Using mobile devices has become a big part of everyday life. With over 5.6 billion mobile phones in use, it is safe to assume that a significant part of our private communication happens over mobile networks. As with many other things in our lives, the more we depend on a facility, the more we tend to implicitly trust it. The objective of this article is to re-emphasize the insecurity of the networks that we trust and to make general users aware of the facts.
Components of mobile network
| Abbreviation | Meaning |
|---|---|
| BSC | Base Station Controller |
| BSS | Base Station Subsystem |
| BTS | Base Transceiver System (Antenna System + Radio Base Station) |
| EIR | Equipment Identification Register (for IMEI verification) |
| IMEI | International Mobile Equipment Identity |
| IMSI | International Mobile Subscriber Identity |
| HLR | Home Location Register |
| ISDN | Integrated Services Digital Network |
| ILR | Interworking Location Register (for roaming between AMPS and GSM systems) |
| MSC | Mobile Switching Center |
| MSISDN | Mobile Station International Subscriber Directory Number |
| NSS | Network Switching Subsystem |
| OSS | Operation and Support System |
| PDN | Public Data Network |
| PSTN | Public Switched Telephone Network |
| SIM | Subscriber Identification Module |
| SMS | Short Message Service |
| TMSI | Temporary Mobile Subscriber Identity |
| VLR | Visitor Location Register |

Ref: Wireless Communications Systems and Networks, by Mullett, Thomson Publisher
Critical Data and Protection Mechanism
What are the main types of known attacks?
Rogue Base Station Attacks
- GSM standards mandate authentication of mobile devices by the network, but not vice versa.
- An attacker runs their own BSS with a powerful radio antenna and, exploiting proximity, fools a mobile device into attaching to it instead of to a legitimate BSS.
- Base station hardware and open source software (e.g. OpenBTS, OpenBSC) are publicly available.
- This allows an attacker to intercept outbound voice, identify a subscriber's geo-location and capture a subscriber's IMSI.
Track Location Attacks
- An attacker's objective is to identify a subscriber's geo-location.
- For attacks over wider areas, MSC information can be leaked from the HLR. For local-area attacks, a rogue BSS can be used.
- An obfuscated MSC code is stored in the HLR; each code maps to a physical area.
- A rogue BSS can be used to launch active or passive attacks to learn a subscriber's geo-location.
- Active attack: a rogue BSS can send an RRLP (Radio Resource Location services Protocol) request and the phone will return its geo-location. The BSS can also force a handset into a higher power level and calculate its location from its electromagnetic signature.
- Passive attack: by intercepting the TA (Timing Advance) and power level data sent from the mobile phone. In GSM, TA is the length of time a signal takes to travel from a mobile device to the BSS. Each mobile device transmits periodically, using less than 1/8th of the frame (one of the eight TDMA time slots). Since each device is at a different distance and the signal travels at a finite speed, the precise arrival time within a time slot allows the BSS to determine the distance of the device.
Attacks on Subscriber Information
- An attacker's objective is to learn the billing entity name for a given MSISDN.
- A Caller ID query against CNAM can reveal organization, individual and business details.
- Caller ID databases are generally accessible through VoIP.
- Mobile networks communicate with mobile devices using a TMSI. A TMSI is mapped to an MSISDN.
- An attacker's objective is to find the MSISDN, then read and decrypt the traffic.
- The TMSI can be discovered by a number of techniques. Two commonly known techniques are Silent Paging and Silent SMS:
- Silent Paging: to page a device silently, an adversary calls the target MSISDN and hangs up before the BSS initiates the process to alert the called device. The adversary then scans the PCH (Paging Channel) for incoming call broadcasts and retrieves the TMSI or IMSI from them.
- Silent SMS: the adversary sends a specially crafted silent SMS which the device acknowledges without displaying it. This is done by setting the "data_coding" attribute of GSM 03.38 to 0xC0. When the mobile device receives an SMS with data_coding set to this value, it sends a delivery notification but discards the message, so it is never displayed. The adversary then scans the PCH and captures the TMSI or IMSI.
- Knowing the TMSI allows an adversary to monitor a specific target MSISDN. Using cryptanalysis, the adversary then cracks the session key and records the call content.
- The adversary typically requires a set of RF equipment and a cracking infrastructure:
- RF equipment: Universal Software Radio Peripheral, wide-band receiver and a low-cost mobile phone with custom firmware (e.g. OsmocomBB).
- Cracking infrastructure: FPGAs (Field Programmable Gate Arrays), low-cost PCs and rainbow tables.
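A receiver-side check for the silent SMS described above, written as an added example and not taken from the original article: it decodes the TP-DCS coding groups of GSM 03.38 and flags a data_coding of 0xC0 (the "discard message" group with the indication bit clear), and goes a step beyond the text by also flagging the Type 0 short message (TP-PID 0x40), the other well-known silent variant. The minimal SMS-DELIVER parser, the function names and the sample PDUs (originator +447700900123, a constructed number) are all assumptions made for this example.

```python
def describe_dcs(dcs: int) -> dict:
    """Map a TP-DCS octet (GSM 03.38 / TS 23.038) to its coding group; 'discard'
    means the handset acknowledges the message but drops the body unseen."""
    group = dcs >> 4
    if group < 0x8:                     # bits 7..6 = 00 general / 01 auto-delete
        return {"group": "general" if group < 0x4 else "auto-delete",
                "discard": False}
    if group == 0xC:                    # 1100: Message Waiting, discard message
        return {"group": "mwi-discard", "discard": True,
                "mwi_active": bool(dcs & 0x08)}
    if group in (0xD, 0xE):             # 1101/1110: Message Waiting, store message
        return {"group": "mwi-store", "discard": False}
    if group == 0xF:                    # 1111: data coding / message class
        return {"group": "class", "discard": False, "msg_class": dcs & 0x3}
    return {"group": "reserved", "discard": False}

def is_silent(pid: int, dcs: int) -> tuple[bool, str]:
    """True when the device will send a delivery report but display nothing."""
    info = describe_dcs(dcs)
    if info["discard"] and not info["mwi_active"]:   # 0xC0: nothing shown at all
        return True, f"DCS 0x{dcs:02X}: discard group, indication inactive"
    if pid == 0x40:                     # Type 0 short message (TS 23.040), acked then discarded
        return True, f"PID 0x{pid:02X}: Type 0 short message"
    return False, ""

def parse_sms_deliver(pdu_hex: str) -> dict:
    """Minimal SMS-DELIVER parser: skip the SMSC header, read the originating
    address, TP-PID, TP-DCS and the user-data length (timestamp is skipped)."""
    b = bytes.fromhex(pdu_hex)
    i = 1 + b[0]                        # SMSC address is length-prefixed
    if (b[i] & 0x03) != 0x00:           # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_len, i = b[i + 1], i + 3         # digit count, then skip type-of-address
    n = (oa_len + 1) // 2               # digits are packed as swapped nibbles
    digits = "".join(f"{x & 0xF:X}{x >> 4:X}" for x in b[i:i + n])[:oa_len]
    i += n
    return {"originator": digits, "pid": b[i], "dcs": b[i + 1], "udl": b[i + 9]}

def check_pdu(pdu_hex: str) -> dict:
    m = parse_sms_deliver(pdu_hex)
    silent, why = is_silent(m["pid"], m["dcs"])
    return {"from": m["originator"], "silent": silent, "reason": why}

# Constructed sample PDUs (not captured traffic): same sender, no user data,
# TP-DCS 0xC0 (silent) versus the default 0x00.
SILENT_PDU = "07911326040000F0" "04" "0C91" "447700091032" "00" "C0" "52102101000000" "00"
NORMAL_PDU = "07911326040000F0" "04" "0C91" "447700091032" "00" "00" "52102101000000" "00"
```

Running `check_pdu(SILENT_PDU)` reports the message as silent with the DCS reason, while `check_pdu(NORMAL_PDU)` does not; a DCS of 0xC8 (indication active) is not flagged because the handset still shows a waiting-message indicator.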
Attacks on Mobile Devices
- Compromising a targeted mobile device gives an adversary easy access to user information.
- Typically, the following types of attacks are known to be successfully used: Baseband Attack, Messaging Attack, Application Attack and a Mixed Attack.
- A Baseband Attack targets the underlying real-time operating system (RTOS) of a device. Most of these are written in C and assembly language, for which an adversary has access to publicly available vulnerability information and exploits. Many of these RTOSes lack security features such as stack protection and address space layout randomization.
- A Messaging Attack targets protocol and/or architectural vulnerabilities and implementation vulnerabilities.
- WAP and OTA push enable delivering unsolicited data to mobiles. This can be, and has been, the source of some attacks, e.g. a DoS attack using a malformed WAP payload (ref: MSL-2008-001).
- MMS spoofing can be achieved, for example, by using vulnerabilities in a web application's session management. The adversary attempts to illegitimately charge a victim for MMS sent.
- A number of vulnerabilities arise from faulty implementation of a protocol or technology standard. Some known examples are the iPhone SMS attack (by Collin Mulliner and Charlie Miller) and the SMS "Curse of Silence" (by Tobias Engel).
- With increasingly powerful smartphones, mobile applications are becoming attack vectors (e.g. the Pwn2Own attack on the iPhone Safari browser by Ralf-Philipp Weinmann and Vincenzo Iozzo).
- There are other types of known attacks, e.g. the iPhone PHP Perl Compatible Regular Expression vulnerability (for iPhone 1.x) discovered by Charlie Miller.
- DoS can be launched against the network or a targeted mobile device.
- A BSS has a limited number of control channels (RACH, Random Access Channel). By flooding these channels, the services in an area can be rendered unusable.
- An IMSI Detach message is used to tear down a mobile device's connection to the network. An adversary spoofs a detach message using the IMSI of a target device, which disconnects the device from the network and makes it useless for telephony activities.