4

This answer to a similar topic describes in a detailed way how vulnerable SMS and voice calls are in terms of decryption. In order to do so, an attacker needs to set up a fake base station located relatively close to the victim's device.

Assuming this scenario, I have the following questions:

  • Is the attacker able to intercept only traffic FROM the mobile phone or also TO the mobile phone? I would imagine that a carrier does not forward SMS or voice calls intended for the victim's device to a fake base station as he knows which base stations belong to his network, isn't it?
  • How does the integration of the fake base station into acarrier's network work? I'd assume that there has to be some sort of authentication?
pfust75
  • 425
  • 7
  • 9
  • I believe you are talking about the Stingray systems. The concept was demonstrated by white-hat hackers at DEFCON. You can read about it here: https://security.stackexchange.com/questions/157316/gsm-encryption-suppression/160390#160390 – SDsolar Jun 25 '17 at 00:53

2 Answers2

3

This video demonstrates the fake base station attack.

To answer your first question, yes, it does go both ways (I'm pretty sure) (see edit and comment below). The device is in the best place to determine the most efficient communication path (that is, the nearest base station); therefore, it makes sense that the network would use the cell phone's nearest station to send communications on. (see edit below)

The fake station can communicate with another real station to complete the network connection (to be over the top, you could also make your own satellite link). It does make sense that stations would have to be authenticated, but this is apparently not the case (see video). It seems that the fake base station actually integrates pretty seamlessly.

Edit: According to the comment below, intercepting an inbound call is actually more difficult for cryptographic reasons. My guess is that the real base station gets to determine the encryption in this case, not the fake one (don't quote me on this).

mmdemirbas
  • 109
  • 3
jtpereyda
  • 1,500
  • 2
  • 16
  • 26
  • 1
    The defcon demonstration videos are quite useful! In video 4/4 it's clearly said that outbound calls are **much** easier to catch than inbound calls. The Secret Key of the SIM card has to be cracked in order to authenticate the fake base station to the carrier's network. That is neccessary if you want to intercept inbound calls. At the time of the video (2010), only professional IMSI catcher are able to handle this. I assume that this is the same for incoming SMS. – pfust75 Feb 19 '12 at 09:36
  • By the way, according to the defcon video intercepting SMS and voice calls is only easily possible on GSM. So if you can, choose 3G or higher and you should be safe. – pfust75 Feb 19 '12 at 09:46
0

Yes GSM is vulnerable locally but it is not worthwhile anymore because there are differential packet prepending rules which will cycle pseudorandomly per device now. Why do an exploit for only one message and then take a chance that the next dozen messages or so will most likely set off an alert and/or get stiffarmed at the base station level?

Recently we had a guy in Austin who SMS spammed along the main drag for a week or so thinking he was going to spam real estate ads and local club scene stuff. That dipsheets visa was yanked asap plus his prior employers had to answer for some of the tools he had on his laptop. There are so many providers in the field surveying, etc. it is not the wild west anymore.

As a side note, carriers have been frustrated with the number of complaints about messaging spam in general and have segregated a majority of that messaging traffic. I think Savis Systems made an aggregator that put an end to a lot of this SMS hijinx last summer anyway...

Hope that helps,

iceberg

mmdemirbas
  • 109
  • 3