26C3: Playing with the GSM RF interface
December 29, 2009
Posted by on
Doing tricks with a mobile phone
This talk will show what can be done by taking control of the GSM RF part of a mobile phone, for example performing a DoS attack to the GSM network or using the phone as a sniffing device.
If the RF hardware of a mobile phone can be controlled, lots of things are possible, for example:
- Sending continuous Channel Request which can lead to a huge load for a GSM cell and could be considered as a DoS attack to the GSM network.
- Use a mobile phone as a cheap GSM receiver for sniffing the air traffic somehow similar to what can be done with the USRP.
Motivation for playing with GSM
The GSM network has been in use in Germany since 1992 and hasn’t been well researched until recently. It was always the case that access to GSM equipment was restricted. Now the game has changed. Second hand GSM equipment is easily available, OpenBTS, OpenBCS, etc…. the documentation behind GSM is also now public (but is very extensive)
- Hardware based on USRP
- Air Interface (Um) is a software defined radio
- Does not model classic GSM architecture, but uses a direct Um-to-SIP
- Implements the Abis protocol plus MSC/MSC/HLR
- Supports the Siemens BS11 microBTS
- Supports ip.access nanoBTS
- Used to run the 26C3 network using 4 nanoBTS units
The nanoBTS is much smaller and more modern than the 10 year old Siemens BS11 unit.
- Passively sniff the GSM Air Interface
- Based on USRP and GNU Radio
- Analyze protocols with Wireshark
What about an “open” phone
- Project Blacksphere for Nokia DCT3 phone – No longer active ?
- TSM30, based on the TI Calypso GSM chipset – source code available on the internet
- Can be used to sniff the air traffic
- Could be used to perform DoS on the GSM network
- Openmoko GTA01/02: GSM modem based on TI Calypso
- The software is open-source, but the GSM modem is still closed
- Future plans: Take a GSM RF-Transceiver and Baseband chip, connect it to a DSP/FPGA board
- Truly open
- Very long term
- Spanish phone (about 6 years old)
- GSM, GPRS, WAP
- TI Calypso chipset – leaked documents can be found
- Firmware is written in C – no source code for the DSP
Sniffing the air traffic
The TSM30 provides the chance to extract digitally converted traffic, however issues of extracting the data (1 MByte per second) from the phone need to be worked out. As there is no fast data transfer this is currently an issue. Tests with 1 second of audio have been tested and work as expected.
- By sending continuous RASH requests you can use up available channels on the BTS
- Makes it difficult for phones to access the cell
- Phones might switch to another cell
- Useful for specifically targeting a location, but not a general wide-spread DoS
- No 100% guarantee
- Theory known for sometime, but never demonstrated
- Even a phone without a SIM can perform the attack
- Hard to track
- Protection against the attack would require a complete rewrite of how GSM functions
One useful purpose for the attack, is performing a DoS against the cell and implement a rogue point to capture user information when phones attempt to register to another available BTS.
A demonstration of the DoS using the 25C6 conference GSM network (nanoBTS and OpenBTS)
More information can be found on the CCC wiki.