Cell phone towers are omnipresent across the countryside and in cities. In cities they may sit on parking structures, on rooftops, in vacant lots, or beside buildings. These towers, or base transceiver stations (BTS), facilitate communication between the user's equipment and the network by transmitting and receiving signals.
This equipment serves a vital need for society. Nearly everyone is tied to a smartphone and enjoys its functionality. The BTS, however, has vulnerabilities. If these were exploited, a threat actor could attack and compromise the cell tower or BTS and, in effect, take control of that part of the cell phone network. Specifically, the person could take remote control of the BTS, take over the traffic passing through it, or prevent it from offering service by turning off the transceiver module or jamming frequencies. This would have immediate and negative effects on people simply wanting to make a phone call.
Not all systems are affected by this; the issue does not affect every manufacturer, and certain manufacturers have addressed it. The affected systems are:
YateBTS <= 5.0.0, manufactured by Legba Incorporated
OpenBTS <= 4.0.0, manufactured by Range Networks
OpenBTS-UMTS <= 1.0.0, manufactured by Range Networks
Osmo-TRX/Osmo-BTS <= 0.1.10, manufactured by OsmoCom
These are most of the affected systems. If another manufacturer uses the identical transceiver code base, the vulnerability may apply to it as well.
The attacks, thankfully, are a proof of concept at this juncture. They were researched by Zimperium. The exploitable vulnerability has three points of attack, each of which is viable.
The first issue involves the service binding being exposed to a greater extent than needed. This is more of a configuration issue. The transceiver sockets are configured to bind to INADDR_ANY rather than to a user-specified value (which defaults to 127.0.0.1). Any attacker with internet access is therefore able to connect to the BTS system and send and receive packets. Access to the UDP network socket is not secured and does not require any authentication. This is a significant issue: once connected, the person could hijack the BTS, monitor and modify the traffic passing through it, subject it to a DoS or DDoS attack, and cause many more problems.
The second issue revolves around an age-old, established attack. The system is overly susceptible to DoS and DDoS attacks. This would be carried out by a third-party threat actor sending overly large UDP packets to the transceiver control channel.
The last primary vulnerability is related to the first. The third-party threat actor is able to remotely connect to the control channel and may do so without authentication. This is an issue in that anyone can connect to the BTS, turn its functions off, jam its frequencies, and do much more.
There is hope for smartphone users and others dependent on the traffic through the BTS. Against the UDP packet attack, the sockets used for the control and data exchange should be bound only to the local interface. As an alternative, a firewall should be installed, and patched as needed, to block external traffic to ports 5700, 5701, and 5702. The DoS or DDoS attack may also be remedied by applying the appropriate flags at compile time.
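The following C example, written for this article and not taken from any of the BTS projects named above, shows the configuration choice at the heart of the first issue and one defensive way to handle the oversized-datagram problem: a UDP control socket is opened either on the wildcard address (reachable from any interface) or on 127.0.0.1 (local host only), a check reports which of the two a running socket actually has, and a bounded receive discards any datagram larger than the buffer that was provisioned for it. The function names, the port argument and the buffer size are the example's own assumptions; the hardening flags the projects apply at compile time are not shown here.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Open a UDP socket bound to bind_addr:port. "0.0.0.0" (INADDR_ANY) exposes
 * the service on every interface, which is the weak setting described above;
 * "127.0.0.1" limits it to the local host. Returns the descriptor or -1. */
int open_control_socket(const char *bind_addr, unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, bind_addr, &sa.sin_addr) != 1) { close(fd); return -1; }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Audit helper: returns 1 if the bound socket listens on the wildcard address
 * (reachable from other hosts), 0 if it is bound to loopback or one specific
 * interface, -1 on error. Useful for checking a running service's exposure. */
int bound_to_wildcard(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return -1;
    return sa.sin_addr.s_addr == htonl(INADDR_ANY);
}

/* Receive one control datagram into a fixed buffer of size cap. A datagram
 * larger than cap is truncated by the kernel and flagged with MSG_TRUNC; this
 * function drops such datagrams instead of processing a partial message.
 * Returns the number of bytes read, or -1 if dropped or on error. */
ssize_t recv_bounded(int fd, char *buf, size_t cap) {
    struct iovec iov = { buf, cap };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;
    if (msg.msg_flags & MSG_TRUNC) return -1;  /* oversized: discard it */
    return n;
}
```

Port 0 can be passed to open_control_socket to let the OS pick an ephemeral port when exercising the functions locally.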
Our current society, for better or worse, is dependent on cell phones and their technology. This rests on convenience for consumers and also on the services rendered over them (defense, fire, rescue, and others needed for national operations). Over the years, it appears certain manufacturers did not apply security thoroughly. The issues noted here could have been addressed much earlier. Although they present a significant problem, a plan for remediation exists, and the remediation itself is not exceptionally drastic. These workable solutions are clearly a step in the right direction.
Blalock, R. (2011, June). Telecommunication network hacking and security. Retrieved from http://www.rafayhackingarticles.net/2011/06/telecommunication-network-hacking-and.html
Hacking-Lab. (n.d.). 4052 IMSI catcher: Introduction. Retrieved from https://www.hacking-lab.com/cases4052-imsi-catcher/index.html
Iyer, K. (2016, August 24). This is how hackers can hijack cell phone towers! Retrieved from https://www.techworm.net/2016/08/hackers-can-hijack-cell-phone-towers.html
Margaritelli, S. (2016). Analysis of multiple vulnerabilities in different open source BTS products. Retrieved from https://blog.zimperium.com/analysis-of-multiple-vulnerabilities-in-different-open-source-bts-products/
Zorz, Z. (2016, August 24). Hackers can easily take over cellphone towers, researchers found. Retrieved from https://www.helpnetsecurity.com/2016/08/24/hackers-cellphone-towers/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.