Alexander Kozlov & Sergey Anufrienko at Hardwear USA 2024
One SMS to root them all: exposing critical threats in millions of connected devices

Abstract:

In 2023, we discovered several vulnerabilities, including remote code execution (RCE), in a family of cellular modems manufactured by Telit that can lead to their complete compromise. We identified a number of security problems in user applications (MIDlets) and in the OEM-developed firmware of these modems. We found that, with physical access to the modem, it is possible to compromise the confidentiality and integrity of user MIDlets. The study showed that the digital signature of both user and manufacturer MIDlets can be extracted, substituted and bypassed, and that the execution privileges of any user MIDlet can be elevated to the manufacturer level.


During the study of the modem firmware, heap overflow vulnerabilities were discovered in the AT command handler and in the SUPL message handler. The SUPL handler bug allowed us to remotely execute arbitrary code on the modem by sending several SMS messages. The same vulnerability also made it possible to unlock access to the OEM's special AT commands for reading and writing the modem's RAM and flash memory.
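The abstract does not describe the Telit handlers internally, so the following is an added, hypothetical illustration of the bug class it names, not code from the talk or from Telit: a length byte taken from an untrusted message (the sort of payload that arrives via SMS or SUPL) drives a copy into a fixed-size heap object. The message format, buffer size and function names are all invented for the example; the hardened variant shows the two checks the vulnerable one is missing.

```c
/* Hypothetical length-prefixed message handler, added as an illustration.
 * NOT Telit's code: the "type | len | payload" format, PAYLOAD_CAP and all
 * function names are assumptions made for this example only. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_CAP 64

struct msg {
    uint8_t type;
    uint8_t len;
    uint8_t payload[PAYLOAD_CAP];   /* fixed-size field inside a heap object */
};

/* Vulnerable pattern: the attacker-controlled length byte is used directly as
 * the copy size. If len > PAYLOAD_CAP the memcpy runs past the end of the heap
 * allocation (heap overflow); if len > n - 2 it also over-reads the input. */
struct msg *parse_vulnerable(const uint8_t *buf, size_t n)
{
    if (n < 2)
        return NULL;
    struct msg *m = malloc(sizeof *m);
    if (!m)
        return NULL;
    m->type = buf[0];
    m->len  = buf[1];
    memcpy(m->payload, buf + 2, m->len);   /* no bound against PAYLOAD_CAP or n */
    return m;
}

/* Hardened: reject any declared length that exceeds either what the input
 * actually contains or what the destination field can hold. */
struct msg *parse_hardened(const uint8_t *buf, size_t n)
{
    if (n < 2)
        return NULL;
    uint8_t len = buf[1];
    if (len > PAYLOAD_CAP || (size_t)len > n - 2)
        return NULL;                         /* malformed: drop the message */
    struct msg *m = malloc(sizeof *m);
    if (!m)
        return NULL;
    m->type = buf[0];
    m->len  = len;
    memcpy(m->payload, buf + 2, len);
    return m;
}

/* Helper for tests: 1 if the hardened parser accepts the message, else 0. */
int hardened_accepts(const uint8_t *buf, size_t n)
{
    struct msg *m = parse_hardened(buf, n);
    if (!m)
        return 0;
    free(m);
    return 1;
}

/* Helper for tests: declared length the vulnerable parser stores for a
 * well-formed message (it is only ever called with benign input here). */
int vulnerable_len(const uint8_t *buf, size_t n)
{
    struct msg *m = parse_vulnerable(buf, n);
    if (!m)
        return -1;
    int len = m->len;
    free(m);
    return len;
}

int main(void)
{
    /* Constructed sample messages: a benign one and two malformed ones. */
    const uint8_t ok[]        = { 0x01, 0x03, 'a', 'b', 'c' };
    uint8_t       oversized[202] = { 0x01, 0xC8 };     /* len = 200 > PAYLOAD_CAP */
    const uint8_t truncated[] = { 0x01, 0x0A, 'x', 'y', 'z' }; /* claims 10, has 3 */

    printf("benign:    hardened=%d vulnerable_len=%d\n",
           hardened_accepts(ok, sizeof ok), vulnerable_len(ok, sizeof ok));
    printf("oversized: hardened=%d (vulnerable parser would overflow the heap)\n",
           hardened_accepts(oversized, sizeof oversized));
    printf("truncated: hardened=%d (vulnerable parser would over-read)\n",
           hardened_accepts(truncated, sizeof truncated));
    return 0;
}
```

The oversized and truncated inputs are deliberately never fed to `parse_vulnerable`, since doing so is undefined behaviour; the point of the pair is that the declared length must be checked against both the input size and the destination capacity before any copy, which is the check a fuzzer or a reviewer looks for first in any SMS or SUPL parsing path.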


To demonstrate that the modem can be compromised remotely, we developed our own SMS-based file system and installed it on the modem through the vulnerability in the SUPL message handler. Using it, we could remotely activate Over-The-Air Provisioning (OTAP) to install an arbitrary MIDlet on the modem. That MIDlet could not be removed with the standard mechanisms provided by the manufacturer; only a full reflash of the modem firmware would wipe it. Our research revealed several significant security flaws in Telit's modems. This is the first time such a broad study of modems from this vendor has been carried out, and it constitutes a starting point for other researchers. A white paper on modem security internals, based on this study's findings, is scheduled for publication in May 2024.


Speaker Bio:

Alexander Kozlov is a Principal Security Researcher at Kaspersky ICS CERT. He has extensive professional experience in cryptography and computer security, with a special interest in reverse engineering and hardware.

Sergey Anufrienko is a hacker and musician with over 20 years of expertise in programming, hardware and reverse engineering.