It Takes Just $200 to Tie Cell Networks in Knots
LAS VEGAS— Most of the attacks featured at the Black Hat briefing in Las Vegas hinge on stealing money, exfiltrating data, or, in extreme cases, blowing up factories with bubbles.
Altaf Shaik, the principal security researcher at Kaitiaki Labs, had a different goal. By using just $200 and the fundamental structure of LTE networks, Shaik found a way to wreak havoc on cellular networks.
This Is My SON
A variety of well-documented attacks can be leveraged against cellular networks, but Shaik was more interested in investigating the fundamental structure of cellular networks.
"The favorite target is always the mobile phone, because the person is carrying this," said Shaik. "What about attacking base stations? I don't mean physically damaging or plugging in, is it actually possible to attack these without being detected?"
With that in mind, Shaik looked to Self Organizing Networks (SONs). These are cellular base stations that, once placed in the field, will automatically probe their environment, looking for other base stations and cell phones. Using the information it collects, a SON base station can then assign itself a unique Cell ID and even automatically make adjustments to optimize performance. Depending on how it's configured, a SON can do this without any guidance from human operators.
Our new research at #BlackHat2018 attacking LTE network side this time - we will show how $200 hardware setup can be used remotely to kill a base station & change LTE network configurations. This tiny hardware can be easily mounted on a drone @fgsect @SINTEF_Infosec #BlackHAT pic.twitter.com/rmGbu03iDP
— Ravishankar Borgaonk (@raviborgaonkar) August 3, 2022
In order for a SON to work, the base stations receive information from individual cell phones. This includes measurement data on the distance between the cell phone and nearby base station. The base stations can also communicate with each other through what's called the X2 interface. The problem with both of these avenues of communication, Shaik explained, is that they are trusted and unverified and, therefore, ripe for exploitation.
Using just $200 worth of equipment, Shaik built a rudimentary rogue base station. The device had a range of fifty meters and up to 100 meters with additional amplification.
Attacking the Network
In one attack, Shaik showed how the low-cost device could inject junk data into a SON. He broadcast the cell ID of a faraway base station while near a target base station. The target base station thinks, 'Oh! A new base station that's close by! I should create an X2 relationship with it!' In doing so, these base stations now begin to create rules between each other about how to communicate and hand off cell phones moving between each station.
But all those rules are based on faulty information. Do this enough, he said, and it would be possible to tie the network in knots.
In another attack, Shaik had his rogue base station mimic the frequency and cell ID of a nearby base station. That station thinks, 'That's my cell ID! I'd better change it!' But to change a cell ID, the base station needs to reboot, which can take up to eight minutes. That's bad for the network operator, but it's also bad for any cell phones that were using that base station.
According to Shaik, when an LTE base station isn't available, cell phones will sometimes be handed over to 2G and 3G base stations. While still in use as carriers begin to roll out 5G networks, 2G and 3G have known security issues that leave cell phones potentially exposed to attack.
We've seen at previous Black Hat conferences that it's possible to intercept cell phone data by jamming the LTE band and forcing phones to connect to phony cell towers using the less-secure 2G and 3G bands. Jamming, however, requires a lot of power and is easily spotted as a result. Shaik's attack, on the other hand, doesn't have those issues.
In a final attack, Shaik put all the pieces together. This time, Shaik's rogue base station impersonates a distant, real base station. Nearby cell phones will pick up this data and report it to the victim base station. Via X2, the rogue station then contacts the real base station and makes arrangements to hand off the cell phone. The victim base station signals the cell phone to switch to the closer rogue base station, but the rogue station doesn't have the proper keys or authenticators to handle the cell phone, so the call is simply dropped.
Dropped calls are annoying for customers, but the consequences can be far-reaching in a SON because each base station keeps track of other base stations' performance. If a station becomes notorious for dropping calls, the other stations will blacklist it. Like in the previous attacks, adding this bogus information makes a SON less effective and, in extreme cases, would require the cell phone company to waste time and money dispatching repair teams to blacklisted base stations that are actually functioning properly.
A Central Issue
The bad news is that Shaik's attack affects any phone that complies with the latest 3G standard. While the attacks rely on the SON operating largely autonomously, it would still generate a lot of bogus data even if the base stations require manual input before reconfiguring themselves.
"These are not implementation problems," said Shaik. "These are standards problems." To fix it, Shaik reached out to the GSMA, the organization that manages the GSM standard used by many cell phones. The organization has apparently been very responsive, and is working to share information about Shaik's findings with vendors.
But to really fix, not just mitigate, the problem, Shaik says SON needs to change fundamentally. The system, he said, needs a way to authenticate the information it receives from base stations and cell phones. It cannot blindly trust these devices. A database of base stations and their actual locations, Shaik said, would go a long way toward preventing these attacks.
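As an added illustration of the registry idea Shaik describes (this code is not from the talk or the article), the sketch below checks a phone-reported neighbor cell ID against a database of base stations and their surveyed locations before any X2 relationship is created. The cell names, coordinates, 15 km limit and verdict names are assumptions made for the example.

```python
import math

# Constructed registry: cell ID -> (latitude, longitude) of the surveyed site.
REGISTRY = {
    "cell-A": (59.9139, 10.7522),  # the base station receiving the reports
    "cell-B": (59.9200, 10.7600),  # genuine neighbour, under 1 km away
    "cell-Z": (60.3913, 5.3221),   # genuine cell, but hundreds of km away
}
MAX_NEIGHBOUR_KM = 15.0  # assumed upper bound on plausible radio range

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def vet_neighbour_report(serving_id, reported_id, registry=REGISTRY,
                         max_km=MAX_NEIGHBOUR_KM):
    """Decide whether a phone-reported neighbour may get an X2 relation.

    Returns (verdict, reason); verdict is 'accept', 'reject' or 'alert'.
    """
    if serving_id not in registry:
        raise KeyError(f"serving cell {serving_id!r} missing from registry")
    if reported_id == serving_id:
        # Assumed policy: hearing our own cell ID over the air is raised to an
        # operator instead of triggering an automatic ID change and reboot.
        return "alert", "own cell ID heard over the air"
    if reported_id not in registry:
        return "reject", "cell ID not in registry"
    d = distance_km(registry[serving_id], registry[reported_id])
    if d > max_km:
        # A faraway cell's ID heard nearby: no X2 relation is created.
        return "reject", f"registered site is {d:.0f} km away"
    return "accept", f"registered site is {d:.1f} km away"

def vet_all(serving_id, reported_ids):
    """Vet a batch of reports and return {cell_id: verdict}."""
    return {cid: vet_neighbour_report(serving_id, cid)[0] for cid in reported_ids}

if __name__ == "__main__":
    for cid in ("cell-B", "cell-Z", "cell-X", "cell-A"):
        print(cid, *vet_neighbour_report("cell-A", cid))
```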
And there is some pressure to make that work. SON, Shaik said, is really useful, and will only become more widely used. "In 5G, there will be a huge deployment of SON." Let's hope they work out the kinks before then.
Be sure to keep reading PCMag to keep up with the latest from Black Hat 2022.
Source: https://sea.pcmag.com/news/28787/it-takes-just-200-to-tie-cell-networks-in-knots
Posted by: mitchellsallation.blogspot.com