New Vulnerability May Affect Cell Phones, Cell Towers, Routers and Switches

A bug in a software library used in a wide variety of communications products such as cell towers, routers and switches and even the radio chips inside of cell phones was recently announced.

The library in questions implements  standard known as ASN.1 and was developed by Objective Systems.

While we are all used to, for example, patching our iPhones or Android phones, what we are talking about here is patching the chip inside the phone that controls the radio that talks to the cell tower.  THAT is something that we are not used to patching.

If someone were to figure out how to exploit this flaw – and the experts say that this is not easy – then they are in control of the guts of the phone – possibly even bypassing encryption.  This is why this is such a big deal.  The same applies to any of the other affected communications equipment.

Right now we know that Qualcomm chips can be exploited, but researchers are furiously at work testing AT&T, Ericsson, Cisco and other implementations to see if they are also vulnerable.

While Objective Systems has released a patch, it is not likely that all of the equipment that uses the affected code will ever be patched.  Some of the equipment is on telephone poles in the middle of nowhere and other equipment is in old phones that are no longer ‘supported’ by the cell carrier.  It is even possible that for some of the equipment, the manufacturer did not provide a mechanism to field upgrade the firmware in these chips.

What is even worse is that it is unlikely that the owner of the equipment, whether that is you or me when it comes to a cell phone, Verizon when it comes to a cell tower or your IT department when it comes to an Internet router would ever know that the equipment has been compromised because we don’t have any monitoring software that operates at that level.

That is a bit disconcerting.  But not surprising, unfortunately.

Information for this post came from Ars Technica.

Leave a Reply

Your email address will not be published.