
I have a friend who says that he can take down anyone's mobile data connection, and one day he did it while I was in the tram with him. Is it possible that someone can DDoS your mobile data connection, or hijack it or something?

Anders
Shariq Musharaf

2 Answers

I already answered this for WiFi.

Please read my cleaned-up version of this if you're less interested in how WiFi and cellular networks compare here, but only in the attack surface.

A lot of the things said there still apply here; I'll reduce the list to the ones that also apply to GSM/other mobile network standards:

  • Physical layer attacks: Simply jam the frequency spectrum with your own signal. That signal might just be noise, but it might also be a ~~WiFi~~ network base station of your own under heavy load, with the nodes in that ~~WiFi~~ mobile network being configured not to play nice with others. (depending on the ~~WiFi~~ mobile terminal chipset, that can be extremely easy) Spectrum can only be used once!
    Tool: noise source (e.g. Gunn diode, SDR device), or normal AP
  • Electromagnetic sledgehammer: EMI gun. Take microwave oven oscillator, attach directive antenna, pray you don't cook someone's (your) brain, and point in the rough direction of the access point. Poof!
    Tool: Microwave oven, some sheet metal, lack of regard for other people's property and own health, or extended RF knowledge
  • MAC and Network layer attacks: Especially for networks using ~~WEP~~ A5/1 (no one should be using this anymore, but sadly...) it's easy to ~~forge what is called deauthentication packets – and thus, to throw out stations from your WiFi.~~ decrypt GSM calls and fake base station knowledge
    Tool: ~~Aircrack-NG's aireplay~~ SDR+software base station, or hardware base station, or modified phones.
  • Targeted jamming: As opposed to simply occupying the channel with noise or your own ~~WiFi~~ mobile network, you can also build a device that listens for typical WiFi packets' beginnings (preambles), and then, just shortly, interferes. Or just sends fake preambles periodically, or especially when it's silent. That way, you can corrupt selected packets, or fake channel occupancy.
    Tool: Commodity off-the-shelf SDR
  • Authentication attacks: at some point, even "proper" clients for your ~~WiFi~~ mobile network need to register with the ~~WiFi~~ mobile network. That mechanism can of course be forced to its knees by simply sending hundreds of authentication requests every second, from randomly generated ~~MAC addresses~~ hardware IDs/IMEIs, or even from MAC addresses of clients you know (by observation) exist. There's no solution to the problem for the ~~AP~~ base station – either it succumbs to the overload of ~~auth~~ network registration ~~packets~~ requests, or it starts blocking out legitimate users.
    Tool: ~~your network card~~ a cheap mobile phone under your hardware control, 10 lines of bash scripting
  • Man-in-the-Middling / ~~access point~~ base station spoofing: ~~With anything short of WPA(2)-Enterprise, nothing proves that the access point calling itself "Toduas AP" is actually your Access Point.~~ You might have heard of "Stingrays". If not, google is your friend. Simply operating a slightly higher-powered ~~access point~~ base station with the same ID string and, if necessary at all, a faked ~~AP MAC address (trivial, since just a setting)~~ operator identity, will "pull" clients away from your ~~access point~~ real network. Of course, if the spoofing ~~Access Point~~ base station doesn't know the ~~password~~ secret keys of the network operator (only necessary if >2G), users might quickly notice (or they don't); however, noticing things don't work is nice, but doesn't help them.
    Tool: ~~a random normal access point~~ any implementation of a base station. They're not expensive.

You have to realize that it's a privilege, not a right, to have your WiFi use a channel. WiFi happens in the so-called ISM bands (Industrial, Scientific, Medical usage), where operators of transmitters don't have to have an explicit license. That means it's OK for everyone to use that spectrum, as long as they don't intentionally harm other devices and are not easily damaged by interference.

So, it's absolutely legal for someone to operate a high-definition digital camera stream that occupies the whole WiFi channel. That will effectively shut down your WiFi.

Of course, it's illegal to interfere with mobile network operation. Illegality doesn't mean impossibility or a high probability of legal consequences for the attacker.

If you need something that no-one can mess with, wireless is, by definition, not the way to go.

Marcus Müller

(Cleaned-up version of my answer that demonstrates which of the WiFi attacks apply to mobile networks, too):

  • Physical layer attacks: Simply jam the frequency spectrum with your own signal. That signal might just be noise, but it might also be a network base station of your own under heavy load, with the nodes in that mobile network being configured not to play nice with others. (depending on the mobile terminal chipset, that can be extremely easy) Spectrum can only be used once!
    Tool: noise source (e.g. Gunn diode, SDR device), or normal AP
  • Electromagnetic sledgehammer: EMI gun. Take microwave oven oscillator, attach directive antenna, pray you don't cook someone's (your) brain, and point in the rough direction of the access point. Poof!
    Tool: Microwave oven, some sheet metal, lack of regard for other people's property and own health, or extended RF knowledge
  • MAC and Network layer attacks: Especially for networks using A5/1 (no one should be using this anymore, but sadly...) it's easy to decrypt GSM calls and fake base station knowledge
    Tool: SDR+software base station, or hardware base station, or modified phones.
  • Targeted jamming: As opposed to simply occupying the channel with noise or your own mobile network, you can also build a device that listens for typical WiFi packets' beginnings (preambles), and then, just shortly, interferes. Or just sends fake preambles periodically, or especially when it's silent. That way, you can corrupt selected packets, or fake channel occupancy.
  • Authentication attacks: at some point, even "proper" clients for your mobile network need to register with the mobile network. That mechanism can of course be forced to its knees by simply sending hundreds of authentication requests every second, from randomly generated hardware IDs/IMEIs, or even from MAC addresses of clients you know (by observation) exist. There's no solution to the problem for the base station – either it succumbs to the overload of network registration requests, or it starts blocking out legitimate users.
    Tool: one or a couple of cheap mobile phones under your hardware control, 10 lines of bash scripting
  • Man-in-the-Middling / base station spoofing: You might have heard of "Stingrays". If not, google is your friend. Simply operating a slightly higher-powered base station with the same ID string and, if necessary at all, a faked operator identity, will "pull" clients away from your real network. Of course, if the spoofing base station doesn't know the secret keys of the network operator (only necessary if >2G), users might quickly notice (or they don't); however, noticing things don't work is nice, but doesn't help them.
    Tool: any implementation of a base station. They're not expensive.

Marcus Müller