A simple attack on GSM cellphones
At hack.lu, held in Luxembourg two weeks ago, Ralf Weinman talked about a known vulnerability in GSM (2G) systems — the lack of authentication of the network by the mobile device. While the vulnerability has been known for some time, it is the relative ease of launching an attack that has brought it back into the limelight now. The attack is simple: create your own 2G base station, using a Universal Software Radio Peripheral and running OpenBTS, a base station defined entirely in software. Mobile phones in the vicinity will then connect to your fake base station, unsuspecting of any foul play.
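As an added illustration (not code from this post or from Ralf's talk), the toy model below plays out the attach exchange: the network challenges the phone, but a 2G phone never checks anything about the network, so a base station without the subscriber key still gets it to attach. HMAC-SHA256 stands in for the SIM's A3 algorithm, and `network_proof` is a hypothetical network-side token showing what mutual authentication (absent in 2G) would add; neither is a real GSM message.

```python
import hashlib, hmac, os

def a3(ki, rand):
    # Stand-in for the SIM's A3 algorithm: SRES = f(Ki, RAND)
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]

def network_proof(ki, rand):
    # Hypothetical AUTN-like token only a holder of Ki can produce (not in 2G)
    return hmac.new(ki, b"network" + rand, hashlib.sha256).digest()[:8]

class MobileStation:
    """Phone plus SIM. With verify_network=False it behaves like a 2G handset."""
    def __init__(self, ki, verify_network=False):
        self.ki, self.verify_network = ki, verify_network
    def attach(self, network):
        req = network.auth_request()
        if self.verify_network:
            # Mutual authentication: reject a network that cannot prove it holds Ki
            expected = network_proof(self.ki, req["rand"])
            if not hmac.compare_digest(req.get("autn", b""), expected):
                return False
        # 2G behaviour: nothing about the network is checked, just answer the challenge
        return network.check_response(a3(self.ki, req["rand"]))

class GenuineNetwork:
    """Operator network: holds Ki and verifies the phone's SRES."""
    def __init__(self, ki):
        self.ki, self.rand = ki, os.urandom(16)
    def auth_request(self):
        return {"rand": self.rand, "autn": network_proof(self.ki, self.rand)}
    def check_response(self, sres):
        return hmac.compare_digest(sres, a3(self.ki, self.rand))

class RogueBaseStation:
    """Fake BTS: has no Ki, sends a random challenge and accepts any answer."""
    def auth_request(self):
        return {"rand": os.urandom(16), "autn": os.urandom(8)}
    def check_response(self, sres):
        return True

def run_scenarios():
    ki = os.urandom(16)  # constructed subscriber key shared by SIM and operator
    phone_2g = MobileStation(ki)
    phone_mutual = MobileStation(ki, verify_network=True)
    return {
        "2g_to_genuine": phone_2g.attach(GenuineNetwork(ki)),
        "2g_to_rogue": phone_2g.attach(RogueBaseStation()),  # attaches: the flaw
        "mutual_to_genuine": phone_mutual.attach(GenuineNetwork(ki)),
        "mutual_to_rogue": phone_mutual.attach(RogueBaseStation()),
    }
```

Only the phone that demands a network proof refuses the rogue base station; the 2G phone answers the bogus challenge and attaches.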
Here are Ralf’s slides from his hack.lu presentation.
Here is the abstract from Ralf’s talk scheduled to be delivered at DeepSec 2010 in Nov 2010:
Attack scenarios against mobile phones have thus far concentrated on the application processor. While code running on these processors is getting hardened by vendors, as can be seen in the case of Apple’s iPhoneOS (the current release uses data execution prevention and code signing), the GSM stack running on the baseband processor is neglected. The advent of several open-source solutions for running GSM base stations is a game-changer: Malicious base stations are not within the attack model that was assumed by the GSM MoU and baseband vendors. This paper explores the viability of attacks against the baseband processor of GSM cellular phones and shows first practical results that enable code execution on them. It will include a demo of a practical exploitation of a remote memory corruption on the iPhone.
