Stuart Corner
Friday, 28 January 2011 08:45
Researchers from the Spanish security company Taddong have demonstrated how an attacker with a budget of under US$10,000 can set up a rogue cellular base station, force nearby mobiles to connect to it, and take full control of the victims' data communications.
In a paper presented at the recent Black Hat DC security conference in Arlington, Virginia, and reported in New Scientist, the researchers, David Pérez and José Picó, explained how two weaknesses combine to make the attack possible.
First, they say, is "the absence of mutual authentication in GPRS and EDGE (2G), which makes GPRS and EDGE devices completely vulnerable to this attack." Second is "the mechanism implemented on most UMTS and HSPA (3G) devices that makes them fall back to GPRS and EDGE when UMTS or HSPA are not available, which makes it possible to extend the attack to these 3G devices."
The researchers explained that it was possible to jam a live 3G network so that devices fell back to 2G, at which point they could be made to connect to the rogue base station, which needs no operator credentials because a 2G handset never authenticates the network it attaches to.
According to New Scientist, once the phone is connected to the spoof network, the attacker can route all data traffic through their own computer. "Pérez and Picó say this allows the hacker to monitor browsing and also to mount phishing attacks by replacing legitimate online banking websites with their own versions. In the latter case the victim's browser will warn them that the site is not secure, but users often ignore these messages."
The researchers added that the weakness could not be easily fixed by network operators, leaving the onus of protection on users, either by encrypting their communications themselves or by setting their device to use only 3G. However, many devices, including the iPhone, do not offer a 3G-only setting.
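To make the two weaknesses concrete, here is a small Python model of the attach decision, added for this page and not code from Taddong's paper or from any real handset or network stack. It contrasts one-way GSM authentication (the handset answers a RAND challenge with SRES and checks nothing about the challenger) with UMTS AKA, where the network must present an AUTN whose MAC is computed with the subscriber key K before the handset will attach, and then shows what a "3G-only" setting changes when the 3G band is jammed. Assumptions: a truncated HMAC-SHA256 stands in for A3/A8 and the Milenage f1/f2/f5 functions; the AUTN layout (SQN xor AK, AMF, MAC) follows 3GPP TS 33.102; the class names, the handset "mode" strings and the constructed key `K` are illustrative.

```python
"""Toy model: why a rogue 2G base station works and why 3G-only blocks it.

ASSUMPTION: HMAC-SHA256 (truncated) stands in for A3/A8 and Milenage f1/f2/f5.
The real algorithms differ; the message structure is what matters here.
"""
import hashlib
import hmac
import os

# Constructed subscriber key for the demo. Real Ki/K never leaves the (U)SIM.
K = bytes(range(16))


def prf(key: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    """Keyed PRF standing in for the SIM algorithms (assumption, see above)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:n]


class Handset:
    def __init__(self, key: bytes, mode: str = "auto"):
        self.key = key      # Ki / K burned into the (U)SIM
        self.mode = mode    # "auto": fall back to 2G; "3g-only": never use GSM

    def gsm_sres(self, rand: bytes) -> bytes:
        # 2G: one-way. Whoever sent RAND gets SRES = A3(Ki, RAND); nothing is checked.
        return prf(self.key, b"A3", rand, n=4)

    def umts_res(self, rand: bytes, autn: bytes):
        # 3G: verify the network first. AUTN = (SQN xor AK) | AMF | MAC.
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        ak = prf(self.key, b"f5", rand, n=6)
        sqn = bytes(a ^ b for a, b in zip(sqn_ak, ak))
        expected_mac = prf(self.key, b"f1", sqn, rand, amf, n=8)
        if not hmac.compare_digest(mac, expected_mac):
            return None                         # MAC failure: reject this network
        return prf(self.key, b"f2", rand, n=8)  # RES, sent back only if MAC held


class GenuineNetwork:
    """Home network: holds K, so it can build an AUTN the handset will accept."""
    def __init__(self, key: bytes):
        self.key, self.sqn = key, 1

    def umts_challenge(self):
        rand, amf = os.urandom(16), b"\x80\x00"
        sqn = self.sqn.to_bytes(6, "big")
        self.sqn += 1
        mac = prf(self.key, b"f1", sqn, rand, amf, n=8)
        ak = prf(self.key, b"f5", rand, n=6)
        return rand, bytes(a ^ b for a, b in zip(sqn, ak)) + amf + mac


class RogueBaseStation:
    """Attacker hardware without K: it can only guess an AUTN or offer plain GSM."""
    def umts_challenge(self):
        return os.urandom(16), os.urandom(16)   # forged AUTN; MAC will not verify

    def gsm_challenge(self) -> bytes:
        return os.urandom(16)                   # any RAND will do in 2G

    def accept_sres(self, sres: bytes) -> bool:
        return True                             # nothing to compare against; accept all


def rogue_3g_accepted(handset: Handset, rogue: RogueBaseStation) -> bool:
    """Can the rogue station pass itself off as a 3G cell? (Expected: no.)"""
    rand, autn = rogue.umts_challenge()
    return handset.umts_res(rand, autn) is not None


def attach(handset: Handset, rogue: RogueBaseStation,
           genuine: GenuineNetwork, jam_3g: bool) -> str:
    """Where the handset ends up under the attacker's chosen radio conditions."""
    if not jam_3g:
        rand, autn = genuine.umts_challenge()   # live 3G wins: mutual auth holds
        return "3g-genuine" if handset.umts_res(rand, autn) else "3g-rejected"
    if handset.mode == "3g-only":
        return "no-service"                     # inconvenient, but not hijacked
    # 3G jammed and fallback allowed: the handset camps on the strongest 2G cell,
    # answers the rogue RAND, and the attacker now sits on the data path.
    sres = handset.gsm_sres(rogue.gsm_challenge())
    return "2g-rogue" if rogue.accept_sres(sres) else "2g-rejected"


def demo() -> dict:
    rogue, genuine = RogueBaseStation(), GenuineNetwork(K)
    auto, strict = Handset(K, "auto"), Handset(K, "3g-only")
    return {
        "rogue_3g_cell": rogue_3g_accepted(auto, rogue),               # False
        "auto_no_jam": attach(auto, rogue, genuine, jam_3g=False),     # "3g-genuine"
        "auto_jammed": attach(auto, rogue, genuine, jam_3g=True),      # "2g-rogue"
        "3g_only_jammed": attach(strict, rogue, genuine, jam_3g=True), # "no-service"
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:16} -> {outcome}")
```

The model captures the article's point: the attacker never needs K. Forging a 3G cell fails at the MAC check, so the cheaper move is to jam 3G and let the handset's own fallback logic deliver it to a 2G cell that asks for authentication but verifies nothing. A handset pinned to 3G loses service under jamming but is not captured, which is why the researchers point to that setting, and why its absence on some phones matters.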