Cellular network hijacking for fun and profit

Following the success of hijacked network Free Libyana, we took the opportunity to talk to some engineers about the complexity of lifting someone else's infrastructure, and discovered there isn't much. In April this year, Ousama Abushagur hacked into the infrastructure built by the Libyana network in Libya. He cut the …

COMMENTS

This topic is closed for new posts.
  1. Trollslayer
    Thumb Up

    Great article

    A lot of technical and background information explained clearly, thanks!

    Hmmm.... so I can set up a local phone network with a backpack...

  2. Anonymous Coward
    Pirate

    /agree

    Gives a person an excellent outline in which to start populating with local/national data..... how interesting... my mind is a raging torrent, flooded with rivulets of thought cascading into a waterfall of creative alternatives.....

    ;)

    1. DryBones
      Pint

      *ahem*

      Ditto!

    2. Trollslayer
      Devil

      Ditto!

      Thanks Mel.

  3. Henry Wertz 1 Gold badge

    Interestingly...

    GSM actually has a "private GSM network" option. I know my old Siemens S46 had this choice.

    I really don't know if there's any actual spectrum set aside, but the GSM spec allows for the possibility of running your own GSM network within your house or whatever (well, probably meant for businesses) so you could switch your existing phone over and avoid all those fees.

    1. Anonymous Coward
      Anonymous Coward

      private GSM nets

    A few years back I got a tour of the LHC tunnels at CERN, while they were doing the setup. No public networks that deep underground, but my phone found 6 or 7 interestingly-named private ones. Wouldn't connect, though.

  4. Anonymous Coward
    Anonymous Coward

    "Disconnecting any base station"

    "will light up [the office] like a bloody Christmas tree"

    That obviously wasn't an Orange engineer then!

  5. Anonymous Coward
    Anonymous Coward

    You don't need the crypto

    The whole basis of a cell phone intercept based on OpenBTS and a software radio is that there is really NO phone on the market at the moment that follows the GSM standards properly and tells you that it has been instructed to work in unencrypted mode (thanks, anti-terrorist idiots - why couldn't you leave it at LEGAL intercept?).

    This means that you set up a cell as "foreign" and null the authorisation so any phone can log in, then you go live and jam local GSM for a few seconds so each phone will initiate a new seek to the strongest signal (it's not subtle, so you'd only do that if you're in a hurry, otherwise it'll happen in less than 5 mins anyway). And hey, presto, no keys needed and you can intercept anything that is near - as long as you hand off calls nobody will notice a changed route.

    The above setup costs less than $1000 (mostly the transceiver). On a budget you can also sniff SMS, that's even easier (because SMS is actually a control signal). A couple of Motorola phones and a laptop and you can reasonably be sure that no SMS in the vicinity escapes. Or get a cheap Chinese receiver for $300 or so - easier to set up.

    That's why we set up a secure mobile call service - we *know* how easy it is to intercept as we work with researchers in that field. It takes a bit more knowledge than your average voicemail hack (for which we have solutions too), but it no longer needs a rocket scientist, and this situation is not likely to improve soon.

    1. Anonymous Coward
      Anonymous Coward

      You do not need OpenBTS

      Cough, cough, what do you think portable BTSes have been used for during the last 10 years?

  6. Karlos2K
    Mushroom

    Anyone up for a Lulzsec mission?

    I can imagine lulzsec reading this article. And thinking hmmmmmm this could be fun........

    1. Shonko Kid
      Pirate

      set to auto-tweet everything it sees?

      for maximum lulz

  7. Christian Berger

    Actually the CCC does this regularly

    On events hosted by the CCC there regularly is a home grown GSM network.

    http://events.ccc.de/camp/2011/wiki/GSM

    You can either do that with a GSM station you bought from eBay (heavy) or use a USRP. (Though I doubt the second will work without an external clock)

  8. skellious
    Thumb Up

    Very interesting!

    This story was extremely interesting, informative and well written. A star example of Reg Journalism. Thank you!

