Slashdot Mirror


Fake GSM Base Station Trick Targets IPhones

mvar writes "While his Black Hat DC Conference demonstration was not flawless, a University of Luxembourg student on Wednesday did show that it's possible to trick iPhone users into joining a fake GSM network. Ralf-Philipp Weinmann showed how to cobble together a laptop using open-source software OpenBTS and other low-cost gear to create a fake GSM transmitter base station to locate iPhones in order to send their owners a message. A number of iPhone users in the room expressed surprise that they had gotten a message asking them to join the network. 'You want to get phones not just used by the teenage crowd but executives,' said Weinmann, adding that it is possible to 'have complete control of the phone.' Part of the reason these fake GSM network attacks are possible is because the code base used in smartphones such as the iPhone, which is Infineon-based, goes back to the 1990s."

  1. He added in the comments of the linked article by _0rm_ · · Score: 4, Informative

    The exploit he demonstrated has since been patched by Apple.

    --
    Boredom is bliss.
    1. Re:He added in the comments of the linked article by jgtg32a · · Score: 2

      What was the version that got patched? I'm a couple of updates behind.

    2. Re:He added in the comments of the linked article by Anonymous Coward · · Score: 3, Interesting

      You are missing the point. This is a chipset issue and just the tip of the iceberg. Apple can't patch this properly; it requires the chipset manufacturer to update their code, which is no easy process on a lot of devices. While the iPhone was the demo, you can bet that others are affected too.

    3. Re:He added in the comments of the linked article by _0rm_ · · Score: 2

      He didn't say. You can read his comment below the Twitter stuff on the article page.

      --
      Boredom is bliss.
    4. Re:He added in the comments of the linked article by Atti K. · · Score: 4, Informative

      Chipset issue and Apple issue too. No matter how crappy the baseband, it shouldn't be able to tell my phone to record audio and transmit it later. BTW, this kind of attack should be impossible on 3G, but I guess GSM will still be around for many years.

      --
      .sig: No such file or directory
    5. Re:He added in the comments of the linked article by sznupi · · Score: 2

      Every GSM phone I'm decently familiar with (including very basic ones) has the option of ignoring roaming requests / invitations...

      --
      One that hath name thou can not otter
    6. Re:He added in the comments of the linked article by sznupi · · Score: 2

      Choosing to ignore "lesser people" does help with that.. (funnily enough, while relying on them with manufacturing; meanwhile some other manufacturers can have half of their dozen plants in the EU, and one even quite close to Cupertino) as would possible free-riding on cellular R&D, we have to wait how this one ends.

      (but BTW they are not "the mobile phone manufacturer", that's something they also do)

      Overall, it's a fascinating thing to me - slashdotters are generally very quick to voice their contempt of investors, traders, stock market, etc.
      Except when worshiping valuations ... made by the very same people (who are blissfully unaware of what kind of monumental transformation is starting to happen to the world with 70+% - and rising - of its population already connected, typically for the first time; what kind of opportunities for investment will it bring, for one)

      --
      One that hath name thou can not otter
  2. All Phones? by tsj5j · · Score: 4, Interesting

    I had the impression that most, if not all, phones are vulnerable to this attack due to the inherent flaws in GSM.
    This is a rather old news article that has been reported multiple times.

    Why is it suddenly "news" again when someone discovers it works on the iPhone?
    And if you're on about targeting business users, won't a compromised Blackberry be as, if not more, significant?

    1. Re:All Phones? by MickyTheIdiot · · Score: 4, Insightful

      For the same reason your boss wants an iPhone instead of an Android-based phone... too many people are stuck on brand names. When a brand name gets attached to a story, holy mother of God, suddenly it's important.

    2. Re:All Phones? by davester666 · · Score: 4, Insightful

      Blackberry's are immune to all attacks because RIM is focused on selling to business, and they know that business cares about security.

      Apple isn't focused on business, they are focused on regular consumers, and consumers care about ease of use and not security.

      Therefore iPhones and virus-laden, malware-spouting candybar phones and Blackberry's are serious, productive work phones.

      --
      Sleep your way to a whiter smile...date a dentist!
    3. Re:All Phones? by ModernGeek · · Score: 2, Insightful

      Also, when is code inherently flawed because it "goes back to the 1990s"? IIRC, this flaw has to do with phones connecting to unencrypted GSM networks without warning. I, for one, am sick of this sensationalism. Where can I get some scientific news with the well-moderated discussion that will ensue?

      --
      Sig: I stole this sig.
    4. Re:All Phones? by Bill_the_Engineer · · Score: 2

      So you assume that executives can't be duped into installing PhoneSnoop onto a Blackberry. Also, what special phone protocol do these Blackberries use? I'd assume that the ones on T-Mobile and AT&T are GSM.

      Not to mention there is a PDF exploit in the Blackberry; it was announced last week on US-CERT.

      I think you've been blinded by your fanboism...

      --
      These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...
    5. Re:All Phones? by davester666 · · Score: 2

      And a whoosh to you sir.

      --
      Sleep your way to a whiter smile...date a dentist!
    6. Re:All Phones? by davester666 · · Score: 2

      Well, I would think this claim would make it obvious my post was ridiculous:

      "Blackberry's are immune to all attacks"

      --
      Sleep your way to a whiter smile...date a dentist!
    7. Re:All Phones? by idontgno · · Score: 2

      That's a good point, very often overlooked. But it can't be overlooked, really, when talking about the behaviors and desires of the management class. The dumbest things ever uttered were probably spoken in perfect and innocent sincerity by a PHB at some point in time.

      Too many are the times I've chuckled at the ridiculous and clearly humorous pronouncement of a manager, only to be greeted with a bewildered stare and a "What's so funny?".

      So, yeah, dumb stuff isn't always humor, and stuff like that makes an incredibly ineffective "whoosh".

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  3. Users clicking on things... by astern · · Score: 4, Interesting

    ... is always dangerous, but this goes beyond that.

    Much more than a legacy leftover, this remains a chipset and baseband issue, and goes much deeper than the application set.

    --
    If the world isn't beating a path to your door you're doing something wrong.
  4. It's only "news" because of iPhone? by perpenso · · Score: 4, Insightful

    I had the impression that most, if not all, phones are vulnerable to this attack due to the inherent flaws in GSM. This is a rather old news article that has been reported multiple times. Why is it suddenly "news" again when someone discovers it works on the iPhone? And if you're on about targeting business users, won't a compromised Blackberry be as, if not more, significant?

    It's only "news" because of iPhone. If you don't mention iPhone in your title or description, then your article/page will have fewer readers and your presentation will have fewer attendees. Basically, mentioning iPhone in your title is marketing, and even presentations have to be marketed.

  5. White hat by Stavr0 · · Score: 3, Funny
  6. Dead giveaway by 93 Escort Wagon · · Score: 3, Funny

    If you've joined a bogus network, your first text message will read "How are you gentlemen!!"

    --
    #DeleteChrome
  7. Not a chip issue, people... by Anonymous Coward · · Score: 5, Informative

    If I were Infineon (and I'm not, never have been affiliated with them), I would be hopping mad at being blamed for this kind of security flaw.

    It is a GSM flaw and it is a basic architectural/protocol flaw - not a hardware OR (strictly) software vulnerability.

    The problem is simple. GSM phones inherently trust GSM base stations to be authentic. A GSM phone has no way to validate the authenticity of an "alleged" base station. If the phone comes across a GSM BCH (broadcast channel) in its spectrum, and the BCH adheres to GSM protocol format, the phone accepts that the BCH is being transmitted by an authentic base station. There is nothing in the signal (messaging) that can be used to validate the base station's authenticity.

    This was changed in UMTS (aka 3G). In UMTS, the protocol by which a UMTS phone attaches to a UMTS base station includes MUTUAL authentication. The base station must cryptographically prove its authenticity or the phone will not associate with it. This authentication related cryptography is performed inside the SIM card (called USIM application in UMTS) -- the phone simply serves as courier - between the base station and the USIM. The USIM tells the phone whether it finds the base station's credentials to be acceptable. Since the base station is authenticating the USIM's credentials as well, the authentication is mutual. Both the USIM - AND- the base station (actually the core network behind the base station) have to find each others' credentials acceptable, or the phone will not attach.

    There is nothing Infineon or Apple or anyone else can do to "fix" this vulnerability in GSM. UMTS is the "fix".

    P.S. Turning femtocells into rogue base stations is theoretically possible -- it is up to the femtocell manufacturer to build safeguards into their designs to make this impossible (I know - I've worked on just such safeguard designs in a past life...)
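    The attach decision this comment contrasts (GSM trusts any well-formed broadcast channel; UMTS AKA makes the network prove knowledge of the USIM's key K before the phone attaches), as an added toy model that is not part of the original thread. HMAC-SHA256 stands in for the USIM's MILENAGE f1/f2 functions and the keys are constructed values, so it runs offline.

```python
import hmac
import hashlib
import secrets

# Constructed model of the GSM vs UMTS attach decision. HMAC-SHA256 is an
# assumption standing in for the 3GPP MILENAGE functions; it is not the real
# USIM algorithm, but the trust structure is the point being illustrated.


def f1_mac(k, rand, sqn, amf):
    """Network authentication MAC over RAND||SQN||AMF (stand-in for f1)."""
    return hmac.new(k, rand + sqn + amf, hashlib.sha256).digest()[:8]


def f2_res(k, rand):
    """Subscriber response RES / network-side XRES (stand-in for f2)."""
    return hmac.new(k, b"RES" + rand, hashlib.sha256).digest()[:8]


def gsm_attach(bch_well_formed):
    """GSM: a syntactically valid BCH is all the phone can check."""
    return bool(bch_well_formed)


def network_challenge(k, sqn):
    """Core network builds RAND and AUTN = SQN || AMF || MAC."""
    rand = secrets.token_bytes(16)
    amf = b"\x80\x00"
    return rand, sqn + amf + f1_mac(k, rand, sqn, amf)


def usim_verify(k, rand, autn, last_sqn):
    """USIM side: accept only if the MAC verifies under K and SQN is fresh."""
    sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
    if not hmac.compare_digest(mac, f1_mac(k, rand, sqn, amf)):
        return None  # base station could not prove it knows K
    if sqn <= last_sqn:
        return None  # replayed challenge
    return f2_res(k, rand)


def umts_attach(usim_k, network_k, sqn=b"\x00\x00\x00\x00\x00\x01",
                last_sqn=b"\x00" * 6):
    """Mutual authentication: both sides must accept each other's credentials."""
    rand, autn = network_challenge(network_k, sqn)
    res = usim_verify(usim_k, rand, autn, last_sqn)
    if res is None:
        return False  # phone refuses to associate
    # Network side compares RES with its own XRES computed under its key.
    return hmac.compare_digest(res, f2_res(network_k, rand))
```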

  8. This is not a protocol flaw, this is a business model by Vitus Wagner · · Score: 2

    There are a lot of people discussing "flaws" in GSM and "nice features" in UMTS, and no one mentioning the stupid truth.
    The problem is not in the protocols or the software. The problem is that operators think that they have the right to control user equipment.

    And when this equipment grows from a stupid phone into a full-featured computer, user privacy goes void.

    Do not be afraid of a rogue with a laptop; be afraid of the operator's insider.

    What would happen if the next generation of phones got direct brain interfaces? Would you allow operators to control your brain just like they now control your calendars and bookshelves?