A trio of German computer scientists have revealed how to jam the mobile phone network of an entire city with just 11 modified phones.
The process performs the equivalent of a distributed denial of service (DDoS) attack on the cell towers of a certain mobile network, preventing calls and text messages from reaching their recipient, and even allowing calls to be hijacked and routed to another phone.
Detailed in a 17-page paper, the technique was recently presented as the USENIX Security Symposium in Washington DC and reveals a detailed explanation of how lax security between cell towers and mobile phones can be taken advantage of.
Nico Golde, Kévin Redon, and Jean-Pierre Seifert explain how there is a certain trust between the phone network and its users and an assumption that the basic security between the two cannot be hacked because, when the infrastructure was first developed, cell towers and basebands (mobile phone firmware) were not widely available to outsiders.
"We violate this trust," the group said, adding it is "able to evaluate the impact of a rogue device with regard to the usage of broadcast information. We demonstrate...it is feasible to hijack the transmission of mobile terminated services such as calls, perform targeted denial of service attacks against single subscribers as well against large geographical regions within a metropolitan area."
What happens when your phone rings
When a call to a mobile phone is made, five things happen before your phone starts to ring, as explained by Paul Ducklin on the Sophos Naked Security blog.
- 1. The base station sends out a broadcast page containing an identification code for your phone.
- 2. Your phone recognises its own identification code.
- 3. Your phone wakes up and responds to the base station.
- 4. The base station and your phone negotiate a private radio channel for the call.
- 5. Your phone authenticates to the base station.
Only then does your phone start ringing, or a text message arrives, and the researchers found a critical flaw with how these processes are ordered. Because the phone does not authenticate the incoming activity until step five, hackers could broadcast a signal to effectively race the system and get to the fifth step before the phone has chance to accept the call.
Put simply, a phone modified to work through these steps more quickly can listen in to the broadcast pages in step one, race your phone to step five and win, causing your phone's attempt to authenticate to be rejected. The call or text will not come through, unbeknown to the target phone's owner.
The researchers were able to create this system by modifying publicly available baseband code which was adapted to ensure it ran faster than a wide range of smartphones, including the iPhone 4S, Samsung Galaxy S2 and BlackBerry 9300 Curve.
During testing, the team found their system could be used to block phones over a vast area, ranging from 100 to 500 square kilometers.
Once the process worked, the team went about finding a way to amplify the attack and target multiple devices. The process of jamming a phone takes approximately one second, limiting the modified phones to 60 attacks per minute. They constructed a rig of 11 phones allowing them to broadcast more than 600 james per minute, and with this they calculated it would be enough to knock out the service of several networks across their home city of Berlin.
The research paper says: "A motivated attacker can interrupt communication on a large scale by merely utilising a set of inexpensive consumer devices that are available on the market. This is considerably more efﬁcient compared to traditional radio jamming due to the broad frequency range of mobile carrier networks and the size of location areas."
Going further, the researcher also found that phone calls and text messages could be intercepted. They observed that some networks don't always bother with step five, so calls are put through without being authenticated by the receiving phone; this means a potential attacker could not only block the call from reaching you, but also answer it.
The researchers conclude: "The trust in the security of cellular networks and specifically the widely used GSM standard has been shattered several times. Yet, attacks against mobile terminated services are a minority. The undisturbed operation of telecommunication networks is traditionally based on trust...this trust relationship has to be considered broken."