Rogue GSM Towers and Internet of Things Devices
Some attendees at the RSA Conference in April received an SMS announcing registration to a new cell network, the number assigned to their terminal, and a contact for more details. The message came from a fake GSM tower that accepted registrations from any endpoint with a SIM card in its vicinity, including Internet-of-Things devices.
Cell towers, or base transceiver stations (BTS), mediate the connection to a mobile network. Terminals (phones, smart toys, mobile modems, smartwatches, laptops, cars) authenticate to the carrier’s network with their SIM cards, and all incoming and outgoing traffic passes through the BTS to reach its destination. The risk posed by a rogue station is obvious in this context.
The illegal base station at the RSA security conference combined the open source YateBTS communication software with a radio board that talked to the terminals connecting to it. The author of the network registration note is David Burgess, who implemented the BTS part of the software. The Yate part is the work of Null Team, led by Diana Cionoiu.
Burgess explained in a blog post that the message was included in YateBTS specifically to warn users that their handset had connected to a network other than their carrier’s. Cionoiu gave the same motivation in a phone conversation, adding that the notice was introduced four years back as a feature for the Burning Man event. It remained in the code to prevent abuse by an unskilled attacker.
On IoT devices that support GPRS, a data service for always-on internet access, Cionoiu said encryption is needed to prevent the operator of a rogue tower from reading the information exchanged. Even if the gadget supports a newer cellular technology such as 4G, in a crowded area it may end up using a less secure one, or one that does not encrypt the traffic to the base station.
With data delivered in clear text, everything reaching the fake tower is exposed. Attackers could listen in on conversations and learn personal details about the victim to use for impersonation. They could also tamper with the responses from the server and prevent messages from reaching their destination.
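As an added example (not from the article, and not part of YateBTS or Null Team's software), the following Python checks a device's serving-cell records for the three warning signs discussed above: registration to a network other than the home carrier, a downgrade to an older radio technology, and a GSM session with ciphering switched off (A5/0). The record format, the PLMN codes and the sample log are constructed for the example.

```python
from dataclasses import dataclass

# Constructed record format: what a modem or baseband diagnostic log would
# report about the cell the terminal is currently registered to.
@dataclass
class CellEvent:
    ts: int       # seconds since the log started (constructed)
    mcc: str      # mobile country code of the serving network
    mnc: str      # mobile network code of the serving network
    rat: str      # radio access technology: "LTE", "UMTS" or "GSM"
    cipher: str   # ciphering reported for the link, e.g. "A5/3" or "A5/0"

# Higher rank = newer technology; a drop in rank is a downgrade.
RAT_RANK = {"LTE": 3, "UMTS": 2, "GSM": 1}
NO_CIPHER = "A5/0"   # the GSM "cipher" that means no encryption at all

def find_anomalies(events, home_plmn):
    """Return (timestamp, finding) pairs for records that deserve an alert.

    A downgrade alone can be legitimate in a congested area, so it is
    reported as a finding to correlate with the others, not as proof of
    a rogue tower on its own.
    """
    findings = []
    prev = None
    for ev in events:
        plmn = ev.mcc + ev.mnc
        if plmn != home_plmn:
            findings.append((ev.ts, f"registered to unexpected network {plmn}"))
        if prev is not None and RAT_RANK[ev.rat] < RAT_RANK[prev.rat]:
            findings.append((ev.ts, f"downgrade {prev.rat} -> {ev.rat}"))
        if ev.rat == "GSM" and ev.cipher == NO_CIPHER:
            findings.append((ev.ts, "GSM session without ciphering (A5/0)"))
        prev = ev
    return findings

# Constructed PLMN codes, chosen so they do not map to a real carrier.
HOME_PLMN = "99901"
SAMPLE_LOG = [
    CellEvent(0, "999", "01", "LTE", "EEA2"),   # normal 4G registration
    CellEvent(30, "999", "01", "GSM", "A5/3"),  # pushed down to 2G, still ciphered
    CellEvent(45, "001", "01", "GSM", "A5/0"),  # unknown network, no ciphering
]

if __name__ == "__main__":
    for ts, finding in find_anomalies(SAMPLE_LOG, HOME_PLMN):
        print(f"t={ts:>3}s  {finding}")
```

On a real device the records would come from the modem's serving-cell status rather than a hand-built list; the checks themselves stay the same.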
Although the tools to mount a fake cell tower attack are readily available and not too expensive, some obstacles deter an inexperienced adversary. This type of threat works better in crowded places, where the target is more likely to be served through a weaker technology. It also requires proximity to the target and the knowledge to extract the meaningful parts of the data.
The RSA incident does not seem to have been an intentionally harmful act. A likely explanation is that it was a joke, or that someone simply tested YateBTS. As Burgess puts it, if it was not a joke, the episode “was a silly attempt” at an attack “because they ended up broadcasting our message.”
Being able to reach your child at any time through a connected toy or a smartwatch is a comfort you should not have to give up. A SIM card with mobile data provides it, but take all the necessary steps to make sure it does not come with a pitfall.
Credit: Stephen A. Ridley