Open Source in GSM Could Breed Mobile Mayhem
Jan 18, 2011 5:00 AM PT
Mobile malware may grow as a security threat this year, but security researcher Ralf-Philipp Weinmann says there's a worse threat lurking around -- the GSM baseband system.
The threat from hacking GSM baseband systems has been largely ignored, Weinmann reportedly told the audience at a presentation at the Black Hat security conference in Washington, D.C., Monday.
The advent of open source code for base station programming now lets hackers create their own base stations that will let them take over all smartphones within range in a scenario Weinmann calls the "baseband apocalypse."
What's With this Baseband Stuff?
In a cellphone network, the base station system handles traffic and signals between a mobile phone and the network subsystem. Base transceiver stations are found at cell antenna sites.
By creating a rogue base transceiver station using easily available open source baseband code, Weinmann has previously demonstrated that hackers can easily take over smartphones within the range of the rogue station.
Weinmann's found that Layer 3 of the GSM Um interface, which manages connectivity, mobility and radio resources, has many vulnerabilities that can be easily exploited. At Black Hat, he demonstrated what he claimed are the first over-the-air exploitations of memory corruption in GSM/3GPP stacks that allow malicious code to be executed on baseband processors.
Weinmann has made several presentations on the danger from GSM base station systems over the past year. He says neither the GSM Association nor the European Telecommunications Standards Institute have considered the possibility of hackers setting up or using malicious base stations to compromise mobile phones.
The GSM Association and AT&T, which uses GSM technology, did not respond to requests for comment by press time.
What Clear and Present Danger?
With the advent of inexpensive new hardware such as femtocells, the threat of someone setting up a rogue base transceiver station is increasing, Weinmann contended.
Wireless carriers in the United States are making femtocells readily available to consumers in hopes of broadening their coverage areas. AT&T, for example, offers the 3G MicroCell, which acts as a mini-cellular tower, to subscribers.
Weinmann's scenario has hackers setting up cheap rogue transceivers at busy sites such as airports or in the financial districts of cities, or near embassies.
Other security researchers, however, have questioned whether this constitutes a serious threat.
"GSM isn't being used for transmitting mission-critical data," Godfrey Chua, director of mobility at ACG Research, told LinuxInsider.
"Perhaps that's why it hasn't been a priority to be addresses," Chua added. "GSM systems are basically designed for voice."
Further, specifications for the GSM standard were published in 1990, well before wireless data transmission was envisioned, Chua said.
Weinmann did not respond to requests for comment by press time.