
Researchers from the College of Science and Technology at the University of Minnesota have demonstrated a new method for covertly determining whether a network subscriber is within range of a particular GSM base station. In some cases, this allows the subscriber's location to be established to within one square kilometer.
At the core of the proposed attack is the fact that GSM base stations and subscriber terminals exchange some service data in unencrypted form. An attacker can call the victim's number and find out whether the victim is within the coverage area of a certain base station simply by monitoring the radio channel.
To carry out the attack, a mobile phone, a laptop and the open-source Osmocom GSM radio scanner (http://bb.osmocom.org/trac/) are sufficient. First, the service identifiers of the victim's mobile phone must be determined. To do this, the attacker stays close to the person under surveillance while that person is at a place of interest to the attacker, for example at home, and calls their mobile phone. At the same time, on the laptop, the attacker monitors the broadcast requests that the base station sends out at a fixed interval to determine whether the phone is in its coverage area. In these requests the base station specifies, in unencrypted form, the unique identifier of the victim's mobile phone, known as the TMSI (Temporary Mobile Subscriber Identity), and, more rarely, the IMSI (International Mobile Subscriber Identity).
After making a few calls to the victim and listening to the broadcasts, the attacker can work out these identifiers. To remain undetected, it is enough to make short calls of no more than five seconds. That is long enough for the victim's phone to respond to the base station's broadcast page, but not long enough for it to start ringing.
At this point the preparatory stage of the attack can be considered complete, since for a given "base station - user terminal" pair the TMSI and IMSI identifiers remain unchanged. From then on, it is enough for the attacker to be within the coverage area of a base station, place a call, and see whether the mobile phone of the person under surveillance responds.
Denis Foo Kune, one of the authors of the attack, said that to neutralize it mobile operators need to make it harder to determine a subscriber's location. According to him, this can be done in several ways. One is to send the broadcast requests not through a single base station but through the last three base stations on which the subscriber terminal was registered. Another is to change the TMSI after each broadcast page, so that an attacker cannot easily match it to the victim's mobile phone number. The third is to randomize the intervals at which broadcast pages are sent, which makes traffic analysis by an attacker more difficult.
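The short, abandoned calls described above also leave a trace in an operator's call-attempt records. The following is an added example, not taken from the researchers' paper: a sliding-window check that flags subscribers who receive repeated unanswered call attempts of five seconds or less. The record layout, the phone numbers, the 10-minute window and the threshold of three are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_PROBE_SECONDS = 5            # from the article: calls of no more than five seconds
WINDOW = timedelta(minutes=10)   # assumption: how far back attempts are correlated
THRESHOLD = 3                    # assumption: probe-like attempts needed to flag a callee

# Constructed sample records (not real data):
# (setup time, caller, callee, seconds until the caller hung up, answered)
SAMPLE_ATTEMPTS = [
    ("2012-02-20T09:00:00", "+15550177", "+15550145", 3, False),
    ("2012-02-20T10:00:05", "+15550199", "+15550123", 4, False),
    ("2012-02-20T10:02:10", "+15550199", "+15550123", 3, False),
    ("2012-02-20T10:03:00", "+15550111", "+15550123", 120, True),
    ("2012-02-20T10:04:30", "+15550199", "+15550123", 5, False),
    ("2012-02-20T10:05:00", "+15550188", "+15550160", 25, False),
    ("2012-02-20T10:07:00", "+15550199", "+15550123", 4, False),
    ("2012-02-20T11:30:00", "+15550177", "+15550145", 2, False),
]

def find_probed_callees(attempts, window=WINDOW, threshold=THRESHOLD):
    """Return {callee: (peak probe count, sorted callers)} for every callee that
    received at least `threshold` short unanswered attempts inside `window`."""
    recent = defaultdict(deque)  # callee -> (time, caller) of recent probe-like attempts
    flagged = {}
    for ts, caller, callee, held, answered in sorted(attempts):
        if answered or held > MAX_PROBE_SECONDS:
            continue  # a normal call, or a missed call that had time to ring
        when = datetime.fromisoformat(ts)
        queue = recent[callee]
        queue.append((when, caller))
        while when - queue[0][0] > window:
            queue.popleft()  # drop attempts that fell out of the window
        if len(queue) >= threshold and len(queue) > flagged.get(callee, (0, []))[0]:
            flagged[callee] = (len(queue), sorted({c for _, c in queue}))
    return flagged

if __name__ == "__main__":
    for callee, (count, callers) in find_probed_callees(SAMPLE_ATTEMPTS).items():
        print(f"{callee}: {count} short unanswered attempts from {callers}")
```

A flagged subscriber is a candidate for review rather than proof of tracking, since misdialled or automatically redialled calls can produce the same pattern.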
More details about this simple and inexpensive method of establishing a subscriber's location in GSM cellular networks can be found in the scientific paper published on the University of Minnesota website at http://www-users.cs.umn.edu/~foo/research/docs/fookune_ndss_gsm.pdf.