Baseband processors will probably be the top future exploit target, now that mobile is exploding. These processors are the central interconnect between microphones, the GPS and a bunch of other peripherals on a smartphone (any phone, really). They run proprietary binary blobs on mostly lower-end ARM SoCs, and due to their nature, most any exploit will be remote, and you will have a high-bandwidth uplink to share the spoils.
The binary blobs are usually some variant of a homegrown RTOS system, written in C. Given the low-end processors used, there is no isolation between processes (no MMU), and the complex 3G et al. signalling has lots of nasty error paths and interrupt goodness.
I had started to fear this. As an Android fanboy, my biggest problem is that no phone is open. I try to explain what a baseband processor and a DSP are, and most people are confused about why it matters.
Are there any fun phones (I assume in the US it would be illegal to sell one) with reprogrammable/more open baseband chips? Does anyone know anything about this topic? I would love to make this a hobby/obsession if there was a small place to enter this research outside of the industry.
A good place to look is the replicant[1] project which aims to offer a fully open-source version of Android. Most supported phones sadly have closed-source modems and other stuff.
There's one phone there[2] where only the wifi is non-free. So my guess is turning off wifi gives you a totally free phone. This is an OpenMoko phone, which is also an open-hardware phone.
Regarding fun: I think you can't run the Play Store there, so you lose the Google apps. And the phone we're talking about is weak: Cortex-A8, 512MB.
Your best bet would be osmocomBB with the Motorola C123.
That said, if you are just interested in the reverse engineering bits, most smartphones nowadays allow uploading new 'radio' images. So you can find a bunch of manufacturer firmware images for these baseband processors, with lots and lots of debug messages in them:
AFAIK there is no legal mandate that says a baseband cannot be flashable. The FCC will not grant certification to a device where the frequencies could be changed, but that just means it couldn't be sold directly in the US. You could easily get such a phone from overseas though.
I'm not sure how that regulatory structure works in other countries. I'm sure it's mostly similar.
I'm currently doing some work in this field and wholeheartedly agree. There's an incredible amount of shaggy hackiness in many 3G devices, both mobile and operator infrastructure (and don't even get me started on LTE), to the extent that I sometimes simply can't believe it works.
This is a simple race condition exploiting the baroque way that GSM signalling works. When a call (or an SMS) comes in:
* the basestation will send an alert to the mobile phone ("contact me, I've got something for you")
* the mobile phone will request a channel ("hey, let's talk")
* the basestation will allocate a channel ("yo, talk here")
* the mobile phone will authenticate ("it's me, TMSI:xxxxx")
* the basestation will lookup pending signalling ("oh, got something for ya")
That is the very rough outline of how GSM signalling works. My guess is that the basestation will clear the pending signalling for the mobile phone even if the authentication fails. So an attack can pre-allocate a bunch of channels and then send spoofed auth messages to the basestation. The attacker won't be able to actually authenticate because they don't have the Ki (the GSM keys stored on the SIM). This is just a race condition, and it seems like it would be noisy for the telcos' ops center, which would receive a lot of alerts about failing authentication and call/SMS delivery failures.
I haven't read the paper, but that's a guess as to how it works. There are loads of ways to DoS the basestation. This doesn't seem that exciting.
Well, the article says that it doesn't DoS the base station, but a group of stations called a location area. This location area in Berlin for example is 200 square kilometers. That's quite a bit more than a single base station. And all you need is a cheap GSM feature phone. You could probably turn it on and literally toss it on a bus to take a quarter of the city offline with a rolling DoS jammer. Hard to find in case someone tries.
For "basestation" read "the network". The partitioning of responsibility within a GSM network is relevant to this attack only in regards to which component maintains the "signals-pending table". There are a number of different locations this could be stored, depending on how the network is setup.
They are doubtless using osmocom-bb, which is an open source baseband implementation for a number of older phones using an old baseband board. The implementation of the attack is not relevant to the attack itself. You could implement it with an SDR, or with osmocom-bb compatible boards, or whatever. It is still a race condition that they've figured out how to win.
The solution is simple. The network needs to maintain the "signals-pending table" entry for a mobile until it successfully authenticates, or the entry times out. If they are flushing the entry after an unsuccessful authentication attempt then it enables a DoS, such as this one. I still have a hard time believing this is how it actually works because it seems like the network is behaving incorrectly.
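What the race guessed at a few posts up, and the fix proposed just above, look like side by side in code. This is an added toy model, not code from the thread, from osmocom-bb or from any real GSM stack: there is no layer-3 message encoding, the TMSI string "tmsi-A", the channel numbers, the SMS text and the HMAC stand-in for the SIM's A3 algorithm are all made up here. The only property of A3 the model relies on is that without Ki you cannot answer a fresh RAND. The `flush_on_auth_failure` flag selects the hypothesised buggy behaviour (pending entry dropped when any device fails to authenticate as that TMSI) or the hardened one (entry survives until a successful authentication or a timeout).

```python
"""Toy model of the GSM paging / authentication exchange discussed above.

Constructed illustration only: TMSIs, channel numbers and the message are
made up, and a3_sres() is an HMAC stand-in, not COMP128 or Milenage.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's A3: SRES = f(Ki, RAND).  Without Ki an
    attacker cannot produce a valid SRES for a fresh RAND."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


@dataclass
class Network:
    """Whichever network element owns the 'signals-pending table'."""
    flush_on_auth_failure: bool      # the hypothesised bug from the thread
    keys: dict                       # TMSI -> Ki, as held by the AuC/HLR
    pending: dict = field(default_factory=dict)     # TMSI -> [(msg, t)]
    delivered: list = field(default_factory=list)
    failed_auths: int = 0            # what the ops centre would see spike
    challenges: dict = field(default_factory=dict)  # channel -> (TMSI, RAND)

    def incoming(self, tmsi: str, msg: str, now: int = 0):
        """A call/SMS arrives: queue it and broadcast a paging request."""
        self.pending.setdefault(tmsi, []).append((msg, now))
        return ("PAGING_REQUEST", tmsi)

    def paging_response(self, channel: int, tmsi: str):
        """A mobile on an allocated channel claims to be TMSI; challenge it."""
        rand = os.urandom(16)
        self.challenges[channel] = (tmsi, rand)
        return ("AUTHENTICATION_REQUEST", rand)

    def auth_response(self, channel: int, sres: bytes) -> str:
        tmsi, rand = self.challenges.pop(channel)
        if hmac.compare_digest(sres, a3_sres(self.keys[tmsi], rand)):
            for msg, _ in self.pending.pop(tmsi, []):
                self.delivered.append((tmsi, msg))
            return "AUTH_OK"
        self.failed_auths += 1
        if self.flush_on_auth_failure:
            self.pending.pop(tmsi, None)    # bug: message silently dropped
        return "AUTH_REJECT"

    def expire(self, now: int, ttl: int) -> None:
        """Hardened behaviour: entries leave the table only on a successful
        auth or after ttl, never because some other device failed auth."""
        for tmsi in list(self.pending):
            keep = [(m, t) for m, t in self.pending[tmsi] if now - t < ttl]
            if keep:
                self.pending[tmsi] = keep
            else:
                del self.pending[tmsi]


def run_scenario(flush_on_auth_failure: bool) -> dict:
    """Attacker wins the race to answer the page; the victim answers second."""
    ki = os.urandom(16)                       # lives only on the SIM and AuC
    net = Network(flush_on_auth_failure, keys={"tmsi-A": ki})
    page = net.incoming("tmsi-A", "SMS: hello")
    assert page == ("PAGING_REQUEST", "tmsi-A")

    # Attacker pre-allocated channel 1, hears the page for tmsi-A and
    # answers first.  It has no Ki, so its SRES is just noise.
    net.paging_response(channel=1, tmsi="tmsi-A")
    attacker = net.auth_response(channel=1, sres=os.urandom(4))

    # The real phone answers a moment later on channel 2 and can actually
    # pass the challenge.  Whether it still gets the SMS depends on whether
    # the failed attempt above flushed the pending entry.
    _, rand = net.paging_response(channel=2, tmsi="tmsi-A")
    victim = net.auth_response(channel=2, sres=a3_sres(ki, rand))

    return {"attacker": attacker, "victim": victim,
            "delivered": list(net.delivered),
            "failed_auths": net.failed_auths}


if __name__ == "__main__":
    for bug in (True, False):
        print("flush_on_auth_failure=%s -> %s" % (bug, run_scenario(bug)))
```

With the buggy flag set the victim authenticates fine but `delivered` stays empty, which is exactly the "lost SMS" the next post finds hard to believe; with it cleared the message is delivered after the victim's `AUTH_OK`. In both cases `failed_auths` ticks up once per attacker attempt, which is the ops-centre noise mentioned above, so a per-cell rate of rejected paging responses is the obvious thing to alert on.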
I also don't believe that's how it works, for SMS at least. Authentication can also fail due to a broken device or to a poor connection. Does that mean SMS messages can get lost? Doesn't make sense.
Also, since this is a race condition, it means that the exploit can't block all incoming calls.
Someone more knowledgeable than me, please correct my presumptuous understanding, because this seems easily mitigated.
I would imagine that, like with your home network, cell phones have multiple addressing schemes in a network. So there's your phone number, but there's also some kind of network address that I have received from the carrier, and then probably some kind of address that refers to my connection with the tower.
I would assume that something similar to ARP goes on here. A message comes in for 415xxxxxxx, my phone. When AT&T gets it, they determine that phone number is network address 1234, and they have some system that says 1234 is currently in tower X. Tower X gets the message and broadcasts a request for the phone corresponding to device 1234. At this point, pirate device with tower address ABCD responds that it is, falsely, AT&T's 1234. The message is then sent to the phone whose address in tower space is ABCD. My phone was actually DEFG but I couldn't reply fast enough.
So, if this pirate phone responds to multiple requests, for multiple AT&T subscriber addresses, claiming to have all those addresses, can't the tower just cap it at like 3 addresses? After that can't it be determined to be a pirate device and disconnected from the network? If one device claims messages intended for more than 3 addresses, isn't it safe to say it's faulty or spoofing?
Where am I wrong here? It seems like this level of ability should be built into a protocol that requires recipients to identify themselves? Like if I issue an ARP request on my Ethernet network, and the same MAC address always comes back, that would be a detectable attack (assuming it was not my gateway). Isn't this the same principle?
This talks about screwing around with the network by acting like another phone to do denial of service. Can't you achieve the same result just by transmitting noise on the same frequencies? If you're blasting out paging responses, won't that be just as "easy" to track down as transmitting noise?
Modifying them to intercept calls/SMS is more threatening, especially as GSM and SMS look like attractive protocols for doing mobile apps and payments in "developing" areas.
Transmitting noise across the entire spectrum of frequencies that a cellular carrier uses would probably take a much larger and more expensive transmitter, a bigger antenna and more power. (You'd have to jam all the bands available to the carrier, since a tower can just tell a phone to switch to another frequency if there's a reception problem.) In contrast, all this exploit requires is a cheap cell phone.
I am surprised that the baseband paging firmware code is closed and has not already been reverse engineered. And if so, it is surprising to me why we have never come across any attack like this in real life.
The more cynical outlook would be that the baseband firmware has been reverse engineered and broken long ago, the fruits of this effort kept from being aired due to the high price they could command on the black market.
Does anyone know if CDMA is vulnerable to the same paging hijack?
I know that Verizon here in the US registers the ESN/MEID of the device itself for service provisioning (with a SIM only being used for GSM roaming and LTE).
I would guess that CDMA doesn't have to 'page' to find the right phone (though it might ping to see if it's still connected / in range) as the phone's ID is already associated with the number (no need to query a SIM).
This will be responsible for a few deaths if it ever becomes widespread. The obvious way is by preventing people from calling 911, but the other way, potentially just as deadly, is preventing people who are on-call from being called into hospitals where their services are required.
Someone who's on-call isn't always at the hospital. They might well be across town, within a certain range as dictated by maximum response time; that is, they can be anywhere within fifteen minutes' travel to the hospital once they've been called. Of course, if they don't get the call, or get the call late, that could mean someone's life.
There's an actual, articulable reason shit like this is illegal, and it isn't just arbitrary FCC bullshit. Being annoyed at cell phone calls isn't worth someone's life.
Not to detract from your point, but it wouldn't affect home lines, so they'd still be able to contact 911. As for cell phones, if someone, say, collapses in public, I've witnessed 5+ people try to contact 911. The likelihood of everyone having the same network and thus being knocked out is relatively low.
And finally, many doctors use pagers/beepers, which wouldn't necessarily be knocked out in the same way a GSM network would.
But that's just me talking on a few details; I agree with you, it should obviously be illegal and could be deadly.
> it wouldn't affect home lines, so they'd still be able to contact 911.
First: Land lines, not home lines. My home line is a cell phone. Many others can say the same.
And this only helps when a land line is available, and when someone thinks to use it. Being out in the boonies is an obvious failure mode, but the other one, which can also be deadly, is people getting panicky and forgetting that the phone what hooks to the wall can be used to make calls.
> As for cell phones, if someone, say, collapses in public, I've witnessed 5+ people try to contact 911. The likelihood of everyone having the same network and thus being knocked out is relatively low.
Maybe I'm too used to living in the boonies, but I doubt most of the towns I've been to have any more than one network for the entire community. Simply not cost-effective to build-out in the flyover states.
> And finally, many doctors use pagers/beepers, which wouldn't necessarily be knocked out in the same way a GSM network would.
I know for a fact there are towns which are cell phone only as far as hospital personnel are concerned. You're right that pagers would likely be immune to this, but that only helps if they're actually being used.
When I said the same network, I probably should have said network provider - I meant that if a GSM network is knocked out, odds are there's a CDMA Verizon user in the bunch trying to call 911.
This attack will not affect the caller because "paging" is only used when the network tries to get in contact with a phone that it doesn't already have an ongoing connection with.
It should affect all Network initiated communications though including push notifications.
I could see it potentially being much worse. Someone could buy a phone for every tower, set them up to wait for a trigger call that, when received, will cause them to block every call in the country simultaneously. There are probably close to 200k towers in America so it would be fairly expensive and unlikely to get that many devices into place. Then again someone could just target the top 5 populated cities, or coordinate it with a terrorist attack, or be smart enough to know what the stock market would do...