GSM Security By Obscurity Nearly Over.
In the past 12 months we’ve seen GSM pulled to bits by the hacker/security researcher community.
We now have software for the USRP radio peripheral that can make it behave just like a GSM cell phone tower – routing calls on cruise ships & third-world countries (or anywhere else you can get away without a proper licence) via Asterisk VoIP from regular GSM phones.
Also, we’ve now got the ability to snoop almost in real time on encrypted GSM phone calls, thanks to 2GB of rainbow lookup tables & the USRP peripheral.
The last piece of the puzzle is getting an open source OS onto a regular mobile phone and grabbing hold of the phone’s baseband firmware – so you can make it do what you want. This is a crucial step – it’s the difference between merely sniffing traffic & being able to inject your own malformed packets. Normally a phone’s baseband firmware is set in stone – a bit like sending fixed AT commands to a modem – but once you can build your own baseband OS, you can then make up your own commands – which is real progress.
To give you an idea of what can be done when you can grab a phone by its low-level-balls like this – at the CCC 2009 conference a phone was reprogrammed so it would constantly request that the cell phone tower open a channel for it. Flooded with enough requests this would stop anyone else using that mast.
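From the network side, the flood described above shows up as an abnormal burst of channel requests on one cell. As an added example (not code from the original post or from any of the projects it mentions), here is a small detector run over a constructed request log. A GSM channel request carries only a short random reference and an establishment cause, not the phone's identity, so the count is kept per cell rather than per handset; the log format, cell IDs, window size and threshold are all assumptions made for illustration.

```python
"""Cell-level detector for channel-request floods (added example, constructed data)."""
from collections import defaultdict, deque


def build_sample_log():
    """Constructed sample log of (timestamp_seconds, cell_id) channel-request events.

    Cell 101 sees normal sporadic traffic; cell 202 sees light background
    traffic plus a burst of 60 requests within one second. All values are
    invented for illustration.
    """
    events = []
    for i in range(30):                      # one request every 2 s on cell 101
        events.append((i * 2.0, 101))
    for i in range(10):                      # one request every 5 s on cell 202
        events.append((i * 5.0, 202))
    for i in range(60):                      # burst: 60 requests in 1 s on cell 202
        events.append((31.0 + i / 60.0, 202))
    return events


def detect_request_floods(events, window_s=1.0, threshold=25):
    """Return {cell_id: peak_count} for cells whose channel-request count within
    any sliding window of window_s seconds reaches threshold.

    The sliding window is a per-cell deque of recent timestamps; events are
    processed in time order, so each timestamp is appended and popped once.
    The threshold is an assumed figure; a real deployment would derive it
    from that cell's observed baseline.
    """
    recent = defaultdict(deque)
    peaks = {}
    for ts, cell in sorted(events):
        q = recent[cell]
        q.append(ts)
        while ts - q[0] > window_s:          # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[cell] = max(peaks.get(cell, 0), len(q))
    return peaks


if __name__ == "__main__":
    for cell, peak in detect_request_floods(build_sample_log()).items():
        print(f"cell {cell}: {peak} channel requests in a 1 s window")
```

Because the detector keys on the cell rather than on an identity, it cannot say which handset is responsible, only that the cell is under unusual request load; that is the limit the random-reference design of the request imposes on any network-side detection.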
Phones which are likely usable for this are hard to get hold of. Try looking for a Calypso C123 on eBay... good luck. Alternatives available to UK readers are the J100i from Nokia and the V171 from Motorola. I counted a handful of each. The J100i sports a colour screen, but is otherwise about as sophisticated as an old Nokia 3310. You need old hardware like this for reverse engineering.