DOI: 10.5555/2534766.2534770

Let me answer that for you: exploiting broadcast information in cellular networks

Published: 14 August 2013

Abstract

Mobile telecommunication has become an important part of our daily lives. Yet, industry standards such as GSM often exclude scenarios with active attackers: devices participating in communication are seen as trusted and non-malicious. By implementing our own baseband firmware based on OsmocomBB, we violate this trust and are able to evaluate the impact of a rogue device with regard to the usage of broadcast information. Through our analysis we show two new attacks based on the paging procedure used in cellular networks. We demonstrate that, for at least GSM, it is feasible to hijack the transmission of mobile terminated services such as calls, and to perform targeted denial of service attacks against single subscribers as well as against large geographical regions within a metropolitan area.


Cited By

  • (2019) Power-Positive Networking. ACM Transactions on Sensor Networks 15(3), 1-25. doi:10.1145/3317686. Online publication date: 17 May 2019.
  • (2019) Insecure connection bootstrapping in cellular networks. Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks, 1-11. doi:10.1145/3317549.3323402. Online publication date: 15 May 2019.
  • (2018) A Formal Analysis of 5G Authentication. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 1383-1396. doi:10.1145/3243734.3243846. Online publication date: 15 October 2018.
  • (2017) Power-positive networking using wireless charging. Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 52-57. doi:10.1145/3098243.3098265. Online publication date: 18 July 2017.
  • (2015) Breaking and Fixing VoLTE. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 328-339. doi:10.1145/2810103.2813718. Online publication date: 12 October 2015.
  • (2014) IMSI-catch me if you can. Proceedings of the 30th Annual Computer Security Applications Conference, 246-255. doi:10.1145/2664243.2664272. Online publication date: 8 December 2014.
  • (2014) Vulnerability and Protection of Channel State Information in Multiuser MIMO Networks. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 775-786. doi:10.1145/2660267.2660272. Online publication date: 3 November 2014.
Published In

SEC'13: Proceedings of the 22nd USENIX conference on Security
August 2013, 702 pages
ISBN: 9781931971034
Program Chair: Sam King

Sponsors: Akamai, Google Inc., IBM Research, NSF, Microsoft Research

Publisher: USENIX Association, United States
