Dec 20, 2018

Baseband Attack

The Threat

The baseband processor in a mobile phone is the component that communicates over radio with the cell tower in order to set up and carry cellular calls. Because the phone reaches the network through cell towers, an attacker who wants to intercept its radio signal must first set up a fake cell tower and convince a nearby phone (the target) to connect to it. The attacker can then deliver malicious code to the phone that targets vulnerabilities in the GSM/3GPP protocol stacks running on its baseband processor, typically Qualcomm or Infineon chipsets. While this attack type is limited to individuals or entities with the resources and technical know-how to set up their own bogus cell tower, the cost of doing so has fallen dramatically in recent years and it can now be accomplished for about $1000.


How It Works

The system works by first “catching” the International Mobile Subscriber Identity (IMSI) number of passing cell phones; once it holds a phone’s IMSI, it is able to communicate directly with that phone’s baseband processor.

“The baseband attack is an extremely technical hack,” according to Don Bailey, Security Consultant with ISEC Partners.

The 2G network is by far the most vulnerable. GSMK, a German security company, says it detected 17 such fake cell towers in the U.S. on a recent drive through the country. Following that assessment, an additional 28 bogus towers were identified, bringing the total to at least 45 nationwide.

Mobile phones actively seek out the radio signal from cell towers and connect to the nearest one. The phone then has to prove its authenticity to the tower it is connecting to; on 2G the tower is not required to prove itself to the phone, which is what allows a bogus tower to be accepted at all. Connections between phone and tower are typically encrypted, but the cipher is chosen by the tower, so once a bogus tower has learned the target phone’s IMSI it can be configured to run the connection with no encryption. The bogus tower can thus strip encryption from connecting phones and then inject malware to infect the baseband processor. Alternatively, the malware can relay the phone’s outgoing communications to a legitimate network, enabling a man-in-the-middle eavesdropping attack.
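A defender-side illustration of the indicators described above, added here and not part of the original post: a small Python check, in the style of an IMSI-catcher detector app, that runs over a constructed trace of serving-cell observations (cell identity, radio technology, the cipher the tower selected, and whether the phone had to send its IMSI in clear) and flags the profile of a bogus tower. The event fields and the known-cell baseline are assumptions.

```python
from dataclasses import dataclass

# Rank of the cipher the network selects; 0 means no encryption.
# A5/x are the GSM (2G) ciphers, UEAx the UMTS (3G) ones.
CIPHER_RANK = {"A5/0": 0, "UEA0": 0, "A5/2": 1, "A5/1": 2,
               "A5/3": 3, "UEA1": 3, "A5/4": 4, "UEA2": 4}


@dataclass
class CellEvent:
    """One serving-cell observation (field layout is an assumption)."""
    cell_id: int        # cell identity reported by the tower
    lac: int            # location area code
    rat: str            # radio access technology: "2G" or "3G"
    cipher: str         # cipher the tower told the phone to use
    identity_sent: str  # "IMSI" if the phone sent its IMSI in clear, else "TMSI"


def analyze(events, known_cells):
    """Return (event index, reason) findings for bogus-tower indicators."""
    findings = []
    prev = None
    for i, ev in enumerate(events):
        rank = CIPHER_RANK.get(ev.cipher, 0)
        if rank == 0:
            findings.append((i, f"tower selected {ev.cipher}: no encryption"))
        if prev is not None:
            if rank < CIPHER_RANK.get(prev.cipher, 0):
                findings.append((i, f"cipher downgrade {prev.cipher} -> {ev.cipher}"))
            if prev.rat == "3G" and ev.rat == "2G":
                findings.append((i, "forced fallback from 3G to 2G"))
        if (ev.cell_id, ev.lac) not in known_cells:
            findings.append((i, f"cell {ev.cell_id} in LAC {ev.lac} never seen before"))
        if ev.identity_sent == "IMSI":
            findings.append((i, "phone disclosed its IMSI in clear"))
        prev = ev
    return findings


# Constructed baseline of cells this phone has camped on before.
KNOWN_CELLS = {(1001, 42), (1002, 42)}

# Constructed trace: two normal observations, then the profile the text
# describes (unknown cell, drop to 2G, cipher switched off, IMSI requested).
SAMPLE_TRACE = [
    CellEvent(1001, 42, "3G", "UEA1", "TMSI"),
    CellEvent(1002, 42, "3G", "UEA1", "TMSI"),
    CellEvent(9999, 7, "2G", "A5/0", "IMSI"),
]

if __name__ == "__main__":
    for idx, reason in analyze(SAMPLE_TRACE, KNOWN_CELLS):
        print(f"event {idx}: {reason}")
```

A single indicator (an unfamiliar cell, say) is normal when travelling; it is the combination of no encryption, a drop to 2G and a clear-text IMSI request that is worth alerting on.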

“It sounds like the radio parts of the phone are very shaky indeed and pretty vulnerable,” says Dragos Ruiu, organizer of the Vancouver CanSecWest hacking conference.


The Bottom Line

Because mobile calls that use the Vysk QS1 system are encrypted from the moment they leave our dedicated microphone and are not decrypted until they reach our dedicated speaker at the other end, intercepting the call provides no value to the attacker: all they will have obtained is a strongly encrypted data stream. So, while the QS1 cannot keep a bogus cell tower from interacting with your mobile phone’s baseband processor, or even from learning your phone’s IMSI number, any call information obtained by doing so will be of no value to the attacker.

