GSM security bypass demonstrated as trivial

There are significant security threats posed by the possibility of an attacker eavesdropping on and recording GSM calls.
In Chris Paget's presentation at Defcon, he demonstrated how to attack GSM by intercepting and recording calls made during his presentation. Paget's setup used a software-defined radio with a couple of antennas to act as the cell tower, plus a laptop running OpenBTS and Asterisk. With it, he was able to spoof a cell phone network, intercept and record calls made by a 2G GSM handset, and potentially mount a denial-of-service attack by refusing to route the calls of any handset connected to his tower. The demonstration also showed the rogue tower instructing a handset not to use encryption at all. This works because GSM authenticates the subscriber to the network but never the network to the subscriber, so the handset accepts whatever cipher the tower selects. Paget also pointed out that the A5/1 cipher itself has been broken, so even a 2G call that is encrypted can be recovered. The handset could warn the user that he or she is connecting without encryption or to a rogue cell tower, but the cell providers have disabled those warnings.
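As an added example (not code from Paget's demonstration or from the article), the following Python models the check a handset could perform if the ciphering and rogue-tower warning that providers disable were switched on. It audits a constructed trace of network registrations for a cipher downgrade to A5/0 or A5/2, an unknown cell advertising a known operator's network, and an unusually strong signal. It assumes the baseband reports the selected cipher, cell identity and signal level; the baseline of known cells, the trace, and the -55 dBm alarm threshold are constructed for the example.

```python
"""Model of the ciphering and rogue-tower warning a GSM handset could raise.

Added example: this is not code from Paget's demonstration or from the
article. The registration trace and the baseline of known cells are
constructed, and the assumption is that the baseband reports the selected
cipher, cell identity and signal level (real handsets expose this only
through diagnostic interfaces).
"""
from dataclasses import dataclass

# Relative strength of the ciphers a 2G network can select in its Cipher
# Mode Command. The network chooses and the handset obeys: GSM authenticates
# the subscriber to the network but never the network to the subscriber, so
# a rogue tower can select A5/0 (no encryption) without being challenged.
CIPHER_STRENGTH = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}


@dataclass(frozen=True)
class CellObservation:
    """One registration as the baseband might report it (modeled)."""
    mcc: str        # mobile country code
    mnc: str        # mobile network code
    lac: int        # location area code
    cell_id: int
    cipher: str     # algorithm the network selected, e.g. "A5/0"
    rxlev_dbm: int  # received signal level in dBm


def audit_registrations(observations, known_cells, rxlev_alarm_dbm=-55):
    """Return (index, warning) pairs for registrations a handset should flag.

    known_cells: set of (mcc, mnc, lac, cell_id) tuples the handset has camped
    on before. A rogue tower normally advertises the victim's own PLMN
    (mcc/mnc), so an unknown cell on a known PLMN is the interesting case.
    """
    warnings = []
    previous = None
    for i, obs in enumerate(observations):
        strength = CIPHER_STRENGTH.get(obs.cipher)
        if strength is None:
            warnings.append((i, f"unknown cipher {obs.cipher!r}"))
        elif strength == 0:
            warnings.append((i, "no encryption (A5/0): call can be recorded"))
        elif strength == 1:
            warnings.append((i, "A5/2 selected: export cipher, broken in real time"))

        # A tower that forces a weaker cipher than the one used moments ago
        # is the classic downgrade pattern.
        if previous is not None and strength is not None:
            prev_strength = CIPHER_STRENGTH.get(previous.cipher)
            if prev_strength is not None and strength < prev_strength:
                warnings.append((i, f"cipher downgrade {previous.cipher} -> {obs.cipher}"))

        key = (obs.mcc, obs.mnc, obs.lac, obs.cell_id)
        same_plmn = {c for c in known_cells if c[:2] == (obs.mcc, obs.mnc)}
        if same_plmn and key not in same_plmn:
            warnings.append((i, f"unknown cell LAC {obs.lac} CID {obs.cell_id} claiming PLMN {obs.mcc}{obs.mnc}"))

        # A rogue tower is usually close and loud compared with real cells.
        if obs.rxlev_dbm > rxlev_alarm_dbm:
            warnings.append((i, f"unusually strong signal {obs.rxlev_dbm} dBm"))

        previous = obs
    return warnings


# Constructed baseline and trace using the test PLMN 001/01.
KNOWN_CELLS = {("001", "01", 4021, 71235), ("001", "01", 4021, 71240)}
TRACE = [
    CellObservation("001", "01", 4021, 71235, "A5/1", -87),  # normal camping
    CellObservation("001", "01", 4021, 71240, "A5/1", -79),  # ordinary reselection
    CellObservation("001", "01", 1, 1, "A5/0", -42),         # rogue tower (modeled)
]

if __name__ == "__main__":
    for index, text in audit_registrations(TRACE, KNOWN_CELLS):
        print(f"registration {index}: {text}")
```

Run on the constructed trace, the first two registrations pass and the third produces four warnings: no encryption, a downgrade from A5/1, an unknown cell on the known PLMN, and an abnormally strong signal. Each of those is visible to the handset at registration time, which is the point Paget made about warnings the providers chose to turn off.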
Security threats from the GSM attack
There are significant security threats posed by the possibility of an attacker eavesdropping on and recording GSM calls. Because users frequently discuss sensitive data or even reset passwords via their mobile handsets, all the while assuming their calls are secure, attackers could easily record information such as credit card numbers, intellectual property or SSNs that users discuss. This basic assumption -- that the voice call is secure -- was not necessarily true even prior to this new attack, but the simplicity and low cost of Paget's attacks make these new cell phone threats much more serious.
Probably the most harm that could be done by a GSM attack would be a form of a denial-of-service (DoS) attack: getting GSM phones to connect to a malicious cell tower and then not routing their calls. This could have a particularly tragic effect in emergency situations if the malicious tower prevented calls to 911 or other services from getting through.
The same attack could also be used in a targeted fashion for many types of criminal activity, such as monitoring a stockbroker's cell phone for insider trading information or a lawyer's conversation with a client, or for any other invasion of someone's privacy.
GSM attacks: Enterprise defense strategy
Enterprises using GSM handsets should, first and foremost, be aware of these potential attacks and pressure their cell phone providers to migrate to more secure encryption for GSM and more secure default configurations of handsets. This could be done by writing provisions into contracts or service-level agreements with providers requiring that secure GSM handsets be used and securely configured, or that insecure settings, like 2G, be disabled. Demanding only phones that support more secure protocols gives cellular providers a financial incentive to support those protocols on all of the cellular networks you use. Enterprises should also include basic security awareness training for high-security users, including how their cell phone calls could be at risk and the importance of not discussing sensitive information over the phone.
Other practical measures to protect against these attacks include using 3G or newer phones. 3G networks authenticate the network to the handset as well as the handset to the network, and use stronger cryptography, so a rogue tower cannot simply impersonate the carrier the way it can on 2G. One caveat: handsets fall back to 2G wherever 3G coverage is absent or deliberately jammed, so that protection holds only while the phone actually stays on 3G. If yours is a high-security environment, you probably already have some sort of voice privacy system set up for end-to-end encryption because of the inherent security risks of using a wireless shared infrastructure. If you don't have a voice privacy system, when setting one up, ensure voice and data traffic are securely encrypted and transported end-to-end over the wireless shared infrastructure to guarantee the confidentiality of the voice or data of high-risk users. Paget mentions that some cell providers do offer additional encryption options for voice and SMS to protect against these attacks, which enterprises can also consider.
To limit the damage if an attacker captures a password read out over the phone, the password-reset system should issue temporary passwords that expire quickly, can be used only once, and must be replaced by a new password the moment they are used. Lastly, enterprises should have a traditional, hard-wired voice phone available for emergencies in case there are any problems establishing a secure GSM connection with the cellular network.
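To show what the reset requirement above looks like in practice, here is an added example (not the article's or any vendor's system) of a temporary-password flow: the temporary password can be used once, expires after an assumed 15 minutes, and grants nothing but the right to set a new password. An eavesdropper who hears it read out and replays it after the user has used it is rejected, and an attacker who uses it first locks the legitimate user out, which surfaces the compromise. The PBKDF2 parameters, the 12-character minimum, the injected clock and the in-memory store are assumptions made for the example.

```python
"""Temporary password that is single-use, short-lived and forces a change.

Added example, not the article's or any product's reset system. Assumptions:
a 15-minute lifetime, PBKDF2-SHA256 with 100,000 iterations, a 12-character
minimum for the replacement password, an injected clock so the flow runs
deterministically, and in-memory user records.
"""
import hashlib
import hmac
import secrets

TEMP_PASSWORD_TTL_S = 15 * 60  # assumed lifetime of a temporary password
PBKDF2_ITERATIONS = 100_000    # assumed work factor


class ResetError(Exception):
    """Any rejected step of the reset flow."""


class PasswordResetService:
    def __init__(self, clock):
        self._clock = clock         # callable returning seconds
        self._temp = {}             # user -> (salt, digest, expires_at)
        self._must_change = set()   # users allowed only to set a new password
        self._passwords = {}        # user -> (salt, digest)

    @staticmethod
    def _hash(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)

    def issue_temporary(self, user):
        """Create the temporary password that the help desk reads to the user."""
        temp = secrets.token_urlsafe(9)
        salt = secrets.token_bytes(16)
        self._temp[user] = (salt, self._hash(temp, salt), self._clock() + TEMP_PASSWORD_TTL_S)
        return temp

    def use_temporary(self, user, temp):
        """Consume the temporary password; success grants only the right to set a new one."""
        record = self._temp.get(user)
        if record is None:
            raise ResetError("no outstanding temporary password")
        salt, digest, expires_at = record
        if self._clock() > expires_at:
            del self._temp[user]
            raise ResetError("temporary password expired")
        if not hmac.compare_digest(self._hash(temp, salt), digest):
            raise ResetError("wrong temporary password")
        del self._temp[user]   # single use: an eavesdropper replaying it later fails
        self._must_change.add(user)
        return True

    def set_new_password(self, user, new_password):
        """Only a user who just consumed a temporary password may call this."""
        if user not in self._must_change:
            raise ResetError("no pending password change")
        if len(new_password) < 12:
            raise ResetError("new password too short")
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, self._hash(new_password, salt))
        self._must_change.discard(user)
        return True

    def login(self, user, password):
        """Normal login; blocked while a forced change is pending."""
        if user in self._must_change:
            raise ResetError("password change required before login")
        record = self._passwords.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(self._hash(password, salt), digest)


def outcome(action, *args):
    """Run one step and report 'ok' or the rejection reason (for demos and tests)."""
    try:
        action(*args)
        return "ok"
    except ResetError as exc:
        return str(exc)


if __name__ == "__main__":
    now = [1_000.0]
    svc = PasswordResetService(lambda: now[0])
    temp = svc.issue_temporary("alice")       # read to Alice over a 2G call
    print("alice uses temp:      ", outcome(svc.use_temporary, "alice", temp))
    print("eavesdropper replays: ", outcome(svc.use_temporary, "alice", temp))
    print("login before change:  ", outcome(svc.login, "alice", "anything"))
    print("alice sets new pw:    ", outcome(svc.set_new_password, "alice", "correct horse battery"))
    print("alice logs in:        ", svc.login("alice", "correct horse battery"))
```

The design choice worth noting is that consuming the temporary password grants no session at all, only the right to call `set_new_password`; a normal login is refused until that happens, so the captured value never becomes a usable credential on its own.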
Enterprises must be aware that the cell network can be successfully attacked and A5/1 encryption compromised, as that encryption has been broken for several years, making it trivial to eavesdrop on or record GSM calls. With this in mind, enterprises should consider migrating to more secure platforms, such as 3G, instituting user awareness training, or implementing voice privacy systems in high-security environments.
About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large public Midwestern university, responsible for the risk management program, and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.
This was first published in October 2010