Report reveals that hackers can take over GPS enabled smartphones easily!

A researcher has demonstrated a serious GPS vulnerability that could let an attacker take over the device entirely. Ralf-Philipp Weinmann demoed this vulnerability at Black Hat earlier this week.

If you own a GPS-enabled device and find the feature helpful, you may need to start looking at the security concerns that come with it. Recently, at the Black Hat computer security conference in Las Vegas on Jul 25, Ralf-Philipp Weinmann, a researcher at the University of Luxembourg, reported that he has found a vulnerability in existing GPS devices, especially Android devices, that could allow a hacker to take full control of the device remotely. The GPS signals are not processed by the GPS radios but by the main processors. He believes that the complex mechanism by which phones get location fixes likely also hides vulnerabilities that could allow the mechanism to be used to install and run malicious code on the device.

So, what’s the problem here?

The real problem here is that the signals received from a GPS satellite are extremely weak. The transmitter power is 27 W (equivalent to a weak light bulb) and the transmitter is at least 20,000 km away! The signal on the ground is so weak (10^-16 W, or -160 dBW) that it sits 20 dB below the background noise level. This means that if you try to “see” it by scanning the spectrum, you won’t notice anything. Special signal processing hardware (called “correlators”) is used to bring that signal above the noise within the receiver so that it can be used to make measurements. Hence, instead of using GPS satellites directly, most mobile devices receive much faster assisted GPS (A-GPS) signals from cellular networks to determine approximate location.

In describing the attack, Weinmann pointed out that, for example, a malicious WiFi network could instruct a phone to relay all future A-GPS requests, even once the device has left the WiFi network’s range. This even further drives home the point that you should not join any networks you don’t trust.

Weinmann discovered that the messages that pass between a phone and its network during this process aren’t exchanged over a secure connection, but rather over a non-secure Internet port. That makes it possible to trick a phone into swapping A-GPS messages with an attacker instead.

He showed that many smartphones process these messages on their main processor, not the GPS chip or the radio chip dedicated to communicating with the cellular network. This means the messages could potentially be used to trigger crashes that would allow the device to be taken over remotely, said Weinmann, who added that he has identified some candidate bugs already.

The good news is that the vulnerability has been spotted early, before any serious disaster. Mobile devices are more complex than desktops, so exploitation is not going to be a big problem for mobile for the time being, provided everyone stays alert. We hope mobile manufacturers and other developers fix this issue soon!

Source: Technology Review
