DAB-IP Broadcasting Exploits
Be warned: this may sound a little odd. Imagine if I told you that some television and radio content is broadcast using IP, over the air. (You'd probably think I’d been working with too much paint thinner over the weekend.) Well, this broadcast method is how a live service in the UK works. It’s called digital audio broadcasting – IP (DAB-IP), and in short, your mobile device just got another network connection.
The UK has just had the “Lobster” (a mobile handset) launched on the Virgin mobile network, which uses DAB-IP for its TV and radio content. DAB is a standard owned by ETSI (the same people who own GSM). With DAB-IP, content is basically being tunneled over IP, over DAB, to your handset. One of the first interesting things I read in relation to this topic was a product sheet on DAB IP Gateway from Radioscope, which pretty much explains and shows how IP is tunneled. Another good document I found was a British Telecom (BT) paper that detailed the initial trial of BT Movio, between August and December, 2005. This paper describes how the DAB-IP network bridges onto the content platform/cellular network (the cellular network is used for license acquisition in the BT solution).
Looking at this from a 30,000 ft viewpoint, a number of different and obvious attack surfaces appear to exist:
• The DAB protocol stack
• The IP stack
• Media codecs
Then, your mind starts to work:
• I wonder if they firewall the DAB connection on the device?
• Can I spoof content? If so, how hard is it to attack the media codec with this spoofed content?
• Is it possible to leverage that old IP stack DoS and take out every DAB-IP enabled mobile/cell phone in a 10-mile radius?
You end up with a situation where you could conceivably "broadcast" exploits to a geographic area if you were able to successfully attack any of the attack surfaces outlined above. It makes you think, doesn't it? Anyway, for those of you out there in Internet land that would like to do a little more reading, additional details on the DAB protocol stack can be found here. Also, specs on "Digital Audio Broadcasting (DAB); Internet Protocol (IP) datagram tunneling" can be found here.