Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Communications Privacy

Software Flaw Puts Mobile Phones and Networks At Risk Of Complete Takeover (arstechnica.com) 52

Dan Goodin, reporting for Ars Technica: A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday. The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One."The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources," researchers who discovered the flaw wrote in an advisory published Monday evening. "These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network."
This discussion has been archived. No new comments can be posted.

Software Flaw Puts Mobile Phones and Networks At Risk Of Complete Takeover

Comments Filter:
  • by TechyImmigrant ( 175943 ) on Wednesday July 20, 2016 @11:59AM (#52547981) Homepage Journal

    I've done my bit to try to eradicate ASN.1 from standards I work on. But there's always 2 or 3 vocal people going to great lengths to keep it in there. It's become more clear over time that they don't only work for their stated employers.

    • by Anonymous Coward on Wednesday July 20, 2016 @12:08PM (#52548033)

      Or they don't want to break everything by removing support for ASN.1.

      But the open source community has never been on for maintaining compatibility, so it's understandable

    • by dgatwood ( 11270 )

      Yeah, it's baffling how many security people seem to like ASN.1 as a means of encoding various cryptographic data. It's an awful format. It isn't human-readable, and the parser is fairly complex, which means that creating one is likely error-prone.

      • by dgatwood ( 11270 )

        Oh, and it is used exclusively in a few niche technologies, which means the odds of bugs getting found and fixed are relatively small.

        • by Anonymous Coward

          ASN.1 is just a notation standard, not unlike BNF. It's the code generator that parses ASN.1 that has a problem.

          • by dgatwood ( 11270 )

            Not sure how this changes the facts—that ASN.1 is a niche language used in a few narrow areas, that it doesn't get a lot of attention because only a tiny percentage of engineers understand or use it, and that we'd all be better off if everyone just used more sensible data formats, such as JSON, XML property lists, or any number of other similar formats that are well understood, broadly used, and thus thoroughly debugged. The same is true for all the usual binary formats that people define using ASN.

    • by Anonymous Coward

      Get rid of ASN.1 ?? Heaven forbid we have a standard that explicitly states the sizes of fields and makes it easy for computers to tokenize data. I want more html and human readable text standards so I can worry every night about cross-site scripting and other vulnerabilities they cause.

      Some of us old people actually want to have some fighting chance to make our systems secure.

      • by TroII ( 4484479 )

        I can't tell whether you're being sarcastic or what, but obscurity is not security; quite the contrary, it reduces the likelihood that a bug or backdoor, if there, will ever be found. Human-readable protocols are good.

    • by umghhh ( 965931 )
      If I understand this correctly you blame the encoding standard which may or not be useful in some applications for faults in a library?
      What I found really bad is that somebody modded you into insightful for expressing this silliness.
      • If I understand this correctly you blame the encoding standard which may or not be useful in some applications for faults in a library?
        What I found really bad is that somebody modded you into insightful for expressing this silliness.

        Yes I did. This is because the ASN.1 encoding standard is and has been shown to be exactly the sort of format that is hard to implement parsers for correctly and securely. Worse, it doesn't need to be that way in most of the places it is used. It is used in protocols that are typically throwing around fixed size fields. But you have to specify the size of the field in the data and a parser has to read it and trust the input and set aside memory on the fly as the data comes in and declares itself to be of wh

    • by Anonymous Coward

      Those who do not understand ASN1 are doomed to re-invent it. Poorly.
      Look at abominations like binary xml.

      • Those who do not understand ASN1 are doomed to re-invent it. Poorly.
        Look at abominations like binary xml.

        Those who implement ASN.1 are doomed to introduce more critical security flaws into the world.

  • Untrusted sources (Score:4, Insightful)

    by willoughby ( 1367773 ) on Wednesday July 20, 2016 @12:31PM (#52548165)

    So... could the Feds use a Stingray to distribute this to a targeted phone?

    • Re: (Score:3, Interesting)

      Get rid of ASN.1 ?? Heaven forbid we have a standard that explicitly states the sizes of fields and makes it easy for computers to tokenize data. I want more html and human readable text standards so I can worry every night about cross-site scripting and other vulnerabilities they cause.
      Some of us old people actually want to have some fighting chance to make our systems secure.
    • by t8z5h3 ( 1241142 )
      unknown but it maybe why yesterday the government was moving from android to Apple IOS.
  • "They";

    - Could,
    - might,
    - it's possible

    Fuck off with the paranoia and prove it in the wild before more scare-mongering to make everyone buy new shit every few years. I am just so getting tired of it.

  • This flaw resides in a version of the library implemented on a specific platform, namely Windows running on x86 [github.com] hardware. Makes a good case for not running your infrastructure on a software monoculture. This isn't the first such discovery, see Microsoft ASN.1 Library Length Overflow Heap Corruption [attrition.org] from July 2003.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...