Security researchers have discovered a critical vulnerability in a code library used in a wide range of telecommunication products that could potentially allow hackers to seize control of cell phones and even key parts of the world's telecommunications infrastructure. The bug resides in a code library that is used in various communication products such as radios in cell towers, routers, and switches, as well as baseband chips in mobile phones.
"The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources. These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network," the researchers who discovered the flaw said in a blog post.
The report goes on to say that because the bugs are located in the core runtime support library, it is difficult to analyse their exploitability in all scenarios, and exploiting them would require great skill and resources. However, if attackers do manage to succeed, they would have the ability to execute malicious code on virtually all of the devices that use the code. If a more deadly attack is launched, the flaw has the potential to put carrier equipment at risk as well.
The code library that contains the flaw was developed by Pennsylvania-based Objective Systems and is widely used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One. The company has released a patch that it says corrects the flaw, but the security experts who found the vulnerability say that patching billions of pieces of hardware, most of them scattered in remote places throughout the world, is very difficult, implying that the vulnerability is likely to remain unfixed for a long time.
According to a vulnerability note by the Department of Homeland Security-backed CERT, only equipment from hardware manufacturer Qualcomm is known to be affected as of now. Qualcomm gear is widely used in the consumer electronics market, especially in smartphones and tablets. Researchers have yet to determine whether gear from other manufacturers like AT&T, BAE Systems, Broadcom, Cisco Systems, Deutsche Telekom, and Ericsson is also affected.