Have you ever told someone that you didn’t receive their text or their call? Although it can happen, it doesn’t sound very believable in this digital age. Can you imagine “I didn’t get that text or call” happening to everyone in a city? It might become more common if attackers embrace new security research that demonstrated how to block all incoming calls and text messages sent to other nearby phones connected to the same GSM cellular network.
There are numerous security flaws in the GSM mobile protocol; there are also many known attacks based on GSM cellular networks, such as sniffing GSM traffic and cracking encryption, or setting up a fake base station for a GSM interception attack. Recently at the USENIX Security Symposium, security researchers demonstrated two new attacks based on the GSM paging procedure during their presentation titled “Let Me Answer That for You: Exploiting Broadcast Information in Cellular Networks” [pdf]. The abstract states:
...it is feasible to hijack the transmission of mobile terminated services such as calls, perform targeted denial of service attacks against single subscribers and as well against large geographical regions within a metropolitan area.
Nico Golde, Kévin Redon, and Jean-Pierre Seifert from the Technical University Berlin and Telekom Innovation Laboratories modified the firmware [pdf slides] in Motorola phones; this embedded software is what controls how a phone communicates with cell towers. When a text or call is sent over a GSM network, the tower queries, or pages, all nearby devices in order to determine which phone is supposed to receive the call or text. It works on a “trust” system, and the intended phone replies, “It’s me.” But that trust can be violated, since the modified firmware “can respond to paging faster than the victim’s phone. When a network sends out a page, the modified phone says ‘It’s me’ first, and the victim’s phone never receives it.”
The researchers first presented “Let Me Answer That for You: Exploiting Broadcast Information in Cellular Networks” at the 29th Chaos Communication Congress (29c3). They said their new attack could stall communications in Berlin, where the average GSM location area is about 200 square kilometers. In fact, they estimate that an attacker with 11 similarly modified phones would have enough to shut down the service of Germany’s third-largest cellular network operator. “All those phones are listening to all the paging requests in that area, and they are answering ‘It’s me,’ and nobody in that cell will get an SMS or a phone call.”
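To make the race condition described above concrete, here is a small Python model of the paging exchange. It is an added illustration, not code from the researchers or from any GSM stack: the phone names, identities, keys and millisecond latencies are constructed, and the keyed response in the `authenticate=True` path is an assumed mitigation used to show why binding the paging reply to the subscriber’s secret closes the race, not a description of what GSM or the paper’s proposal actually does. In the plain mode the tower simply hands the channel to whoever answers first, which is exactly the “It’s me” problem the article describes.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Phone:
    name: str
    tmsi: str        # temporary identity that the tower pages (constructed values)
    key: bytes       # subscriber secret shared with the network (hypothetical, constructed)
    latency_ms: int  # time for this phone's paging response to reach the tower
    answers_every_page: bool = False  # modified firmware: claims every page, not just its own

    def respond(self, paged_tmsi: str, nonce: bytes):
        """Return a paging response tuple, or None if this phone ignores the page."""
        if paged_tmsi != self.tmsi and not self.answers_every_page:
            return None
        # Assumed keyed response: a tag only the holder of the paged subscriber's key can produce.
        # A rogue phone can only tag with its own key, so its tag will not verify for a victim.
        tag = hmac.new(self.key, nonce + paged_tmsi.encode(), hashlib.sha256).digest()
        return (self.latency_ms, self.name, paged_tmsi, tag)


class Tower:
    def __init__(self, subscribers):
        # The network knows every subscriber's key (hypothetical model of the HLR/AuC side).
        self.keys = {p.tmsi: p.key for p in subscribers}

    def page(self, tmsi: str, phones, authenticate: bool = False) -> Optional[str]:
        """Page one TMSI; return the name of the phone the tower hands the call to."""
        nonce = os.urandom(16)
        responses = [r for r in (p.respond(tmsi, nonce) for p in phones) if r is not None]
        for latency, name, claimed, tag in sorted(responses):  # earliest reply first
            if not authenticate:
                return name  # plain paging as described in the article: first "It's me" wins
            expected = hmac.new(self.keys[claimed], nonce + claimed.encode(),
                                hashlib.sha256).digest()
            if hmac.compare_digest(tag, expected):
                return name  # first reply that proves possession of the paged subscriber's key
        return None


def simulate(authenticate: bool) -> dict:
    """Constructed scenario: three subscribers and one phone that answers every page faster."""
    alice = Phone("alice", "tmsi-a", b"k-alice", latency_ms=30)
    bob = Phone("bob", "tmsi-b", b"k-bob", latency_ms=25)
    carol = Phone("carol", "tmsi-c", b"k-carol", latency_ms=40)
    rogue = Phone("rogue", "tmsi-x", b"k-rogue", latency_ms=5, answers_every_page=True)
    phones = [alice, bob, carol, rogue]
    tower = Tower(phones)
    # Page each legitimate subscriber once and record who actually received the channel.
    return {p.name: tower.page(p.tmsi, phones, authenticate) for p in (alice, bob, carol)}


def hijacked(results: dict) -> int:
    """Count pages that were answered by someone other than the paged subscriber."""
    return sum(1 for owner, winner in results.items() if winner != owner)


if __name__ == "__main__":
    print(simulate(False))  # every page is won by the rogue phone
    print(simulate(True))   # with keyed responses, each owner gets its own page
```

Two points the model makes visible: a single fast responder that claims every page is enough to starve every subscriber in the paged area (the mechanism behind the researchers’ estimate of a handful of phones per operator), and the race is only winnable because the channel is granted before any proof of identity is checked, which is why the researchers point at insufficient authentication as the aggravating factor.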
In case you didn’t know, AT&T and T-Mobile are examples of GSM wireless service providers in the US. You’ve probably heard about the government paying AT&T to have its telecom employees work beside DEA agents for the secret Hemisphere Project. Because Hemisphere contains AT&T-supplied phone call records going back as far as 1987, it is reportedly much larger than the NSA’s call record database, which allegedly holds only five years of call records. AT&T training slides indicate the database is also used by Homeland Security, the FBI and other law enforcement agencies. It’s no surprise that the Justice Department wanted to keep Hemisphere a secret.
"Hemisphere covers every call that passes through an AT&T switch - not just those made by AT&T customers," reported the New York Times. "Some four billion call records are added to the database every day." Hemisphere can also be queried to discover which new phone number replaced a dropped phone that a criminal or drug dealer may have used as a “burner” disposable phone.
Some drug dealers don’t toss out their phone, but instead swap out the SIM card or spoof the IMEI number. Last month, we looked at a new and undetectable forensic method for tracking cellphones on a GSM network even if the owners tried those tactics to avoid “lawful interception” wiretapping.
You may not care about GSM, but GSM networks (2G) are the most common type of cellular network in the world. If you think you’re safe by using 4G and LTE, then read what the Berlin researchers wrote [pdf]: “It is important to note that the main reason for evaluating the paging race condition in GSM was the availability of freely modifiable hardware and software. However, modern telecommunication standards such as UMTS or LTE are making use of exactly the same paging procedure principles. Insufficient cryptography and authentication further escalate the problem, but the root cause does not only pertain to GSM.”
If you are interested, you can watch or download their USENIX video presentation, as well as check out the research paper [pdf] and slides [pdf].