A demonstration of how cellular transmissions from mobile phones can be subverted and users’ mobiles fooled into logging into a rogue GSM station, so allowing calls to be eavesdropped and falsified, has highlighted the fact that the designers of the GSM standard never envisaged the need for ultra-high levels of security on mobile calls.
“When the GSM standard was formulated more than 20 years ago, the developers were required to design a digital successor to the analogue cellular standards of the day. As a result, security was only added after the basic standard was developed,” said Barmak Meftah, Fortify Software’s chief products officer.
“Security was not built into the standard from day one, but essentially added as an afterthought. And that is why we have today’s crackers able to subvert the technology using an `evil twin’ methodology that is widely used when hacking WiFi networks,” he added.
According to the software security assurance expert, evil twin attacks, in which a rogue base station is placed close to the WiFi network that is to be hacked, has been around for a number of years, and fool the mobile into logging into the rogue base station, and handing over its handshaking credentials.
It is the same with Chris Paget’s rogue micro cellular base station, says Meftah, as, similar to the WiFi evil twin scenario, the user session can be relayed onto the legitimate network, allowing the cracker to stage a man in the middle attack on the cellular user, eavesdropping on the call and the data handshaking procedures.
The bad news here, he explained, is that not only are the call contents recordable, but the cracker can then generate the handshake credentials at another cellular base station, and place outgoing calls on the cracked cellular users’ account.
Call resale fraud was a major problem in the early analogue days of cellular, and allowed `calling shops’ on street corners to rent out mobiles for lengthy calls to foreign destinations for a few pounds/dollars, but end up with the legitimate cellular users footing the bill – or his operator, if the bill is extraordinarily high, he went on to say.
The really bad news about this hack, says the Fortify product chief, is that it exploits a structural flaw in the GSM standard that is difficult to fix retrospectively, as there are hundreds of millions of existing standard phones in regular usage.
“Sure, the networks can increase the security of their networks to beat this problem, but that leaves existing mobile users high and dry. It really shows how a lack of investment in security at the development stages, building security firmly into the technology, has not been made,” he said.
“It all comes down to the program code that the GSM standard developments worked on. This could have serious repercussions for GSM users across the world,” he added.
The hack demo was carried out at the hackers conference, DefCon 2010, in Las Vegas this month.