Open Source in GSM Could Breed Mobile Mayhem

Mobile malware may grow as a security threat this year, but security researcher Ralf-Philipp Weinmann says there’s a worse threat lurking around — the GSM baseband system.

The threat from hacking GSM baseband systems has been largely ignored, Weinmann reportedly told the audience at a presentation at the Black Hat security conference in Washington, D.C., Monday.

The advent of open source code for base station programming now lets hackers create their own base stations that will let them take over all smartphones within range in a scenario Weinmann calls the “baseband apocalypse.”

What’s With this Baseband Stuff?

In a cellphone network, the base station system handles traffic and signals between a mobile phone and the network subsystem. Base transceiver stations are found at cell antenna sites.

By creating a rogue base transceiver station using easily available open source baseband code, Weinmann has previously demonstrated that hackers can easily take over smartphones within the range of the rogue station.

Weinmann’s found that Layer 3 of the GSM Um interface, which manages connectivity, mobility and radio resources, has many vulnerabilities that can be easily exploited. At Black Hat, he demonstrated what he claimed are the first over-the-air exploitations of memory corruption in GSM/3GPP stacks that allow malicious code to be executed on baseband processors.

Weinmann has made several presentations on the danger from GSM base station systems over the past year. He says neither the GSM Association nor the European Telecommunications Standards Institute have considered the possibility of hackers setting up or using malicious base stations to compromise mobile phones.

The GSM Association and AT&T, which uses GSM technology, did not respond to requests for comment by press time.

What Clear and Present Danger?

With the advent of inexpensive new hardware such as femtocells, the threat of someone setting up a rogue base transceiver station is increasing, Weinmann contended.

Wireless carriers in the United States are making femtocells readily available to consumers in hopes of broadening their coverage areas. AT&T, for example, offers the 3G MicroCell, which acts as a mini-cellular tower, to subscribers.

Weinmann’s scenario has hackers setting up cheap rogue transceivers at busy sites such as airports or in the financial districts of cities, or near embassies.

Other security researchers, however, have questioned whether this constitutes a serious threat.

“GSM isn’t being used for transmitting mission-critical data,” Godfrey Chua, director of mobility at ACG Research, told LinuxInsider.

“Perhaps that’s why it hasn’t been a priority to be addresses,” Chua added. “GSM systems are basically designed for voice.”

Further, specifications for the GSM standard were published in 1990, well before wireless data transmission was envisioned, Chua said.

Weinmann did not respond to requests for comment by press time.

1 Comment

  • A few days ago, I saw here http://digitallife.nl/internet/18404–open-android-is-onveiliger-dan-iphone-.html (Dutch text) that a safety advisor said that Android has more chance to get viruses because it’s FOSS and hackers can see the source-code.

    This seemed complete nonsense to me as there are a lot of FOSS projects that are safer than the proprietary counterpart.

    But after reading this, I assume that it’s just a wrong translation. It’s not Android that is more vulnerable because it’s FOSS. But because of FOSS GSMs, there is a bigger chance that a hacker can hack a network.

    I don’t say that Android is necessarily safer than iOS or RIM phones, but I say that the difference between those phones doesn’t come from the difference between FOSS and closed software.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

LinuxInsider Channels