ASN.1 Bug Lets Hackers Attack Mobile Carriers

Ars Technica has reported the discovery of a vulnerability in a software library for ASN.1, a widely-used standard for encoding telecom network data. The vulnerability allows hackers to execute their own malicious code on routers, switches and radio towers.

The weakness was identified by researchers from the Fundación Sadosky and is described in an advisory posted to GitHub on July 18th. They found a bug in an ASN.1 compiler for C and C++ supplied by Objective Systems Inc., an American business. The bug allows…

…an attacker to remotely execute code in software systems, including embedded software and firmware… The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources; these may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier’s network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network.
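The advisory quoted above says the flaw is reached when a decoder processes ASN.1 data from untrusted sources. The article does not describe the defect itself, so what follows is an added example, not code from the article, the researchers or Objective Systems: a minimal bounds-checked DER tag-length-value reader in C, illustrating the length validation a decoder must perform on untrusted input before it reads or allocates anything. The function names, return codes and sample byte strings are constructed for this illustration.

```c
/* Added example: bounds-checked DER TLV reader (not from the article or
 * from any vendor's code). Shows the checks a decoder needs before trusting
 * a length field that arrived from the network. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uint8_t tag;          /* single-byte tag (high-tag-number form rejected) */
    size_t  value_len;    /* declared length of the value field */
    const uint8_t *value; /* points into the caller's buffer, never copied */
    size_t  total_len;    /* tag + length bytes + value bytes consumed */
} der_tlv;

/* Return codes (constructed for this example) */
enum { DER_OK = 0, DER_ERR_TRUNCATED = -1, DER_ERR_BAD_LENGTH = -2, DER_ERR_UNSUPPORTED = -3 };

/* Parse one TLV from buf[0..len). Every read is checked against len, so a
 * hostile length field can never drive a read or allocation beyond the
 * bytes that were actually received. */
int der_read_tlv(const uint8_t *buf, size_t len, der_tlv *out)
{
    size_t pos = 0;
    if (buf == NULL || out == NULL || len < 2)
        return DER_ERR_TRUNCATED;            /* need at least tag + length */

    uint8_t tag = buf[pos++];
    if ((tag & 0x1F) == 0x1F)
        return DER_ERR_UNSUPPORTED;          /* multi-byte tags not handled here */

    uint8_t first = buf[pos++];
    size_t value_len;
    if (first < 0x80) {
        value_len = first;                   /* short form: 0..127 */
    } else if (first == 0x80) {
        return DER_ERR_BAD_LENGTH;           /* indefinite length is not DER */
    } else {
        size_t nbytes = first & 0x7F;        /* long form: nbytes of length follow */
        if (nbytes > sizeof(size_t))
            return DER_ERR_BAD_LENGTH;       /* would not fit in size_t */
        if (nbytes > len - pos)
            return DER_ERR_TRUNCATED;        /* the length bytes themselves are missing */
        value_len = 0;
        for (size_t i = 0; i < nbytes; i++)
            value_len = (value_len << 8) | buf[pos++];
        /* DER demands minimal encoding: long form only for >= 128, no leading zero byte */
        if (value_len < 0x80 || (nbytes > 1 && buf[pos - nbytes] == 0x00))
            return DER_ERR_BAD_LENGTH;
    }

    /* The critical check: the declared length must fit in what we received. */
    if (value_len > len - pos)
        return DER_ERR_TRUNCATED;

    out->tag = tag;
    out->value_len = value_len;
    out->value = buf + pos;
    out->total_len = pos + value_len;
    return DER_OK;
}

/* Convenience wrapper: bytes consumed on success, otherwise the error code. */
long der_measure(const uint8_t *buf, size_t len)
{
    der_tlv t;
    int rc = der_read_tlv(buf, len, &t);
    return rc == DER_OK ? (long)t.total_len : rc;
}

/* Walk consecutive top-level TLVs; element count, or the first error code. */
int der_count_elements(const uint8_t *buf, size_t len)
{
    int count = 0;
    size_t pos = 0;
    while (pos < len) {
        der_tlv t;
        int rc = der_read_tlv(buf + pos, len - pos, &t);
        if (rc != DER_OK)
            return rc;
        pos += t.total_len;
        count++;
    }
    return count;
}

/* Constructed sample inputs */
static const uint8_t SAMPLE_GOOD[]   = {0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07}; /* SEQUENCE { 5, 7 } */
static const uint8_t SAMPLE_TRUNC[]  = {0x04, 0x82, 0xFF, 0xFF, 0x41};                   /* claims 65535 bytes, has 1 */
static const uint8_t SAMPLE_INDEF[]  = {0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00};       /* BER indefinite length */
static const uint8_t SAMPLE_NONMIN[] = {0x04, 0x81, 0x05, 0x41, 0x42, 0x43, 0x44, 0x45}; /* long form for length 5 */

int main(void)
{
    printf("good:   %ld\n", der_measure(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("inner:  %d\n",  der_count_elements(SAMPLE_GOOD + 2, 6));
    printf("trunc:  %ld\n", der_measure(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    printf("indef:  %ld\n", der_measure(SAMPLE_INDEF, sizeof SAMPLE_INDEF));
    printf("nonmin: %ld\n", der_measure(SAMPLE_NONMIN, sizeof SAMPLE_NONMIN));
    return 0;
}
```

The point of the example is the ordering: the declared length is compared against the bytes actually present before any pointer is advanced or any buffer sized from it. Generated decoders that allocate or copy on the strength of the declared length alone are exactly the kind of code an unauthenticated sender can steer with a crafted length field.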

Objective Systems have created a patch, which is available to their customers upon request. However, operators will find it burdensome to install the patch on all the affected hardware, not least because that equipment is widely distributed. In the interim, hackers have a standing target to attack, and the only comfort is that the vulnerability is relatively difficult to exploit.

Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others. Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy. Commsrisk is edited by Eric.