
Hacked Feature Phone Can Block Other People’s Calls - rajbala
http://www.technologyreview.com/news/518646/hacked-feature-phone-can-block-other-peoples-calls/
======
revelation
Baseband processors will probably be the top future exploit target, now that
mobile is exploding. These processors are the central interconnect between
microphones, the GPS and a bunch of other periphery on a smartphone (any
phone, really). They run proprietary binary blobs on mostly lower end ARM-SoCs,
and due to their nature, most any exploit will be _remote_ , and you will have
a high-bandwidth uplink to share the spoils.

The binary blobs are usually some variant of a homegrown RTOS system, written
in _C_. Given the low end processors used, there is no isolation between
processes (no MMU), and the complex 3G et al signalling has lots of nasty
error paths and interrupt goodness.

~~~
616c
I had started to fear this. As an Android fanboy, my biggest fear is that no
phone is open. I try to explain what a baseband processor and DSP are, and most
people are confused by why it matters.

Are there any fun phones (I assume in the US it would be illegal to sell one)
with reprogrammable/more open baseband chips? Does anyone know anything about
this topic? I would love to make this a hobby/obsession if there was a small
place to enter this research outside of the industry.

~~~
hershel
A good place to look is the replicant[1] project which aims to offer a fully
open-source version of android. Most supported phones sadly have closed
sourced modems and other stuff.

There's one phone there[2] where only the wifi is non-free. So my guess is
turning off wifi gives you a totally free phone. This is an OpenMoko phone,
which is also an open hardware phone.

Regarding fun: I think you can't run the play store there - so you lose the
google apps. And the phone we're talking about is weak - cortex-a8, 512MB.

[1] replicant.us
[2][http://redmine.replicant.us/projects/replicant/wiki/GTA04](http://redmine.replicant.us/projects/replicant/wiki/GTA04)

~~~
616c
Thanks. Unfortunately no one sells these anymore, correct? I was well aware of
OpenMoko, but you point out a lot of the problems.

EDIT: I also forgot to mention I was looking into this, but it means going back
to the old phones. Still might be worth it.

[http://bb.osmocom.org/trac/wiki/MotorolaC123](http://bb.osmocom.org/trac/wiki/MotorolaC123)

------
grugq
This is a simple race condition exploiting the baroque way that GSM signalling
works. When a call (or an SMS) comes in:

* the basestation will send an alert to the mobile phone ("contact me, I've got something for you")

* the mobile phone will request a channel ("hey, let's talk")

* the basestation will allocate a channel ("yo, talk here")

* the mobile phone will authenticate ("it's me, TMSI:xxxxx")

* the basestation will lookup pending signalling ("oh, got something for ya")

That is the very rough outline of how GSM signalling works. My guess is that
the basestation will clear the pending signalling for the mobile phone _even_
_if_ the authentication fails. So an attacker can pre-allocate a bunch of
channels and then send spoofed auth messages to the basestation. The attacker
won't be able to actually authenticate because they don't have the Ki (the GSM
keys stored on the SIM). This is just a race condition, and it seems like it
would be noisy for the telcos' ops center which would receive a lot of alerts
about failing authentication and call/sms delivery failures.

I haven't read the paper, but that's a guess as to how it works. There are
loads of ways to DoS the basestation. This doesn't seem that exciting.

~~~
Xylakant
Well, the article says that it doesn't DoS the base station, but a group of
stations called a location area. This location area in Berlin for example is
200 square kilometers. That's quite a bit more than a single base station. And
all you need is a cheap GSM feature phone. You could probably turn it on and
literally toss it on a bus to take a quarter of the city offline with a
rolling DoS jammer. Hard to find in case someone tries.

~~~
grugq
For "basestation" read "the network". The partitioning of responsibility
within a GSM network is relevant to this attack only in regards to which
component maintains the "signals-pending table". There are a number of
different locations this could be stored, depending on how the network is
setup.

They are doubtless using osmocom-bb, which is an open source baseband
implementation for a number of older phones using an old baseband board. The
implementation of the attack is not relevant to the attack itself. You could
implement it with an SDR, or with osmocom-bb compatible boards, or whatever.
It is still a race condition that they've figured out how to win.

The solution is simple. The network needs to maintain the "signals-pending
table" entry for a mobile until it successfully authenticates, or the entry
times out. If they are flushing the entry after an unsuccessful authentication
attempt then it enables a DoS, such as this one. I still have a hard time
believing this is how it actually works because it seems like the network is
behaving incorrectly.
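To make the two table policies in this thread concrete, here is a toy simulation, added as an example and not code from the article, the paper, or any commenter. It models a network-side "signals-pending table" under both behaviours grugq contrasts: flushing the entry on the first failed authentication versus keeping it until a responder authenticates or a retry budget runs out. The HMAC-based `sres` stand-in, the identity `SUB-1`, the responder names and all keys are constructed for the example; none of it is the real GSM challenge-response algorithm.

```python
"""Toy model of a paging 'signals-pending table' (constructed example, not real GSM)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Responder:
    name: str
    ki: bytes            # key this device actually holds (constructed sample)
    answer_delay: float  # seconds until its paging response reaches the network


def sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM challenge response; HMAC-SHA256, not the real GSM A3."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class Network:
    """Network side: holds subscriber keys and the pending-signalling entries."""

    def __init__(self, keys, flush_on_failure, ttl=3):
        self.keys = keys                       # identity -> Ki known to the network
        self.pending = {}                      # identity -> (message, pages_left)
        self.flush_on_failure = flush_on_failure
        self.ttl = ttl                         # how many pages before an entry times out
        self.auth_failures = 0                 # what an ops centre would see piling up
        self.delivered = []                    # (identity, device, message)
        self._counter = 0

    def queue(self, identity, message):
        self.pending[identity] = (message, self.ttl)

    def page(self, identity, responders):
        """Broadcast a page; handle responses in arrival order (the race)."""
        if identity not in self.pending:
            return None
        self._counter += 1
        rand = self._counter.to_bytes(4, "big")
        expected = sres(self.keys[identity], rand)
        for r in sorted(responders, key=lambda r: r.answer_delay):
            if hmac.compare_digest(sres(r.ki, rand), expected):
                message, _ = self.pending.pop(identity)
                self.delivered.append((identity, r.name, message))
                return r.name
            self.auth_failures += 1
            if self.flush_on_failure:
                # The suspected misbehaviour: a failed auth discards the entry,
                # so the slower but legitimate phone never gets the call.
                self.pending.pop(identity)
                return None
        # No responder authenticated on this page: spend one retry, drop on zero.
        message, left = self.pending[identity]
        if left - 1 == 0:
            self.pending.pop(identity)
        else:
            self.pending[identity] = (message, left - 1)
        return None


def run_scenario(flush_on_failure):
    """One page with a fast wrong-key responder and a slower legitimate phone."""
    ki_victim = b"constructed-Ki-for-subscriber-1"
    net = Network({"SUB-1": ki_victim}, flush_on_failure)
    net.queue("SUB-1", "incoming call")
    responders = [
        Responder("victim-phone", ki_victim, answer_delay=0.20),
        Responder("fast-responder", b"some-other-key", answer_delay=0.05),
    ]
    winner = net.page("SUB-1", responders)
    return winner, net.auth_failures, "SUB-1" in net.pending


def run_timeout_scenario():
    """Keep-until-auth policy with only wrong-key responders: entry times out."""
    ki_victim = b"constructed-Ki-for-subscriber-1"
    net = Network({"SUB-1": ki_victim}, flush_on_failure=False, ttl=3)
    net.queue("SUB-1", "incoming SMS")
    responders = [Responder("fast-responder", b"some-other-key", answer_delay=0.05)]
    while "SUB-1" in net.pending:
        net.page("SUB-1", responders)
    return net.auth_failures, "SUB-1" in net.pending


if __name__ == "__main__":
    print("flush on failure :", run_scenario(True))    # (None, 1, False)
    print("keep until auth  :", run_scenario(False))   # ('victim-phone', 1, False)
    print("keep, timeout    :", run_timeout_scenario())  # (3, False)
```

The point of the model is the single branch under `flush_on_failure`: with it, losing the race once loses the call; without it, the failed response costs the network one logged authentication failure and the legitimate phone still gets through, and the `ttl` budget bounds how long an unanswered entry lives.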

~~~
bad_user
I also don't believe that's how it works, for SMS at least. Authentication can
also fail due to a broken device or to a poor connection. Does that mean SMS
messages can get lost? Doesn't make sense.

Also, since this is a race condition, it means that the exploit can't block
all incoming calls.

~~~
Xylakant
They figured out a race condition that they will always win. So yes, the
exploit currently can block all incoming calls.

------
jessedhillon
Someone more knowledgeable than me, please correct my presumptuous
understanding, because this seems easily mitigated.

I would imagine that, like with your home network, cell phones have multiple
addressing schemes in a network. So there's your phone number, but there's
also some kind of network address that I have received from the carrier, and
then probably some kind of address that refers to my connection with the
tower.

I would assume that something similar to ARP goes on here. A message comes in
for 415xxxxxxx, my phone. When AT&T gets it, they determine that phone number
is network address 1234, and they have some system that says 1234 is currently
in tower X. Tower X gets the message and broadcasts a request for the phone
corresponding to device 1234. At this point, pirate device with tower address
ABCD responds that it is, falsely, AT&T's 1234. The message is then sent to
the phone whose address in tower space is ABCD. My phone was actually DEFG
but I couldn't reply fast enough.

So, if this pirate phone responds to multiple requests, for multiple AT&T
subscriber addresses, claiming to have all those addresses, can't the tower
just cap it at like 3 addresses? After that can't it be determined to be a
pirate device and disconnected from the network? If one device claims messages
intended for more than 3 addresses, isn't it safe to say it's faulty or
spoofing?

Where am I wrong here? It seems like this level of ability should be built
into a protocol that requires recipients to identify themselves? Like if I
issue an ARP request on my Ethernet network, and the same MAC address always
comes back, that would be a detectable attack (assuming it was not my
gateway). Isn't this the same principle?
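The cap jessedhillon proposes can be phrased as a detection rule on the network side: flag any responder that answers pages for more than N distinct subscriber identities inside a short window. The following is an added example in the spirit of that comment, not code from the article or from any network vendor; the paging-response records, the responder addresses (`ABCD`, `DEFG`, ...) and the subscriber identities are all constructed. The time window is there because a legitimate phone can legitimately appear under more than one identity over a long span (for instance after being assigned a new TMSI), so the count is taken per window rather than over all time.

```python
"""Flag responders that claim too many paged identities in a short window (constructed example)."""
from collections import defaultdict

# Constructed paging-response records: (seconds, responder address, claimed identity).
SAMPLE_RESPONSES = [
    (0.0, "ABCD", "1234"), (1.0, "ABCD", "1235"),     # one responder answering
    (2.5, "ABCD", "1236"), (4.0, "ABCD", "1237"),     # for four identities in 4 s
    (0.3, "DEFG", "1234"),                            # the real phone for 1234, slower
    (5.0, "HIJK", "2001"),                            # ordinary phone, one identity
    (10.0, "LMNO", "3001"), (100.0, "LMNO", "3002"),  # four identities, but spread
    (200.0, "LMNO", "3003"), (300.0, "LMNO", "3004"), # over five minutes
]


def flag_suspicious_responders(responses, max_identities=3, window=60.0):
    """Return {responder: identities} for responders that answered pages for more
    than `max_identities` distinct identities within any `window`-second span."""
    by_responder = defaultdict(list)
    for t, responder, identity in responses:
        by_responder[responder].append((t, identity))

    flagged = {}
    for responder, events in by_responder.items():
        events.sort()  # by time, so each slice below starts a window
        for i, (t0, _) in enumerate(events):
            seen = {ident for t, ident in events[i:] if t - t0 <= window}
            if len(seen) > max_identities:
                flagged[responder] = seen
                break
    return flagged


if __name__ == "__main__":
    for responder, identities in flag_suspicious_responders(SAMPLE_RESPONSES).items():
        print(f"{responder}: answered pages for {sorted(identities)}")
```

With the default 60-second window only `ABCD` is flagged; widening the window to cover the whole sample also catches `LMNO`, which shows why the threshold and window have to be tuned together against how often identities are legitimately reassigned.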

------
MichaelGG
This talks about screwing around with the network by acting like another phone
to do denial of service. Can't you achieve the same result just by
transmitting noise on the same frequencies? If you're blasting out paging
responses, won't that be just as "easy" to track down as transmitting noise?

Modifying them to intercept calls/SMS is more threatening, especially as GSM
and SMS look like attractive protocols for doing mobile apps and payments in
"developing" areas.

~~~
greenyoda
Transmitting noise across the entire spectrum of frequencies that a cellular
carrier uses would probably take a much larger and more expensive transmitter,
a bigger antenna and more power. (You'd have to jam all the bands available to
the carrier, since a tower can just tell a phone to switch to another
frequency if there's a reception problem.) In contrast, all this exploit
requires is a cheap cell phone.

------
chatman
I am surprised that the baseband paging firmware code is closed and has not
already been reverse engineered. And if so, it is surprising for me as to why
have we never come across any attack like this in real life.

~~~
ComputerGuru
The more cynical outlook would be that the baseband firmware has been reverse
engineered and broken long ago, the fruits of this effort kept from being
aired due to the high price they could command on the black market.

------
petera
Slides and video: [https://www.usenix.org/conference/usenixsecurity13/let-me-answer-you-exploiting-broadcast-information-cellular-networks](https://www.usenix.org/conference/usenixsecurity13/let-me-answer-you-exploiting-broadcast-information-cellular-networks)

------
pudquick
Does anyone know if CDMA is vulnerable to the same paging hijack?

I know that Verizon here in the US registers the ESN/MEID of the device itself
for service provisioning (with a SIM only being used for GSM roaming and LTE).

I would guess that CDMA doesn't have to 'page' to find the right phone (though
it might ping to see if it's still connected / in range) as the phone's ID is
already associated with the number (no need to query a SIM).

------
MindTwister
To expand on pudquick's question. Does anyone know if 3g, 4g, CDMA or any of
the other standards are just as susceptible to this?

------
derleth
This will be responsible for a few deaths if it ever becomes widespread. The
obvious way is by preventing people from calling 911, but the other way,
potentially just as deadly, is preventing people who are on-call from being
called into hospitals where their services are required.

Someone who's on-call isn't always at the hospital. They might well be across
town, within a certain range as dictated by maximum response time; that is,
they can be anywhere within fifteen minutes' travel to the hospital once
they've been called. Of course, if they don't get the call, or get the call
late, that could mean someone's life.

There's an actual, articulable reason shit like this is illegal, and it isn't
just arbitrary FCC bullshit. Being annoyed at cell phone calls isn't worth
someone's life.

~~~
dylangs1030
Not to detract from your point, but it wouldn't affect home lines, so they'd
still be able to contact 911. As for cell phones, if someone, say, collapses
in public, I've witnessed 5+ people try to contact 911. The likelihood of
everyone having the same network and thus being knocked out is relatively low.

And finally, many doctors use pagers/beepers, which wouldn't necessarily be
knocked out in the same way a GSM network would.

But that's just me talking on a few details; I agree with you, it should
obviously be illegal and could be deadly.

~~~
derleth
> it wouldn't affect home lines, so they'd still be able to contact 911.

First: Land lines, not home lines. My home line is a cell phone. Many others
can say the same.

And this only helps when a land line is available, and when someone thinks to
use it. Being out in the boonies is an obvious failure mode, but the other
one, which can also be deadly, is people getting panicky and forgetting that
the phone what hooks to the wall can be used to make calls.

> As for cell phones, if someone, say, collapses in public, I've witnessed 5+
> people try to contact 911. The likelihood of everyone having the same
> network and thus being knocked out is relatively low.

Maybe I'm too used to living in the boonies, but I doubt most of the towns
I've been to have any more than one network for the entire community. Simply
not cost-effective to build-out in the flyover states.

> And finally, many doctors use pagers/beepers, which wouldn't necessarily be
> knocked out in the same way a GSM network would.

I know for a fact there are towns which are cell phone only as far as hospital
personnel are concerned. You're right that pagers would likely be immune to
this, but that only helps if they're actually being used.

~~~
dylangs1030
Good catch, I meant land lines.

When I said the same network, I probably should have said _network provider_
- I meant that if a GSM network is knocked out, odds are there's a CDMA
Verizon user in the bunch trying to call 911.

Good points all around.

