[Tinkerphones] ASN.1 vulnerability?

H. Nikolaus Schaller hns at goldelico.com
Fri Jul 29 15:02:59 CEST 2016


Hi,
you may have read about an issue with ASN.1 compilers:

	https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-2016-5080

I have contacted Gemalto/Cinterion and got the feedback
that Qualcomm says they have the bug but it can't be used
for an exploit because they reduce some length value
before the overflow can occur:

	http://www.pcworld.com/article/3099692/security/devices-with-qualcomm-modems-safe-from-critical-asn1-telecom-flaw.html

The Option GTM601 and the PHS8/PLS8 modules we
use in our projects are based on Qualcomm network software
so that we are on the safe side.

As long as we believe Qualcomm - but we have no choice
unless someone develops a 2/3/4G module from scratch
with open software and gets it certified for operation.

So it is up to you if you still are worried or not. I am not.

BR,
Nikolaus



