21 November 2009

The Democratization of Communications Warfare

So I am in Berlin for the second time in two weeks, fresh back from DeepSec in Vienna, lounging on the main deck of c-base and looking back on the week. I'm waiting for a new passport and the consulate isn't open on weekends. Harald Welte has been kind enough again to let me use his living room and I'm looking forward to seeing some Cold War museums with him tomorrow.

For many years, the telecommunications industry has relied on the cost and complexity of network equipment to achieve many of its security goals. Sure, the standards had big security holes, but you needed really expensive equipment and a lot of expertise to exploit those holes. The problem, though, is that cost and complexity were often the only security measures. If you had network equipment, network exploitation was usually just a question of how you configured that equipment, and the attack configurations were usually obvious.

Right now, there are genuinely bad people using the public communications networks to plan genuinely bad things. There are state actors using network exploits to monitor or track these bad people. There are state actors using network exploits to abuse the privacy of their citizens. There are criminals using network exploits to commit fraud. There are targets using knowledge of network exploits to confound the state actors who are targeting them. When we see this cycle of measures and countermeasures in the world of radar systems, we call it "electronic warfare". To describe this cycle of exploits and counter-exploits in telecom networks, I'll introduce a new phrase: "communications warfare". The weapons in this type of warfare are IMSI-catchers, jammers and hacked handsets. Thanks to cost and complexity, communications warfare in the cellular networks has largely been the domain of large, well-funded organizations. Even hackers usually stayed out of this game because the equipment and know-how are at a premium, so much so that some mistake the most basic techniques for trade secrets.

Moore's Law and the open source movement are removing the cost and complexity of network equipment. VoIP projects have been doing that for wireline networks for several years now, but projects like OpenBTS and OpenBSC are starting to do the same for cellular. These projects remove barriers that prevent people from experimenting with cellular technologies in their homes and classrooms. They demystify the systems. They have the potential to democratize cellular communications, but thanks to the inherent failings of cellular security, these projects also have the potential to democratize cellular communications warfare.

I don't think that democratizing communications warfare is a good thing, but I think that democratizing cellular is a very good thing. I have spent some time this week wondering if it is possible to achieve the first without unleashing the second.

  1. And did you come to any conclusions, or at least a strategy for a solution?

  2. I hope that doesn't mean you are considering exercising some kind of paternalism.

  3. I don't have any good ideas yet. I can't control other people, but I will distance myself and the project from public discussions of how to implement attacks. Call that paternal if you want.

  4. No, I wouldn't call not participating in certain activities paternal. I meant more something like binary blobs or hardware enforcement.

  5. Maybe OpenBTS could be set up to only allow IMSI numbers that are in a local DB, and, at that, limit the max number of allowed IMSI numbers. Or limit the max distance with timing.
    Just some ideas.
    I can see what you are worried about, just don’t stop your project for worry of what people could do with it.

  6. OpenBTS will always have an open source distribution, open down to L1, so there's no way to lock anything. And since the security holes are mostly in L3, they are far above the hardware. Any system that implements an L1/L2 network stack can be used to build a false BTS by replacing the logic in L3. That's just a huge problem in the pre-3G specs that we can't do anything about.
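The gate sketched in comment 5 (a local IMSI DB, a cap on attached handsets, and a distance bound derived from timing advance), as an added Python example that is not OpenBTS code; the AdmissionPolicy class and its inputs are assumptions, and the roughly 550 m per timing-advance step is the GSM figure. As comment 6 points out, this only decides whom a cooperating BTS will serve; it does nothing about a BTS that someone else runs.

```python
# Added example, not OpenBTS code: the admission gate sketched in comment 5.
# Assumes the BTS hands us, per access attempt, the IMSI presented and the
# timing advance (TA, 0..63) it measured; both names are hypothetical.
from dataclasses import dataclass, field

# One GSM timing-advance step is one bit period of round-trip delay,
# about 550 m of handset-to-BTS distance, so TA bounds the radius served.
METRES_PER_TA_STEP = 550


@dataclass
class AdmissionPolicy:
    allowed_imsis: frozenset      # the "local DB" of IMSIs this cell serves
    max_attached: int             # cap on simultaneously attached IMSIs
    max_distance_m: int           # handsets beyond this radius are refused
    attached: set = field(default_factory=set)
    rejections: dict = field(default_factory=dict)  # per-IMSI refusal count

    def max_ta(self):
        """Largest timing advance consistent with max_distance_m."""
        return self.max_distance_m // METRES_PER_TA_STEP

    def _refuse(self, imsi, reason):
        # Refusals are counted so repeated attempts by unknown IMSIs show up
        # in the operator's logs instead of being silently dropped.
        self.rejections[imsi] = self.rejections.get(imsi, 0) + 1
        return False, reason

    def decide(self, imsi, timing_advance):
        """Return (admit, reason) for one access attempt."""
        if not (imsi.isdigit() and len(imsi) <= 15):
            return self._refuse(imsi, "malformed IMSI")
        if imsi not in self.allowed_imsis:
            return self._refuse(imsi, "IMSI not in local DB")
        if timing_advance > self.max_ta():
            return self._refuse(imsi, "handset too far away")
        if imsi in self.attached:
            return True, "already attached"
        if len(self.attached) >= self.max_attached:
            return self._refuse(imsi, "attachment cap reached")
        self.attached.add(imsi)
        return True, "attached"

    def detach(self, imsi):
        self.attached.discard(imsi)
```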

  7. You are always talking about IMSI-catchers ... what are you scared about?
    Give me one serious example of abusing collected IMSIs.

  9. You can't do anything really on a hardware or software level, but on a social level, you can publicly identify bad actors, where they live and operate from, and cut them off. Make it personal. Make them into pariahs, and make their lives uncomfortable on a personal level, and make sure they know why, and their friends and business associates know why, too. For the hard cases, there's always the Tahrir Square treatment. Anti-social behavior should have social consequences...