LAS VEGAS — Google’s Android Red Team outlined a now-patched critical 0-click vulnerability in its Pixel 6 modem stack that allows a skilled adversary to hijack a target’s Android handset simply by initiating a call to the victim.
During the Wednesday Black Hat session, four of Google’s Android Red Team members demonstrated how two Pixel modem vulnerabilities (CVE-2022-20170, CVE-2022-20405) could be chained together to first downgrade a targeted Pixel’s cellular modem communication to the second-generation (2G) wireless standard and hijack the handset, all with the help of a low-cost $1,000 home-brew cellphone base station.
The bugs in question were initially discovered in 2021 by Android Red Teamers. Both modem bugs are now rated critical with a CVSS score of 9.8. The flaw, tracked as CVE-2022-20170, is an over-the-air remote code execution bug and was patched in June 2022. The second vulnerability, tracked as CVE-2022-20405, is an elevation of privilege (EoP) flaw and was patched in August 2022. When the EoP bug was first identified in an Android security bulletin, it was rated moderate in severity.
Read more of SC Media's coverage from Black Hat 2023 here.
A successful attack allows an adversary to wirelessly execute remote code, running in privileged context of the Pixel modem. An attacker would then be able to launch attacks against the handset, including carrying out a DoS attack, perform SMS/RSC (text message) sniffing and spoofing, MFA compromise and giving a hacker the ability to pivot to the device’s core operating system kernel, according to researchers.
Google said it is unaware of the bugs being exploited in the wild and that the delay in sharing the technical CVE details was tied to internal Alphabet procedures.
2G is obsolete: Long live 2G
.
The Android Red Team demonstrating the attack here at Black Hat included Xuan Xing, Eugene Rodionov, Xiling Gong and Farzan Karimi (see image). The initial attack vector is exploiting weaknesses in Android Pixel’s cellular data connection to 2G networks.
“This attack is all about downgrading handsets to 2G,” Karimi said.
Modern cellular modems mostly use 4G or 5G cellular network frequency bands. However, most cellular data modem chipsets still support legacy wireless frequencies, including 2G. Legacy support is needed for rare use cases such as antiquated wireless network geographies, devices cycling down to reduce handset power consumption and for phones destined for international markets where legacy 2G cellular networks are more common.
Security issues with 2G include weak encryption between towers and devices that attackers can (and have) easily cracked to intercept calls or text messages. Researchers said even modern phones periodically downgrade to 2G to better handle signal congestion, roaming and network switching.
While cases of hackers and law enforcement using false base stations called ISMI catchers (international mobile subscriber identity) or surveillance tools such as Stingray to capture phone ID data, geolocation information and content have been documented, the Android Red Team took it a step further. They showed how a $1,000 home-brew base station could be used to not just capture data but also gain remote access and control a vulnerable Pixel phone.
Breaking down the attack
Google Red Team researchers were able to launch an over-the-air RCE attack via 2G signal processing on the Pixel 6 modem by first leveraging CVE-2022-20170. The attack, using a malicious 2G cell station, targeted the modem and the way it processes baseband transmission signals. The first stage of the attack is forcing the Pixel 6 modem to downgrade to 2G communications.
“When a victim comes in proximity (a range of less than 5 miles) of the malicious base station it will connect to it,” said Karimi. “That allows the adversary to send the exploit payload and establish a foothold on the victim’s modem.”
The RCE bug is more specifically an out-of-band (OOB) write error that occurs when decoding the over-the-air (OTA) packets from 2G GSM communication. The EoP bug stems from a misconfiguration in the Pixel 6’s modem code that makes memory space RWX (otherwise known as the read (r), write (w) and execute (x) permissions) and accessible via signal processing instructions, researchers said.
The modem’s OOB flaw enables an attacker to triggered malicious code sent to the targeted handset as it first initiates a phone call. The process of accepting a call (before the handset indicates an inbound call) is an autonomous system number (ASN) sequence. That is where “a number assigned to a local network, registered into the carrier's routing community” during the call setup stage, according to a Gartner definition of the process.
“The attacker fully controls up to 255 bytes written into 1-byte buffer in the heap,” researchers said. “CVE-2022-20170 enables us to overwrite heap header of the next adjacent chunk with fully controlled data.”
Google explained the exploit technique allowed them to “write a limited number of controlled bytes in the heap and corrupt adjacent heap objects.” It’s unclear if one of those objects impacted the modem’s memory management unit (MMU), which is crucial to the next stage in the attack.
The misconfiguration vulnerability (CVE-2022-20405) located in the modem’s (MMU) allowed researchers to execute 80 bytes of malicious shellcode in the heap — allowing the attacker a foothold on the compromised handset.
.
Google pro tip: Disable 2G
The 2G-attack technique is not a theoretical threat. Here in Las Vegas, during what is called Hacker Summer Camp (featuring three security conferences: BSides, Black Hat and DEF CON) there are reports of pop-up 2G base stations near hotels Paris Las Vegas and Caesars Palace. DEF CON participants are famous for a tradition of shining a light on cybersecurity professionals attending the conference who leave their digital gear open to a cyberattack.
In their Black Hat session, researchers highly recommended attendees disable 2G support on their phones. To do this on an Android handset, simply go to Settings and search 2G and toggle 2G support off.
In related news, Google announced Tuesday a suite of Android 14 advanced cellular security mitigations for enterprises.
“Android 14 introduces support for IT administrators to disable 2G support in their managed device fleet. Android 14 also introduces a feature that disables support for null-ciphered cellular connectivity,” according to a Google Security Blog writeup.
