Wednesday, May 28, 2008

Hacking Cellular Networks - The Door Is Already Open

A new smart phone hack has been released which is touted to help attackers understand cellular networks and potentially "open the door to hacking the cellular network itself".
Cell networks weren’t built with security in mind, Maynor says. And knowing the frequency of a smart phone means you can also find control channels for the cell towers, Maynor says, many of which carry information such as SMS messages destined to all phones in that cell area, for instance. “It would be the equivalent of turning on a sniffer on a computer for certain types of data,” he says.

The tool itself is interesting, and the frequency and channel information it gathers is new information that perhaps the cell owner should not have access to. However, the claim that this tool is opening the door to hacking cellular networks is woefully incorrect. That door is already open and doesn't need a tool like this. This tool allows an attacker to go after the over-the-air (OTA) portion of the cellular network. From an attacker's perspective, this is not the path of least resistance.

So what is the path of least resistance? It's through the data connection of the subscriber itself. Connect your phone to a laptop, and use the data connection to browse through the infrastructure of the cellular network. All of the wonderful security issues we've seen over the years are still present in cellular networks too. The bigger problem is that the subscriber connection is often placed inside the cellular network. So all that stuff about a DMZ and strong perimeter doesn't usually apply in cellular networks (it should, but in practice that's not what's happening).

Cellular networks should be concerned about security, but not because of this tool. They should be concerned because most every data subscriber has been given direct access into the internal network of the cellular infrastructure. This isn't theoretical stuff; I've tested several major cellular networks throughout the world. These issues are rampant. The telecom people are getting the message though. They're moving in the right direction. Hopefully they are moving fast enough. :)

Take a look at this presentation topic from Hack in the Box Dubai 2008.

Real World Attacks Against 3G Networks Using Subscriber Devices

-Michael Coates