Serious weaknesses in Verizon Wireless Network Extenders could be used by an attacker to eavesdrop on calls routed through the devices or to view text messages, photos and other data sent by phones connected to them.
The weaknesses, discovered in the low-power cellular base stations by researchers at iSEC Partners, are receiving widespread attention because they let an attacker bypass the authentication mechanism that protects cellphone networks. The researchers will show how they can hack the devices to intercept active voice, SMS and data traffic from any phone that connects to them in a demonstration at the Black Hat 2013 security conference on July 31.
In an advisory issued by iSEC Partners, the researchers said they used an altered HDMI cable to exploit weaknesses in Verizon Network Extender models SCS-26UC4 and SCS-2U01, which were manufactured by Samsung. The researchers, who demonstrated the hack to Reuters, said the devices are plagued with architectural weaknesses and ship with a root password that has been widely available on the Internet.
The attack uses the debug port and takes advantage of the fact that the devices failed to use the standard authentication protocol protecting the CDMA network. The researchers said the weaknesses are likely present in dozens of similar models used by cell carriers nationwide.
Verizon issued a software update in March addressing the coding errors, according to a security advisory issued Monday by the U.S. Computer Emergency Readiness Team. The software update is being pushed out to all affected devices, US-CERT said. Verizon is also deactivating any Wireless Network Extenders that fail to accept the over-the-air update.
"Verizon has updated the software for the Wireless Network Extender to lock down the boot process to prevent exploitation," the US-CERT said.
Verizon also updated the devices to support CAVE authentication, the authentication scheme standard on Verizon's CDMA network, which is harder to defeat.
Despite the software update, the iSEC Partners security advisory said weaknesses persist. The attack they plan to demonstrate at Black Hat requires physical access to the Network Extender. The researchers said in their advisory that custom code running on the device could be used to obtain cellphone identifiers from phones within its range.
iSEC Partners said end-to-end encryption between the handset and the carrier network would make eavesdropping much harder and would reduce the severity of any data exposure.
"Hardening the device can only go so far, as the system architecture itself is flawed," said the iSEC Partners advisory. "As long as data from the cellular handset transmitting to the Network Extender is available in plaintext, it will be vulnerable -- even if communication is secured between the Network Extender and the internal Verizon network."
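The architectural point in the two paragraphs above can be made concrete with a small model of the trust boundary. The following Python is an added example written for this page, not code from iSEC Partners, Verizon or Samsung. It models a rooted Network Extender relaying a handset message to the carrier core under two designs: hop-by-hop protection (air link encrypted to the extender, backhaul encrypted from the extender to the core, as the patched devices do) and end-to-end protection (handset encrypts under a key shared only with the core). The HMAC-SHA256 keystream XOR is a stand-in for the real air-interface and backhaul ciphers, not a cipher to deploy, and the SMS text and keys are constructed inputs.

```python
"""Toy model of the femtocell trust boundary: a rooted Network Extender
between the handset and the carrier core.  Constructed example; the
'ciphers' are an HMAC-SHA256 keystream XOR standing in for the real
air-interface and backhaul encryption."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream; the same call decrypts.
    Illustrative stand-in for a real stream cipher, not for production use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


class Extender:
    """The femtocell.  With root on the box (debug port plus the published
    root password in the article), the attacker reads whatever the relay
    code itself can see."""

    def __init__(self, rooted: bool):
        self.rooted = rooted
        self.captured = []  # bytes an attacker with root gets to read

    def tap(self, data: bytes) -> None:
        if self.rooted:
            self.captured.append(data)


def relay_hop_by_hop(plaintext: bytes, air_key: bytes, backhaul_key: bytes,
                     extender: Extender) -> bytes:
    """Air link encrypted handset<->extender, backhaul encrypted
    extender<->core.  The extender must decrypt in order to re-encrypt,
    so the plaintext exists on the box.  Returns what the core reads."""
    air_nonce = os.urandom(12)
    over_air = keystream_xor(air_key, air_nonce, plaintext)        # handset -> extender
    at_extender = keystream_xor(air_key, air_nonce, over_air)      # extender decrypts
    extender.tap(at_extender)                                      # attacker sees plaintext
    bh_nonce = os.urandom(12)
    over_backhaul = keystream_xor(backhaul_key, bh_nonce, at_extender)
    return keystream_xor(backhaul_key, bh_nonce, over_backhaul)    # core decrypts


def relay_end_to_end(plaintext: bytes, e2e_key: bytes, backhaul_key: bytes,
                     extender: Extender) -> bytes:
    """Handset encrypts under a key shared only with the core; the extender
    forwards ciphertext inside the backhaul tunnel without decrypting it."""
    e2e_nonce = os.urandom(12)
    ciphertext = keystream_xor(e2e_key, e2e_nonce, plaintext)      # handset -> core
    extender.tap(ciphertext)                                       # attacker sees ciphertext only
    bh_nonce = os.urandom(12)
    over_backhaul = keystream_xor(backhaul_key, bh_nonce, ciphertext)
    at_core = keystream_xor(backhaul_key, bh_nonce, over_backhaul)
    return keystream_xor(e2e_key, e2e_nonce, at_core)              # core decrypts end-to-end


def demo() -> dict:
    """Run both designs through a rooted extender and report what leaked."""
    sms = b"constructed sample SMS: meet at 7"  # constructed input
    air_key, backhaul_key, e2e_key = (os.urandom(32) for _ in range(3))
    rooted = Extender(rooted=True)

    core_hbh = relay_hop_by_hop(sms, air_key, backhaul_key, rooted)
    leaked_hbh = rooted.captured[-1]
    core_e2e = relay_end_to_end(sms, e2e_key, backhaul_key, rooted)
    leaked_e2e = rooted.captured[-1]

    return {
        "hop_by_hop_core_ok": core_hbh == sms,
        "hop_by_hop_leaks_plaintext": leaked_hbh == sms,
        "end_to_end_core_ok": core_e2e == sms,
        "end_to_end_leaks_plaintext": leaked_e2e == sms,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Securing the backhaul (the second hop) changes nothing in the first case: root on the extender still yields the decrypted message because the relay has to hold it in the clear. In the second case the same rooted box captures only ciphertext, and the core still reads the message, which is the design change the advisory argues for.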
PUBLISHED JULY 16, 2013