Hacking phone firmware allows paging response attack on GSM

Pierluigi Paganini August 28, 2013

Researchers at the latest USENIX Security Symposium demonstrated that by hacking phone firmware it is possible to compromise mobile communications within the same area.

By hacking phone firmware it is possible to interfere with other handsets in the same area; the attack technique was recently presented at the USENIX Security Symposium by telecommunications researcher Kévin Redon.

Redon conducted the research with two colleagues, Jean-Pierre Seifert and Nico Golde. They demonstrated that an attacker who simply implements their own baseband firmware based on OsmocomBB could compromise mobile communications in the same area by exploiting the paging procedure of cellular networks.

With this firmware-hacking technique the researchers could, at least on GSM, hijack phone calls and SMS or perform targeted denial of service attacks against single subscribers as well as against users belonging to a larger geographical area (e.g. a metropolitan area).

Although numerous security vulnerabilities already exist in GSM, only a few of them involve active adversaries. The hack relies on the ability of modified mobile devices to respond before the phones that were originally intended to receive the calls and messages do. The researchers described the process as “the race for the fastest paging response time.”

The paging mechanism is used by the network to notify a phone of an incoming service. Once a phone is registered to a cell, it listens only to the Paging Channel (PCH), a broadcast downlink channel on the CCCH, in order to save energy.

Mobile phones update their location only when they change Location Area (LA), but they can listen to any PCH from any BTS within this LA. The paging message carries a Mobile Identity (IMSI/TMSI); each phone compares it with its own identity and replies to the broadcast if it matches.

[Figure: the GSM paging process]

The team of researchers realized the firmware hack by modifying the baseband of some Motorola handsets and tricking some older 2G GSM networks into not delivering calls and messages. In particular they loaded the OsmocomBB baseband firmware (which runs a simple version of the GSM stack) onto two different Motorola phones (models C123 and C118); after the hack both devices were able to respond to specific paging requests, i.e. to calls.

The concept is simple: the modified devices interfere with those networks by catching messages sent from base stations so that they are not delivered to the legitimate recipients; in this way attackers could shut down communications within the area. It must also be considered that the paging mechanism implemented in the GSM standard is also used in the UMTS and LTE standards.

It’s clear that the success of the firmware hack depends on numerous factors such as the response time of the attacker’s mobile, the response time of the victim’s device and the network. Response time varies between manufacturers; Redon’s team, for example, achieved a paging response time of around 180 milliseconds. Below are the measurements taken on various phones:

[Figure: paging response time measured on various phones]

The three researchers revealed that they conducted the experiments in and around Berlin. The firmware hack allows attackers to “perform targeted denial of service attacks against single subscribers and as well against large geographical regions within a metropolitan area,” and they added that the technique is effective against numerous German mobile phone operators including O2, Vodafone, T-Mobile and E-Plus.

A worrying attack scenario is a group of attackers equipped with modified handsets who coordinate their movements to shut down communication within a localized network belonging to one of the above operators; for example, just 11 phones could be sufficient to knock down calls and messaging for the third largest mobile operator in Germany, E-Plus.

The researchers wrote that “The results indicate the required resources for a large-scale attack do not extensively exhaust the resources provided by a cell,” and that there “is no technical limitation” when it comes to combining cell phones for an attack.

If you believe that the problem is limited to the small number of users who access 2G networks you are wrong: in many countries around the globe the Global System for Mobile Communications (GSM) is an essential component of the communication infrastructure.

I have already written about GSM flaws and limits; the researchers’ discovery is another demonstration that it is possible to interfere with and manipulate this type of communication.

GSM still implements weak encryption, which enables hackers to bypass authentication and impersonate a victim; consider that some GSM networks use A5/0, which has no encryption at all, while others use A5/2 (broken in 1999) or A5/1 (also broken).

Following are the countermeasures proposed by the researchers in the slides of the presentation:

  • 100% MT authentication: prevents hijacking
  • Use A5/3: prevents hijacking
  • Refresh TMSI: prevents targeted DoS
  • Wait for authentication before assigning MT service: removes race condition
  • Use authenticated paging: removes race condition
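As an added illustration (not code from the article or from the researchers’ OsmocomBB work), the following Python model simulates the paging race described above and shows why two of the listed countermeasures help: the handset that answers a page first wins the mobile-terminated service unless the network authenticates before assigning it, and a refreshed TMSI makes the identity an attacker previously observed for the victim stale. Handset names, the TMSI values and the 450 ms response time of the stock phone are constructed; the 180 ms figure is the one reported in the article.

```python
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Handset:
    name: str
    tmsi: Optional[str]   # identity it answers to; None = answers every page (area-wide DoS)
    response_ms: float    # delay from paging request on the PCH to paging response
    has_sim_key: bool     # only the real subscriber's SIM can pass authentication

    def matches(self, paged_tmsi: str) -> bool:
        return self.tmsi is None or self.tmsi == paged_tmsi


def page(handsets, paged_tmsi, auth_before_service=False):
    """Broadcast one paging request and return the handset that receives the
    mobile-terminated service (call/SMS), or None if nobody answers.
    Default GSM behaviour: the first paging response wins the race.
    With auth_before_service the network discards responders that fail
    authentication before assigning the service, which removes the race."""
    responders = sorted((h for h in handsets if h.matches(paged_tmsi)),
                        key=lambda h: h.response_ms)
    if not auth_before_service:
        return responders[0] if responders else None
    return next((h for h in responders if h.has_sim_key), None)


def refresh_tmsi(handset, rng):
    """Countermeasure: re-allocate a random TMSI after each transaction, so a
    TMSI the attacker observed earlier for the victim no longer matches."""
    handset.tmsi = f"{rng.getrandbits(32):08x}"
    return handset.tmsi


def demo():
    # Constructed values: the victim is a stock phone, the attacker runs modified firmware
    victim = Handset("victim", "1a2b3c4d", 450.0, True)
    attacker = Handset("attacker", "1a2b3c4d", 180.0, False)   # 180 ms as reported in the article
    cell = [victim, attacker]
    out = {}
    out["race"] = page(cell, "1a2b3c4d").name                    # attacker answers first
    out["auth_first"] = page(cell, "1a2b3c4d", True).name         # victim keeps the call
    new_tmsi = refresh_tmsi(victim, random.Random(7))
    out["after_refresh"] = page(cell, new_tmsi).name              # attacker's stored TMSI is stale
    wildcard = Handset("attacker-any", None, 180.0, False)        # answers all pages in the area
    out["area_dos"] = page([victim, wildcard], new_tmsi).name     # TMSI refresh alone is not enough
    out["area_dos_auth"] = page([victim, wildcard], new_tmsi, True).name
    return out


if __name__ == "__main__":
    for key, winner in demo().items():
        print(f"{key}: {winner}")
```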

The GSM system has remained practically unchanged since the 1980s … an eternity for a communication standard.

Pierluigi Paganini

(Security Affairs – GSM, DoS, Hacking phone firmware)
