Abstract
Private mobile communication systems (MCSs) can be established easily with an open project, and small MCS base stations are increasingly deployed in experimental environments. They can support not only voice communication, but also short message services (SMS) and data services. If a user has a small base station (BS), then establishing a private real-world MCS becomes a clear option. For a private MCS to function properly, the services of private MCSs based on open projects should be configured similarly to those provided by commercial MCSs. In other words, the service should include voice communication, SMS, and a General Packet Radio Service/Enhanced Data rates for GSM Evolution (GPRS/EDGE) service. The subscriber station should likewise be configured to support such services. In this paper, we consider attack scenarios using experimental MCSs with small BSs. We experimentally show the feasibility of attacks resulting in the leakage of private information, attacks on OpenBSC control, and DNS spoofing at the network level, all without subscriber knowledge.
Acknowledgments
This work was supported by Korea University Grant.
Conflict of interest
None.
Cite this article
Kim, E., Moon, J. A new approach to deploying private mobile network exploits. J Supercomput 72, 46–57 (2016). https://doi.org/10.1007/s11227-015-1461-5
DOI: https://doi.org/10.1007/s11227-015-1461-5