December 4, 2016

Weaknesses in GSM Network Exposed Again

Last week’s Black Hat DC hacking conference saw a presentation by David Pérez and José Picó of the Spanish internet security company Taddong where the two demonstrated a practical attack against mobile phones using GPRS and EDGE.

The attack works on two levels. First a fake base station is setup (which costs under $10,000) to which victim’s phone then connects and so gives the attacker full control over the victim’s data communications. The second part of the attack is to jam the 3G signals in the area and force phones to switch to GPRS and EDGE (something that the majority of 3G phones do by default).

The reason the rogue base station is able to be introduced is that although mobiles need to authenticate themselves when connecting, base stations do not. Hence a base station can be introduced and the mobile phone has no way to verify its authenticity.

The only viable workaround today is to ensure that your phone only uses 3G protocols and never falls back on 2G. However this isn’t always practical as some phones, like the iPhone, don’t offer this as a option and it can leave you without connectivity in 3G black spots.

GSM Phones Now Vulnerable To Eavesdropping with Cheap Off-the-shelf Equipment

The GSM phone network is based on technology which is over 20 years old. As a result it is now possible to eavesdrop phone calls using four $15 Motorola handsets, a medium-end computer and a 2TB hard drive.

Karsten Nohl and Sylvain Munaut gave a live demonstration of this new hack last week at the 27th annual Chaos Communication Congress in Berlin. The whole process takes about 20 seconds, enabling phone conversations and SMS messages to be recorded and decrypted.

This new GSM attack is based on research that was revealed at the 2009 Berlin conference where, with $4000 of equipment, phone calls could be intercepted and recorded. Previously to that, commercially available equipment capable of eavesdropping on other people’s phone calls would have cost more than $50,000.

The problem lies with the GSM encryption algorithm A5/1 which is now decades-old and has known weaknesses. By using a 2TB rainbow table the encryption can be easily broken.

The hack uses ‘silent’ or ‘broken’ SMS messages that do not show up on the phone to gather information about the phones location and other unique numbers needed to employ the hack.

H-online.com and Wired.com have more technical details here and here. Slides from the presentation are here.

Picture Source:[wikimedia.org]