20.5k unique visitors in the last 3 days

ASN.1 Bug Lets Hackers Attack Mobile Carriers

A patch addresses the vulnerability but operators will find it a burden to update software across their routers, switches and masts.

Ars Technica has reported on the discovery of a vulnerability in the software library of ASN.1, a widely-used standard for encoding telecom network data. The vulnerability allows hackers to execute their own malicious code on routers, switches and radio towers.

The weakness was identified by researchers from the Fundación Sadosky and is described in an advisory posted to GitHub on July 18th. They found a bug in an ASN.1 compiler for C and C++ supplied by Objective Systems Inc., an American business. The bug allows…

…an attacker to remotely execute code in software systems, including embeded software and firmware… The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources, these may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier’s network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network.

Objective Systems have created a patch, which is available to their customers upon request. However, operators will find it a burden to install the patches on all the affected hardware, not least because the affected equipment will be widely distributed. In the interim, hackers have a standing target to attack, and the only comfort is that the vulnerability is relatively difficult to exploit.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email