LAS VEGAS— Most of the attacks featured at the Black Hat conference in Las Vegas hinge on stealing money, exfiltrating data, or, in extreme cases, blowing up factories with bubbles.
Altaf Shaik, the principal security researcher at Kaitiaki Labs, had a different goal. By using just $200 and the fundamental structure of LTE networks, Shaik found a way to wreak havoc on cellular networks.
This Is My SON
A variety of well-documented attacks can be leveraged against cellular networks, but Shaik was more interested in investigating the fundamental structure of cellular networks.
"The favorite target is always the mobile phone, because the person is carrying this," said Shaik. "What about attacking base stations? I don't mean physically damaging or plugging in, is it really possible to attack these without being detected?"
With that in mind, Shaik looked to Self Organizing Networks (SONs). These are cellular base stations that, once placed in the field, will automatically probe their surroundings, looking for other base stations and cell phones. Using the data it collects, a SON base station can then assign itself a unique Cell ID and even automatically make adjustments to optimize performance. Depending on how it's configured, a SON can do this without any guidance from human operators.
In order for a SON to work, the base stations receive information from individual cell phones. This includes measurement data on the distance between the cell phone and nearby base stations. The base stations can also communicate with each other through what's called the X2 interface. The problem with both of these avenues of communication, Shaik explained, is that they are trusted but unverified, and therefore ripe for exploitation.
Using just $200 worth of equipment, Shaik built a rudimentary rogue base station. The device had a range of 50 meters and up to 100 meters with additional amplification.
Attacking the Network
In one attack, Shaik showed how the low-cost device could inject junk information into a SON. He broadcast the cell ID of a faraway base station while near a target base station. The target base station thinks, 'Oh! A new base station that's close by! I should create an X2 relationship with it!' In doing so, these base stations now begin to create rules between each other about how to communicate and hand off cellphones moving between each station.
But all those rules are based on faulty information. Do this enough, he said, and it would be possible to tie the network in knots.
In another attack, Shaik had his rogue base station mimic the frequency and cell ID of a nearby base station. That station thinks 'That's my cell ID! I'd better change it!' But to change a cell ID, the base station needs to reboot, which can take up to eight minutes. That's bad for the network operator, but it's also bad for any cell phones that were using that base station.
According to Shaik, when an LTE base station isn't available, cell phones will sometimes be handed over to 2G and 3G base stations. While still in use as carriers begin to roll out 5G networks, 2G and 3G have known security issues that potentially expose cell phones to attack.
We've seen at previous Black Hat conferences that it's possible to intercept cell phone data by jamming the LTE band and forcing phones to connect to phony cell towers using the less-secure 2G and 3G bands. Jamming, however, requires a lot of power and is easily spotted as a result. Shaik's attack, on the other hand, doesn't have those issues.
In a final attack, Shaik put all the pieces together. This time, Shaik's rogue base station impersonates a distant, real base station. Nearby cell phones will pick up this information and report it to the victim base station. Via X2, the rogue station then contacts the real base station and makes arrangements to hand off the cell phone. The victim base station signals the cell phone to switch to the closer rogue base station, but the rogue station doesn't have the proper keys or authenticators to handle the cell phone so the call is simply dropped.
Dropped calls are annoying for customers, but the consequences can be far-reaching in a SON because each base station keeps track of other base stations' performance. If a station becomes notorious for dropping calls, the other stations will blacklist it. Like in the previous attacks, adding this bogus information makes a SON less effective and, in extreme cases, would require the cell phone company to waste time and money dispatching repair teams to blacklisted base stations that are actually functioning properly.
A Fundamental Issue
The bad news is that Shaik's attack affects any phone that complies with the latest 3G standard. While the attacks rely on the SON operating largely autonomously, it would still generate a lot of bogus information even if the base stations require manual input before reconfiguring themselves.
"These are not implementations problems," said Shaik. "These are standards problems." To fix it, Shaik reached out to the GSMA, the organization that manages the GSM standard used by many cell phones. The organization has apparently been very responsive, and is working to share information about Shaik's findings with vendors.
But to really fix, not just mitigate, the problem, Shaik says SON needs to change fundamentally. The system, he said, needs a means to authenticate the information it receives from base stations and cell phones. It cannot blindly trust these devices. A database of base stations and their actual locations, Shaik said, would go a long way toward preventing these attacks.
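To make the "trusted but unverified" point and the proposed fix concrete, here is an added toy model of a SON base station's automatic neighbor discovery. It is constructed for this article, not code from Shaik's talk or from any equipment vendor. One mode accepts every measurement report at face value, as the article says current SON does; the other cross-checks the reported cell ID against a registry of known base stations and their locations, the database Shaik suggests, and raises an alert instead of forming an X2 relation or rebooting. Cell IDs, coordinates, signal levels and the 30 km plausibility radius are all made-up assumptions, and the way a station learns that its own ID is being reused is simplified to a single report.

```python
"""Toy SON neighbour-discovery model: blind trust vs. a location-checked
version. Constructed example; identifiers and values are assumptions."""
import math
from dataclasses import dataclass, field

# Assumed operator registry: cell ID -> (latitude, longitude) in degrees.
# Stands in for the "database of base stations and their actual locations".
CELL_REGISTRY = {
    "CELL-A": (36.1699, -115.1398),   # the station we model
    "CELL-B": (36.1750, -115.1300),   # a genuine neighbour, about 1 km away
    "CELL-Z": (37.7749, -122.4194),   # a real but distant cell, ~670 km away
}

MAX_NEIGHBOUR_KM = 30.0  # assumed radius within which an LTE neighbour is plausible


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    r = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


@dataclass
class MeasurementReport:
    """What a phone tells its serving cell about a cell it can hear (constructed shape)."""
    ue_id: str
    heard_cell_id: str
    rsrp_dbm: float   # received power; a strong value means the transmitter is close


@dataclass
class SonBaseStation:
    cell_id: str
    validate: bool = False           # False reproduces the blind-trust behaviour
    x2_neighbours: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    reboots: int = 0

    @property
    def location(self):
        return CELL_REGISTRY[self.cell_id]

    def _implausible_reason(self, heard_cell_id, rsrp_dbm):
        """Return why a report conflicts with the registry, or None if it fits."""
        if heard_cell_id not in CELL_REGISTRY:
            return "unknown cell ID"
        dist = haversine_km(self.location, CELL_REGISTRY[heard_cell_id])
        if dist > MAX_NEIGHBOUR_KM:
            return f"registered {dist:.0f} km away but heard at {rsrp_dbm:.0f} dBm"
        return None

    def handle_measurement_report(self, rep: MeasurementReport):
        """Automatic neighbour relation: a newly heard cell becomes an X2 peer.
        Returns True if the station acted on the report, False if it refused."""
        if rep.heard_cell_id == self.cell_id:
            return self._handle_id_collision(rep)
        if self.validate:
            reason = self._implausible_reason(rep.heard_cell_id, rep.rsrp_dbm)
            if reason:
                self.alerts.append(f"rejected neighbour {rep.heard_cell_id}: {reason}")
                return False
        self.x2_neighbours.add(rep.heard_cell_id)
        return True

    def _handle_id_collision(self, rep):
        """Another transmitter appears to be using our cell ID. The blind
        station reconfigures (a reboot); the validating one knows from the
        registry that no other cell carries this ID and only raises an alert."""
        if self.validate:
            self.alerts.append(f"possible rogue transmitter reusing {self.cell_id} "
                               f"(reported by {rep.ue_id} at {rep.rsrp_dbm:.0f} dBm)")
            return False
        self.reboots += 1
        return True


if __name__ == "__main__":
    # Constructed reports: a distant cell heard loudly, a real neighbour, our own ID.
    reports = [MeasurementReport("UE-1", "CELL-Z", -70.0),
               MeasurementReport("UE-2", "CELL-B", -85.0),
               MeasurementReport("UE-3", "CELL-A", -60.0)]
    for validate in (False, True):
        station = SonBaseStation("CELL-A", validate=validate)
        for rep in reports:
            station.handle_measurement_report(rep)
        print(f"validate={validate}: X2 peers={sorted(station.x2_neighbours)} "
              f"reboots={station.reboots} alerts={station.alerts}")
```

The blind station ends up with an X2 relation to a cell hundreds of kilometres away and a reboot on its record; the validating station keeps only the genuine neighbour and turns both bogus inputs into alerts an operator can investigate, which is the difference between rules built on faulty information and rules built on data the network can check.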
And there is some pressure to make that work. SON, Shaik said, is really useful, and will only become more widely used. "In 5G, there will be a huge deployment of SON." Let's hope they work out the kinks before then.
Be sure to keep reading PCMag to keep up with the latest from Black Hat 2018.