Feeds

Hacking into GSM for only $1500

Demonstrated and documented

Application security programs and practises

A researcher at the DefCon hackers' meet has demonstrated kit for spoofing GSM base stations, allowing even those on a limited budget to intercept phone calls and text messages.

The audience attending the talk by Chris Paget were able to see their own handsets transferring to his spoofed base station, with calls receiving a recorded message explaining that the security had been compromised, Associated Press reports. The demonstration would presumably have been a lot less impressive if Las Vegas had better 3G coverage.

The basis of the attack isn't new: the attacker sets up a base station advertised as belonging to a compatible network operator and handsets locally switch to the stronger signal. In a live attack the base station then connects to the real cellar network and passes authentication tokens back and forth as though it wasn't there.

GSM communications are supposed to be encrypted between the genuine network at the handset, but in some countries strong encryption isn't allowed so the network informs the handset not to encrypt the communications. The handset is supposed to pop up a warning when this happens, but doesn't, so rogue base stations can ask the handset not to encrypt anything and then listen in.

The 2G GMS standard does not mandate mutual authentication – the handset must prove its identity to the network, but the network is not required to return the favour. That's always made 2G networks open to this kind of abuse; the only difference is that the kit to do it has got a lot cheaper over the years. 3G standards do require such authentication, so they are immune from this kind of attack.

During the demonstration, Paget pointed out that one could jam the 3G signal (at 2.1GHz), forcing handsets to drop back to 2G and open themselves to the vulnerability. That's true, but will cease to be possible (or at least will get a lot more difficult) once operators start deploying 3G technology on the 2G frequencies.

"GSM is broken - it's just plain broken," said Paget during the demonstration, though he could have added that the standard is no more broken than it was yesterday - the break just got cheaper to exploit. ®

HP ProLiant Gen8: Integrated lifecycle automation

More from The Register

next story
Google Nest, ARM, Samsung pull out Thread to strangle ZigBee
But there's a flaw in Google's IP-based IoT system
Want to beat Verizon's slow Netflix? Get a VPN
Exec finds stream speed climbs when smuggled out
US freemium mobile network eyes up Europe
FreedomPop touts 'free' calls, texts and data
'Two-speed internet' storm turns FCC.gov into zero-speed website
Deadline for comments on net neutrality shake-up extended to Friday
GoTenna: How does this 'magic' work?
An ideal product if you believe the Earth is flat
NBN Co execs: No FTTN product until 2015
Faster? Not yet. Cheaper? No data
Oh girl, you jus' didn't: Level 3 slaps Verizon in Netflix throttle blowup
Just hook us up to more 10Gbps ports, backbone biz yells in tit-for-tat spat
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.