Another nail in GSM’s security coffin?

One of the great things about communications hardware is the flexibility of the CELL-TOWER-METRO-DENSE-COVERAGEtechnology, which means that – as well as being highly flexible – with the right software and firmware code, the hardware’s capability can be significantly stretched.

Leading European cellular communications researcher Karsten Nohl has proven this to be the case time and again in recent years by subverting the wireless monitoring and handshaking processes underlying GSM cellular kit.

Much of Nohl’s research has centered on the wireless nature of GSM cellular communications and the fact that the transmitter – and receiver – must rely on a wireless handshaking process in order to identify and authenticate themselves to the other.

Put simply, this means that, with the right sniffing software in place, it becomes possible to eavesdrop – and even interface – with the other end of the communications connection.

Now a group of researchers with the Technical University of Berlin have gone several steps further and subverted the hardware of the GSM transmission element of the hardware, namely the baseband transceiver element of a Motorola C1 series handset.

Blanket transmission

By blanket transmitting on the GSM control frequencies, the researchers found that they could effectively `busy out’ the local cell to prevent incoming calls from being received, as well as locking down any text messages being transmitted or received.

The good news is that, because the 3G and 4G cellular networks use a spread spectrum approach to transmission, blocking the radio control channels is not possible. Yet.

Interestingly, because the GSM control channels overlap in many areas, the effects of this blocking process can radiate out into adjacent cells – especially if the cell sites use a segmented approach to their coverage.

The baseband code has been completely rewritten on an open source basis by the coders, meaning their work can be tweaked – and further rewritten – by other crackers and hackers.

According to Professor Jean-Pierre Seifert, who heads a telecommunications security research group with the Technical University of Berlin, if the correct blanket transmission approach is used, then the blocking effect can also extend back to the EMX (electronic mobile exchange), meaning – in theory at least – that whole areas of a city could be busied out in this way,


How it all works – in English

The hacked baseband code has been modified to signal to the local base station that it is available to `answer’ any incoming call – regardless of whom it is addressed to. This means that any incoming call assigned to a mobile in the cell site’s coverage area will be assigned to the rogue mobile.

Only when the full authentication process proceeds will the network realise its mistake and attempt to re-route. At which stage the whole process starts again – until the incoming call times out.

Siefert and his team say that their research was based on hardware details of the Vitelcom TSM30 handset – which was released into the Eastern European market two years ago – and which leaked out to the hardware hacking community.

After working out how the baseband code of the TSM30 worked, the researchers were able to apply this knowledge to the Motorola handset processor.

Because Motorola’s popular C1 series of phones – such as the C118, C119, and C123 – all use the Texas Instruments’ Calypso baseband processor, the researchers say that many other handsets may be affected.

The researchers have also calculated that just 11 modified handsets would be enough to shut down service of Germany’s E-Plus cellular network – across the whole of Germany.

I think that’s a tad optimistic, as E-Plus – despite being Germany’s third-largest network – has 19 million subscribers (compared to T-Mobile’s 38 million and Vodafone’s 39 million) and is also predominantly a GSM-1800 network, which means its base stations are closer together than the competing GSM-900 services.

The $64,000 question, of course, is whether the baseband security flaw can be fixed. Like Nohl’s various revelations over the years, the problem is a structural flaw, but is far deeper rooted than simple GSM sniffing/subversion methodologies.

Theoretically, an over-the-air update to affected mobiles could add an extra layer of handshaking security, but this would only be a workaround, as the baseband processor is fundamental hardware to the transceiving elements of the mobile device.

Myself, I reckon that the cellcos – and the hardware manufacturers – will point out that 3G and 4G networks are relatively immune from this sort of electronic hackery.

Seifert is quoted, meanwhile, as saying that the carriers’ response to his team’s research has been that the process is illegal and that people should not be doing this.

“However, the implication is that the good old times, where you can assume that all the phones are honest and following the protocol, are over,” he told a reporter on one newswire last week.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.