This is a simple race condition exploiting the baroque way that GSM signalling works. When a call (or an SMS) comes in:
* the basestation will send an alert to the mobile phone ("contact me, I've got something for you")
* the mobile phone will request a channel ("hey, let's talk")
* the basestation will allocate a channel ("yo, talk here")
* the mobile phone will authenticate ("it's me, TMSI:xxxxx")
* the basestation will lookup pending signalling ("oh, got something for ya")
That is the very rough outline of how GSM signalling works. My guess is that the basestation will clear the pending signalling for the mobile phone even if the authentication fails. So an attack can pre-allocate a bunch of channels and then send spoofed auth messages to the basestation. The attacker won't be able to actually authenticate because they don't have the Ki (the GSM keys stored on the SIM). This is just a race condition, and it seems like it would be noisy for the telcos' ops center, which would receive a lot of alerts about failing authentication and call/SMS delivery failures.
I haven't read the paper, but that's a guess as to how it works. There are loads of ways to DoS the basestation. This doesn't seem that exciting.
Well, the article says that it doesn't DoS the base station, but a group of stations called a location area. This location area in Berlin for example is 200 square kilometers. That's quite a bit more than a single base station. And all you need is a cheap GSM feature phone. You could probably turn it on and literally toss it on a bus to take a quarter of the city offline with a rolling DoS jammer. Hard to find in case someone tries.
For "basestation" read "the network". The partitioning of responsibility within a GSM network is relevant to this attack only in regards to which component maintains the "signals-pending table". There are a number of different locations this could be stored, depending on how the network is set up.
They are doubtless using osmocom-bb, which is an open source baseband implementation for a number of older phones using an old baseband board. The implementation of the attack is not relevant to the attack itself. You could implement it with an SDR, or with osmocom-bb compatible boards, or whatever. It is still a race condition that they've figured out how to win.
The solution is simple. The network needs to maintain the "signals-pending table" entry for a mobile until it successfully authenticates, or the entry times out. If they are flushing the entry after an unsuccessful authentication attempt then it enables a DoS, such as this one. I still have a hard time believing this is how it actually works because it seems like the network is behaving incorrectly.
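The paging flow outlined earlier in the thread and the fix proposed in this comment can be put side by side in a small model. The following is an added illustration, not code from the thread, the paper, osmocom-bb or any real network stack: it simulates only the network-side "signals-pending table" keyed by TMSI, with a flag that switches between the suspected behaviour (entry dropped after a failed authentication) and the proposed fix (entry kept until successful authentication or timeout). The class and function names, the TMSI value, the shared Ki and the use of an HMAC in place of the SIM's A3 algorithm are all assumptions made for the example.

```python
"""Toy model of a GSM paging 'signals-pending table' (added example).

Models the race the thread describes: a page is pending for a TMSI, an
impersonator without the Ki answers the page first and fails
authentication, then the real phone answers. Whether the real phone still
receives the page depends on what the network did with the entry on
failure. Nothing here speaks real GSM; names and values are assumptions.
"""
import hashlib
import hmac

# Constructed sample data (assumption): one subscriber whose Ki the network
# and SIM share. The impersonator does not have it.
SUBSCRIBER_KI = {"tmsi-1234": b"\x01" * 16}


def auth_response(ki, rand):
    """Stand-in for the SIM's A3 computation: any keyed MAC makes the point."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class PagingTable:
    """Network-side pending-signalling table keyed by TMSI.

    flush_on_auth_failure=True models the behaviour the thread suspects;
    False models the fix (keep the entry until success or timeout).
    """

    def __init__(self, flush_on_auth_failure, ttl_s=30.0):
        self.flush_on_auth_failure = flush_on_auth_failure
        self.ttl_s = ttl_s
        self.now = 0.0          # simulated clock, seconds
        self.pending = {}       # tmsi -> (payload, expiry)
        self.delivered = []
        self.auth_failures = 0  # the ops-center signal mentioned in the thread

    def tick(self, seconds):
        """Advance the clock and expire stale entries."""
        self.now += seconds
        for tmsi in [t for t, (_, exp) in self.pending.items() if exp <= self.now]:
            del self.pending[tmsi]

    def page(self, tmsi, payload):
        """Network has something for the mobile: record it with a deadline."""
        self.pending[tmsi] = (payload, self.now + self.ttl_s)

    def answer_page(self, tmsi, rand, sres):
        """A mobile (or an impersonator) responds on an allocated channel."""
        ki = SUBSCRIBER_KI.get(tmsi)
        ok = ki is not None and hmac.compare_digest(sres, auth_response(ki, rand))
        if ok:
            entry = self.pending.pop(tmsi, None)
            if entry is not None:
                self.delivered.append((tmsi, entry[0]))
            return True
        # Failed authentication: count it, and in the suspected-buggy
        # variant drop the pending entry, which is what loses the page.
        self.auth_failures += 1
        if self.flush_on_auth_failure:
            self.pending.pop(tmsi, None)
        return False


def simulate(flush_on_auth_failure):
    """Impersonator answers first with a wrong SRES, the real phone second.

    Returns (pages delivered, auth failures seen, entries still pending).
    """
    table = PagingTable(flush_on_auth_failure)
    rand = b"\x42" * 16                      # constructed challenge
    table.page("tmsi-1234", "incoming SMS")
    table.answer_page("tmsi-1234", rand, b"\x00\x00\x00\x00")   # no Ki: guess
    table.answer_page("tmsi-1234", rand,
                      auth_response(SUBSCRIBER_KI["tmsi-1234"], rand))
    return len(table.delivered), table.auth_failures, len(table.pending)


def simulate_timeout(ttl_s=30.0):
    """The fixed variant still frees an entry nobody authenticates for."""
    table = PagingTable(flush_on_auth_failure=False, ttl_s=ttl_s)
    table.page("tmsi-1234", "incoming call")
    table.tick(ttl_s)
    return len(table.pending)


if __name__ == "__main__":
    print("flush on failure :", simulate(True))     # (0, 1, 0): page lost
    print("keep until auth  :", simulate(False))    # (1, 1, 0): page delivered
    print("pending after ttl:", simulate_timeout())  # 0
```

In both variants the failed attempt shows up in `auth_failures`, which is the monitoring signal the earlier comment expects an operator to see; only the flush-on-failure variant also loses the page. The timeout path shows that keeping entries until successful authentication does not require keeping them forever.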
I also don't believe that's how it works, for SMS at least. Authentication can also fail due to a broken device or to a poor connection. Does that mean SMS messages can get lost? Doesn't make sense.
Also, since this is a race condition, it means that the exploit can't block all incoming calls.