By making simple modifications to common Motorola phones, researchers in Berlin have shown they can block calls and text messages intended for nearby people connected to the same cellular network. The method works on the second-generation (2G) GSM networks that are the most common type of cell network worldwide. In the U.S., both AT&T and T-Mobile carry calls and text messages using GSM networks.
The attack involves modifying a phone’s embedded software so that it can trick the network out of delivering incoming calls or SMS messages to the intended recipients. In theory, one phone could block service to all subscribers served by base stations within a network coverage area known as a location area, says Jean-Pierre Seifert, who heads a telecommunications security research group at the Technical University of Berlin. Seifert and colleagues presented a paper on the technique at the Usenix Security Symposium in Washington, D.C., last week. An online video demonstrates the attack in action.
Seifert’s group modified the embedded software, or “firmware,” on a chip called the baseband processor, the component of a mobile phone that controls how it communicates with a network’s transmission towers.
In normal situations, when a call or SMS is sent over the network, a cellular tower “pages” nearby devices to find the one that should receive it. Normally, only the proper phone will answer—by, in effect, saying “It’s me,” as Seifert puts it. Then the actual call or SMS goes through.
The rewritten firmware can block calls because it can respond to paging faster than a victim’s phone can. When the network sends out a page, the modified phone says “It’s me” first, and the victim’s phone never receives it.
“If you respond faster to the network, the network tries to establish a service with you as an attacker,” says Nico Golde, a researcher in Seifert’s group. That’s enough to stall communications in a location area, which in Berlin average 200 square kilometers in size. The group didn’t design the hack to actually listen to the call or SMS but just hijacked the paging process.
Traditionally, the details of how baseband processors work internally has been proprietary to makers of chips and handsets. But a few years ago, baseband code for a certain phone, the Vitelcom TSM30, leaked out. That enabled researchers to understand how baseband code works and spawned several open-source projects to study and tweak it.
The Berlin group used that open-source baseband code to write replacement software for Motorola’s popular C1 series of phones (such as the C118, C119, and C123). Those devices all use Texas Instruments’ Calypso baseband processor.
The researchers tested their attack by blocking calls and messages just to their own phones. However, they calculate that just 11 modified phones would be enough to shut down service of Germany’s third-largest cellular network operator, E-Plus, in a location area. “All those phones are listening to all the paging requests in that area, and they are answering ‘It’s me,’ and nobody in that cell will get an SMS or a phone call,” Seifert explains.
Jung-Min Park, a wireless-security researcher at Virginia Tech, says that although devising the attack requires detailed technical knowledge, once it is created, “if someone had access to the same code and hardware, repeating the attack should be possible for an engineer.”
Although carriers today mostly tout their 3G and 4G services, most networks around the world still use GSM networks. Around four billion people worldwide use GSM networks for calls, and carriers also use them for some machine-to-machine applications.
The problem could be fixed, but that would require changing GSM protocols to require phones to prove their identity through an additional exchange of encrypted codes. “The defense is expensive to deploy,” says Victor Bahl, principal researcher and manager of the mobility and networking research group at Microsoft. “I can only speculate that the cell network providers are reluctant to invest in mitigation strategies in the absence of an immediate threat.”
Seifert says the research of his group and others shows that basic aspects of mobile communications can no longer be assumed to be safe from hacking. “The answer of the carriers is: ‘It’s illegal—you are not allowed to do it,’” he says, “However, the implication is that the good old times, where you can assume that all the phones are honest and following the protocol, are over.”