Original URL: http://www.theregister.co.uk/2011/07/23/cellular_hijacking/

Cellular network hijacking for fun and profit

The Reg cut-out-and-keep guide

By Bill Ray

Posted in Mobile, 23rd July 2011 10:30 GMT

Weekend Following the success of hijacked network Free Libyana, we took the opportunity to talk to some engineers about the complexity of lifting someone else's infrastructure, and discovered there isn't much.

In April this year, Ousama Abushagur hacked into the infrastructure built by the Libyana network in Libya.

He cut the connections to the head office in Tripoli to create his own operator, Free Libyana, connecting 750,000 people without putting up a single transmitter mast and funded entirely from donations. It was certainly an admirable achievement, but not one that's as technically complicated as it first appears – if you have local knowledge, and an army, on your side.

We spoke to network engineers at three of the UK's operators, to see how difficult they thought it would be to hijack their own infrastructure, and were uniformly told that it wasn't very hard at all.

The key requirement is knowledge of the existing topology, ideally with passwords and key phrases, but it seems that with the minimum of knowledge one can subvert great chunks of someone else's network infrastructure, and even take the customers too, as long as you're not hoping to run a 3G network and don't mind forsaking much of the security inherent in the GSM standard.

Not that one can just waltz up to a base station and take control – at least not without being noticed, as the networks are highly monitored. Disconnecting any base station will "light up [the office] like a bloody Christmas tree" as one engineer eloquently put it, which is fine if you're behind your own lines, with a battle front between you and the network engineers dispatched to see what's going on. Try it in other circumstances and you'll have a white van parked beside you within the hour.

But we're assuming you do have a popular uprising on your side, or that the engineers have more important things to do than monitor the outlying regions of their own network. Networks try to have a decentralised topology, but still generally end up with one location from where everything is controlled (though they'll generally have a fallback location too). If that location is disconnected, destroyed or otherwise engaged, then the field is open for a rogue network to set up operations.

Setting up a mobile network isn't particularly difficult – several companies make backpack-sized mobile networks that can be up and running within a few minutes. Such devices generally have a range of a few hundred yards, and their own backhaul via satellite dish.

The pack shown is from Altobridge and includes the MSC (Mobile Switching Centre), HLR (Home Location Registry), and BTS (Base Transceiver Station – the actual radio on 2G systems) as well as a suitable antenna, and satellite dish to haul the calls somewhere useful. You need to negotiate a downlink and some satellite time, and issue SIM chips to everyone making use of it, but as the range is only a few hundred yards that shouldn't present a problem.

Such solutions are eminently portable, but won't connect up the existing population, so taking over what's already there makes more sense if it can be done.

Initially one can take the portable rig and strap the antenna to a nearby mast, but it would be more sensible to plug the portable kit into an existing BTS to make use of the controller, radio and antenna which someone has thoughtfully abandoned. That should just be a matter of plugging everything in, with reasonably standard connections and communications it will give you one working base station for your new network.

Even better is to find a local BSC (base station controller). This rack-mounted kit will control a handful of BTS locations all of which can be recruited from a single BSC. The older models of BSC have no security at all, our engineers reckoned you could plug in your portable network, hit the reset switch, and be up and running in moments – though that is when the Christmas tree effect kicks in.

Now you've got a BSC, but you'll want to know where the nearby base station controllers are so you can get them powered up too, which is where knowledge of the local topology is so important.

Instant island of connectivity

This is what Ousama Abushagur and his team did in Misurata, though their kit was scaled to handle a lot more calls than the backpack version shown above, the principle remains the same. The brought-in kit was plugged into an Ericsson BSC that wasn't being used, providing an instant island of connectivity.

Next step up is the MSC, which will control a number of BSCs. MSCs are better secured, just hitting the reset button isn't going to work this time. Our engineers reckoned that older kit had exploitable vulnerabilities but that access to the passwords would be hugely beneficial.

From the MSC, the down-chain BSCs and BTSs can be remotely managed, so if the information is available then it's a much better point of attack. From a single MSC one can provide (or deny!) connectivity to large swaths of a country from a single location, assuming the remote locations still have power.

The next step is to get the users connected, ideally without having to issue replacement SIMs to all of them.

Have a squiz at the local subscriber list...

In setting up Free Libyana, Abushagur managed to grab the identities of local subscribers from a captured VLR (Visitor Location Registry). That enabled customers to be added to the new HLR (necessary for them to make and receive calls).

Without the customer data, your best bet is to change the ID of your new network, making every handset think it is suddenly roaming internationally. Roamed-to networks aren't expected to have the customer's details, but they are expected to have access to the results of cryptographic ciphers, which can only take place on the customer's original network.

That's because the cryptography in GSM is based around a shared secret which is embedded in the SIM and stored in the operator's Authentication Server (AuS). Authentication Servers are generally secured, so even if you grabbed one (unlikely in this instance as it will be located at the operator's hub), you would still need the passwords that will be known to only a few employees.

What's worse is that the same key is used to generate a session key to encrypt the communications, so without access to the AuS you are forced to run the network without any encryption at all.

What you end up with is a network similar to those run in countries not trusted (by the USA) to have proper encryption, to whom software using strong cryptography can't be exported. That gets people connected, but it's problematic from a business point of view as SIM-cloning becomes possible and clandestine listening becomes easy.

But once that's all working, then you can start the slow process of issuing replacement SIMs, and rebuilding the rest of the country, which hopefully will be a good deal easier now that everyone can talk to each other. ®