open book when it comes to this, while iOS was noted to be harder to penetrate.
Some handsets were worse than others, they found. Android was generally wide open to exploits, as was BlackBerry and a host of embedded systems, the conference was told. iOS was a tougher nut to crack – most handsets were immune – but some phones run by Sprint could be accessed wirelessly, and others could be vulnerable if the user is tricked into accepting an update.
You can find two videos posted on the Accuvant YouTube channel showing the exploit using a phony femtocell.