
Someone more knowledgeable than me, please correct my presumptuous understanding, because this seems easily mitigated.

I would imagine that, like with your home network, cell phones have multiple addressing schemes in a network. So there's your phone number, but there's also some kind of network address that I have received from the carrier, and then probably some kind of address that refers to my connection with the tower.

I would assume that something similar to ARP goes on here. A message comes in for 415xxxxxxx, my phone. When AT&T gets it, they determine that phone number is network address 1234, and they have some system that says 1234 is currently in tower X. Tower X gets the message and broadcasts a request for the phone corresponding to device 1234. At this point, pirate device with tower address ABCD responds that it is, falsely, AT&T's 1234. The message is then sent to the phone whose address in tower space is ABCD. My phone was actually DEFG but I couldn't reply fast enough.

So, if this pirate phone responds to multiple requests, for multiple AT&T subscriber addresses, claiming to have all those addresses, can't the tower just cap it at like 3 addresses? After that can't it be determined to be a pirate device and disconnected from the network? If one device claims messages intended for more than 3 addresses, isn't it safe to say it's faulty or spoofing?

Where am I wrong here? It seems like this level of ability should be built into a protocol that requires recipients to identify themselves? Like if I issue an ARP request on my Ethernet network, and the same MAC address always comes back, that would be a detectable attack (assuming it was not my gateway). Isn't this the same principle?
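The threshold heuristic the comment proposes (flag any responder that answers paging for more than N subscriber addresses, with an exception for a known gateway), as an added example that is not part of the thread. The "paging response" log format and the field names tower/responder/claims are assumptions made up for illustration, not a real carrier format.

```python
from collections import defaultdict

# Constructed sample "paging response" log lines (assumed format, for illustration only):
# each line records which responder on which tower answered for which subscriber address.
SAMPLE_LOG = """\
tower=X responder=DEFG claims=1234
tower=X responder=ABCD claims=1234
tower=X responder=ABCD claims=1235
tower=X responder=ABCD claims=1236
tower=X responder=ABCD claims=1237
tower=X responder=GW01 claims=2001
tower=X responder=GW01 claims=2002
tower=X responder=GW01 claims=2003
tower=X responder=GW01 claims=2004
tower=Y responder=HIJK claims=3001
"""

def parse_line(line):
    """Parse one 'key=value key=value ...' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def claims_per_responder(log_text):
    """Map each (tower, responder) pair to the set of subscriber addresses it answered for."""
    claims = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        claims[(rec["tower"], rec["responder"])].add(rec["claims"])
    return claims

def flag_spoofers(log_text, cap=3, allowlist=frozenset()):
    """Return a sorted list of (tower, responder, distinct_claims) exceeding the cap.
    Responders in the allowlist (e.g. a known gateway that legitimately answers for
    many addresses) are skipped, mirroring the "assuming it was not my gateway" caveat."""
    flagged = []
    for (tower, responder), addrs in claims_per_responder(log_text).items():
        if responder in allowlist:
            continue
        if len(addrs) > cap:
            flagged.append((tower, responder, len(addrs)))
    return sorted(flagged)

if __name__ == "__main__":
    for tower, responder, n in flag_spoofers(SAMPLE_LOG, allowlist={"GW01"}):
        print(f"tower {tower}: responder {responder} answered for {n} addresses (cap exceeded)")
```

Without the allowlist the gateway GW01 trips the same rule, which is the false-positive case the comment's ARP analogy already anticipates.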
