[Full-disclosure] CDMA and 4G Android hacking

On Wed, Aug 10, 2011 at 8:24 AM, Nick Kralevich <nnk@xxxxxxxxxx> wrote:
... I read about a recent attack you performed against
Android phones via CDMA and 4G.

i did not perform the attacks. only observed and toyed with the attackers.

I was wondering if you could share more information with us about the
attack, so that we could protect our users.  Any additional technical
details you could share with us would be greatly appreciated.

some suggestions:

the attackers were able to use non-privileged apps to continually
invoke voice search, possibly other services. as you know, voice
search sends voice data to google servers... over the 3G or 4G
connection, which in this situation provided the attackers with an
open mic. (and they can intercept, so you won't see anything on your
end.) why isn't voice search always over HTTPS? why can it be invoked

any apps that communicate in clear text are bad (exposing attack
surface to anyone on the network). apps that do unsigned updates in
the clear are even badder. why does google let these things into the

apps that store private information in clear text are bad. apps that
store sensitive authentication credentials for other services in the
clear on the device are even badder. why does google let these things
into the market?

escalations from unprivileged sandbox'ed app exploit (see above) to
kernel or uid0 are bad. perhaps you could offer a large bounty for

can i have a "paranoid mode" of operation? here is a short list of
only some things i had to do not to become a victim when using Android
over malicious networks last week:
 - root my phone to have access to what i need to secure it. (yet
rooting itself indicates vuln!)
 - kernel rootkit my phone to neuter certain syscalls, or block them
from certain apps by UID
 - hard disable certain devices entirely via /proc, /sys, or kernel rebuild
 - build my own kernel modules to do secure networking (tap, iptables)
 - reverse/hack insecure services and apps because Android permissions
are too coarse
 - monitor anomalies via adb shell and respond to incidents (kill
-STOP the spy processes, etc.)

i could go on, but i fear these concerns are falling on deaf ears. (or
to be generous, those that care find their objections overruled by

last but not least, you could always attend DEF CON and find these
issues yourself. i spent two days interacting with these attackers and
learning quite a bit. i am sure you would too...

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages