A lot of concern about the NSA’s seemingly omnipresent surveillance over the last year has focused on the agency’s efforts to install back doors in software and hardware. Those efforts are greatly aided, however, if the agency can piggyback on embedded software already on a system that can be exploited.

Two researchers have uncovered such built-in vulnerabilities in a large number of smartphones that would allow government spies and sophisticated hackers to install malicious code and take control of the device.

The attacks would require proximity to the phones, using a rogue base station or femtocell, and a high level of skill to pull off. But it took Mathew Solnik and Marc Blanchou, two research consultants with Accuvant Labs, just a few months to discover the vulnerabilities and exploit them.

The vulnerabilities lie within a device management tool carriers and manufacturers embed in handsets and tablets to remotely configure them. Though some design their own tool, most use a tool developed by a specific third-party vendor—which the researchers will not identify until they present their findings next week at the Black Hat security conference in Las Vegas. The tool is used in some form in more than 2 billion phones worldwide, they say, including Android and BlackBerry devices and a small number of Apple iPhones used by Sprint customers. They haven’t looked at Windows Mobile devices yet.

The researchers say there’s no sign that anyone has exploited the vulnerabilities in the wild, and the company that makes the tool has issued a fix that solves the problem. But it’s now up to carriers to distribute it to users in a firmware update.

Carriers use the management tool to send over-the-air firmware upgrades, to remotely configure handsets for roaming or voice-over WiFi and to lock the devices to specific service providers. But each carrier and manufacturer has its own custom implementation of the client, and there are many that provide the carrier with an array of additional features.

To give carriers the ability to do these things, the management tool operates at the highest level of privilege on devices, which means an attacker who accesses and exploits the tool has the same abilities as the carriers.

The management tools are implemented using a core standard, developed by the Open Mobile Alliance, called OMA device management. From these guidelines, each carrier can choose a base set of features or request additional ones. Skolnik says they found that some phones have features for remotely wiping the device or conducting a factory reset, altering operating system settings and even remotely changing the PIN for the screen lock.

Read more