
Here come the tinfoil hat brigade!!!
"This must have been written in to the standard so that governments can spy on the people!!!"
Berlin boffins have spotted a procedural flaw in the long-lived GSM protocol and created an exploit around it which can knock out a mobile network or even target an individual subscriber in the same city. The exploit, presented at the 22nd USENIX Security Symposium last week, takes advantage of the fact that GSM lets phones …
In GSM, you are not actually known to the BSC, you're known to the logical grouping of cells known as a "Location Area" (LA), which will comprise a number of cells (typically all connected to one BSC).
So, before you attack a specific mobile, you have to know at least which LA it is in.
TMSIs change each time the mobile changes LA, and may also change if the mobile does what is called a "periodic location update" (which is not triggered by movement), so this attack isn't that long-lasting.
The attack relies on the attacker responding to the paging message faster than the mobile does. In practical terms, this means locating yourself at an "earlier" base station within the location area, as the BSC will typically clunk through BTSs in the LA one at a time - but the differences are in the milliseconds, so you may be at the mercy of the speed of being able to get radio resources to send your paging response. It's certainly possible, but I doubt it's that reliable.
The article claims the hijack is not detectable, but I'd argue that's not true - the MSC will receive multiple paging responses, therefore a trivial modification is required to detect this in software (and indeed may already be implemented in some vendor equipment for all I know). In addition, the network KPIs on call termination success rate would plunge through the floor (for the "global" attack, anyway) and alarm bells that "something" is happening would be ringing within 30 mins. It would take longer to diagnose, I admit, but it is diagnostically possible to work out that this is happening by examining traces from the BSC.
I'd agree that it's possible to hijack a session in networks where the authentication/ciphering are not implemented, although their claim "an attacker can fully impersonate the victim after cracking the session key Kc" seems a bit brief (perhaps it's feasible, I don't know).
The "Detach" attack is clever, I admit.
The standards changes they propose are unlikely to be implemented - the s/w stack for GSM (and UMTS) is so old, there would be too many different devices that would need their firmware re-flashing. Not economical to do.
Overall, a good bit of fun and potentially a headache for an operator. Buy the phones with cash and your attack can be suitably anonymised, too.
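The detection point made in the comment above (the MSC seeing more than one paging response for a single page, plus the mobile-terminated setup KPI falling) as an added example. This is not code from the article, the USENIX paper or the commenter. It assumes a constructed, simplified event trace with invented TMSIs, location area codes and cell IDs; real BSC/MSC traces are not laid out like this, and the event names are placeholders.

```python
from collections import defaultdict

# Constructed sample trace (made up for this example; not a real capture).
# Assumed line format, one event per line:
#   <time_ms> PAGING_REQ <TMSI> LA=<lac>
#   <time_ms> PAGING_RSP <TMSI> CELL=<cell_id>
#   <time_ms> MT_SETUP   <TMSI> <OK|FAIL>
# The second response to TMSI 0x1A2B3C4D (from cell 10103) is the legitimate
# handset; the earlier one from cell 10107 is the racing attacker.
SAMPLE_TRACE = """\
1000 PAGING_REQ 0x1A2B3C4D LA=101
1004 PAGING_RSP 0x1A2B3C4D CELL=10107
1009 PAGING_RSP 0x1A2B3C4D CELL=10103
1300 MT_SETUP   0x1A2B3C4D FAIL
2000 PAGING_REQ 0x55667788 LA=101
2006 PAGING_RSP 0x55667788 CELL=10102
2400 MT_SETUP   0x55667788 OK
3000 PAGING_REQ 0x0F0E0D0C LA=102
3005 PAGING_RSP 0x0F0E0D0C CELL=10201
3350 MT_SETUP   0x0F0E0D0C OK
4000 PAGING_REQ 0x1A2B3C4D LA=101
4003 PAGING_RSP 0x1A2B3C4D CELL=10107
4011 PAGING_RSP 0x1A2B3C4D CELL=10103
4300 MT_SETUP   0x1A2B3C4D FAIL
"""


def parse_trace(text):
    """Turn the trace into a time-sorted list of (time_ms, event, tmsi, arg) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, ev, tmsi, arg = line.split()
        events.append((int(t), ev, tmsi, arg))
    events.sort(key=lambda e: e[0])
    return events


def find_paging_races(events, window_ms=2000):
    """
    Attach each PAGING_RSP to the most recent PAGING_REQ for the same TMSI
    (within window_ms). Return {(req_time, tmsi): [(rsp_time, cell), ...]}
    for every page that drew more than one response - the MSC-side symptom
    of the race the comment describes.
    """
    open_pages = {}                 # tmsi -> (req_time, lac)
    responses = defaultdict(list)   # (req_time, tmsi) -> [(rsp_time, cell)]
    for t, ev, tmsi, arg in events:
        if ev == "PAGING_REQ":
            open_pages[tmsi] = (t, arg.split("=")[1])
        elif ev == "PAGING_RSP" and tmsi in open_pages:
            req_t, _lac = open_pages[tmsi]
            if t - req_t <= window_ms:
                cell = int(arg.split("=")[1])
                responses[(req_t, tmsi)].append((t, cell))
    return {k: v for k, v in responses.items() if len(v) > 1}


def suspect_cells(races):
    """
    The earliest response to a raced page is the one the network acted on.
    Count how often each cell 'wins'; a cell that keeps winning is where the
    attacker's kit is most likely camped.
    """
    wins = defaultdict(int)
    for rsps in races.values():
        first_cell = min(rsps)[1]   # tuples sort by time first
        wins[first_cell] += 1
    return dict(wins)


def mt_setup_success_rate(events):
    """Fraction of mobile-terminated setups that completed (the KPI that would plunge)."""
    ok = total = 0
    for _t, ev, _tmsi, arg in events:
        if ev == "MT_SETUP":
            total += 1
            ok += arg == "OK"
    return ok / total if total else None


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    races = find_paging_races(evs)
    for (req_t, tmsi), rsps in sorted(races.items()):
        cells = [c for _, c in sorted(rsps)]
        print(f"{tmsi}: paged at {req_t} ms, {len(rsps)} responses from cells {cells}")
    print("cells winning races:", suspect_cells(races))
    print(f"MT setup success rate: {mt_setup_success_rate(evs):.0%}")
```

On the constructed trace this flags both pages of 0x1A2B3C4D, names cell 10107 as the consistent winner, and reports a 50% mobile-terminated setup rate. In practice the duplicate-response count should be tracked per location area against a baseline rather than alerting on a single hit, and the KPI fall is what will be noticed first; the per-cell tally is what narrows down where to look with the BSC traces.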
"Strip the case, display, buttons and individual batteries from the phones. Replace the laptop with a custom ARM powered board; etc :)"
You do know the guts of a mobile are what's inside those USB data dongles?
And yes they can do voice, but it's down to the sim card inside.
So 8 way USB hub --> 8 Mobiles.
I would love to have one of these for my tram journey to and from work, it would be peace perfect peace.
LOL, you're going to carry a full focused jammer kit just to get some peace? Sledgehammer, meet nut.
You can get GSM jammers online for $25 and they work. They are just as illegal as the demonstrated approach, but a lot easier to hide. Being cheap also means "losing" them won't be that financially stressful either if someone is on to you.
@ac 09:09
At first I thought you were joking, but after a little searching I can see that they really do exist, albeit slightly more expensive, around the 70€ mark for the smaller ones.
Very, very tempting....
If I have understood correctly, using a cell phone on public transport in Japan is very much frowned upon; I don't see why we can't have the same over here in Europe. If I play my music too loud my neighbours can call the cops on me for disturbing the peace. Why do the same rules not apply on a train or a bus when the idiot next to you is yammering away to his girlfriend about something that someone once wrote on Farcebook?
If you pay €70 for it you're not looking in the right place, but hey, it's your money.
The most interesting ones are those which combine GSM, WiFi and GPS jamming. That totally screws up any tracking device you may have on you because it cannot get a location from GSM cell or GPS satellite triangulation, and by jamming WiFi it cannot fall back on WiFi MAC IDs either. Thorough idea. Naturally you'll be off air yourself as well, but that's the whole point.
I don't think it was cost-cutting. The designers already were using made-up temporary numbers in their comms, and so didn't think that encrypting them was really worth the overhead of encrypting a temporary, made-up ID. They could have achieved the same result simply by having the handset negotiate a new ID on a rotating, frequent basis.
As others have pointed out below, this is a mere annoyance at worst...
In other news, someone who connects to the electrical supply can break it for a load of people.
In other news, someone who connects to the local network can break it for a load of people.
If there's a shared facility, you can dick around with it and break it for other people. Using the protocols that facility uses is the best way to do it.
In other news some world weary anonymous coward has seen it all before.
In other news they've posted an interesting comment showing just how clever they are.
In other news another AC has shown up who is even less interested and is making out that the first AC is as boring as the original article.
You never know what's gonna happen on the internet!!!
I can't see what real value there is in this for targeting an individual. Sure, you could annoy them, but unless you're planning to assassinate them it'll just be an annoyance. I would also, perhaps incorrectly, assume that if you were the type of person actually planning a stealthy assassination you'd have other, more suitable, tech available. Maybe I'm just missing something.
Stopping drug dealers, snitches or lookouts from informing their colleagues as a bust goes down.
Stopping kids/students/adults from cheating during exams etc.
Stopping employees from spending their day talking to their kids, family, friends or lovers during working hours.
Hi Guys,
I am new to this or any Specialist Tech site and find this article and many more on this site - interesting and slightly frightening - does anyone else share this concern??
I have long been an advocate that we are in the midst of a new Revolution in Military Affairs (RMA) and that Information Warfare (of which I see a thread in this article) is a prime mover in this new RMA - which at the left of arc could deny us online services or betray our personal details and right of arc could potentially lead to removal of physical infrastructure (Stuxnet) or state on state actions which would have unimaginable consequences for many of us.
Currently studying for a Master's in Business Management, I was hoping to get some opinions from the commercial or business community - I think I understand the military aspects of Information Warfare but am struggling to link anything tangible to activity in the business world. It seems that service denial and software failures are so common that they can't be attributed to individual action!!!
If anyone can help I would be very grateful - unfortunately all that I can offer in return is a small piece in the literature review of my thesis.
Regards,
DS
Well, the Masters in Business Management is working well if I observe your desire to turn everything into TLAs (D2TEIT) in action, and is Masters really spelled with an 's?
Unless English isn't your native language, I would suggest reading a bit more.
1 - the way you use "advocate" is wrong. Look up what being an advocate means and adjust your use of language accordingly - I think you mean that "you're of the opinion that".
2 - TLAs are not constructed that way, but also be aware that you're contributing to confusion if you use TLAs inappropriately. I realise that is often a deliberate side effect for those who study management, but this has a habit of catching up with you. I have whiled away many a happy afternoon with colleagues digging out other formal meanings for TLAs and then drawing up presentations to use them and see who dared to ask questions when we presented to board-level people. *Very* educational; it made presentations so much more entertaining.
On the topic itself, information warfare is indeed an issue, but it's not "new" or even revolutionary; only the means have changed. Disinformation was the genesis of the double spy, and denial of service by killing off dead drops is also hardly a novel idea. Even the whole idea of governments ignoring their own laws until exposed is boringly familiar.