Swapping software can give one GSM
phone the power to prevent incoming calls and text messages from reaching other
phones nearby.
By making simple
modifications to common Motorola phones, researchers in Berlin have shown they
can block calls and text messages intended for nearby people connected to the
same cellular network. The method works on the second-generation (2G) GSM
networks that are the most common type of cell network worldwide. In the U.S.,
both AT&T and T-Mobile carry calls and text messages using GSM networks.
The attack involves modifying a phone’s embedded software so that
it can trick the network out of delivering incoming calls or SMS messages to
the intended recipients. In theory, one phone could block service to all
subscribers served by base stations within a network coverage area known as a
location area, says Jean-Pierre Seifert, who heads a telecommunications security
research group at the Technical University of Berlin. Seifert and colleagues
presented a paper on the technique at the Usenix Security Symposium in Washington, D.C., last week. An online video demonstrates the attack in action.
Seifert’s group modified the embedded software, or
“firmware,” on a chip called the baseband processor, the component of a
mobile phone that controls how it communicates with a network’s transmission
towers.
In normal operation, when a call or SMS arrives for a subscriber, the network does not know which cell the phone is currently in, so the towers of the whole location area broadcast a "page" carrying that subscriber's identity. Only the phone that holds that identity is supposed to answer, sending back a paging response that, in effect, says "It's me," as Seifert puts it. The network then assigns that phone a channel and the actual call or SMS goes through.
The rewritten firmware can block calls because it listens for every page in the area and answers each one faster than the victim's phone can. When the network sends out a page, the modified phone says "It's me" first; the network treats the page as answered and tries to set up the call with the attacker's phone, and the call or SMS never reaches the victim.
“If you respond
faster to the network, the network tries to establish a service with you
as an attacker,” says Nico Golde, a researcher in Seifert’s group. That is
enough to stall communications across a whole location area; in Berlin, location areas average about 200
square kilometers. The group did not design the attack to listen in on the call or SMS; it only hijacks the paging process.
Traditionally, the details of how baseband processors work internally have been
proprietary to the makers of chips and handsets. But a few years ago, the baseband code
for one phone, the Vitelcom TSM30, leaked. That enabled researchers
to understand how baseband code works and spawned several open-source projects to study and tweak it.
The Berlin group used
that open-source baseband code to write replacement software for Motorola’s
popular C1 series of phones (such as the C118, C119, and C123). Those devices
all use Texas Instruments’ Calypso baseband processor.
The researchers
tested their attack by blocking calls and messages just to their own phones.
However, they calculate that just 11 modified phones would be enough to shut
down service of Germany’s third-largest cellular network operator, E-Plus,
in a location area. “All those phones are listening to all the paging
requests in that area, and they are answering ‘It’s me,’ and nobody in
that cell will get an SMS or a phone call,” Seifert explains.
Jung-Min Park, a
wireless-security researcher at Virginia Tech, says that although devising the
attack requires detailed technical knowledge, once it is created, “if someone
had access to the same code and hardware, repeating the attack should be
possible for an engineer.”
Although carriers
today mostly tout their 3G and 4G services, most networks around the world
still use GSM networks. Around four billion people worldwide use GSM networks
for calls, and carriers also use them for some machine-to-machine applications.
The problem could be fixed, but that would require changing the GSM protocols so that a phone must prove its identity, through an additional exchange of encrypted codes, before the network treats a page as answered. “The defense
is expensive to deploy,” says Victor Bahl, principal researcher and manager of
the mobility and networking research group at Microsoft. “I can only speculate
that the cell network providers are reluctant to invest in mitigation
strategies in the absence of an immediate threat.”
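To make the paging race described earlier and the fix described just above concrete, here is a small Python model of the exchange, added here as an illustration; it is not code from the Berlin group, from their paper, or from the original article. It assumes a single location area, a handful of constructed subscribers with made-up identities, keys and latencies, and HMAC-SHA256 truncated to 32 bits as a stand-in for the operator's A3 authentication algorithm. The vulnerable network hands the call to whichever phone answers the page first; the hardened one challenges the responder and keeps the page open until a response verifies against the key it holds for the paged identity.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Phone:
    """A handset camped on the location area (constructed test data)."""
    name: str
    tmsi: int             # temporary identity the network assigned to this phone
    ki: bytes             # secret key on the SIM, shared with the network
    latency: int          # ticks between hearing a page and getting an answer on air
    rogue: bool = False   # True: modified firmware that claims every identity it hears

    def claims(self, paged_tmsi: int) -> bool:
        # A normal phone answers only its own identity; the rogue firmware
        # answers every page on the channel, whoever it is for.
        return self.rogue or paged_tmsi == self.tmsi

    def sres(self, rand: bytes) -> bytes:
        # Stand-in for the SIM's A3 computation (assumption: HMAC-SHA256
        # truncated to the 32-bit SRES length; real operators use their own A3).
        return hmac.new(self.ki, rand, hashlib.sha256).digest()[:4]


class Network:
    def __init__(self, keys: dict, authenticate_first: bool):
        self.keys = keys                            # tmsi -> Ki, as the AuC holds it
        self.authenticate_first = authenticate_first

    def page(self, tmsi: int, phones: list) -> Optional[str]:
        """Page one subscriber; return the name of the phone that gets the call."""
        # The page is broadcast over the whole location area, so every phone
        # camped there hears it; those that claim the identity answer in
        # order of how fast they can get a Paging Response on the air.
        responders = sorted((p for p in phones if p.claims(tmsi)),
                            key=lambda p: p.latency)
        for phone in responders:
            if not self.authenticate_first:
                # Behaviour the article describes: the first Paging Response
                # ends the paging procedure and the network sets up the
                # call with whoever sent it. The victim's later answer is moot.
                return phone.name
            # Hardened variant: challenge the responder and only treat the
            # page as answered once its SRES matches the key on file for the
            # paged identity. A failed check releases the channel and lets
            # the next responder in instead of dropping the call.
            rand = os.urandom(16)
            expected = hmac.new(self.keys[tmsi], rand, hashlib.sha256).digest()[:4]
            if hmac.compare_digest(expected, phone.sres(rand)):
                return phone.name
        return None


def simulate(authenticate_first: bool, n_rogue: int = 1) -> dict:
    """Page every legitimate subscriber once and report who received each call."""
    # Constructed subscribers: identities, keys and latencies are made up.
    victims = [
        Phone(name=f"victim{i}", tmsi=1000 + i,
              ki=hashlib.sha256(f"victim-key-{i}".encode()).digest()[:16],
              latency=5 + i)
        for i in range(3)
    ]
    # The rogue phones hold valid SIMs of their own but know nobody else's
    # key; their only edge is answering faster than the real recipient.
    rogues = [
        Phone(name=f"rogue{j}", tmsi=9000 + j,
              ki=hashlib.sha256(f"rogue-key-{j}".encode()).digest()[:16],
              latency=1, rogue=True)
        for j in range(n_rogue)
    ]
    network = Network({p.tmsi: p.ki for p in victims + rogues}, authenticate_first)
    return {v.name: network.page(v.tmsi, victims + rogues) for v in victims}


if __name__ == "__main__":
    print("first responder wins:", simulate(authenticate_first=False))
    print("authenticate first:  ", simulate(authenticate_first=True))
```

With `authenticate_first=False` every victim's call lands on `rogue0`, the phone with the lowest latency, no matter how many rogue or honest phones are present; with `authenticate_first=True` each victim receives its own call even with eleven rogue phones racing it. The model also shows where the cost comes from: every page now carries a challenge round trip and a channel allocation per responder before the call can proceed, which is the kind of deployment expense Bahl refers to. It is a model only; it says nothing about how a real network's timers and channel assignment would have to change.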
Seifert says the
research of his group and others shows that basic aspects of mobile
communications can no longer be assumed to be safe from hacking. “The answer of
the carriers is: ‘It’s illegal—you are not allowed to do it,’” he says.
“However, the implication is that the good old times, where you can assume that
all the phones are honest and following the protocol, are over.”
Courtesy of: TechnologyReview