A security researcher from Thailand demonstrated today how he could take down local cell phone networks that use the commonly used GSM global standard for cell phone radios.
The demo took place at the Black Hat conference in Las Vegas. The researcher, who goes by the handle The Grugq, works for Singapore's Coseinc security firm (he's based in Thailand). He showed a room of about 1,000 hackers and security professionals how he could hack into a cell phone radio network with an ordinary Motorola C123 or C118 cell phone and take out a local cell, which can handle about 1,000 or so calls at a time. GSM stands for the Global System for Mobile communications.
(See our roundup of all Black Hat and Defcon stories).
Cell phone networks are made up of small networks known as cells. A single cell phone tower and its baseband communications equipment supports callers within a given radius and then hands the call off to the next tower when the user moves into a different cell territory. The problem is that the baseband equipment, which receives and transmits GSM radio signals, is often decades old and isn't hard to penetrate. The security protecting the network is based on the notion that GSM was built by companies using relatively obscure code in "walled garden" networks that once seemed too difficult to break into. Fortunately for carriers, there are no indications that the attack methods used could bring down an entire national cell phone network.
The Grugq used software on an older cell phone to hack into the radios. The cell phone tricks the network into thinking it is one user when it really isn't. The attack makes use of open source software tools as well as custom tools to flood the radio network with requests to make calls. The cell phone equipment gets overloaded and drops the calls of all of the users in the cell at a given time. So multiple people in different cell networks can take down GSM networks and cause a lot of annoyance for cell phone users in given areas.
The Grugq couldn't do a live demonstration because he didn't have the right cell phone available for the U.S. But he said he had demonstrated the attacks on T-Mobile's GSM network. He showed several different methods to do the attacks.
"It's very cool," he said. "For a very long time, GSM security was based on the idea that GSM was a walled garden. But now there are open source tools available to do this and it isn't very expensive to do."
In the future, The Grugq said he wanted to figure out attacks against 3G networks.