  9. Mage Silver badge
    Coat

    So

    OK you bought your surplus 4.8m dish off eBay.

    How hard could it be to hijack the Broadcast TV satellites?

    1. Steve X

      Been done

      http://en.wikipedia.org/wiki/Captain_Midnight_(HBO)

      is one of many such.

    2. Christian Berger

      @Mage

      Actually that's moderately simple. You just need to have a considerably stronger signal than the official uplink station, or you need to use an empty transponder which is turned on.

      It is regularly done with UHF Satcom satellites of the US military. On the downlink frequency of 255.55 MHz you will often find satellite pirates.

      1. Dave Bell

        One reason why it's so easy

        You can't get an engineer to a satellite, so it's handy to be able to use the same tricks as the pirates. You keep the security in a place where you can repair it

  10. Anonymous Coward
    Anonymous Coward

    Journalism 101

    "brought in kit"?

    Where did it come from? Who brought it in? Who paid for it? Was it something someone could put in their backpack and bring through customs. Would it need a car to transport it, a truck or maybe a helicopter? etc

  11. HK Craig

    Bridging networks over IP

    What I would like to be able to do is when travelling overseas carry a small personal router sized piece of kit that connects back over the internet to a similar device in my home country (can make use of DDNS). This would build and present my home country mobile network for me to make and receive calls as if I were in my home country. I would also expect sms to work. The micro cell bridge would cover a few or perhaps 10-15 meters only and would have an admin interface where I could permission handsets such that other users would not connect and incur roaming charges thinking they were in my home country. 2 or 3G. Does anyone know of such a product?

    Thanks! Craig.

    1. Bill Ray (Written by Reg staff)

      Re: Bridging networks over IP

      Technically that's easy, even demonstrated earlier this year (http://www.theregister.co.uk/2011/01/26/attocells/), but it's also illegal as your operator has no rights to use spectrum elsewhere in the world.

      So I wouldn't hold your breath for a solution on this one.

      Bill.

    2. Anonymous Coward
      Anonymous Coward

      given that you would need an internet connection at your location anyway..

      Skype?

      Call forward from your cell to skype before you set off... Yeah you will pay to receive calls, but it would still be cheaper.

      Bonus.. that 10-15m zone will be much larger - poolside wifi provided in hotel... skype available, anywhere with wifi.. skype available.

      or you know, you could just buy a cheap pay&go sim at your destination with a bit of data and use skype on your mobile over the existing 3g.. (Assuming this works - it did years ago when I last used skype on the mobile)

    3. zaffhome
      Holmes

      The vodafone sure signal is "technically" such a product I believe

      However I think it has some location sensing protection built in (not sure if it's GPS or network based)

  12. Anonymous Coward
    Black Helicopters

    Is it just me (probably)

    but information like *this* would be far more useful to a bunch of wannabe terrorists than some scanned PDF of "The Anarchists Cookbook". ...

    1. Ru
      Boffin

      Tragically, it isn't just you.

      Of such snippets of information is much security theatre built!

      How many instances of hi-tech terrorism has the world seen? Precious few. Even lulzsec have managed to cause more irritation and gain vastly wider publicity than politically motivated s'kiddies doing website defacements.

      It boils down to the fact that having your phonecalls recorded or having your position tracked or even having your credit card cloned just isn't terrifying in the same way that a few pounds of crude homebrew explosive going off in your local pub is. The latter is much simpler to plan and execute too, requiring much less specialist knowledge or equipment.

  13. Anonymous Coward
    Angel

    I can see...

    ...a rescue chopper or Coast Guard boat carrying one of these and rerouting all the 911 calls in the area, boosting the signal of stranded people in the vicinity of disaster areas.

    This would be something prepared to replace all the local networks and made recognizable by all mobiles in the area, right?

    Remember the latest disaster situations, when all phones, including mobiles, failed?

    Oh, they do that already? My mistake.

  14. Anonymous Coward
    Anonymous Coward

    Be careful

    Insurgents, armies, UN bombing runs, bah. A real sysadmin would keep the network up:

    http://xkcd.com/705/
