Re: Seeking more info on: Devastating mobile attack under spotlight

[liquidfish <liquidfish () gmail com>]

It is possible for carriers to send and install a new firmware image to a
mobile phone using SMS messages. The system is called Firmware Over The Air
(FOTA) technology. Mobile carriers use this tech to send updates to
customers without requiring customer intervention. So whether or not it is
possible to update a mobile station's entire firmware image is not in
question. It IS possible because the carriers have designed systems to make
it possible. The question that needs to be answered is whether or not (and
possibly how) those systems validate the legitimacy of the FOTA messages
they recieve. Something like the 3GPP EAP-SIM standard would be a very
applicable (although a pain in the butt i imagine given the dependency on
SMS messages for FOTA) method for validation that could possibly resolve the
alleged vulnerability (if it exists)



-p

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave