Fake GSM Base Station Trick Targets iPhones

Posted by CmdrTaco
from the but-he-was-wearing-a-hat dept.
mvar writes "While his Black Hat DC Conference demonstration was not flawless, a University of Luxembourg student on Wednesday did show that it's possible to trick iPhone users into joining a fake GSM network. Ralf-Philipp Weinmann showed how to cobble together a laptop using open-source software OpenBTS and other low-cost gear to create a fake GSM transmitter base station to locate iPhones in order to send their owners a message. A number of iPhone users in the room expressed surprise that they had gotten a message asking them to join the network. 'You want to get phones not just used by the teenage crowd but executives,' said Weinmann, adding that it is possible to 'have complete control of the phone.' Part of the reason these fake GSM network attacks are possible is because the code base used in smartphones such as the iPhone, which is Infineon-based, goes back to the 1990s."
  • by _0rm_ (1638559) on Thursday January 20, 2011 @12:24PM (#34941530) Journal
    The exploit he demonstrated has since been patched by Apple.
  • by Atti K. (1169503) on Thursday January 20, 2011 @01:08PM (#34942150)
    Chipset issue and Apple issue too. No matter how crappy the baseband, it shouldn't be able to tell my phone to record audio and transmit it later. BTW, this kind of attack should be impossible on 3G, but I guess GSM will still be around for many years.
  • by Anonymous Coward on Thursday January 20, 2011 @05:40PM (#34945818)

    If I were Infineon (and I'm not, never have been affiliated with them), I would be hopping mad at being blamed for this kind of security flaw.

    It is a GSM flaw and it is a basic architectural/protocol flaw - not a hardware OR (strictly) software vulnerability.

    The problem is simple. GSM phones inherently trust GSM base stations to be authentic. A GSM phone has no way to validate the authenticity of an "alleged" base station. If the phone comes across a GSM BCH (broadcast channel) in its spectrum, and the BCH adheres to GSM protocol format, the phone accepts that the BCH is being transmitted by an authentic base station. There is nothing in the signal (messaging) that can be used to validate the base station's authenticity.

    This was changed in UMTS (aka 3G). In UMTS, the protocol by which a UMTS phone attaches to a UMTS base station includes MUTUAL authentication. The base station must cryptographically prove its authenticity or the phone will not associate with it. This authentication-related cryptography is performed inside the SIM card (called the USIM application in UMTS); the phone simply serves as a courier between the base station and the USIM. The USIM tells the phone whether it finds the base station's credentials to be acceptable. Since the base station is authenticating the USIM's credentials as well, the authentication is mutual. Both the USIM AND the base station (actually the core network behind the base station) have to find each other's credentials acceptable, or the phone will not attach.

    There is nothing Infineon or Apple or anyone else can do to "fix" this vulnerability in GSM. UMTS is the "fix".

    P.S. Turning femtocells into rogue base stations is theoretically possible -- it is up to the femtocell manufacturer to build safeguards into their designs to make this impossible (I know - I've worked on just such safeguard designs in a past life...)
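The contrast the comment above draws (a GSM phone camps on any well-formed broadcast channel; a UMTS phone attaches only after the USIM has checked the network's AUTN and the network has checked the USIM's RES) is shown below as an added example. This is not code from the page, the commenter, or any 3GPP implementation. It follows the AKA message layout of 3GPP TS 33.102 (AUTN = SQN xor AK || AMF || MAC-A, 6 + 2 + 8 bytes), but the functions f1 to f5 are HMAC-SHA256 stand-ins for the real AES-based Milenage algorithms, and the class and field names are this example's own. The rogue station is modelled as a core network that does not hold the subscriber key K; a second case replays a captured vector to show the sequence-number check.

```python
import hashlib
import hmac
import os

# Toy stand-ins for Milenage f1..f5 (assumption: HMAC-SHA256 truncations, not the
# real AES-based functions). Only the shape of the exchange matters here.
def _prf(k: bytes, tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()

def f1(k, rand, sqn, amf): return _prf(k, b"f1", rand, sqn, amf)[:8]   # MAC-A
def f2(k, rand): return _prf(k, b"f2", rand)[:8]                       # RES / XRES
def f3(k, rand): return _prf(k, b"f3", rand)[:16]                      # CK
def f4(k, rand): return _prf(k, b"f4", rand)[:16]                      # IK
def f5(k, rand): return _prf(k, b"f5", rand)[:6]                       # AK

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class GsmPhone:
    """GSM behaviour described in the comment: there is nothing in the broadcast
    channel that can be validated, so any syntactically valid BCCH is accepted."""
    def camp(self, bcch: dict) -> bool:
        return "mcc" in bcch and "mnc" in bcch


class Usim:
    """USIM side of UMTS AKA: checks MAC-A (proves the network holds K) and SQN
    freshness (rejects replayed vectors) before releasing RES, CK and IK."""
    def __init__(self, k: bytes):
        self.k = k
        self.sqn_ms = 0  # highest sequence number accepted so far

    def authenticate(self, rand: bytes, autn: bytes):
        sqn_ak, amf, mac_a = autn[:6], autn[6:8], autn[8:16]
        sqn = xor(sqn_ak, f5(self.k, rand))
        if not hmac.compare_digest(mac_a, f1(self.k, rand, sqn, amf)):
            raise ValueError("MAC failure: network does not hold K")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_ms:
            raise ValueError("synchronisation failure: replayed AUTN")
        self.sqn_ms = sqn_int
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


class CoreNetwork:
    """HLR/AuC side: generates authentication vectors from the subscriber key."""
    def __init__(self, k: bytes):
        self.k = k
        self.sqn_he = 0

    def auth_vector(self):
        self.sqn_he += 1
        rand = os.urandom(16)
        sqn = self.sqn_he.to_bytes(6, "big")
        amf = b"\x80\x00"
        autn = xor(sqn, f5(self.k, rand)) + amf + f1(self.k, rand, sqn, amf)
        return rand, autn, f2(self.k, rand)


def umts_attach(network: CoreNetwork, usim: Usim, vector=None):
    """One AKA run; the phone only relays. Returns (accepted, reason)."""
    rand, autn, xres = vector if vector is not None else network.auth_vector()
    try:
        res, ck, ik = usim.authenticate(rand, autn)   # network -> USIM check
    except ValueError as e:
        return False, str(e)
    if not hmac.compare_digest(res, xres):             # USIM -> network check
        return False, "network rejects USIM"
    return True, "mutual auth ok"


def demo() -> dict:
    """Constructed scenario: one subscriber, its home network, and a rogue
    station that does not know K."""
    k = os.urandom(16)
    usim, home, rogue = Usim(k), CoreNetwork(k), CoreNetwork(os.urandom(16))
    results = {}
    results["gsm_rogue"] = GsmPhone().camp({"mcc": "001", "mnc": "01"})  # accepted blindly
    captured = home.auth_vector()
    results["umts_home"] = umts_attach(home, usim, captured)
    results["umts_rogue"] = umts_attach(rogue, usim)
    results["umts_replay"] = umts_attach(rogue, usim, captured)          # replay of a real vector
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The USIM never learns or needs the network's identity; it only checks that whoever generated AUTN holds K and is not replaying. That is why the comment can say the phone "simply serves as courier". The practical caveat for the thread's "impossible on 3G" point is that the check only runs when the phone actually performs UMTS AKA: a rogue station that advertises GSM only, against a handset configured to fall back to 2G, never reaches this exchange.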
