September 24, 2016

Weaknesses in GSM Network Exposed Again

Last week’s Black Hat DC hacking conference saw a presentation by David Pérez and José Picó of the Spanish internet security company Taddong where the two demonstrated a practical attack against mobile phones using GPRS and EDGE.

The attack works on two levels. First a fake base station is setup (which costs under $10,000) to which victim’s phone then connects and so gives the attacker full control over the victim’s data communications. The second part of the attack is to jam the 3G signals in the area and force phones to switch to GPRS and EDGE (something that the majority of 3G phones do by default).

The reason the rogue base station is able to be introduced is that although mobiles need to authenticate themselves when connecting, base stations do not. Hence a base station can be introduced and the mobile phone has no way to verify its authenticity.

The only viable workaround today is to ensure that your phone only uses 3G protocols and never falls back on 2G. However this isn’t always practical as some phones, like the iPhone, don’t offer this as a option and it can leave you without connectivity in 3G black spots.