Tuesday, May 3, 2011

Selective attack with a rogue GSM/GPRS base station

An attacker employing a rogue GSM/GPRS base station usually wants to compromise the communications of a particular user, while trying to generate the least possible activity for the rest of mobile users within his radio range. We call this a “selective attack”. In order to perform it, the attacker must know the victim’s IMSI (the number that identifies a SIM card) in advance.
There are two widespread misconceptions regarding this type of attack. Most people think that:

A.- It is difficult to obtain the victim’s IMSI, and
B.- It is difficult not to affect the other users in the radio range of the rogue base station

However, there are some techniques that allow the attacker to solve the aforementioned issues. In this article we explain one of them as an illustrative example.

Discovering the victim’s IMSI

To solve point A, the attacker could do the following:
  • Step 1: the attacker positions himself in the area where his victim lives (the victim’s home location) when the victim is inside and captures all the IMSIs in the range of his rogue base station. He will probably use a directional antenna to limit the geographical area where he is capturing IMSIs. During this operation, the rogue base station will reject all registration attempts from any mobile, but it will annotate the IMSI numbers of the subscribers that are trying to register.
  • Step 2: afterwards (for example the next working day), the attacker positions himself in the victim’s office location, and performs the same procedure. It is to be expected that the first IMSI that is present in both IMSI lists will be the one of the victim.
  • Step 3: after that, the attacker should authorize the registration of the victim’s IMSI (and only this one) in his rogue base station in order to intercept all its communications. The registration attempts from any other IMSI will be rejected.
Avoiding affecting the rest of users.

Once point A is solved, let’s see how the attacker can tackle point B. First, and most important, notice that the attacker didn’t leave the registration open for all mobile stations at any time, thus preventing the appearance of any symptom that could alert the mobile users in the area (such as a sudden change in the coverage indicator, any abnormal error in outgoing calls, the absence of incoming calls, etc.) and any overload problem for his rogue base station (that will typically have limited capabilities for traffic and call management).
For every aforementioned step, the attacker performs the following configuration actions to affect the least possible the rest of mobiles in his radio range:
  • Step 1: the attacker will configure its rogue base station so that each IMSI tries to register to it only once. This is convenient for him for several reasons: it will minimize any symptoms in the mobile phones in his range, and also he will reduce to the minimum redundant and useless information in his logs. One way to achieve this objective is to configure a Reject Cause Code 0x0C “Location Area Not Allowed”. This reject code is included by the base station in the “Location Update Procedure Reject” message, sent whenever the base station rejects a registration attempt. According to 3GPP 24.008 and the tests in our lab, the mobile station annotates the LAI (Location Area Identifier) in its “forbidden location areas” list and it will not try to register to any cell with this LAI (at least not until the mobile station is reset or the SIM is removed). This way, the attacker is forcing the mobile terminals in his range to try to register only once to his rogue base station, but they will continue to be able to register back to a legitimate base station.
  • Step 2: at this moment the attacker wants the victim’s mobile station to be rejected in its first registration attempt, as well as the other subscribers in his radio range. He can configure its rogue base station with a LAI different from the one used in the previous day, so that he will ensure that the mobile station will try to register again. Once identified the first IMSI matching any one stored the previous day, he shutdowns the base station.
  • Step 3: at this time, the attacker already knows the victim’s IMSI. He can then turn on again his rogue base station with a new LAI and with the victim’s IMSI authorized. When the victim’s mobile station tries to register, the registration will succeed and the attacker will be able to intercept the communications of the victim. All other mobile stations will try to register only once in the rogue base station and will register back to a legitimate cell, because the configured Reject Cause Code will still be 0x0C.
This procedure would allow an attacker to identify the victim’s IMSI with a first capture session that would last some minutes, and a second session in which he would be able to selectively intercept the victim’s communications. The only collateral effect on other mobile terminals in the attacker’s range would be that they would try to register to his rogue base station, but only once (or twice at most), and the users won’t even get an indication of this fact on their screens.

NOTE: We first published this article, in Spanish, in this post of the blog “Un inform├ítico en el lado del mal”


Anonymous said...


How do you force the mobile to run what you call "registration attempt" (IMSI attach, I assume)?

Without that, if the phone is only running location update, it identifies by TMSI, which probably means that you can't discriminate the victim from "the rest".

Jose Pico said...


assuming that the mobile station is currently registered in the legitimate base station (normal case), it will initiate a Location Update Procedure after the "Cell Reselection Procedure", run in the mobile station, decides to change to the rogue cell. First message will be a "Location Update Request" of type "Normal Location Updating" (not IMSI attach) where it will, as you mentioned, include its previous TMSI for identification.

After that message, several intermediate steps can occur before the completion of the "Location Update Procedure". Whether these steps should be performed or not is always decided by the network. One of these steps is the "Identification Procedure". In our case, our rogue base station initiates this "Identification Procedure" asking for the IMSI. That is the way we obtain the IMSI.

After that, the network finishes the "Location Update Procedure" by sending "Location Update Procedure REJECT" message or "Location Update Procedure ACCEPT" message, depending on the case.

We cover this and many other details in our 2G/3G security course.

Post a Comment