GPRS Hacked

Nohl’s group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren’t encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication. The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

Comments

ShadowHatesYou • August 10, 2011 5:40 PM

GPRS isn’t the only standard to fall, it’s been reported that CDMA and 4g were also compromised at Defcon this year.

http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/81514

The largest threat to these protocols seems to be the ease of compromising pico/femtocells and making them do your bidding: http://wiki.thc.org/vodafone

Clearly things need to be more robust. A compromised base station should not be able to do this.

Thomas • August 10, 2011 8:54 PM

@ShadowHatesYou
“Clearly things need to be more robust. A compromised base station should not be able to do this.”

The main threat for the people paying for the base-stations are worried about is phone-calls being made without a matching billing entry.

I’m sure that threat is catered for.

jkm • August 11, 2011 5:28 AM

I seriously doubt that ‘4G’ was hacked (whaterver 4G means; LTE, WiMAX, WCDMA HSPA?).

wiredog • August 11, 2011 5:51 AM

Anyone who accepts an OTA system update when at DEFCON deserves everything they get…

jggimi • August 11, 2011 6:09 AM

@jkm, according to a post further down the linked thread, it was WiMAX on Sprint/Clearwire.

Natanael L • August 11, 2011 7:05 AM

So, maybe I should set up a proxy at home for my smartphone. Are the Android proxy security “good enough”?

Gabriel • August 11, 2011 8:57 AM

@wiredog: how about “civilians” near or at the hotel who aren’t part of defcon who take an OTA update? Do they deserve it too?

Jon • August 11, 2011 3:41 PM

Of course, there have been several examples of ‘pushed’ over the air upgrades. The user doesn’t get a choice about whether to accept it or not.

And, of course, if the officially designated people can push an “upgrade”, so can everyone else.

Richard Steven Hack • August 11, 2011 10:37 PM

I think the term “smartphone” needs to be rescinded, and the term “stupid phone” (re-)implemented.

I’m glad I don’t have the money yet to buy a “smart (stupid) phone”. And that the stupid Nokia 6030 phone I use (it’s smart enough to randomly shut itself off periodically!) doesn’t get used much except to take client calls. No texting, no SMS, no nada. It can do that crap, but I don’t.

Besides the security flaws, every time Jeri Ryan has to update her phone, she tweets how it didn’t work unless she does it five times…

Obviously these are real quality products being sold…

Nonetheless, nice to know my meme applies equally well to everyone’s phone as it does to their computer. 🙂

Roger • August 14, 2011 4:46 AM

Interesting work, but … GPRS is supposed to have security features!?

Only GPRS app I have been involved in, everyone just assumed it was totally hackable. The application provided its own session security and assumed the link might not be available. (Low priority messages that did not receive a signed acknowledgement would be re-sent later; high priority messages that didn’t get an ACK resulted in a dial-up connection.)

Hmm, reading further, it seems we were right. Security features in GPRS are optional, and it isn’t easy for the app to find out if they are enabled. So you have to assume the transport layer is insecure.

GPRS Hacked

Comments

Leave a comment Cancel reply