Yesterday at the 28th Chaos Communications Congress (28C3), in Berlin, security researchers along with Karsten Nohl and Luca Melette showcased a number of flaws and solutions in GSM mobile phone networks.
Defeating GSM encryption is not new. Nohl and Melette detailed how attackers can use known network control messages to help decrypt SMS traffic and recover the TMSI, a temporary ID assigned to every device on the network. Acquiring a TMSI lets an attacker pretend to be the victim’s mobile phone. This is useful for signing up somebody’s phone for SMS subscription services or other premium-rate SMS fraud.
Mitigating the attack requires mobile networks to implement certain techniques that prevent the encrypting of known messages, avoiding known plain-text attacks. Making the changes can require new GSM network hardware, which carriers may have to delay due to expense.
The duo also mentioned how the use of IMSI catchers–monitoring devices used by law enforcement–by criminals is leaving mobile users at risk. Crooks can now attain relatively cheaply the same hardware tools that police use to emulate cell towers.
An additional technique used to locate mobile phones is the so-called Silent SMS. These messages are silently ignored by the majority of mobile phones and give no indication to the user. But the messages leave trails in customer service records, the logs kept by mobile carriers, and allow monitors to correlate a mobile phone’s location with that of cell towers.
Our presenters have developed free software, CatcherCatcher, which detects features used by IMSI catchers that regular cell towers don’t use. The GSM security map, a site that uses data from the CatcherCatcher tool, helps to track unauthorized mobile phone monitoring.