Flaws in Cell Towers

Thursday, August 25, 2016 @ 03:08 PM gHale

Three critical security flaws in Base Transceiver Station (BTS) software allow attackers to compromise, hijack, or crash mobile cell towers, researchers said.

A BTS, the cellular tower itself, is the backbone of every mobile network: it relays calls, SMS messages, and data packets from phones to the mobile operator's core network, which interconnects calls, delivers SMS messages to their destinations, and forwards data packets to servers.


BTS equipment is deployed universally, whether the underlying mobile network runs on GSM, UMTS, or LTE.

Researchers at mobile security firm Zimperium found three vulnerabilities in several software packages that run on BTS stations.

Other software packages not included in Zimperium's tests could also be affected, since they share a similar architecture.

Affected vendors include Legba Incorporated, Range Networks, and OsmoCOM.

There are currently three issues that mobile operators and BTS software vendors need to address in their equipment.

The first is a bug in a core BTS software service that binds its sockets to all network interfaces rather than only the local one, exposing the device to external connections and allowing an attacker to reach the BTS station's transceiver over the Internet.

Attackers can send UDP packets to the transceiver's management ports (5700, 5701, 5702) and abuse the device's built-in management features. This lets the attacker take remote control of the BTS station, alter GSM traffic, extract information from the passing data, crash the BTS station, or worse.

Zimperium recommended that companies bind the sockets used for control and data exchange only to the local loopback interface, or deploy a firewall to block external traffic to those ports.

The second issue is a memory buffer overflow triggered by oversized UDP packets: a classic remote code execution (RCE) flaw that lets an attacker run code of their choosing on the device. How much damage it does depends on the attacker's skill.

The third issue is related to the first. Because the control channel has no authentication, an attacker who can send crafted UDP traffic to the BTS station can execute commands on its transceiver module. The transceiver is the main hardware component of the BTS rig; it moves data between the radio antenna and the BTS core software.

This flaw lets an attacker control the transceiver module remotely without supplying any administrative credentials.

Zimperium said an attacker with access to the control channel can turn the BTS off, jam the antenna's radio frequencies, or change the BTS identity, either removing the BTS from the mobile operator's network or making it impersonate another BTS on the same network, and from there carry out man-in-the-middle attacks.
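The exposure check behind the first and third issues, as an added example that is not part of the original article and not Zimperium's or any BTS vendor's code: a Python audit that reads Linux `ss -ulnp` output on the BTS host and flags UDP listeners on the advisory's transceiver ports (5700, 5701, 5702) that are bound to anything other than loopback. The sample `ss` output, the process name `transceiver`, and the suggested nftables rule (which assumes an existing `inet filter` table with an `input` chain) are constructed assumptions for illustration.

```python
"""Audit a BTS host for transceiver control/data UDP sockets reachable from other hosts.

Added example (not Zimperium's or any BTS vendor's code). It parses `ss -ulnp`
output on the BTS host and flags UDP listeners on the transceiver ports named in
the advisory (5700, 5701, 5702) that are bound to anything other than loopback.
"""
import ipaddress
import re
import subprocess

TRANSCEIVER_PORTS = {5700, 5701, 5702}

# "Local Address:Port" column of `ss -ulnp`: "0.0.0.0:5701", "[::]:5700", "*:5700",
# "127.0.0.53%lo:53" (the interface scope after '%' is stripped below).
LOCAL_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")

# Constructed sample of `ss -ulnp` output from a hypothetical BTS host: two of the
# three transceiver sockets listen on every interface, one is loopback-only.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
UNCONN 0      0      0.0.0.0:5700         0.0.0.0:*         users:(("transceiver",pid=1234,fd=5))
UNCONN 0      0      0.0.0.0:5701         0.0.0.0:*         users:(("transceiver",pid=1234,fd=6))
UNCONN 0      0      127.0.0.1:5702       0.0.0.0:*         users:(("transceiver",pid=1234,fd=7))
UNCONN 0      0      [::]:5353            [::]:*            users:(("avahi-daemon",pid=700,fd=12))
UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*         users:(("systemd-resolve",pid=600,fd=13))
"""


def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; the wildcards '*', 0.0.0.0 and :: are not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # '*' or anything else ss prints that is not an IP literal
        return False


def parse_ss_line(line):
    """Return (address, port, process_name) for one `ss -ulnp` data line, else None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "UNCONN":
        return None  # header line or a non-UDP state
    m = LOCAL_ADDR_RE.match(fields[3])
    if not m:
        return None
    addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
    addr = addr.split("%")[0]  # drop interface scope such as 127.0.0.53%lo
    port = int(m.group("port"))
    proc_match = re.search(r'\("([^"]+)"', " ".join(fields[5:]))
    proc = proc_match.group(1) if proc_match else "?"
    return addr, port, proc


def exposed_transceiver_sockets(ss_output):
    """List (addr, port, process) for transceiver ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        addr, port, proc = parsed
        if port in TRANSCEIVER_PORTS and not is_loopback(addr):
            findings.append((addr, port, proc))
    return findings


def nft_block_rule(ports=tuple(sorted(TRANSCEIVER_PORTS))):
    """Suggested nftables rule (assumes an existing 'inet filter' table with an 'input'
    chain): drop transceiver-port UDP arriving on any interface other than lo."""
    return 'nft add rule inet filter input iifname != "lo" udp dport { %s } drop' % ", ".join(
        str(p) for p in ports
    )


def report(findings):
    """Human-readable summary of the audit result."""
    if not findings:
        return "OK: transceiver ports are loopback-only or not listening"
    lines = ["EXPOSED: transceiver sockets reachable from other hosts:"]
    for addr, port, proc in findings:
        lines.append(f"  udp {addr}:{port} ({proc})")
    lines.append("Bind these to 127.0.0.1 in the BTS configuration, or block them with:")
    lines.append("  " + nft_block_rule())
    return "\n".join(lines)


def main():
    try:
        out = subprocess.run(["ss", "-ulnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        print("ss not available here; auditing the constructed sample instead\n")
        out = SAMPLE_SS_OUTPUT
    print(report(exposed_transceiver_sockets(out)))


if __name__ == "__main__":
    main()
```

Run it as root on the BTS host so `ss -ulnp` can show the owning process; a clean result means every transceiver socket is bound to loopback, which is the configuration Zimperium recommended. The firewall rule is a stopgap that protects the unauthenticated control channel from off-box senders; it does nothing for an attacker who already has a foothold on the host.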
