Attackers Hijack Cellular Phone Towers Thanks To Critical Flaws
You and I are afraid of somebody hacking our smartphones and stealing critical information, but what happens when hackers hijack a whole cellular network by hacking into cellphone towers? No, this is not an empty threat because, security researchers from the mobile security firm, Zimperium have discovered three serious security flaws in BTS stations which can allow potential hacker remotely hijack the entire cell phone tower. The Zimperium researchers have said that the flaw is so critical that it allows hackers to abuse, hijack, and crash mobile cell towers.
BTS (Base Transceiver Station) is the technical term used to define cellular phone towers we see plastered in our cities, towns, villages, and spread all over the fields, hills, and mountains. The cell towers are basically composed of software and radio equipment that allows mobile stations (cellular phones) to connect to the GSM, UMTS, and LTE networks.
BTS stations for the gist of GSM telephony network and are used by service providers to pass on your SMS messages, transmit calls, and data packets from our phones to the mobile operator’s data center, which in turn relays the SMS messages to their destination, interconnect calls, and sends data packets over the Internet to the servers we are trying to reach.
Irrespective of whether the primary mobile network runs on GSM, UMTS, or LTE technologies, BTS stations are universally deployed.
Zimperium says it found out there were three serious errors in many of the software packages that run on BTS stations.
According to Zimperium, other software packages not included in their tests might also be affected since they all appear to run in the same manner, with a similar design.
Affected vendors and their software include Legba Incorporated (YateBTS <= 5.0.0), Range Networks (OpenBTS <= 4.0.0 and OpenBTS-UMTS <= 1.0.0), and OsmoCOM (Osmo-TRX <= 0.1.10 and Osmo-BTS <= 0.1.10).
At present, there are three issues which mobile operators and BTS software vendors need to take care of in their equipment.
The first is the bug in a main BTS software service that uncovers the device to external connections, which allows an attacker to reach the BTS station’s transceiver via the Internet.
Attackers can take advantage of the device’s built-in features by sending UDP packets to certain management ports (5700, 5701, 5702). This allows the attacker to take remote control of the BTS station, remove information from the passing data, make changes to the GSM traffic, crash the BTS station, or worse.
In this case, Zimperium suggests that companies bind the sockets used for control and data exchange only to the local interface (127.0.0.1), or install a firewall to stop external traffic.
The second concern is a memory buffer overflow caused by enormous UDP packets. This is a classic remote code execution flaw (RCE) that allows the attacker run malicious code on the device. This bug is as unsafe as the attacker’s skills.
The third problem relates to the first. An attacker can perform commands on the BTS station’s transceiver module, if the attacker can send routine UDB traffic to the BTS station, as the control channel features no validation. The transceiver is the key hardware factor in the BTS station rig, which transmits and receives data between the BTS core software and the radio antenna.
This specific error lets an attacker to control the transceiver module distantly without having to enter any administrative authorizations.
Zimperium says the attacker with access to the control channel can turn the BTS off, alter the BTS identity, or block antenna radio frequencies, making it behave like another BTS station from the same network or eliminating the BTS from the mobile operator’s network, and carry MitM attacks.
While all vendors who were affected pushed patches, Range Networks has returned fixes for the first two problems in OpenBTS on July 6 and July 13, restoring the vulnerabilities in its software after it was fixed by them in the past on May 6.
