
About the ASN.1 Vulnerability

Aug 12, 2016, hellekin

A recent vulnerability disclosure threatens billions of smartphones. What's the fuss about it? How does Neo900 fare against this threat? Hint: pretty well.

ASN.1 Vulnerability

Coming right after NIST's decision to deprecate SMS for two-factor authentication, this disclosure confirms the relevance of the unique Neo900 design, which, among other features, isolates the baseband chip (modem): the modem depends on the CPU (and therefore on the OS) to reach anything else in the system, and it cannot be switched on remotely in the first place, since its power supply is under the CPU's control.

Lucas Molas of Programa STIC discovered a heap memory corruption bug in ASN.1 parsing code produced by the Objective Systems Inc. ASN1C compiler for C/C++, potentially affecting billions of phone users worldwide. ASN.1 is used in many protocols and data formats, including cellular telephony. The proprietary software vendor received a bug report via plain-text email on June 1st, 2016, according to the advisory for CVE-2016-5080, published on July 18th, 2016 in a coordinated release with the vendor.

Abstract Syntax Notation One (ASN.1) is a technical standard and formal notation that describes rules and structures for representing, encoding, transmitting, and decoding data in telecommunications and computer networking.
A vulnerability found in the runtime support libraries of the ASN1C compiler for C/C++ from Objective Systems Inc. could allow an attacker to remotely execute code in software systems, including embedded software and firmware, that use code generated by the ASN1C compiler. The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources; these may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network.
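The bug class behind this advisory, as an added example that is not Neo900's code, not Objective Systems' code and not a reproduction of the actual ASN1C defect: a small C decoder for a BER OCTET STRING in its unchecked form, where the length field read from the wire drives a memcpy into a fixed-size heap object, next to a bounds-checked form that validates the length against the remaining input and against the destination. The tag constant, the VALUE_CAP of 16 bytes, the error codes and every byte string are constructed for this illustration.

```c
/* Added example (not code from Neo900 or Objective Systems, and not the
 * actual ASN1C defect): a minimal BER/DER OCTET STRING decoder showing the
 * bug class, a length taken from untrusted ASN.1 data driving a copy into a
 * fixed-size heap object, beside a bounds-checked version. All byte strings
 * below are constructed test vectors. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAG_OCTET_STRING 0x04
#define VALUE_CAP 16          /* assumed capacity of the decoded value buffer */

typedef struct { size_t len; uint8_t value[VALUE_CAP]; } octet_string_t;

enum asn1_err { ASN1_OK = 0, ASN1_ERR_TRUNCATED, ASN1_ERR_BAD_TAG,
                ASN1_ERR_BAD_LENGTH, ASN1_ERR_TOO_LARGE };

/* Parse a BER length (short or long form). Returns octets consumed, 0 on error.
 * Rejects the indefinite form (0x80), non-minimal long forms and lengths wider
 * than size_t, as a DER decoder must. */
static size_t parse_length(const uint8_t *in, size_t in_len, size_t *out)
{
    if (in_len == 0) return 0;
    if (in[0] < 0x80) { *out = in[0]; return 1; }
    size_t n = in[0] & 0x7f;                        /* number of length octets */
    if (n == 0 || n > sizeof(size_t) || n > in_len - 1) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | in[1 + i];
    if (in[1] == 0 || v < 0x80) return 0;           /* not the shortest encoding */
    *out = v;
    return 1 + n;
}

/* VULNERABLE pattern: the wire length is trusted, so a length above VALUE_CAP
 * writes past the heap object and a length above in_len reads past the input.
 * It is here only to show the shape of the bug; never feed it untrusted data. */
int decode_octet_string_unchecked(const uint8_t *in, size_t in_len, octet_string_t *out)
{
    size_t len, used;
    if (in_len < 2 || in[0] != TAG_OCTET_STRING) return ASN1_ERR_BAD_TAG;
    used = parse_length(in + 1, in_len - 1, &len);
    if (used == 0) return ASN1_ERR_BAD_LENGTH;
    memcpy(out->value, in + 1 + used, len);         /* no bounds check at all */
    out->len = len;
    return ASN1_OK;
}

/* Hardened decoder: the length is checked against the remaining input before
 * anything is read and against the destination before anything is copied. */
int decode_octet_string(const uint8_t *in, size_t in_len, octet_string_t *out)
{
    size_t len, used, hdr;
    if (in_len < 2) return ASN1_ERR_TRUNCATED;
    if (in[0] != TAG_OCTET_STRING) return ASN1_ERR_BAD_TAG;
    used = parse_length(in + 1, in_len - 1, &len);
    if (used == 0) return ASN1_ERR_BAD_LENGTH;
    hdr = 1 + used;                                 /* parse_length guarantees hdr <= in_len */
    if (len > in_len - hdr) return ASN1_ERR_TRUNCATED;
    if (len > VALUE_CAP) return ASN1_ERR_TOO_LARGE;
    memcpy(out->value, in + hdr, len);
    out->len = len;
    return ASN1_OK;
}

/* Constructed vectors (tag 0x04 = OCTET STRING). */
static const uint8_t SAMPLE_OK[]         = {0x04, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_TRUNCATED[]  = {0x04, 0x05, 'h', 'i'};              /* claims 5, carries 2 */
static const uint8_t SAMPLE_INDEFINITE[] = {0x04, 0x80, 'x', 0x00, 0x00};       /* indefinite length */
static const uint8_t SAMPLE_NONMINIMAL[] = {0x04, 0x81, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_LONGFORM[]   = {0x04, 0x82, 0x01, 0x00};            /* length 256, no value */
static const uint8_t SAMPLE_OVERSIZED[]  = {0x04, 0x14,                         /* length 20 > VALUE_CAP */
    'A','A','A','A','A','A','A','A','A','A', 'A','A','A','A','A','A','A','A','A','A'};

static octet_string_t scratch;   /* destination used by the stand-alone demo */

/* Run the hardened decoder into a fresh heap object; returns its error code. */
static int check(const uint8_t *in, size_t n)
{
    int rc = -1;
    octet_string_t *s = calloc(1, sizeof *s);
    if (s) { rc = decode_octet_string(in, n, s); free(s); }
    return rc;
}

/* 1 if the hardened decoder accepts `in` and yields exactly `expect`. */
static int decodes_to(const uint8_t *in, size_t n, const char *expect)
{
    octet_string_t s;
    if (decode_octet_string(in, n, &s) != ASN1_OK) return 0;
    return s.len == strlen(expect) && memcmp(s.value, expect, s.len) == 0;
}

int main(void)
{
    printf("benign (unchecked): %d\n", decode_octet_string_unchecked(SAMPLE_OK, sizeof SAMPLE_OK, &scratch));
    printf("benign:     %d\n", check(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("truncated:  %d\n", check(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("indefinite: %d\n", check(SAMPLE_INDEFINITE, sizeof SAMPLE_INDEFINITE));
    printf("nonminimal: %d\n", check(SAMPLE_NONMINIMAL, sizeof SAMPLE_NONMINIMAL));
    printf("long form:  %d\n", check(SAMPLE_LONGFORM, sizeof SAMPLE_LONGFORM));
    printf("oversized:  %d\n", check(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    return 0;
}
```

Build it with a sanitizer (for example `gcc -fsanitize=address`) and hand SAMPLE_OVERSIZED to the unchecked decoder to watch the heap write; the hardened decoder rejects the same bytes with ASN1_ERR_TOO_LARGE. The order of the checks matters: the length is compared with the remaining input before it is compared with the destination, so a short input can never cause a read past the buffer, and the non-minimal and indefinite forms are refused outright because a decoder that accepts several encodings of the same length has more paths for a crafted packet to take.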

The proprietary software vendor released a hot patch (v7.0.1), available on request to its customers, and will integrate the fix into the upcoming v7.0.2 of the compiler.

On July 1st, Programa STIC mentioned that memory corruption bugs in ASN.1 related components of an LTE stack have been announced or hinted at in several infosec conference presentations over the past few weeks and its (sic) likely the same or similar bugs will become public soon.

How is Neo900 Affected?

The short answer is: this vulnerability, which potentially plagues most commercial phones on the planet, won't affect Neo900 the way it will other devices.

In our last communication we noted that Neo900 is the only phone that provides hardware protection against rogue behavior of the modem.

In fact, the GTA0x design contains two unique features to detect and/or prevent suspect activity:

Neo900 takes advantage of this and incorporates circuitry to give the CPU the capacity to monitor:

Therefore, although the modem in Neo900 may or may not be affected (we cannot know, since every baseband chip is a proprietary black-box design), Neo900 is designed not to trust the modem. In other designs, where the modem shares RAM with the application processor and its power supply is not under the CPU's control, the attack surface is vastly larger, and exploiting a vulnerability such as the ASN.1 bug in the modem hands the attacker the whole system.

But with Neo900 the attack surface is much smaller: a compromised modem would need yet another major vulnerability, in the USB hardware or in the (well understood and proven) free kernel driver, to subvert the CPU. As long as there are no proprietary, potentially vulnerable binary blobs in the Neo900 APE, we consider the chance of a modem bug bubbling up into the rest of the system, without a way to control and fix it in software, negligible.

Our exclusive Neo900 design is more valuable than ever!

Thank you for your attention,

– hellekin for the Neo900 team

P.S.: Feedback is welcome! Did you enjoy reading this post? What else should it have covered? What do you want to read in the news? You can tell me: hellekin at neo900 dot org.

Footnote: from the Openmoko Neo 1973 and FreeRunner, to the Golden Delicious GTA04 and maybe the upcoming Pyra, and of course Neo900, the GTA0x design supports modem separation, although not power separation in the Neo 1973 (GTA01).
