ASN.1 Bug Lets Hackers Attack Mobile Carriers

Ars Technica has reported the discovery of a vulnerability in a widely used software library for ASN.1, the standard that describes and encodes much of the data exchanged inside telecom networks. The vulnerability could allow an attacker to execute malicious code on routers, switches and radio base stations.

The weakness was identified by researchers from the Fundación Sadosky and is described in an advisory posted to GitHub on July 18th. They found a bug in an ASN.1 compiler for C and C++ supplied by Objective Systems Inc., an American business. The bug allows…

…an attacker to remotely execute code in software systems, including embedded software and firmware… The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources; these may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier’s network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network.

Objective Systems has produced a patch, which is available to its customers on request. However, operators will find it a burden to apply the fix across all of the affected hardware, not least because the vulnerable code is compiled into embedded software and firmware, and that equipment is widely distributed. In the interim, attackers have a standing target, and the only comfort is that the vulnerability is relatively difficult to exploit.
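The advisory quoted above locates the danger in one place: code that decodes ASN.1 received from an untrusted source. The article does not say what the Objective Systems bug was, and the code below is neither that bug nor its fix. It is an added example, not taken from the article or from Objective Systems, of the check every ASN.1 decoder must make before it trusts a message: each tag and length octet is read only after confirming it lies inside the buffer, and each decoded length is compared against the octets that remain inside the enclosing element before any content is touched. The function names and the sample messages are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded BER/DER tag-length header. */
typedef struct {
    uint32_t tag;         /* tag number */
    uint8_t  tag_class;   /* 0 universal, 1 application, 2 context, 3 private */
    bool     constructed;
    size_t   hdr_len;     /* octets consumed by the tag and length fields */
    size_t   len;         /* content length, guaranteed <= buflen - hdr_len */
} tlv_hdr;

/* Decode the tag and definite-form length at buf[0..buflen).
 * Returns 0 on success, -1 on malformed or truncated input. Every octet is
 * read only after checking it lies inside buflen, and the decoded content
 * length is rejected if it exceeds the octets that remain, so a hostile
 * length field cannot push the caller past the end of the buffer. */
int ber_decode_hdr(const uint8_t *buf, size_t buflen, tlv_hdr *out)
{
    size_t pos = 0;
    uint8_t b;

    if (buf == NULL || out == NULL || buflen < 2)
        return -1;                          /* need at least tag + length */

    b = buf[pos++];
    out->tag_class   = (uint8_t)(b >> 6);
    out->constructed = (b & 0x20) != 0;
    out->tag         = b & 0x1f;
    if (out->tag == 0x1f) {                 /* high-tag-number form, base 128 */
        uint32_t t = 0;
        int n = 0;
        do {
            if (pos >= buflen || n++ >= 4)
                return -1;                  /* truncated or absurdly long tag */
            b = buf[pos++];
            t = (t << 7) | (b & 0x7f);
        } while (b & 0x80);
        out->tag = t;
    }

    if (pos >= buflen)
        return -1;                          /* no length octet at all */
    b = buf[pos++];
    if (b == 0x80)
        return -1;                          /* indefinite length: rejected (DER forbids it) */
    if (b < 0x80) {
        out->len = b;                       /* short form */
    } else {
        unsigned nlen = b & 0x7f;           /* long form: nlen further octets */
        size_t l = 0;
        if (nlen == 0 || nlen > 4)
            return -1;                      /* cap at 4 octets; fits size_t on 32-bit too */
        if (nlen > buflen - pos)
            return -1;                      /* the length octets themselves are truncated */
        if (buf[pos] == 0)
            return -1;                      /* leading zero: non-minimal encoding */
        for (unsigned i = 0; i < nlen; i++)
            l = (l << 8) | buf[pos++];
        if (l < 0x80)
            return -1;                      /* should have used the short form */
        out->len = l;
    }

    if (out->len > buflen - pos)
        return -1;                          /* content would overrun the buffer */
    out->hdr_len = pos;
    return 0;
}

/* Count the children of a constructed element (e.g. a SEQUENCE).
 * Each child header is decoded against the octets remaining inside the
 * parent, never against the whole message, so a child length can never
 * escape its parent. Returns the count, or -1 if anything is malformed. */
int ber_count_children(const uint8_t *buf, size_t buflen)
{
    tlv_hdr h, c;
    const uint8_t *p;
    size_t remain;
    int count = 0;

    if (ber_decode_hdr(buf, buflen, &h) != 0 || !h.constructed)
        return -1;
    p = buf + h.hdr_len;
    remain = h.len;
    while (remain > 0) {
        if (ber_decode_hdr(p, remain, &c) != 0)
            return -1;
        p += c.hdr_len + c.len;             /* safe: hdr_len + len <= remain */
        remain -= c.hdr_len + c.len;
        count++;
    }
    return count;
}

/* Constructed sample messages for this example, not real network captures. */
/* SEQUENCE { INTEGER 5, OCTET STRING "hi" } */
const uint8_t SAMPLE_OK[]        = {0x30,0x07, 0x02,0x01,0x05, 0x04,0x02,0x68,0x69};
/* outer length claims 65535 octets but only 3 follow */
const uint8_t SAMPLE_OVERLONG[]  = {0x30,0x82,0xff,0xff, 0x02,0x01,0x05};
/* second child is cut off right after its tag octet */
const uint8_t SAMPLE_TRUNCATED[] = {0x30,0x04, 0x02,0x01,0x05, 0x04};
/* indefinite-length form, terminated by 00 00 */
const uint8_t SAMPLE_INDEF[]     = {0x30,0x80, 0x02,0x01,0x05, 0x00,0x00};

int main(void)
{
    printf("ok        -> %d children\n", ber_count_children(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("overlong  -> %d\n", ber_count_children(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG));
    printf("truncated -> %d\n", ber_count_children(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("indefinite-> %d\n", ber_count_children(SAMPLE_INDEF, sizeof SAMPLE_INDEF));
    return 0;
}
```

The point of the walker is the argument it passes to the header decoder: `remain`, the octets left inside the parent, rather than the size of the whole message. A decoder that validates each length against the full buffer instead of the enclosing element will accept a child that overruns its parent, which is exactly the shape of input that an attacker controlling the wire can craft.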

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.