Thursday, January 20, 2011

Baseband Hacking Using Fake Cell Towers

In my last post I wrote about femtocells and femtozone services. Femtocells are little mini-antennas that can be placed in a home, business, hotel, etc. and that connect back to the carrier over a broadband connection (DSL, cable, fiber, etc.). They are great when it comes to filling in areas of poor cell reception.

Baseband hacking is described in an IDG News Service report along with a LinuxInsider report. Basically, the attack involves setting up a fake cell tower. There are a couple of ways to do this: you can spend around $2000 and build your own cell tower, or you can purchase a femtocell from one of the providers (AT&T, Verizon, etc.) for $150-$200.

How can devices like femtocells be used by hackers? This is from a post over at ReadWriteWeb titled Baseband Hacking: A New Frontier for Smartphone Break-ins:

Security researcher Ralf-Philipp Weinmann says he has found a new way to hack into mobile devices - by using a baseband hack that takes advantage of bugs found in the firmware on mobile phone chipsets sold by Qualcomm and Infineon Technologies. Weinmann will demonstrate the hack on both an iPhone and an Android device at this week's Black Hat conference in Washington D.C.

To perform the attack, according to Weinmann, a hacker sets up a rogue base transceiver station which is used to send malicious code over the air to the target devices. The code exploits vulnerabilities found in the GSM/3GPP stacks on the phones' baseband processors. Weinmann goes on to say industry bodies like the GSM Association and the European Telecommunications Standards Institute have not considered the possibility of attacks like this.

What’s really interesting about this is that the attack exploits bugs in chip firmware, an area most hackers do not have a lot of experience with. What’s firmware? Here’s a quick definition from Wikipedia:

In electronics and computing, firmware is a term often used to denote the fixed, usually rather small, programs and/or data structures that internally control various electronic devices.

The Wikipedia definition goes on:

The term firmware was originally coined in order to contrast to higher level software which could be changed without replacing a hardware component, and firmware is typically involved with very basic low-level operations without which a device would be completely non-functional.

Most hacks to this point have been software-based rather than firmware-based, because software is typically much easier to attack. Here’s more from the ReadWriteWeb post:

According to Sophos security consultant Graham Cluley, "if someone wanted to spy on your mobile phone conversations it would be easier to trick the user into installing an app that spied on them or gain physical access to the mobile to install some spyware code," he said. "I would be surprised if anyone went to all of the effort that this researcher suggests."

Interesting stuff.
