
Eggheads turn Motorola feature phone into CITYWIDE GSM jammer

Innocent mobile turns bad... with good software


Berlin boffins have spotted a procedural flaw in the long-lived GSM protocol and created an exploit around it which can knock out a mobile network or even target an individual subscriber in the same city.

The exploit, presented at the 22nd USENIX Security Symposium last week, takes advantage of the fact that GSM lets phones establish a radio connection before cryptographically authenticating them. That allows a hacked Motorola C123 to masquerade as any handset, before the real device can get connected, denying service to one customer or a whole network.

The 2G telephony standard embodied in GSM has some serious cryptography behind it. Once a radio connection has been established, a challenge-response authentication identifies the customer and the session key it yields encrypts the communication. Before that, however, the handset has to respond to a paging request, and it is this response that the boffins have managed to fake.

The phones and associated hardware

Each phone can block 64 calls or messages a minute

Faking the response won't get you access to the mark's calls or text messages, but it will prevent them arriving at their intended destination. In the presentation paper (PDF, detailed if a little hyperbolic) the researchers argue that the GSM session key could be broken, making it possible to intercept incoming calls, but we'd need to see that in action to believe it was that easy.

But denying service is certainly possible, and the team even managed to deny service to a specific number – which is more concerning, as this would be very hard to detect. Cutting off an individual phone could be very helpful in a number of circumstances.

When a call or text is being routed to a mobile phone the network will only have a vague idea where that phone is. The Home Location Register, which tracks the location of every phone on a network, only knows the Base Station Controller (BSC) to which the phone is attached. A single BSC will be connected to multiple Base Transceiver Stations (BTS), which are the base stations with which we're familiar.

So a paging request will be sent out to every BTS connected to the known BSC, which might cover a significant area. The hacked phone simply responds to every paging request and is allocated a radio slot, before failing the authentication stage. In turn this causes the call to fail, with the intended recipient never being alerted.

Responding to every paging request isn't easy. The team demonstrated that their software can outperform any normal handset (responding before the legitimate recipient can get a word in) but when the hacked phone is occupying the allocated channel it can't listen for more paging requests, so the team calculate that one handset can block a maximum of 64 requests a minute. The Berlin network tested by the team was paging between 400 and 800 handsets every minute (depending on the popularity of the network) so blocking an entire operator from large geographical areas is clearly possible.

Locking out a specific phone is a little harder as the paging requests are addressed using the Temporary Mobile Subscriber Identity (TMSI), a random number agreed between the handset and the network to avoid any real identities being transmitted.

To find a specific TMSI the team made repeated calls to the target's phone number, while listening for paging requests. By recording all the TMSIs paged, and hanging up the call before the recipient's phone rang, they were able to establish the TMSI of a specific phone within 20 calls.

Once they'd done that it was trivial to set their hacked C123, connected to a PC for faster processing, to respond to every paging request addressed to that TMSI, which then denied service to that customer.

The team points out that on networks where no encryption is used (such as in Pakistan and other countries on the US ITAR list) it would also be possible to hijack the call without the caller ever knowing it had happened. They also propose that the session key could be intercepted and cracked during an earlier call, claiming that if it hadn't been refreshed in the interval between interception and decryption then actual interception would be possible.

El Reg adds that the encryption level is specified by the network and GSM authentication isn't mutual, so this technique could be combined with a faked base station (which would specify no encryption) to allow a true man-in-the-middle attack.

3G networks do mutually authenticate, though they also establish a radio connection prior to authentication so could be vulnerable to a similar attack – likewise with 4G networks.

Fixing the problem would mean changing the GSM protocol, which isn't very likely. Operators could also keep track of radio links which failed at the authentication stage, which would enable them to alert a user if it was happening – though not by call or text, obviously.
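The operator-side check suggested above, spotting radio links that answer a page and then fail authentication, is easy to express as log analysis. The following is an added example, not code from the researchers or from The Register, and it assumes a hypothetical BSC event-log format of the form `<time> bts=<cell> evt=<PAGING|PAGING_RESP|AUTH_OK|AUTH_FAIL> tmsi=<hex>`; real base station controllers log differently. It flags two patterns: a single TMSI that keeps failing authentication immediately after responding to a page (one subscriber being locked out), and a cell whose paging responses fail authentication at an abnormal rate within a minute (an operator being blocked across an area). The sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical BSC event-log format assumed for this example (not a real
# vendor format): "<ISO time> bts=<cell id> evt=<event> tmsi=<hex>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) bts=(?P<bts>\w+) evt=(?P<evt>\w+) tmsi=(?P<tmsi>0x[0-9A-Fa-f]+)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def _paging_round(second, bts, tmsi, outcome):
    """Construct the three lines of one paging round: page, response, auth result."""
    base = f"2013-08-20T10:00:{second:02d}Z bts={bts}"
    return [f"{base} evt={evt} tmsi={tmsi}" for evt in ("PAGING", "PAGING_RESP", outcome)]


# Constructed sample log (one minute of traffic, three cells):
#  - bts 0301: one normal subscriber, plus one TMSI whose pages keep failing
#    authentication (the signature of a single phone being locked out);
#  - bts 0302: every paged subscriber fails authentication (cell-wide blocking);
#  - bts 0303: busy but healthy, two isolated failures out of twelve.
SAMPLE_LOG = []
SAMPLE_LOG += _paging_round(0, "0301", "0x1A2B3C4D", "AUTH_OK")
for sec in (5, 20, 40):
    SAMPLE_LOG += _paging_round(sec, "0301", "0xDEADBEEF", "AUTH_FAIL")
for i in range(12):
    SAMPLE_LOG += _paging_round(i * 4, "0302", f"0xB{i:07X}", "AUTH_FAIL")
for i in range(12):
    outcome = "AUTH_FAIL" if i in (3, 9) else "AUTH_OK"
    SAMPLE_LOG += _paging_round(i * 4 + 1, "0303", f"0xC{i:07X}", outcome)


def analyze(lines, subscriber_fail_threshold=3, cell_fail_ratio=0.5, cell_min_responses=10):
    """Flag TMSIs that repeatedly fail authentication right after answering a page,
    and cells whose per-minute paging-response failure ratio is abnormally high."""
    fails_per_tmsi = defaultdict(int)
    responses_per_cell_minute = defaultdict(int)
    fails_per_cell_minute = defaultdict(int)
    pending = {}  # tmsi -> (cell, minute) of a paging response awaiting its auth outcome
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        minute = ev["ts"].replace(second=0, microsecond=0)
        key = (ev["bts"], minute)
        if ev["evt"] == "PAGING_RESP":
            pending[ev["tmsi"]] = key
            responses_per_cell_minute[key] += 1
        elif ev["evt"] == "AUTH_FAIL":
            # Attribute the failure to the paging response that preceded it, if seen.
            key = pending.pop(ev["tmsi"], key)
            fails_per_tmsi[ev["tmsi"]] += 1
            fails_per_cell_minute[key] += 1
        elif ev["evt"] == "AUTH_OK":
            pending.pop(ev["tmsi"], None)

    targeted = sorted(t for t, n in fails_per_tmsi.items() if n >= subscriber_fail_threshold)
    suspect_cells = sorted({
        bts for (bts, minute), n in responses_per_cell_minute.items()
        if n >= cell_min_responses
        and fails_per_cell_minute[(bts, minute)] / n >= cell_fail_ratio
    })
    return {
        "targeted_tmsis": targeted,
        "suspect_cells": suspect_cells,
        "fails_per_tmsi": dict(fails_per_tmsi),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("Subscribers repeatedly failing auth after paging:", report["targeted_tmsis"])
    print("Cells with abnormal paging-auth failure ratio:", report["suspect_cells"])
```

Because the attacker answers with the victim's own TMSI, the failures accumulate against the legitimate subscriber's identity, which is exactly what lets the network know whom to warn. The thresholds are illustrative; an operator would tune them against its normal failure rate, and would use the cell-wide check to decide whether to reallocate TMSIs or investigate the area.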

Targeted attacks are much more likely than citywide jamming. Attractive as the idea might be, it would require considerable resources (to research the network and position the hacked equipment) and the effect would be swiftly mitigated as the network became aware of what was happening – but block a single user and likely no-one would ever know about it, making it probable that someone, somewhere, is already doing just that. ®
