CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP

This article discloses the exploitation of CVE-2017-2636, which is a race condition in the n_hdlc Linux kernel driver (drivers/tty/n_hdlc.c). The described exploit gains root privileges bypassing Supervisor Mode Execution Protection (SMEP).

Security reflections from Mobile World Congress

Michael Downs, Director of Telecoms Security, EMEA

Mobile World Congress is not just a name, it is perfectly descriptive.  The entire mobile world squeezes into a few square kilometres of Barcelona for four days. Given this concentration of senior execs, it’s a good place to form an opinion on industry trends and try to understand the place security has in the future of mobile.    

Transport was a massive theme this year.  Someone mentioned there were more car companies here than at a recent major motor show, and everything from chip-set manufacturers to infrastructure providers were touting their connected mobility play.  It seems to be the most obvious large scale early application for the Internet of Things as companies see problems that can be solved with data connections, namely accidents, congestion and general resource waste. The promise is great. 

However, from a security point of view, I got the impression the priorities for many of these propositions was traditional elements such as speed to market, efficiency of UI, prioritizing functionality, hardware power, connection speeds etc.  Not many of the people on the booths I questioned could truly answer the question of what they were doing to keep connected cars, trucks and buses secure from abuse.  Maybe it was an unfair question, but given the scale of what is being proposed, this raised a few eyebrows amongst our experts.  The consequences of attacks on a fleet of trucks, or the targeting of a car’s systems, don’t bear thinking about.  Theoretically, such attacks are possible in the same way an attacker would abuse existing Diameter or SS7 networks.  Everything is assigned a number in the network the same way a phone is, providing a marker from which to develop an attack profile.

This theme grows further when you look at the underlying narrative for the show as a whole, that of attaching a data connection to everything. Lots of marketing dollars were spent on tiny models of everything from stadiums, to entire cities.  This is being enabled by the hope the industry has for emerging protocols such as 5G and LTE-M.  More capacity and higher speeds, means more things can now talk to the Internet.    

This is good for the mobile industry, but also for attackers, as more connected things simply mean a larger attack surface on which to work.  As was demonstrated at our expert dinner, we believe too many vulnerabilities are still present, both in the underlying infrastructure that carries data and also in the radio delivery from base station to user.  This will only be compounded on as more things become connected on an application level, driven by increased digitization and usage of emerging web technologies.

From a signalling (SS7 and Diameter) point of view, the underlying infrastructure to support this brave new world is vulnerable, and becoming easier and cheaper to access by an attacker. For dollars per day, bad actors can now buy access to core telecoms networks on the black market and exploit either existing flaws, or new ones.  Once inside, all that is needed  is a phone number (MSISDN) of your target or targets, be it a person or a fleet of connected cars, to manipulate the commands accordingly.  The move towards new protocols will only present new opportunities for bad actors, who are notoriously creative and persistent.

There are also weaknesses from a radio frequency point of view, as vulnerabilities exist in the vast majority of communication protocols and their implementation. Again, as we saw at our expert’s dinner, armed with just a Raspberry Pi, a chipboard bought for a few dollars and some Python script, data can be sniffed, intercepted, even decrypted on the fly and altered to carry out the whim of the attacker.  Whilst we demonstrated some of this on a toy drone, it is important to note that the same protocols are used in the delivery of the entire gamut of ‘things’ connected by mobile networks.  This means everything from industrial control systems to cars.

This is not intended to be a doomsday rant.  These are points we believe, as a research based security company, are important to be on the mind of the mobile industry.  Many believe we are on the edge of a new industrial revolution. If this is true, then the old mantra that security needs to be built into the heart of things is never truer than right now.  We look forward to spending time making sure the brave new world the mobile industry is creating, is kept safe and can flourish for everyone’s benefit.