The researchers ran a test base station in the room during their presentation at Black Hat that was powered down as much as possible to restrict its range of influence over phones in the area. They also used several layers of encryption to make sure that no unintended devices actually connect to the base station and asked people in the audience to shut off their phones.
Despite these precautions, 70 mobile phones attempted to connect to the rogue base station during the presentation, the researchers said, highlighting that hijacking mobile device connections in this way can be fairly easy. Even 3G or LTE devices can be tricked into connecting to a GSM base station by jamming the 3G and LTE frequencies in the area, they said.
The OMA-DM functionality itself can be abused to modify APN and proxy settings, change routing and preferred gateway settings, install applications and more. However, since this functionality differs from carrier to carrier, the researchers focused on identifying memory corruption vulnerabilities in the Red Bend software code that could allow them to achieve remote code execution on devices regardless of carrier-mandated customizations. They also managed to defeat the anti-exploitation defenses on iOS and Android.
On smartphones the management code runs in user space (outside the kernel) like other applications, but it has a privileged interface to the baseband -- the firmware that controls the phone's radio communications -- so by exploiting the OMA-DM software an attacker can potentially go even deeper and exploit baseband vulnerabilities, the researchers said.
In the U.S., three out of four Android devices sold through major carriers have this technology built into them, while iOS devices only have it on Sprint, Solnik and Blanchou said. BlackBerry devices also have it on most U.S. carriers. The researchers cautioned that the problem is global, as they tested phones from carriers in multiple countries, but they declined to name them because they're still in the process of responsible disclosure with some of them.
According to them, OMA-DM client software developed by companies other than Red Bend is also vulnerable, because most implementations, including Red Bend's, share the same code base -- an open source project called the SyncML Reference Toolkit that hasn't been updated since 2004.
According to the researchers, Red Bend Software has been notified and has made patches available to manufacturers.
"Since receiving this report in mid-June, Red Bend has worked with its customers and confirmed that all identified risks have been mitigated," the company said in a statement on its website. "All new versions of vDirect Mobile provided to our customers contain these mitigations."
The risk to iOS devices on Sprint has been largely mitigated, the researchers said. However, addressing the problem on Android devices depends on when manufacturers issue updates and when carriers distribute them to their affected customers.