Less Radiation

After the 27th of December GSM won’t be the same again.

26C3 hacker conference 27th-30th December (C3 stands for Chaos Computer Club of Germany).

In December 2007 we saw Bluetooth hacked at 24C3.
In December 2008 we saw Dect hacked at 25C3.
This years it’s GSM’s turn.

Here are the interesting GSM talks to look out for. I’m sure they’ll appear on Youtube after the event.

27th Dec 21:45 – Chris Paget & Karsten Nohl

“The worlds most popular radio system has over 3 billion handsets in 212 countries and not even strong encryption. Perhaps due to cold-war era laws, GSM’s security hasn’t received the scrutiny it deserves given its popularity. This bothered us enough to take a look; the results were surprising.

From the total lack of network to handset authentication, to the “Of course I’ll give you my IMSI” message, to the iPhone that really wanted to talk to us. It all came as a surprise – stunning to see what $1500 of USRP can do. Add a weak cipher trivially breakable after a few months of distributed table generation and you get the most widely deployed privacy threat on the planet.

Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS’ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever.”

29th Dec 16:00 – Dieter Spaar

Playing with the GSM RF Interface

Doing tricks with a mobile phone

This talk will show what can be done by taking control of the GSM RF part of a mobile phone, for example performing a DoS attack to the GSM network or using the phone as a sniffing device.

If the RF hardware of a mobile phone can be controlled, lots of things are possible, for example:

* Sending continuous Channel Request which can lead to a huge load for a GSM cell and could be considered as a DoS attack to the GSM network.
* Use a mobile phone as a cheap GSM receiver for sniffing the air traffic somehow similar to what can be done with the USRP.

29th Dec 17:15 – Harald Welte

Using OpenBSC for fuzzing of GSM handsets

With the recent availability of more Free Software for GSM protocols such as OpenBSC, GSM protocol hacking is no longer off-limits. Everyone can play with the lower levels of GSM communications.

It’s time to bring the decades of TCP/IP security research into the GSM world, sending packets incompatible with the state machine, sending wrong length fields and actually go all the way to fuzz the various layers of the GSM protocol stack.

The GSM protocol stack is a communications protocol stack like any other. There are many layers of protocols, headers, TLV’s, length fields that can “accidentially” be longer or shorter than the actual content. There are timers and state machines. Wrong messages can trigger invalid state transitions.

This protocol stack inside the telephone is implemented in C language on the baseband processor on a real-time operating system without any memory protection.

There are only very few commercial GSM protocol stack implementations, which are licensed by the baseband chipset companies. Thus, vulnerabilities discovered in one phone will likely exist in many other phones, even of completely different handset manufacturers.

Does that sound like the preamble to a security nightmare? It might well be! Those protocol stacks never have received the scrutiny of thousands of hackers and attack tools like the TCP/IP protocol suite on the Internet.

It’s about time we change that.