By tweaking the firmware on certain kinds of phones, a hacker could make it so other phones in the area are unable to receive incoming calls or SMS messages, according to research presented at the USENIX Security Symposium earlier this month.
The hack involves modifying the baseband firmware of certain Motorola phones so that they answer paging messages, the broadcasts a 2G GSM network sends to locate a handset before delivering a call or SMS, faster than the phone they were meant for. By "watching" the paging channel and replying to pages addressed to other subscribers, the rogue phones cause the network to discard the real phone's reply, so the call or message is never delivered; with enough phones, the technique could effectively shut down service in a small localized area.
The technique was discussed in detail in a talk at USENIX by Kévin Redon, a Berlin-based telecommunications researcher. The research by Redon and fellow researchers Nico Golde and Jean-Pierre Seifert is available on USENIX's website in video, slideshow (.PDF) and white paper format (.PDF).
Essentially, the modified firmware, built on the open-source GSM baseband implementation OsmocomBB, blocks calls and messages by answering the paging requests (also known as pages) that precede them before the phone they were intended for can respond, something Redon and company called "the race for the fastest paging response time."
The paper notes that while 4G is being rolled out in many countries, most of the globe still depends on Global System for Mobile Communications (GSM) infrastructure.
GSM was notoriously difficult to study and attack in its early days, but two developments gave the group a foothold: the proliferation of cheap software-defined radios such as the Universal Software Radio Peripheral (USRP), a computer-hosted radio whose signal processing runs in software, and the 2004 leak of the source code for the Vitelcom TSM30 phone, which let researchers examine and manipulate a real GSM protocol stack implementation.
The researchers flashed OsmocomBB (which implements a simple version of the GSM stack) onto two Motorola phones, the C123 and the C118, to observe on-air traffic and respond to specific paging requests, the broadcast messages that precede an incoming call or SMS.
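Before a phone, or a rogue firmware racing it, can answer a page, it has to recognise its own identity in the paging message broadcast on the paging channel. The following decoder for a GSM 04.08 PAGING REQUEST TYPE 1 message is an added example, not OsmocomBB code; the sample frame at the bottom is constructed by hand, and the TMSI and IMSI in it are made up.

```python
# Added example (not the researchers' OsmocomBB code): decode a GSM 04.08
# PAGING REQUEST TYPE 1 message as broadcast on the paging channel (PCH) and
# pull out the mobile identities it pages. The sample frame at the bottom is
# constructed by hand for illustration.

RR_PROTOCOL_DISCRIMINATOR = 0x06     # radio resource management (low nibble)
PAGING_REQUEST_TYPE_1 = 0x21         # RR message type
MOBILE_IDENTITY_2_IEI = 0x17         # optional second identity, TLV coded
ID_TYPE = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def decode_mobile_identity(value: bytes):
    """Decode a Mobile Identity IE value (10.5.1.4), without its length octet.

    Octet 1: bits 8-5 = first BCD digit (0xF for TMSI), bit 4 = odd/even
    indicator, bits 3-1 = type of identity. IMSI/IMEI digits are packed two
    per octet, low nibble first; a TMSI is a 4-octet binary value."""
    if not value:
        raise ValueError("empty mobile identity")
    id_type = value[0] & 0x07
    if id_type == 4:
        if len(value) != 5:
            raise ValueError("TMSI identity must be 1 + 4 octets")
        return "TMSI", "%08x" % int.from_bytes(value[1:], "big")
    if id_type in (1, 2, 3):
        odd_digit_count = bool(value[0] & 0x08)
        digits = [str(value[0] >> 4)]
        for octet in value[1:]:
            digits.append(str(octet & 0x0F))
            digits.append(str(octet >> 4))
        if not odd_digit_count:
            digits.pop()          # even count: last high nibble is 0xF filler
        return ID_TYPE[id_type], "".join(digits)
    return ID_TYPE.get(id_type, "reserved"), ""


def decode_paging_request_type1(frame: bytes):
    """Return the list of (identity type, identity) pairs paged by the frame.

    Layout: L2 pseudo length | PD | message type | page mode + channels needed
    | Mobile Identity 1 (LV, mandatory) | Mobile Identity 2 (TLV, optional)
    | P1 rest octets / 0x2B fill."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    if frame[1] & 0x0F != RR_PROTOCOL_DISCRIMINATOR or frame[2] != PAGING_REQUEST_TYPE_1:
        raise ValueError("not a PAGING REQUEST TYPE 1")
    pos = 4                        # skip pseudo length, PD, type, page mode octet
    identities = []
    length = frame[pos]
    identities.append(decode_mobile_identity(frame[pos + 1:pos + 1 + length]))
    pos += 1 + length
    if pos + 1 < len(frame) and frame[pos] == MOBILE_IDENTITY_2_IEI:
        length = frame[pos + 1]
        identities.append(decode_mobile_identity(frame[pos + 2:pos + 2 + length]))
    return identities


def is_paged(frame: bytes, my_tmsi: int) -> bool:
    """True if the frame pages the given TMSI, i.e. the check a phone (or the
    rogue firmware racing it) makes before sending a channel request."""
    return ("TMSI", "%08x" % my_tmsi) in decode_paging_request_type1(frame)


# Constructed sample (not captured traffic): one page by TMSI 0x12345678 and
# one by IMSI 262011234567890, padded to the 23-octet PCH block with 0x2B.
SAMPLE_PAGING_REQUEST = bytes([
    0x41,                                      # L2 pseudo length: 16 octets follow
    0x06, 0x21,                                # RR, PAGING REQUEST TYPE 1
    0x00,                                      # normal paging, any channel
    0x05, 0xF4, 0x12, 0x34, 0x56, 0x78,        # MI 1: TMSI 0x12345678
    0x17, 0x08, 0x29, 0x26, 0x10, 0x21,        # MI 2 (IEI 0x17, len 8): IMSI
    0x43, 0x65, 0x87, 0x09,                    #   262011234567890, BCD packed
    0x2B, 0x2B, 0x2B,                          # L2 fill
])

if __name__ == "__main__":
    print(decode_paging_request_type1(SAMPLE_PAGING_REQUEST))
    print(is_paged(SAMPLE_PAGING_REQUEST, 0x12345678))
```

A rogue phone that pages-snoops for a single victim only needs `is_paged` with the victim's TMSI; blocking a whole cell means answering every page regardless of the identity, which is where the number of phones starts to matter.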
Whether the attack succeeds depends on the response times of the attacker's and the victim's devices; a rogue phone that answers more slowly than the real one simply loses the race. Those timings vary by device, vendor and network, but according to the paper the modified phones were able to answer pages in about 180 milliseconds.
While the investigation was primarily conducted in and around Berlin, the trio claims it’s possible to “perform targeted denial of service attacks against single subscribers and as well against large geographical regions within a metropolitan area,” suggesting the hack can be adapted regardless of the setting.
The trio was able to carry out the attack against a variety of German mobile operators, including O2, Vodafone, T-Mobile and E-Plus.
Blocking every page in a cell clearly takes more than one phone, something closer to a small mobile-phone botnet, since each handset can only answer so many paging requests per second. The researchers estimate, for example, that they could knock out a localized network belonging to E-Plus, the third largest mobile operator in Germany, with only 11 phones.
“The results indicate the required resources for a large-scale attack do not extensively exhaust the resources provided by a cell,” the paper says, adding that there “is no technical limitation” when it comes to combining cell phones for an attack.
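To make the "race for the fastest paging response time" and the phone-count estimate concrete, here is an added toy model (not the paper's code) of a cell that pages subscribers at a constant rate while a fleet of rogue phones tries to answer every page first. The only figure taken from the research is the roughly 180 ms response time; the victim's 300 ms response time, the 50 pages per second load, the assumption that the network keeps the first response and discards later ones, and the uniform paging schedule are all assumptions for illustration.

```python
# Added example (not the paper's code): a toy discrete-time model of the
# "race for the fastest paging response" and of how many rogue phones a cell
# needs. Every number below is an assumption for illustration except the
# roughly 180 ms response time quoted from the research.
import math
from dataclasses import dataclass


@dataclass
class RoguePhone:
    response_ms: float        # page seen -> our PAGING RESPONSE reaches the network
    free_at_ms: float = 0.0   # a phone answers one page at a time


def race(page_ms, victim_response_ms, rogues):
    """Decide one paging request broadcast at page_ms.

    Model (assumed): the network accepts the first PAGING RESPONSE for the
    paged identity and discards later ones, so if a free rogue phone answers
    before the real subscriber, the call or SMS is never delivered."""
    victim_answer_ms = page_ms + victim_response_ms
    idle = [r for r in rogues if r.free_at_ms <= page_ms]
    if idle:
        rogue = min(idle, key=lambda r: r.response_ms)
        rogue_answer_ms = page_ms + rogue.response_ms
        if rogue_answer_ms < victim_answer_ms:
            rogue.free_at_ms = rogue_answer_ms   # busy until its answer is sent
            return "attacker"
    return "victim"


def uniform_schedule(pages_per_second, seconds):
    """Paging requests at a constant rate (assumed; real load is bursty)."""
    n = int(pages_per_second * seconds)
    return [1000.0 * i / pages_per_second for i in range(n)]


def simulate(page_times_ms, victim_response_ms, n_rogues, rogue_response_ms):
    """Return (pages hijacked, pages total) for n_rogues identical phones."""
    rogues = [RoguePhone(rogue_response_ms) for _ in range(n_rogues)]
    hijacked = sum(race(t, victim_response_ms, rogues) == "attacker"
                   for t in page_times_ms)
    return hijacked, len(page_times_ms)


def phones_needed(pages_per_second, rogue_response_ms):
    """Steady-state lower bound: each phone handles at most one page per
    response time, so rate * response_time phones must be in flight."""
    return math.ceil(pages_per_second * rogue_response_ms / 1000.0)


def min_phones_by_simulation(page_times_ms, victim_response_ms,
                             rogue_response_ms, limit=200):
    """Smallest fleet for which the model hijacks every page, or None."""
    for n in range(1, limit + 1):
        hijacked, total = simulate(page_times_ms, victim_response_ms,
                                   n, rogue_response_ms)
        if hijacked == total:
            return n
    return None


if __name__ == "__main__":
    schedule = uniform_schedule(50, 2)            # assumed: 50 pages/s for 2 s
    for n in (1, 5, 9):
        print(n, "phones:", simulate(schedule, 300, n, 180))
    print("bound:", phones_needed(50, 180),
          "simulated:", min_phones_by_simulation(schedule, 300, 180))
```

The bound in `phones_needed` is the paper's point in miniature: the fleet size scales with the paging rate of the cell times the per-phone response time, and nothing in the protocol stops an attacker from adding phones until that product is covered. Raising the victim's response time or lowering the rogue phones' does not change the count, only whether the race is winnable at all.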
The group hopes the research draws attention to the aging GSM system, which has changed little since its design in the 1980s, and to the "inherent trust" that subscribers and operators place in other phones on the network to "play by the rules," a trust this attack shows to be misplaced.