While it might cause a carrier a loss of revenue, he said, it wouldn't necessarily attract cybercriminals. This kind of attack would be well beyond the reach of a weekend hacker, and some security researchers think it might not be a real-world threat at all.ĭouglas DePerry, a researcher at Leaf Security Research in Red Bank, N.J., said there would be no way for anyone to make money from such an attack. That would eat up system resources, because it's not something cellular-network software would expect to see.Īmplify that by hundreds or thousands of bogus handsets trying to make voice calls at the same time, and the verification effort could flood the home network's servers and cause it to refuse calls from - in other words, deny service to - legitimate users. With multiple copies of SIM cards with identical IMSIs trying to verify themselves at once, neither the roaming nor the home networks' HLRs would know which phone was the legitimate one. "The network can't check whether you are a legal subscriber or not." "The home network trusts the roaming networks," Xenakis said. Xenakis and Ntantogian's attack would essentially replicate that massive system load, but the calls wouldn’t even need to be connected - all the attack would need to do is tie up an HLR's time with bogus roaming-call verification requests. Cellular networks that routinely handled hundreds of thousands of calls daily were unable to cope with the massive volume of simultaneous calls into and out of the area, and many people trying to reach their loved ones found they couldn't connect. That's what happened in the New York City area during the terrorist attacks of Sept. But too many requests to a local cellular network can overwhelm it. Ordinarily, this system load would not be a problem. Even if the verification request fails and the call isn't connected, the HLR-to-HLR communication and resulting transfer of data eat up computing resources. However, this verification process takes time - a few seconds, on average. If the user has paid for or enabled roaming service, the answer is yes. If a phone's ID is not listed in the database, the local HLR contacts the HLR of the handset's home network and asks whether the phone is legitimate and authorized. The tower queries a home location register (HLR), a central database that contains details of each mobile phone subscriber authorized to use the tower's local network. When a cellphone roams out of its home network, every call it makes is handled by the nearest compatible cell tower. Each harvested IMSI could then be duplicated onto tens or hundreds of blank SIM cards.Īuthentication of a roaming cellphone takes time, because the host network has to check with a handset's home network to verify that a particular phone is legitimate. Xenakis said it would be possible to build, using commercially available hardware, a kind of fake cell tower that could harvest the IMSIs from every handset that passes nearby. To prepare for the attack, a hacker would require a device that can "harvest" the International Mobile Subscriber Identity, or IMSI, numbers of a lot of cellphone SIM cards. Xenakis and Ntantogian's attack is a bit different from regular SIM cloning because it doesn't require that all the information on a SIM card be copied, but just enough information to convince cellular-network software that it should try to authenticate the SIM card. It's an old trick that criminals used in the 1990s to make calls and bill them to someone else. Phone carriers got wise to that and made it harder to do, but it still happens. The total cost, Xenakis and Ntantogian said, could be only a few thousand dollars.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |