Ars Technica reports that the bug, found within a telephony standard known as “Abstract Syntax Notation One” (ASN.1), was disclosed by security experts this week. It lies in a library of code used by a wealth of telecoms equipment. Devices ranging from cell towers and transmitters and networking switches to individual consumer smartphones contain code that includes the bug.
ASN.1 is used as a data representation for networking and telecoms applications. A compiler created by Objective Systems, ASN1C, translates ASN.1 representations into executable C and C++ code for running on devices. A flaw in its output leaves the generated code vulnerable to heap overflow bugs that could allow attackers to hijack devices.
A successful exploit of the bug would allow an external attacker to gain control of any of the affected phones, routers or cell towers. They could access the network remotely and without any authentication. It has not yet been determined whether the flaw is present in other forms of ASN1C output; the compiler also produces code written in the Java and C# programming languages.
In a security advisory, the researcher who discovered the bug noted that not every device will be vulnerable. Devices can only be targeted if they implement the affected code in an unsafe way and allow the processing of ASN.1 data from untrusted sources. Despite these limitations, security researchers have warned that the bug could have devastating consequences. Developers using the ASN1C library have been urged to audit their code to determine if their application is at risk.
Objective Systems has already released a hotfix for the ASN1C 7.0.1.x series of compilers. Customers using the compilers need to contact the company directly to obtain the hotfix. The availability of a patch doesn’t mean the flaw will disappear though. The range of equipment affected means many products will never be properly secured. Not every smartphone manufacturer will release updates, and it’s difficult to see cell towers in remote regions around the world receiving the fix.
Currently only processor manufacturer Qualcomm is known to be affected by the discovery. Its modems are used in the processors inside millions of smartphones across the world. Researchers are currently checking the products of several other major telecoms firms including Alcatel-Lucent, AT&T, BAE Systems, Broadcom, BT, Cisco and Ericsson to determine if they are also affected. Two companies, Honeywell and Hewlett Packard Enterprise, have already been confirmed as not affected.
The vulnerability in ASN1C indicates how dependence on a common standard can have grave consequences for security. Because ASN.1 is used by so many products across every part of the telecoms industry, vendors won’t be able to fully patch every device on their networks. Some carriers are likely to have affected gear in use for years, giving hackers the ability to take control of thousands of smartphones at a time.
UPDATE – 21/07/2016
In a statement, Qualcomm has clarified how the vulnerability impacts its products. It believes it is “not exploitable” because an attacker would need to send a large value through the network to trigger the integer overflow that opens the vulnerability.
The value is transmitted using a specially crafted network signaling message. However, mechanisms implemented by Qualcomm as defined in the 3G/4G Standards would prevent the value from getting through as such large values are automatically blocked. Qualcomm said it is continuing to work actively to deploy the patch to its products but there is currently no indication of an immediate security risk being present.
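Qualcomm's statement describes the trigger as a large value in a signaling message that causes an integer overflow, which in turn opens a heap overflow. The following C listing is an added illustration of that bug class written for this page; it is not ASN1C's generated code, not Qualcomm's code, and the message layout (a 4-byte big-endian element count followed by 16-byte elements), the element size, the message samples and all function names are assumptions. It shows the unchecked 32-bit size arithmetic wrapping to a tiny allocation, and the two checks a decoder needs before trusting a length field: that the byte size does not overflow, and that it does not exceed the bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define ELEM_SIZE 16u   /* assumed fixed element size for this example */

/* Unchecked size arithmetic in 32-bit integers, the pattern that wraps silently.
   count = 0x10000001 gives 0x100000010, truncated to 0x10: a 16-byte buffer for
   a structure the decoder then believes holds 268 million elements. */
uint32_t unchecked_size(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Hardened computation: reject a count whose byte size would overflow uint32_t
   or would exceed the payload bytes actually present in the message. */
int element_bytes(uint32_t count, size_t available, uint32_t *out) {
    if (count > UINT32_MAX / ELEM_SIZE)
        return -1;                      /* multiplication would wrap */
    uint32_t bytes = count * ELEM_SIZE;
    if (bytes > available)
        return -1;                      /* length field claims more than was sent */
    *out = bytes;
    return 0;
}

static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Toy decoder (hypothetical format): returns the element count on success and
   hands back a heap buffer sized by element_bytes(); returns -1 and allocates
   nothing when the count is rejected. */
long decode_elements(const unsigned char *msg, size_t len, unsigned char **out) {
    if (len < 4)
        return -1;
    uint32_t count = read_be32(msg);
    uint32_t bytes;
    if (element_bytes(count, len - 4, &bytes) != 0)
        return -1;
    unsigned char *buf = malloc(bytes ? bytes : 1);
    if (!buf)
        return -1;
    memcpy(buf, msg + 4, bytes);        /* safe: bytes <= len - 4 */
    *out = buf;
    return (long)count;
}

/* Constructed sample messages (not real signaling data). */
static const unsigned char GOOD_MSG[4 + 32]  = { 0x00, 0x00, 0x00, 0x02 }; /* 2 elements, 32 bytes */
static const unsigned char WRAP_MSG[4 + 32]  = { 0x10, 0x00, 0x00, 0x01 }; /* count*16 wraps to 16 */
static const unsigned char SHORT_MSG[4 + 32] = { 0x00, 0x00, 0x00, 0x03 }; /* claims 48 bytes, has 32 */

/* Runs the three samples through the hardened decoder; returns 1 if behaviour is as expected. */
int run_demo(void) {
    unsigned char *buf = NULL;
    int ok = 1;

    long n = decode_elements(GOOD_MSG, sizeof GOOD_MSG, &buf);
    ok = ok && (n == 2) && (buf != NULL);
    free(buf);
    buf = NULL;

    ok = ok && (decode_elements(WRAP_MSG, sizeof WRAP_MSG, &buf) == -1) && (buf == NULL);
    ok = ok && (decode_elements(SHORT_MSG, sizeof SHORT_MSG, &buf) == -1) && (buf == NULL);
    ok = ok && (unchecked_size(0x10000001u) == 16u);   /* the wrap the checks prevent */
    return ok;
}

int main(void) {
    return run_demo() ? 0 : 1;
}
```

The second check is the one that matters most in practice: even where the arithmetic cannot wrap, a length field that exceeds the received message must be rejected before any copy, and doing so also gives the decoder a natural place to log and count malformed messages from the network.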