Thread: GSM firewall
View Single Post
joerg_rw's Avatar
Posts: 2,222 | Thanked: 12,651 times | Joined on Mar 2010 @ SOL 3
#9
Originally Posted by juiceme View Post
Well, in an infinite universe anything is possible, and I do not doubt that the UMTS signaling stack is perfect: far from it. There might well be bugs that allow some undocumented functionality to emerge.
However, there is no possible legal state transition that could lead to this kind of action.

The only way I can see for this to happen would be if the attacker could inject malicious code into the target UE and get it running; imagine for example an instance of Prey on the device controlled by remote malicious party.
Such attack would be device-dependent however, there might be some manufacturer/model that is vulnerable to a hand-crafted attack vector specifically targeted to it but no possibility to create a generic attack.




The attack device can easily masquarade using existing cell area&BTS signatures that it anyway can observe. There is pretty much no way that the target UE can shield against this type of attack.
However please note that Neo900 has NO way the GSM/UMTS stack can inject ANY commands into the main system. Our modem is sandboxed and we even do more than this, we have surveillance for the sandbox, detecting every little move the modem does, then decide if it's concerning or expected. Worst case we shoot complete modem down when it misbehaves. In that regard we're even better than cryptophone used for the IMSI-catcher "firewall" liked to in above post.

Regarding masquerading an IMSI-catcher as regular BTS (incl Cell_ID and all): _can_ be done, but begs for trouble, so usually they don't do it aiui.

/j
 

The Following 4 Users Say Thank You to joerg_rw For This Useful Post: