Wireless Phone Hack can Block Calls

Tuesday, August 27, 2013 @ 07:08 PM gHale

By running modified firmware on certain cheap phones, an attacker can block other phones in the area from receiving incoming calls or SMS messages, new research shows.

The attack replaces the baseband firmware on some Motorola phones and exploits the way 2G GSM networks deliver calls and messages: by watching the paging messages broadcast from cell towers and answering them before the intended phone can, the attack can effectively shut down service in a small area, according to research presented at the USENIX Security Symposium earlier this month.


Essentially, the attack runs on OsmocomBB, an open-source GSM baseband implementation, and blocks calls and messages by answering the network's paging requests (pages) before the phone they were meant for does, said Kévin Redon, a Berlin-based telecommunications researcher who discussed the details at the USENIX conference. Redon called this “the race for the fastest paging response time.” Fellow researchers Nico Golde and Jean-Pierre Seifert, who co-wrote the paper on the subject, joined him at the conference.

The paper notes that while 4G is being rolled out on a large scale in many countries, most of the globe still depends on Global System for Mobile Communications (GSM) infrastructure.

GSM was notoriously difficult to study in its early days, but the group had help from the recent proliferation of cheap tools such as the Universal Software Radio Peripheral, a computer-hosted software-defined radio. In 2004 the source code of the Vitelcom TSM30 phone leaked as well, which let researchers study and manipulate a real GSM protocol stack implementation.

The researchers loaded OsmocomBB, which implements a simplified GSM protocol stack, onto the baseband processor of two inexpensive Motorola phones, the C123 and the C118, to observe traffic on the air and respond to specific paging requests, that is, incoming calls or messages addressed to a chosen subscriber.

Whether the attack succeeds depends on the relative response times of the attacker's and the victim's devices. Response times vary with handset, vendor and network, but according to their measurements the researchers were able to get their modified phones to answer a paging request in about 180 milliseconds.
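The two steps the researchers describe, reading paging requests off the broadcast paging channel and answering them faster than the victim, can be shown in code. The following is an example written for this page, not the researchers' OsmocomBB code: it decodes GSM 04.08 PAGING REQUEST TYPE 1 blocks as they appear on the PCH (L2 pseudo-length header, RR message, 0x2B padding), extracts the paged TMSI or IMSI, and then applies the race rule that the network serves whichever PAGING RESPONSE arrives first. The sample blocks, the victim identities and all response times are constructed; the 180 ms attacker figure is the one quoted in the article.

```python
"""Decode PAGING REQUEST TYPE 1 blocks from the GSM paging channel and decide,
per paged identity, whether an attacker would win the paging race.
Example code written for this page; sample blocks and timings are constructed."""
from dataclasses import dataclass

RR_PROTOCOL_DISCRIMINATOR = 0x06   # GSM 04.08: Radio Resource management
PAGING_REQUEST_TYPE1 = 0x21        # GSM 04.08 section 9.1.22
IEI_MOBILE_IDENTITY_2 = 0x17       # optional second identity, TLV coded
ID_TYPE_NAMES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


@dataclass(frozen=True)
class MobileIdentity:
    kind: str
    value: str


def decode_mobile_identity(data: bytes) -> MobileIdentity:
    """Decode the value part of a Mobile Identity IE (GSM 04.08 10.5.1.4)."""
    if not data or data[0] & 0x07 == 0:
        return MobileIdentity("NONE", "")
    id_type = data[0] & 0x07           # bits 1-3: type of identity
    odd_digits = bool(data[0] & 0x08)  # bit 4: odd/even number of digits
    if id_type == 4:
        # TMSI: filler nibble 0xF, then four octets, most significant first
        if len(data) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return MobileIdentity("TMSI", "%08x" % int.from_bytes(data[1:], "big"))
    # IMSI/IMEI/IMEISV: BCD, first digit in the high nibble of octet 1,
    # then two digits per octet, low nibble first
    digits = [str(data[0] >> 4)]
    for octet in data[1:]:
        digits.append(str(octet & 0x0F))
        digits.append(str(octet >> 4))
    if not odd_digits:
        digits.pop()   # even digit count: last high nibble is 0xF filler
    return MobileIdentity(ID_TYPE_NAMES.get(id_type, "UNKNOWN"), "".join(digits))


def decode_paging_request_type1(block: bytes) -> list:
    """Parse one 23-octet PCH block; return the paged identities, or [] if the
    block carries some other RR message.  Octet 1 is the L2 pseudo length
    (len << 2 | 0b01), the L3 message follows, the rest is 0x2B padding."""
    if len(block) != 23:
        raise ValueError("a PCH block is 23 octets")
    if block[0] & 0x03 != 0x01:
        raise ValueError("not an L2 pseudo-length header")
    l3 = block[1:1 + (block[0] >> 2)]
    if (len(l3) < 4 or l3[0] & 0x0F != RR_PROTOCOL_DISCRIMINATOR
            or l3[1] != PAGING_REQUEST_TYPE1):
        return []
    # l3[2] holds page mode (low nibble) and channels needed (high nibble)
    identities = []
    end = 4 + l3[3]                       # Mobile Identity 1 is LV coded
    identities.append(decode_mobile_identity(l3[4:end]))
    if end + 1 < len(l3) and l3[end] == IEI_MOBILE_IDENTITY_2:
        length = l3[end + 1]              # Mobile Identity 2 is TLV coded
        identities.append(decode_mobile_identity(l3[end + 2:end + 2 + length]))
    return identities


def attacker_wins(attacker_ms: float, victim_ms: float) -> bool:
    """The network serves whichever PAGING RESPONSE reaches it first."""
    return attacker_ms < victim_ms


def hijacked(blocks, victims: dict, attacker_ms: float) -> list:
    """Scan PCH blocks for watched identities and return those whose page the
    attacker would answer first.  victims maps an identity value (TMSI hex or
    IMSI digits) to that handset's response time in ms (constructed here)."""
    won = []
    for block in blocks:
        for mi in decode_paging_request_type1(block):
            if mi.value in victims and attacker_wins(attacker_ms, victims[mi.value]):
                won.append(mi.value)
    return won


def pch_block(l3: bytes) -> bytes:
    """Wrap an L3 message in a 23-octet PCH block (pseudo length + 0x2B padding)."""
    assert len(l3) <= 22
    return bytes([len(l3) << 2 | 0x01]) + l3 + b"\x2b" * (22 - len(l3))


# Constructed sample blocks, not captured traffic.
SAMPLE_BLOCKS = [
    # PAGING REQUEST TYPE 1, one identity: TMSI 0x11223344
    pch_block(bytes.fromhex("06 21 00 05 f4 11 22 33 44")),
    # PAGING REQUEST TYPE 1, IMSI 262011234567890 plus a second TMSI 0xdeadbeef
    pch_block(bytes.fromhex("06 21 00 08 29 26 10 21 43 65 87 09 17 05 f4 de ad be ef")),
    # some other RR message type (0x1B), which the decoder skips
    pch_block(bytes.fromhex("06 1b 00 00 00 00")),
]

# Constructed response times in ms: attacker answers in 180 ms (article figure),
# one victim handset is slower than that, the other is faster.
VICTIMS = {"11223344": 260.0, "deadbeef": 150.0}

if __name__ == "__main__":
    for b in SAMPLE_BLOCKS:
        print(decode_paging_request_type1(b))
    print("pages the attacker would steal:", hijacked(SAMPLE_BLOCKS, VICTIMS, 180.0))
```

The decoder is the whole prerequisite for the attack: identities on the PCH are broadcast in the clear, so any OsmocomBB phone camping on the cell can harvest them. The race function is deliberately a plain comparison, which is the point of the paper: nothing in the protocol ties a PAGING RESPONSE to the handset that was actually paged, so the faster responder wins.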

While the investigation primarily took place in and around Berlin, the trio claims it is possible to “perform targeted denial of service attacks against single subscribers and as well against large geographical regions within a metropolitan area.”

The trio was able to carry out the attack on a variety of German mobile operators including O2, Vodafone, T-Mobile and E-Plus.

Answering every paging request in a cell, and thereby disrupting service for everyone in it, takes more than one phone, something closer to a small botnet of phones. For example, the researchers conclude they could take down a localized network belonging to E-Plus, the third largest mobile operator in Germany, with only 11 phones.

“The results indicate the required resources for a large-scale attack do not extensively exhaust the resources provided by a cell,” the paper said, adding there “is no technical limitation” when it comes to combining cell phones for an attack.
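To make the capacity argument concrete, here is a small greedy model added for this page; it is not the paper's analysis and does not reproduce its measured numbers. Each answered page ties up one attacker phone for a fixed hold time (the RACH burst, IMMEDIATE ASSIGNMENT, the PAGING RESPONSE on the SDCCH and the release), a page is missed if every phone is busy, and the model searches for the smallest phone count that misses nothing. The 20 pages per second rate and the 500 ms hold time are constructed inputs.

```python
"""Estimate how many attacker phones it takes to answer every page in a cell.
Greedy loss-system model written for this page; rates and hold times are
constructed, not the paper's measurements."""
import random


def answered(paging_times_ms, n_phones, hold_ms):
    """Number of pages (sorted arrival times in ms) an n-phone attacker answers
    when any idle phone takes a page and a page is missed if all are busy."""
    busy_until = [0] * n_phones
    count = 0
    for t in paging_times_ms:
        for i, free_at in enumerate(busy_until):
            if free_at <= t:
                busy_until[i] = t + hold_ms
                count += 1
                break
    return count


def phones_needed(paging_times_ms, hold_ms, max_phones=200):
    """Smallest phone count that answers every page, or None beyond max_phones."""
    for n in range(1, max_phones + 1):
        if answered(paging_times_ms, n, hold_ms) == len(paging_times_ms):
            return n
    return None


def even_stream(pages_per_s, duration_s):
    """Pages at a constant rate; times in whole ms (constructed input)."""
    step = 1000 // pages_per_s
    return list(range(0, duration_s * 1000, step))


def poisson_stream(pages_per_s, duration_s, seed=1):
    """Random page arrivals with exponential gaps; whole ms (constructed input)."""
    rng = random.Random(seed)
    t, times = 0.0, []
    while True:
        t += rng.expovariate(pages_per_s)
        if t >= duration_s:
            return times
        times.append(int(t * 1000))


if __name__ == "__main__":
    even = even_stream(20, 10)          # constructed: 20 pages/s for 10 s
    print("constant rate, 500 ms hold:", phones_needed(even, 500), "phones")
    print("with one phone fewer, pages answered:",
          answered(even, phones_needed(even, 500) - 1, 500), "of", len(even))
    bursty = poisson_stream(20, 10)     # same mean rate, random gaps
    print("bursty arrivals, 500 ms hold:", phones_needed(bursty, 500), "phones")
```

With evenly spaced pages the answer is simply the hold time multiplied by the paging rate, rounded up (10 phones for the constructed inputs), and bursty arrivals push it higher. That is why the attack scales with the cell's actual paging load rather than with its subscriber count, and why the paper could quote a small, cell-specific phone count rather than a general one.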

The group hopes the research draws attention to the aging GSM design, which has changed little since the 1980s, and to the “inherent trust” the system places in operators and subscribers to “play by the rules.”

