Deep Dive — Critical Android Base-Band Vulnerabilities❗
TL;DR: this is bad — remote code execution without user interaction over the cellular network, combined with the usual level of security confusion that goes with Android’s model. Unless your Android device is on the list of known-patched devices, or unless your vendor has explicitly announced that they are not using an affected cellular modem, assume you are in danger, and apply the workaround (turn off Wi-Fi calling & Voice-over-LTE AKA VoLTE).
Mobile phones contain a sub-system designed for communicating with cellular networks. These sub-systems handle the radio communications between the phone and the cell towers, and they are highly independent from the rest of the phone: they don’t just have their own firmware, they contain an independent processor and run their own mini OS. This mini OS has a privileged relationship with the phone’s primary OS, making it possible for malware to migrate from the base-band OS to the core Android OS, and to do so with system-level privileges.
Different cellular modem manufacturers use different hardware, firmware, and software for their base-band chips, so these kinds of vulnerabilities don’t generally affect all Android devices.
Google’s Project Zero have announced the existence of four critical bugs that allow an attacker knowing nothing more than a victim’s cellphone number to remotely take over the device without any user interaction, and entirely stealthily. This is the kind of vulnerability that grey-hat companies like the NSO group leverage to create spyware products like the infamous Pegasus. That level of access would of course also be a boon for cyber criminals, who could steal passwords, private keys, MFA codes, and more in order to steal identities, money, and cryptocurrency wallets.
Most unusually, the Project Zero team have chosen to withhold the details of the vulnerabilities despite the usual 90-day disclosure window having expired. These bugs are so bad they are making a rare exception.
As well as not knowing how the bugs work, we only have a vague idea of what devices are and are not affected. We know that Google have patched the vulnerabilities in the latest software updates for their Pixel phones and that many Samsung devices are affected, but beyond that, there’s very little clarity.
Thankfully there is a workaround for anyone not using a Pixel device — turn off Wi-Fi calling and Voice-over-LTE (VoLTE).
If you’re using a non-Pixel Android device, apply the workaround now, and check with your manufacturer whether or not your device has a patch for CVE-2023-24033.
Links
- Project Zero’s Vulnerability Announcement — googleprojectzero.blogspot.com/…
- An excellent explanation of what a baseband chip is, and what little we know about these vulnerabilities: Dangerous Android phone 0-day bugs revealed – patch or work around them now! — nakedsecurity.sophos.com/…
❗ Action Alerts
- Last Tuesday was Patch Tuesday, and Microsoft released fixes for 74 vulnerabilities, including two zero-day bugs that are being actively exploited, so patch ASAP! — krebsonsecurity.com/… & nakedsecurity.sophos.com/…
Worthy Warnings
- Keep an eye out for firmware updates for your Windows laptops: https://kb.cert.org/vuls/id/782720 — kb.cert.org/… & TPM 2.0 vulns – is your super-secure data at risk? — nakedsecurity.sophos.com/…
Notable News
- Epic must pay $245M after luring customers into ‘Fortnite’ purchases — appleinsider.com/… (so-called Dark Patterns, i.e. UI designed to trick people)
- VPN access now open to all Google One subscribers — appleinsider.com/…
- 🇬🇧 WhatsApp have joined Signal in making it clear that they would rather leave the country than comply with the UK’s controversial proposed ‘Online Safety Bill’, which would ban true end-to-end encryption in the name of detecting CSAM — www.bbc.com/…
Excellent Explainers
- For added security, Apple are pushing cloud storage apps away from kernel extensions to their File Provider API; this article expertly explains what this change means for users: Apple’s File Provider Forces Mac Cloud Storage Changes — tidbits.com/…
Palate Cleansers
- From Allison: some hilarious but insightfully useful advice — mastodon.social/…
- From Steve: An Internet troll worth following: KenM on Reddit
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |