29C3: Budget mobile turns into GSM base station
Motorola's C123 budget mobile phone, which was introduced in 2006, can be turned into a GSM transmitter station using available open source solutions and a bit of custom software. Belgian hacker Sylvain Munaut presented a proof of concept at the 29th Chaos Communication Congress (29C3) in Hamburg on Saturday. The developer managed to get the budget mobile (connected to a laptop for additional computations) to transmit the signal bursts that are usually broadcast by a base station. Using the Wireshark sniffer, Munaut demonstrated that a couple of mobile phones in the lecture hall had already logged into the cell he established, and that an SMS text message had already been sent through it.
The hack is based on known vulnerabilities in the GSM network and on previous research such as that from OsmocomBB, a project whose team members include Munaut. The functionality that is required to implement a GSM base station and appropriate control unit has been available in the free OpenBTS and OpenBSC software solutions for some time. The OsmocomBB team made use of the fact that GSM transmissions require no mutual authentication between phone and network, which also opens up the possibility to locate subscribers and implement bugging measures via IMSI catchers. Furthermore, the system's encryption algorithms are weak and relatively easy to bypass, as demonstrated by Munaut and Berlin-based security researcher Karsten Nohl at the 27C3 hacker conference in 2010.
The Osmocom hackers had already identified a suitable baseband processor that runs the GSM protocol on a mobile phone. The team chose a TI Calypso module because this module's protocol stack and documentation were already available. The component was used in phones such as Motorola's C123, which can now be bought at online auctions for a few pounds. Two years ago, the experts had already managed to use it to establish channels to a network, send arbitrary control messages, scan cell information and simulate fake location data.
Munaut continued to develop the project and turned the Motorola phone's Calypso platform into a full-fledged transmitting and receiving station. To do so, the developer said that he had to make "some changes" to the mobile's general signal processing and to the channel coding and its implementation. At the 29C3 conference, Munaut explained that a base station continuously broadcasts signals to enable mobile phones to log into the established cell, and that a mobile phone, which is intended as a receiving device, was never designed to do this.
According to the hacker, timing the signal broadcasts in a way that is appropriate for GSM presented a further challenge. Munaut said that he noticed that the mobile phone's clock generator can be tethered to that of a conventional commercial wireless cell. He added that he also exploited various flaws in the phone's signal processor: for example, the researcher explained that he managed to use new start addresses in the boot process and other trickery to customise the signal processor code and manipulate the phone's modulation.
This allowed the team to furnish the mobile phone with new capabilities to broadcast sequences that consisted of several signals and to transmit the burst types that are normally only available in base stations. The researcher added that the phase information was sent to the connected laptop for demodulation.
For his practical test, Munaut first used the computer to install new firmware on the Motorola mobile, installed OpenBTS and selected a reference mobile cell; in this case, he used the custom GSM network that was set up for the duration of the congress. The next step was to select a mobile radio frequency, which, the researcher pointed out, requires a valid licence. After opening OpenBTS, it was possible to launch the transmitter and receiver features, synchronise the networks and start transmitting.
Munaut said that the code for the hack will be released "in early 2013", as it is still undocumented. The project is directed at "developers and GSM enthusiasts", he explained, adding that anyone who can operate Osmocom and OpenBTS should be able to run the "not quite standards-conformant" base station software once the required test licence has been acquired. However, the developer pointed out that a certain amount of common sense is required when doing so because GSM is sometimes used for "critical applications".
The future plans of the project partners are to implement OpenBSC, increase the program's reliability and develop a solution that uses multiple mobile phones. This will probably also mean that a voice transmission channel can be provided, noted Munaut, and that the simulated base station's sniffer functionality can be extended.
- Building a GSM network with open source, a feature on The H.
- The open GSM future arrives, a feature on The H.
(Stefan Krempl / fab)