24 June 2009

Pre-Paid, Revisited

In a previous post, I talked about a Net10 Nokia 1600 that appeared to be SIM-locked and have some special firmware that made it nearly useless for anything but Net10's prepaid service.

For the latest experiment, I found an AT&T "Go Phone" Nokia 2610.  I turned it on right next to a running OpenBTS system.  It powered up, registered with OpenBTS and then tried to send an SMS to the private ISDN address 1111340002 via an SMSC at +14047259800.  Here is the raw TPDU of the message.

If anyone has immediate ideas on the meaning of that 69-byte payload or what the handset is expecting to see in response, let me know.  The known parameters are:

  • IMSI 310410250887606
  • MSISDN +1 707 386 8928
  • PIN 8928
  • ICCID 8901 4104 2125 0887 6088

Unfortunately, the phone itself has a power supply problem, so I will need to find another one.  And then I can post a second example for comparison.
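As an added example (not code from this post), here is a small Python decoder for the fixed part of an SMS-SUBMIT TPDU as defined in GSM 03.40, run over a constructed TPDU that reuses the private destination address above; the real 69-byte payload is not reproduced, and the SMSC address is not in the TPDU at all (it travels in the RP layer), which is one thing to keep in mind when reading a capture like this.

```python
# Added decoder for an SMS-SUBMIT TPDU header (3GPP TS 23.040, ex GSM 03.40).
# The SMSC address is carried in the RP layer, not in the TPDU, so it is not here.

# Constructed sample, not the post's real 69-byte payload: SMS-SUBMIT with a
# user-data header, relative validity, 8-bit coding, destination 1111340002.
SAMPLE_TPDU_HEX = "51000a8111114300200004aa09050003010201deadbe"


def _semi_octets(octets: bytes, ndigits: int) -> str:
    """Nibble-swapped BCD digits of a TP-DA; a trailing 0xF filler is dropped."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in octets)[:ndigits]


def parse_sms_submit(tpdu: bytes) -> dict:
    first = tpdu[0]
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT (TP-MTI != 01)")
    vpf = (first >> 3) & 0x03      # TP-VPF: 00 absent, 10 relative, 01/11 7 octets
    udhi = bool(first & 0x40)      # TP-UDHI: user data begins with a header
    da_digits, toa = tpdu[2], tpdu[3]   # TP-DA length counts digits, not octets
    n = (da_digits + 1) // 2
    dest = _semi_octets(tpdu[4:4 + n], da_digits)
    pos = 4 + n
    pid, dcs = tpdu[pos], tpdu[pos + 1]
    pos += 2
    vp = None
    if vpf == 0b10:
        vp, pos = tpdu[pos], pos + 1
    elif vpf:
        vp, pos = tpdu[pos:pos + 7].hex(), pos + 7
    udl, ud = tpdu[pos], tpdu[pos + 1:]   # UDL is septets for GSM 7-bit, else octets
    udh, body = [], ud
    if udhi:
        udhl = ud[0]
        hdr, body, i = ud[1:1 + udhl], ud[1 + udhl:], 0
        while i + 2 <= len(hdr):           # information elements: IEI, length, data
            iei, iel = hdr[i], hdr[i + 1]
            udh.append((iei, hdr[i + 2:i + 2 + iel].hex()))
            i += 2 + iel
    if dcs >> 6 == 0:                      # general data coding group
        coding = {0: "gsm7", 1: "8bit", 2: "ucs2"}.get((dcs >> 2) & 3, "reserved")
    else:                                  # other DCS groups reported raw
        coding = f"dcs=0x{dcs:02x}"
    return {"message_reference": tpdu[1],
            "destination": ("+" if (toa >> 4) & 7 == 1 else "") + dest,
            "ton": (toa >> 4) & 7, "npi": toa & 0x0F,
            "protocol_id": pid, "coding": coding, "validity_period": vp,
            "udl": udl, "udh": udh, "user_data": body}
```

Calling parse_sms_submit(bytes.fromhex(SAMPLE_TPDU_HEX)) returns the destination, the concatenation header (IEI 0x00) and the three-byte body separately, which is the split you want before guessing what a handset's first message means.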

21 June 2009

A Big, Dangerous Assumption

Lately, I've been exchanging thoughts with people in the OpenBSC project about a specific class of DOS attacks against cellular networks. We discussed GSM vulnerabilities specifically, and tried and failed to think of ways to harden our systems against them.

The DOS attacks we discussed would be made from the subscriber side of the cellular air interface. These "rogue handset" attacks have a fundamental commonality with false-basestation attacks: the key to performing either type of attack is having a GSM device that allows you to control layer 3 (L3), the layer where most of the resource management and call signaling actually happen. This observation touches on a huge shortcoming of many ISDN/SS7 systems, that they are built with the assumption that any entity in L3 can be trusted to follow the protocol. (I had a related conversation with Jacob Appelbaum a couple of weeks earlier where he made a broader comment about the error of "trusting the infrastructure".) The ugly truth is that if you can take control of an L3 entity you can make a lot of networks do a lot of strange things.

In a recent appeals case in England, MMI v. CellXion, the UK high court upheld a ruling that the function of an IMSI-catcher was sufficiently non-obvious to justify patent protection. Part of that decision was based on testimony from so-called experts that GSM security was once thought to be "unbreakable". It is unfortunate that the high court was misled by such testimony. To be blunt, anyone who ever thought that GSM security was unbreakable must not have tried. Heck, you can build an IMSI catcher by accident just by misconfiguring certain cellular equipment. But the important point here is that the representations of these so-called experts reflect the long-standing assumption that rogue parties cannot get their hands on the equipment they need to spoof elements of the system. That assumption may have been reasonable in the early days of SS7, when these technologies were new, the equipment was expensive and all of the networks were run by governments and megacorporations. Even then, though, breaking the security was merely expensive, far from impossible. The cost is down now. Today anyone with a few hundred dollars can get their hands on a trace phone, a surplus micro-BTS, a SIM kit, a used cellular network test set or an account with a commercial VoIP-PSTN gateway. All of these products can be used to attack cellular and PSTN networks in various ways, ranging from identity spoofing to shutting down whole cells. Most people are unaware of these risks, continue to trust the network and continue to carry potentially dangerous misconceptions about what is secure and what is not.