
Security Testing of GSM Implementations

  • Conference paper
Engineering Secure Software and Systems (ESSoS 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8364)

Abstract

Right after its introduction, GSM security was reviewed in a mostly theoretical way, uncovering some major security issues. However, the cost and complexity of the required hardware prevented most people from exploiting these weaknesses in practice, and GSM became one of the most successful technologies ever introduced. There is now an enormous amount of mobile-enabled equipment out in the wild, which not only has exploitable weaknesses that follow from the GSM specifications, but also runs implementations that were never security tested. With the introduction of cheap hardware and freely available open-source software, GSM has come under renewed scrutiny in recent years, and practical security research such as fuzzing is now a possibility.

This paper gives an overview of the current state of fuzzing research and discusses our efforts and results in fuzzing parts of the extensive GSM protocol. The protocol is described in hundreds of large PDF documents and contains many layers and many, often archaic, options. It is, in short, a prime target for fuzzing. We focus on two parts of GSM: SMS messages and CBS (cell broadcast) messages.




Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

van den Broek, F., Hond, B., Cedillo Torres, A. (2014). Security Testing of GSM Implementations. In: Jürjens, J., Piessens, F., Bielova, N. (eds) Engineering Secure Software and Systems. ESSoS 2014. Lecture Notes in Computer Science, vol 8364. Springer, Cham. https://doi.org/10.1007/978-3-319-04897-0_12


  • DOI: https://doi.org/10.1007/978-3-319-04897-0_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04896-3

  • Online ISBN: 978-3-319-04897-0

  • eBook Packages: Computer Science (R0)