Eggheads turn Motorola feature phone into CITYWIDE GSM jammer

Berlin boffins have spotted a procedural flaw in the long-lived GSM protocol and created an exploit around it which can knock out a mobile network or even target an individual subscriber in the same city. The exploit, presented at the 22nd USENIX Security Symposium last week, takes advantage of the fact that GSM lets phones …

COMMENTS

This topic is closed for new posts.
  1. Velv
    Black Helicopters

    Here come the tinfoil hat brigade!!!

    "This must have been written in to the standard so that governments can spy on the people!!!"

    1. Anonymous Coward
      Anonymous Coward

      A world without mobile phones! Bliss, I mean how on earth did we ever manage without them?

      1. crayon

        Your ancestor was probably the tw@t who said the same thing about fire. Or probably not, since someone with such stupid genes would have their lineage ended rather quickly.

    2. sabroni Silver badge
      Happy

      Here come the tinfoil hat brigade!!!

      Here come the government sock puppets, here to belittle legitimate concerns and make out that "if you have nothing to hide you have nothing to fear".

      Isn't guessing other people's opinions fun!!!

  2. James 51

    I think it's far more likely to be used to prevent someone who is about to be arrested calling someone else if they manage to escape. Or if you know a bomb is going to be detonated by a phone call or text you could use it for that.

    1. Anonymous Coward
      Anonymous Coward

      "Or if you know a bomb is going to be detonated by a phone call or text you could use it for that."

      Yes, and you know the phone number they're going to call from, or to.

      Not holding my breath for a practical opportunity to prove this use.

    2. JetSetJim
      Thumb Up

      Hmm...

      In GSM, you are not actually known to the BSC, you're known to the logical grouping of cells known as a "Location Area" (LA), which will comprise a number of cells (typically all connected to one BSC).

      So, before you attack a specific mobile, you have to know at least which LA it is in.

      TMSIs change each time the mobile changes LA, and may also change if the mobile does what is called a "periodic location update" (which is not triggered by movement) so this attack isn't that long-lasting.

      The attack relies on the attacker responding to the paging message faster than the mobile does. In practical terms, this means locating yourself at an "earlier" base station within the location area, as the BSC will typically clunk through BTSs in the LA one at a time - but the differences are in the milliseconds, so you may be at the mercy of the speed of being able to get radio resources to send your paging response. It's certainly possible, but I doubt it's that reliable.

      The article claims the hijack is not detectable, but I'd argue that's not true - the MSC will receive multiple paging responses, therefore a trivial modification is required to detect this in software (and indeed may already be implemented in some vendor equipment for all I know). In addition, the network KPIs on call termination success rate would plunge through the floor (for the "global" attack, anyway) and alarm bells that "something" is happening would be ringing within 30 mins. It would take longer to diagnose, I admit, but it is diagnostically possible to work out that this is happening by examining traces from the BSC.

      I'd agree that it's possible to hijack a session in networks where the authentication/ciphering are not implemented, although their claim "an attacker can fully impersonate the victim after cracking the session key Kc" seems a bit brief (perhaps it's feasible, I don't know).

      The "Detach" attack is clever, I admit.

      The standards changes they propose are unlikely to be implemented - the s/w stack for GSM (and UMTS) is so old, there would be too many different devices that would need their firmware re-flashing. Not economical to do.

      Overall, a good bit of fun and potentially a headache for an operator. Buy the phones with cash and your attack can be suitably anonymised, too.
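
Added example (not part of the thread, and not code from the paper or from any vendor): the check JetSetJim describes above, flagging a page that draws more than one paging response, run over a constructed trace. The tuple layout, the 3-second matching window and the function name are assumptions; real BSC/MSC traces are vendor specific.

```python
from collections import defaultdict

# Constructed sample trace: (time_ms, event, location_area, tmsi, cell).
# This layout is hypothetical; it stands in for a decoded BSC/MSC trace.
TRACE = [
    (1000, "PAGING", "LA1", "0xA1B2C3D4", None),
    (1180, "PAGING_RESPONSE", "LA1", "0xA1B2C3D4", "cell-03"),
    (1420, "PAGING_RESPONSE", "LA1", "0xA1B2C3D4", "cell-11"),  # second answer
    (2000, "PAGING", "LA1", "0x0F0E0D0C", None),
    (2350, "PAGING_RESPONSE", "LA1", "0x0F0E0D0C", "cell-07"),
    (3000, "PAGING", "LA1", "0x11223344", None),                # unanswered
]

WINDOW_MS = 3000  # assumed window for matching a response to its page


def find_duplicate_responses(trace, window_ms=WINDOW_MS):
    """Return (alerts, dup_share).

    alerts    : one dict per page answered more than once within the window.
    dup_share : per location area, the fraction of pages that drew duplicate
                responses (one subscriber affected vs. most of the LA).
    """
    open_pages = {}                  # (la, tmsi) -> time of the latest page
    answers = defaultdict(list)      # (la, tmsi, paged_at) -> answering cells
    pages_per_la = defaultdict(int)

    for t, event, la, tmsi, cell in sorted(trace, key=lambda e: e[0]):
        if event == "PAGING":
            open_pages[(la, tmsi)] = t
            pages_per_la[la] += 1
        elif event == "PAGING_RESPONSE":
            paged_at = open_pages.get((la, tmsi))
            # Ignore responses with no matching page or outside the window.
            if paged_at is not None and t - paged_at <= window_ms:
                answers[(la, tmsi, paged_at)].append(cell)

    alerts = [{"la": la, "tmsi": tmsi, "paged_at": at, "cells": cells}
              for (la, tmsi, at), cells in answers.items() if len(cells) > 1]
    dup_share = {la: sum(a["la"] == la for a in alerts) / n
                 for la, n in pages_per_la.items()}
    return alerts, dup_share


if __name__ == "__main__":
    found, share = find_duplicate_responses(TRACE)
    for alert in found:
        print("duplicate paging response:", alert)
    print("share of pages with duplicates per LA:", share)
```

A rising per-LA share is the trace-level counterpart of the KPI drop mentioned in the comment; a single recurring TMSI in the alerts points at one affected subscriber instead.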

  3. Anonymous Coward
    Black Helicopters

    yeah

    but block a single user and likely no-one would ever know about it, making it probable that someone, somewhere, is already doing just that. ®

    1. AndyS

      Re: yeah

      What a coincidence - I just read that article too!

  4. Khaptain Silver badge

    Shame it's not very portable

    I would love to have one of these for my tram journey to and from work, it would be peace perfect peace.

    1. frank ly

      Re: Shame it's not very portable

      Strip the case, display, buttons and individual batteries from the phones. Replace the laptop with a custom ARM powered board; etc :)

      1. John Smith 19 Gold badge
        Boffin

        Re: Shame it's not very portable

        "Strip the case, display, buttons and individual batteries from the phones. Replace the laptop with a custom ARM powered board; etc :)"

        You do know the guts of a mobile is what's inside those USB data dongles?

        And yes they can do voice, but it's down to the sim card inside.

        So 8 way USB hub --> 8 Mobiles.

    2. Anonymous Coward
      Anonymous Coward

      Re: Shame it's not very portable

      I would love to have one of these for my tram journey to and from work, it would be peace perfect peace.

      LOL, you're going to carry a full focused jammer kit just to get some peace? Sledgehammer, meet nut.

      You can get GSM jammers online for $25 and they work. They are just as illegal as the demonstrated approach, but a lot easier to hide. Being cheap also means "losing" them won't be that financially stressful either if someone is on to you.

      1. Khaptain Silver badge

        Re: Shame it's not very portable

        @ac 09:09

        At first I thought you were joking but after a little searching I can see that they really do exist albeit for slightly more expensive, around the 70€ mark for the smaller ones..

        Very, very tempting....

        If I have understood correctly using a cell phone on public transport in Japan is very much frowned upon, I don't see why we can't have the same over here in Europe. If I play my music too loud my neighbours can call the cops on me for disturbing the peace. Why do the same rules not apply on a train or a bus when the idiot next to you is yammering away to his girlfriend about something that someone once wrote of Farcebook.......

        1. Anonymous Coward
          Anonymous Coward

          Re: Shame it's not very portable

          If you pay €70 for it you're not looking in the right place, but hey, it's your money.

          The most interesting ones are those which combine GSM, WiFi and GPS jamming. That totally screws up any tracking device you may have on you because it cannot get a location from GSM cell or GPS satellite triangulation, and by jamming WiFi it cannot fall back on WiFi MAC IDs either. Thorough idea. Naturally you'll be off air yourself as well, but that's the whole point.

  5. John Smith 19 Gold badge
    Unhappy

    So "Temporary Mobile Subscriber Identity" *not* temporary after all

    But don't worry, no one knows about it.

    Yay for another cost cutting implementation tactic

    As for whether this is used IRL.

    How would you know?

    1. FutureShock999

      Re: So "Temporary Mobile Subscriber Identity" *not* temporary after all

      I don't think it was cost-cutting. The designers already were using made-up temporary numbers in their comms, and so didn't think that encrypting them was really worth the overhead of encrypting a temporary, made-up ID. They could have achieved the same result simply by having the handset negotiate a new ID on a rotating, frequent basis.

      As others have pointed out below, this is a mere annoyance at worst...

  6. Valer

    Countermeasure for such DoS attacks

    I published a countermeasure for something similar in 2006: http://bocan.ro/Media/Default/Downloads/threats-and-countermeasures-in-gsm-networks.pdf

  7. Anonymous Coward
    Anonymous Coward

    Why use a jammer to stop people making mobile phone calls

    When you could just get them to subscribe to O2?

  8. Alan Brown Silver badge

    hmmmmmm

    I've seen something like this used a few times. Yet another case of them what know doing it quietly already.

  9. El Richard Thomas

    They're already doing th<NO CARRIER>

  10. Anonymous Coward
    Anonymous Coward

    In other news, someone who connects to the electrical supply can break it for a load of people.

    In other news, someone who connects to the local network can break it for a load of people.

    If there's a shared facility, you can dick around with it and break it for other people. Using the protocols that facility uses is the best way to do it.

    1. Anonymous Coward
      Anonymous Coward

      In other news some world weary anonymous coward has seen it all before.

      In other news they've posted an interesting comment showing just how clever they are.

      In other news another AC has shown up who is even less interested and is making out that the first AC is as boring as the original article.

      You never know what's gonna happen on the internet!!!

  11. Don Jefe

    Useful Targeted Attack?

    I can't see what real value there is in this for targeting an individual. Sure, you could annoy them, but unless you're planning to assassinate them it'll just be an annoyance. I would also, perhaps incorrectly, assume that if you were the type of person actually planning a stealthy assassination you'd have other, more suitable, tech available. Maybe I'm just missing something.

    1. RyokuMas
      Coat

      Re: Useful Targeted Attack?

      Blocking prisoners' mini-mobes, perhaps?

    2. Khaptain Silver badge

      Re: Useful Targeted Attack?

      Stopping drug dealers, snitches or lookouts from informing their colleagues as a bust goes down.

      Stopping kids/students/adults from cheating during exams etc.

      Stopping employees from spending their day talking to their kids, family, friends or lovers during working hours.

  12. Anonymous Coward
    Anonymous Coward

    Now my question is...

    Can this be done on a PI to bring down the size to a more manageable/portable size?

    If you're going to knock out a city, might as well be a bit more portable/able to be on the move.

  13. DS - IW
    Headmaster

    Information Warfare

    Hi Guys,

    I am new to this or any Specialist Tech site and find this article and many more on this site - interesting and slightly frightening - does anyone else share this concern??

    I have long been an advocate that we are in the midst of a new Revolution in Military Affairs (RMA) and that Information Warfare (of which I see a thread in this article) is a prime mover in this new RMA - which at the left of arc could deny us online services or betray our personal details and right of arc could potentially lead to removal of physical infrastructure (Stuxnet) or state on state actions which would have unimaginable consequences for many of us.

    Currently studying for a Master's in Business Management I was hoping to get some opinions from the commercial or business community - I think I understand the military aspects of Information Warfare but am struggling to link anything tangible to activity in the business world. It seems that service denial and software failures are so common that they can't be attributed to individual action!!!

    If anyone can help I would be very grateful - unfortunately all that I can offer in return is a small piece in the literature review of my thesis.

    Regards,

    DS

    1. Anonymous Coward
      Anonymous Coward

      Re: Information Warfare

      Well, the Masters in Business Management is working well if I observe your desire to turn everything into TLAs (D2TEIT) in action, and is Masters really spelled with an 's ?

      Unless English isn't your native language, I would suggest reading a bit more.

      1 - the way you use "advocate" is wrong. Look up what being an advocate means and adjust your use of language accordingly - I think you mean that "you're of the opinion that" ..

      2 - TLAs are not constructed that way, but also be aware that you're contributing to confusion if you use TLAs inappropriately. I realise that is often a deliberate side effect for those who study management, but this has a habit of catching up with you. I have wiled away many a happy afternoon with colleagues digging out other formal meanings for TLAs and then drawing up presentations to use them and see who dared asking questions when we presented to board level people. *Very* educational, it made presentations so much more entertaining.

      On the topic itself, information warfare is indeed an issue, but it's not "new" or even revolutionary, only the means have changed. Disinformation was the genesis of the double spy, and denial of service by killing off dead drops is also hardly a novel idea. Even the whole idea of governments ignoring their own laws until exposed is boringly familiar..
