Security researchers have discovered a way to intercept calls made by several Samsung smartphones. At the Mobile Pwn2Own competition this week, researchers demonstrated a vulnerability in the Samsung Galaxy S6, Galaxy S6 Edge, and Galaxy Note 4 that allowed them to trick the handsets into connecting to a malicious base station and so gain access to calls and messages originating from or terminating on the phone.
Daniel Komaromy and Nico Komaromy revealed a "man-in-the-middle" vulnerability in the Shannon-branded baseband chips (comprising the modem, RF transceiver, and tracking IC) used in the aforementioned handsets. The researchers set up a base station, the equipment required to connect a mobile phone to the wider telephone network, and found that Samsung handsets quickly established connections with it. This allowed the researchers to intercept calls and messages sent and received through the base station.
"As soon as we power up the new phone in the presence of their attack radio, their signal patches the radio runtime software of the baseband processor (the other CPU in your cellphone that users can't access that takes care of the radio to talk to the network) so that after the patch any phone calls I make are routed to them instead of their intended destination," said Dragos Ruiu, an organiser of PacSec.
"I tested this after when we went to where we did have cellphone coverage by trying to dial my Japanese cellphone and it rang on Nico's cellphone instead. The modified radio software also forwarded the original number dialled so in the real world an attacker would then use a VoIP proxy to forward the call imperceptibly and listen in on it," he added.
Komaromy and Komaromy didn't reveal full exploitation details of their research but noted that they have informed Samsung about it. The researchers, as well as Samsung, didn't respond to our request for comment.