Hordes of new threats ahead for mobile networks
Faked femtocells will eff up your ess
Malware on smartphones is just the first in a series of new security threats for mobile networks ushered in by the embrace of internet technologies, according to mobile phone encryption firms.
Dr Bjoern Rupp, chief exec of GSMK CryptoPhone, warns that criminal gangs are able to steal private information and undermine fair business trading thanks to advances in technology that have made attacks possible on low-cost kit. Years ago such attacks were only possible for intelligence agencies, but have now become feasible as a means of industrial espionage.
Attacks scenarios fall into three categories: active (setting up fake mobile network nodes in a technique akin to the better understood tactic of setting up rogue Wi-Fi hotspots), passive (eavesdropping) and malware-based attacks on smartphones.
Rogue femtocell ruse
The first and most ambitious line of attack involves spoofing femtocells to feign that you are the user's mobile network provider, while in fact you are taking over his network traffic. This can be accomplished using cheap hardware and some free open-source software.
"In the old-world of mobile telecoms you would need $50,000 to buy measurement equipment from the likes of Rohde & Schwarz for such an attack," Rupp told El Reg. "Now your commercial IPX software allows you to run a base station on Linux and simulate a GSM cell."
A spoofed femtocell is one approach to running man-in-the-middle attacks on mobile networks but suffers from practical obstacles. Most femtocells are 3G, and the 3G standard requires mutual authentication (so the network must authenticate itself to the handset and via versa) so it's much harder to pretend to be a node on that network. GSM (2G networks) only authenticate in one direction, with the SIM proving its identity to the network.
Rupp said hackers could force smartphones connected to a rogue femtocell to fall back and use GSM. "A determined adversary could push targeted devices into GSM mode," he explained. He added that this type of attack was more potent than much-publicised Evil Twin-style rogue Wi-Fi hot spot attacks.
"In the Wi-Fi area users generally make an active decision to connect to a network. With the rogue base station attack, users will not realise they have entered a trap. The phone will simply think it has entered a new cell with a strong signal, and will begin talking to a rogue base station automatically."
Spy on the wire
The second line of attack involves passively intercepting and decrypting mobile network traffic, by exploiting the latest cryptographic advances in breaking GSM's built-in encryption algorithms.
A codebook that allows A5/1 GSM encryption – which is used in 80 per cent of mobile phones – was published online back in December. The attack was demonstrated by German computer scientist Karsten Nohl at the Chaos Communication Congress (CCC) in Berlin. This advance reduces the cost of cell phone eavesdropping below $10,000, according to Cellcrypt, another voice encryption specialist.
A month later a practical method for cracking A5/3 encryption used in 3G mobile phone calls was published by leading cryptographer Adi Shamir (the ‘S’ in RSA).
Performing such eavesdropping attacks would involve running GNU radio on a printed circuit board, among other equipment. "Such an attack would require knowledge but might cost only a few hundred dollars, and so poses no great barrier," Rupp explained. "You could tune into GSM signals and decrypt calls, as show in the CCC demo."
Mobile malware enters the fray
A third line of attack involves remote takeover of mobile devices by using tricks such as BlackBerry Service Book updates, Trojans and SIM Toolkit attacks.
Security vendors have warned about the threat of mobile malware for at least ten years, but it's only since the uptake of internet-enabled smartphones such as the iPhone that next year's threat has finally materialised. The ikee Rickrolling worm and much more dangerous Duh mobile worm exploited default passwords on jailbroken iPhones to spread for the purposes of mischief and phishing Dutch banking credentials, respectively. These threats ramp up the exploit potential from earlier threats which largely involved Trojan applications on Symbian devices and the like.
Research published this week from computer scientists at Rutgers University demonstrates how rootlets on smartphones and (possibly) upcoming tablets such as the iPad might be used to turn devices into "remotely-activated bugging or tracking systems", as explained in our earlier article here.
The attacks were demonstrated on a smartphone called the OpenMoko running Linux but might potentially be applied to smartphones running Android, iPhones and BlackBerries.
"Smartphones have arrived at the internet age. There is sensitive data on these devices but the level of perception of the threat has not developed," Rupp concluded.
Both GSMK and Cellcrypt sell voice encryption products that combat such attacks and therefore have a vested interest in talking up the threat involved. Instances of practical exploits of the scenarios outlined by GSMK are hard to come by, but then again those engaged in corporate espionage, much less state-sponsored spying, tend not to publicise their activities.
Cellcrypt has published a handy top tips guide which corporate telecoms managers, operators and equipment manufacturers would do well to review. ®
Sponsored: IBM FlashSystem V9000 product guide