New Baseband Hack to Feature at PWN2OWN

A new method of unlocking the iPhone baseband will be revealed at this year's Pwn2Own conference, with a new, and potentially malicious, feature: the ability to turn your phone into a spying device. Ralf Philipp Weinmann, a research associate at the University of Luxembourg, will be discussing a huge bug in the firmware of baseband processors commonly used on iPhones and Android devices at the CanSecWest conference in Vancouver, Canada, which begins March 9. However, there's no update on the arrival of a deployable iPhone unlock, whether or not connected to this exploit.

Weinmann says he has identified some serious security holes in Qualcomm and Infineon firmware for GSM baseband processors. As a demonstration of how his exploit completely defeats the data protection engineered by the manufacturers into this firmware, Weinmann says he will show "how to use the auto-answer feature present in most phones to turn the telephone into a remote listening device."

Baseband hackers and security analysts alike are impressed with the sophistication of the exploit. "[It's] like tipping over a rock that no one ever thought would be tipped over, said a forensic and anti-forensic researcher who is known only as 'the Grugq' to protect his own identity. "There are a lot of bugs hidden" in the baseband firmware, he added. "It is just a matter of actively looking for them." Don Bailey, a security consultant with Isec Partners, calls Weinmann's work "an extremely technical attack," but notes that it's unlikely to turn into a problem for everyday phone users because an attacker would need his own cellular base station. However, he notes that using OpenBTS and as little as $2,000 worth of equipment, anyone can create their own tower: something that used to cost tens of thousands of dollars. "Now it's a completely different game," Bailey says.

Weinmann hacked a non-jailbroken iPhone in last year's Pwn2Own contest and exflitrated the SMS database in about 20 seconds. By loading a web page in Safari, Weinmann triggered an exploit that ran entirely inside the iPhone sandbox using the privileges of a non-root user called 'mobile'. With this exploit, Weinmann said, "I can do anything that 'mobile' can do." Weinmann is also credited with finding the TMSI overflow hole that was patched in iOS 4.2. The expectation is that the details on this exploit will also be kept secret until Apple patches the hole.