The binary blobs are usually some variant of a homegrown RTOS system, written in C. Given the low end processors used, there is no isolation between processes (no MMU), and the complex 3G et al signalling has lots of nasty error paths and interrupt goodness.
Are there any fun phones (I assume in the US it would be illegal to sell one) with reprogrammable/more open baseband chips? Does anyone know anything about this topic? I would love to make this a hobby/obsession if there was a small place to enter this research outside of the industry.
There's one phone there where only the wifi is non-free. So my guess is turning off wifi gives you a totally free phone. This is an Openmoko phone, which is also an open hardware phone.
Regarding fun: I think you can't run the play store there - so you lose the google apps. And the phone we're talking about is weak - cortex-a8, 512MB.
EDIT: I also forgot to mention I was looking into this, but it means going back to the old phones. Still might be worth it.
That said, if you are just interested in the reverse engineering bits, most smartphones nowadays allow uploading new 'radio' images. So you can find a bunch of manufacturer firmware images for these baseband processors, with lots and lots of debug messages in them:
I'm not sure how those regulatory structures work in other countries. I'm sure it's mostly similar.
* the basestation will send an alert to the mobile phone ("contact me, I've got something for you")
* the mobile phone will request a channel ("hey, let's talk")
* the basestation will allocate a channel ("yo, talk here")
* the mobile phone will authenticate ("it's me, TMSI:xxxxx")
* the basestation will look up pending signalling ("oh, got something for ya")
That is the very rough outline of how GSM signalling works. My guess is that the basestation will clear the pending signalling for the mobile phone even if the authentication fails. So an attacker can pre-allocate a bunch of channels and then send spoofed auth messages to the basestation. The attacker won't be able to actually authenticate because they don't have the Ki (the GSM keys stored on the SIM). This is just a race condition, and it seems like it would be noisy for the telcos' ops center, which would receive a lot of alerts about failing authentication and call/SMS delivery failures.
I haven't read the paper, but that's a guess as to how it works. There are loads of ways to DoS the basestation. This doesn't seem that exciting.
They are doubtless using osmocom-bb, which is an open source baseband implementation for a number of older phones using an old baseband board. The implementation of the attack is not relevant to the attack itself. You could implement it with an SDR, or with osmocom-bb compatible boards, or whatever. It is still a race condition that they've figured out how to win.
The solution is simple. The network needs to maintain the "signals-pending table" entry for a mobile until it successfully authenticates, or the entry times out. If they are flushing the entry after an unsuccessful authentication attempt then it enables a DoS, such as this one. I still have a hard time believing this is how it actually works because it seems like the network is behaving incorrectly.
Also, since this is a race condition, it means that the exploit can't block all incoming calls.
Yes, but this way you can DoS a single receiver. So, my wife expecting a call from her lover? Well, we'll see about that... ;)
I would imagine that, like with your home network, cell phones have multiple addressing schemes in a network. So there's your phone number, but there's also some kind of network address that I have received from the carrier, and then probably some kind of address that refers to my connection with the tower.
I would assume that something similar to ARP goes on here. A message comes in for 415xxxxxxx, my phone. When AT&T gets it, they determine that phone number is network address 1234, and they have some system that says 1234 is currently in tower X. Tower X gets the message and broadcasts a request for the phone corresponding to device 1234. At this point, pirate device with tower address ABCD responds that it is, falsely, AT&T's 1234. The message is then sent to the phone whose address in tower space is ABCD. My phone was actually DEFG but I couldn't reply fast enough.
So, if this pirate phone responds to multiple requests, for multiple AT&T subscriber addresses, claiming to have all those addresses, can't the tower just cap it at like 3 addresses? After that can't it be determined to be a pirate device and disconnected from the network? If one device claims messages intended for more than 3 addresses, isn't it safe to say it's faulty or spoofing?
Where am I wrong here? It seems like this level of ability should be built into a protocol that requires recipients to identify themselves? Like if I issue an ARP request on my Ethernet network, and the same MAC address always comes back, that would be a detectable attack (assuming it was not my gateway). Isn't this the same principle?
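As an added illustration (not code from any commenter, and not a real GSM implementation), here is a toy model of the network-side "signals-pending table" discussed in the thread: the suspected weak policy that flushes an entry on a failed authentication, the suggested fix that keeps the entry until authentication succeeds or it times out, and the cap proposed just above on how many subscriber identities one responder may answer for. The TMSI/channel names, the 30-second timeout and the cap of 3 are constructed assumptions.

```python
from collections import defaultdict

class PagingTable:  # constructed model of a base station's pending-signalling table, not real GSM
    def __init__(self, flush_on_auth_failure, ttl=30.0, max_ids_per_responder=3):
        self.flush_on_auth_failure = flush_on_auth_failure  # True = the weak policy the thread suspects
        self.ttl = ttl                                      # seconds before a pending entry expires (assumed)
        self.max_ids = max_ids_per_responder                # cap proposed in the comment above (assumed value)
        self.pending = {}                                   # tmsi -> (payload, created_at)
        self.claims = defaultdict(set)                      # responder channel -> TMSIs it has answered for
        self.delivered = []                                 # (tmsi, responder, payload) actually delivered
        self.flagged = set()                                # responders that exceeded the cap

    def page(self, tmsi, payload, now):  # base station has something for `tmsi`
        self.pending[tmsi] = (payload, now)

    def expire(self, now):  # timeout half of the fix: drop entries older than ttl
        self.pending = {t: v for t, v in self.pending.items() if now - v[1] <= self.ttl}

    def respond(self, tmsi, responder, auth_ok, now):  # a mobile on `responder` answers the page
        self.expire(now)
        self.claims[responder].add(tmsi)
        if len(self.claims[responder]) > self.max_ids:
            self.flagged.add(responder)          # one radio answering for too many subscribers
            return "flagged"
        if tmsi not in self.pending:
            return "nothing-pending"
        if auth_ok:
            payload, _ = self.pending.pop(tmsi)  # entry cleared only on successful auth
            self.delivered.append((tmsi, responder, payload))
            return "delivered"
        if self.flush_on_auth_failure:
            self.pending.pop(tmsi)               # weak policy: a failed auth loses the entry
        return "auth-failed"

def race(flush_on_auth_failure):  # replays the race from the thread: wrong responder first, real phone second
    table = PagingTable(flush_on_auth_failure)
    table.page("tmsi-A", "incoming call", now=0.0)
    table.respond("tmsi-A", responder="ch-ABCD", auth_ok=False, now=0.1)  # cannot pass auth (no Ki)
    outcome = table.respond("tmsi-A", responder="ch-DEFG", auth_ok=True, now=0.2)  # the real phone
    return outcome, len(table.delivered)

def many_identities():  # one responder answering pages for four different TMSIs trips the cap
    table = PagingTable(flush_on_auth_failure=False)
    for i in range(4):
        table.page(f"tmsi-{i}", "sms", now=0.0)
    results = [table.respond(f"tmsi-{i}", "ch-ABCD", False, now=0.1) for i in range(4)]
    return results, sorted(table.flagged)
```

With the flush policy `race(True)` loses the call ("nothing-pending"); with the fix `race(False)` still delivers it to the phone that actually authenticates.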
Modifying them to intercept calls/SMS is more threatening, especially as GSM and SMS look like attractive protocols for doing mobile apps and payments in "developing" areas.
I know that Verizon here in the US registers the ESN/MEID of the device itself for service provisioning (with a SIM only being used for GSM roaming and LTE).
I would guess that CDMA doesn't have to 'page' to find the right phone (though it might ping to see if it's still connected / in range) as the phone's ID is already associated with the number (no need to query a SIM).
Someone who's on-call isn't always at the hospital. They might well be across town, within a certain range as dictated by maximum response time; that is, they can be anywhere within fifteen minutes' travel to the hospital once they've been called. Of course, if they don't get the call, or get the call late, that could mean someone's life.
There's an actual, articulable reason shit like this is illegal, and it isn't just arbitrary FCC bullshit. Being annoyed at cell phone calls isn't worth someone's life.
And finally, many doctors use pagers/beepers, which wouldn't necessarily be knocked out in the same way a GSM network would.
But that's just me talking on a few details; I agree with you, it should obviously be illegal and could be deadly.
First: Land lines, not home lines. My home line is a cell phone. Many others can say the same.
And this only helps when a land line is available, and when someone thinks to use it. Being out in the boonies is an obvious failure mode, but the other one, which can also be deadly, is people getting panicky and forgetting that the phone what hooks to the wall can be used to make calls.
> As for cell phones, if someone, say, collapses in public, I've witnessed 5+ people try to contact 911. The likelihood of everyone having the same network and thus being knocked out is relatively low.
Maybe I'm too used to living in the boonies, but I doubt most of the towns I've been to have any more than one network for the entire community. Simply not cost-effective to build-out in the flyover states.
> And finally, many doctors use pagers/beepers, which wouldn't necessarily be knocked out in the same way a GSM network would.
I know for a fact there are towns which are cell phone only as far as hospital personnel are concerned. You're right that pagers would likely be immune to this, but that only helps if they're actually being used.
When I said the same network, I probably should have said network provider - I meant that if a GSM network is knocked out, odds are there's a CDMA Verizon user in the bunch trying to call 911.
Good points all around.
It should affect all network-initiated communications though, including push notifications.