Feeds

Cellular network hijacking for fun and profit

The Reg cut-out-and-keep guide

Beginner's guide to SSL certificates

Instant island of connectivity

This is what Ousama Abushagur and his team did in Misurata, though their kit was scaled to handle a lot more calls than the backpack version shown above, the principle remains the same. The brought-in kit was plugged into an Ericsson BSC that wasn't being used, providing an instant island of connectivity.

Next step up is the MSC, which will control a number of BSCs. MSCs are better secured, just hitting the reset button isn't going to work this time. Our engineers reckoned that older kit had exploitable vulnerabilities but that access to the passwords would be hugely beneficial.

From the MSC, the down-chain BSCs and BTSs can be remotely managed, so if the information is available then it's a much better point of attack. From a single MSC one can provide (or deny!) connectivity to large swaths of a country from a single location, assuming the remote locations still have power.

The next step is to get the users connected, ideally without having to issue replacement SIMs to all of them.

Have a squiz at the local subscriber list...

In setting up Free Libyana, Abushagur managed to grab the identities of local subscribers from a captured VLR (Visitor Location Registry). That enabled customers to be added to the new HLR (necessary for them to make and receive calls).

Without the customer data, your best bet is to change the ID of your new network, making every handset think it is suddenly roaming internationally. Roamed-to networks aren't expected to have the customer's details, but they are expected to have access to the results of cryptographic ciphers, which can only take place on the customer's original network.

That's because the cryptography in GSM is based around a shared secret which is embedded in the SIM and stored in the operator's Authentication Server (AuS). Authentication Servers are generally secured, so even if you grabbed one (unlikely in this instance as it will be located at the operator's hub), you would still need the passwords that will be known to only a few employees.

What's worse is that the same key is used to generate a session key to encrypt the communications, so without access to the AuS you are forced to run the network without any encryption at all.

What you end up with is a network similar to those run in countries not trusted (by the USA) to have proper encryption, to whom software using strong cryptography can't be exported. That gets people connected, but it's problematic from a business point of view as SIM-cloning becomes possible and clandestine listening becomes easy.

But once that's all working, then you can start the slow process of issuing replacement SIMs, and rebuilding the rest of the country, which hopefully will be a good deal easier now that everyone can talk to each other. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Same old iPad? NO. The new 'soft SIMs' are BIG NEWS
AppleSIM 'ware to allow quick switch of carriers
Brits: Google, can you scrape 60k pages from web, pleeease
Hey, c'mon Choc Factory, it's our 'right to be forgotten'
Of COURSE Stephen Elop's to blame for Nokia woes, says author
'Google did have some unique propositions for Nokia'
FCC, Google cast eye over millimetre wireless
The smaller the wave, the bigger 5G's chances of success
It's even GRIMMER up North after MEGA SKY BROADBAND OUTAGE
By 'eck! Eccles cake production thrown into jeopardy
Mobile coverage on trains really is pants
You thought it was just *insert your provider here*, but now we have numbers
Don't mess with Texas ('cos it's getting Google Fiber and you're not)
A bit late, but company says 1Gbps Austin network almost ready to compete with AT&T
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.