GSM services let you do a lot on the go. But the greater the capability, the bigger the attraction to an attacker.
Global System for Mobile Communications (GSM), the standard used by mobile phone networks, has spawned many variants, such as GPRS and 3G. The extra functionality and convergence associated with these standards have created some interesting security issues.
GSM, GPRS and 3G modems used in corporate networks allow for connectivity when fixed line communications go down. They also make connections from mobile devices easier to trust as communications are direct rather than via the internet. Yet these modems are susceptible to a security vulnerability rooted in the old but effective technique of wardialling.
An attack involves finding out which number ranges an organisation uses for its mobile communications, for example 07777 700000 to 07777 700999. Although such a range will primarily be used for mobile phones, it is likely that any GSM modem equipment will share it. If attackers get hold of a mobile data card - stealing one from a laptop would be an easy way - the SIM card will give up its number. Using this, it is possible to dial every number in the range to establish what can be connected to.
For devices other than phones there will be a modem-style response, and this is where a network breach can occur. Many engineers still don't change default usernames and passwords when installing systems, and these can be obtained from detailed internet searches. There are examples where this type of attack allows access directly to specific systems. Of course, firewalling, if implemented, would make this extremely unlikely.
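The sweep described above has a recognisable footprint from the defender's side: one calling number working through many numbers in the organisation's block in a short time, often in consecutive order. The script below is an added example, not from the original article, showing how to pick that pattern out of an inbound call log. It assumes a constructed, hypothetical log format (one line per call with an ISO timestamp, caller, callee and result), such as might be exported from the operator's call records or aggregated from the modems' own logs; the sample lines are constructed for the example.

```python
"""Detect a wardialling-style sweep against a block of GSM modem numbers.

Added example, not code from the article. Assumes a central inbound call log
in a constructed format, one line per call:

    <ISO timestamp> caller=<E.164> callee=<E.164> result=<CONNECT|NO_CARRIER|BUSY>

The signature is a single caller reaching many distinct numbers in the
monitored range inside a short window; a run of consecutive numbers
strengthens the case, and any CONNECT results tell you which modems answered
and need checking first.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) caller=(?P<caller>\+\d+) callee=(?P<callee>\+\d+) result=(?P<result>\w+)$"
)

# Constructed sample: one caller walks the +44 7777 700xxx block (from a SIM that is
# itself in the block, as with a stolen data card); two benign callers ring one number.
SAMPLE_LOG = """\
2024-03-01T09:00:00 caller=+447700900001 callee=+447777700010 result=CONNECT
2024-03-01T09:00:03 caller=+447777700500 callee=+447777700001 result=NO_CARRIER
2024-03-01T09:00:09 caller=+447777700500 callee=+447777700002 result=NO_CARRIER
2024-03-01T09:00:15 caller=+447777700500 callee=+447777700003 result=BUSY
2024-03-01T09:00:21 caller=+447777700500 callee=+447777700004 result=CONNECT
2024-03-01T09:00:27 caller=+447777700500 callee=+447777700005 result=NO_CARRIER
2024-03-01T09:00:33 caller=+447777700500 callee=+447777700006 result=CONNECT
2024-03-01T09:05:00 caller=+447700900002 callee=+447777700010 result=CONNECT
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "caller": m["caller"],
            "callee": m["callee"],
            "result": m["result"],
        })
    return events


def in_range(number, low, high):
    """True if an E.164 number (as '+digits') falls inside the numeric block [low, high]."""
    return low <= int(number.lstrip("+")) <= high


def longest_consecutive_run(numbers):
    """Length of the longest run of numerically consecutive numbers (sweep indicator)."""
    nums = sorted({int(n.lstrip("+")) for n in numbers})
    best = run = 1 if nums else 0
    for a, b in zip(nums, nums[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_sweeps(events, low, high, window=timedelta(minutes=10), threshold=5):
    """Return one alert per caller that reached >= threshold distinct numbers in the
    block within any `window`-long span; the alert reports the densest such span."""
    per_caller = defaultdict(list)
    for e in events:
        if in_range(e["callee"], low, high):
            per_caller[e["caller"]].append(e)

    alerts = []
    for caller, evs in per_caller.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {e["callee"] for e in span}
            if len(distinct) >= threshold and (best is None or len(distinct) > best["distinct_callees"]):
                best = {
                    "caller": caller,
                    "distinct_callees": len(distinct),
                    "consecutive_run": longest_consecutive_run(distinct),
                    "connects": sorted(e["callee"] for e in span if e["result"] == "CONNECT"),
                    "first": evs[start]["ts"].isoformat(),
                    "last": evs[end]["ts"].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(parse_log(SAMPLE_LOG), 447777700000, 447777700999):
        print(alert)
```

The threshold and window are deliberately conservative defaults; tune them to the size of the block and to how often legitimate callers ring several of your modems. The `connects` list is the actionable part: those are the devices that answered a sweep and whose credentials and firewall exposure should be verified first.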
In a typical corporate setting GSM services are used to enable the sending of messages over SMS, but this functionality is extended for many purposes. GSM modems help to manage messaging and equipment in various environments such as electricity distribution, nuclear power stations, railways and vehicle tracking.
The points on a railway can be controlled by GSM, as can service and emergency messaging to the train's computer, hence the “turn GSM on now” signs you see as you pull out of certain stations. If you notice more radio masts being built near railways in the coming years, it is probably due to the rollout of Network Rail's GSM-R (the R simply stands for Railways) communications system. Set to be completed by 2013, the system is designed to provide secure train driver-to-signaller communication nationwide.
GSM modems are also used to control switches in electricity substations where they send commands to turn circuit breakers on or off. In nuclear power stations they are more widely employed as part of permanent monitoring stations that can alert key personnel to radiation leaks. Far less critical, but just as beneficial, is the use of GSM technology in water, gas or electricity metering where adoption is driven by cost savings.
So far, there have been no major publicised attacks on infrastructure-level GSM systems. This could be because there is no tangible gain for an attacker. However, as GSM modems continue to be introduced into ever more diverse environments, there may come a time when they present a very attractive target. Disabling substations (repeatedly flipping circuits open and shut) or redirecting trains at junctions could become the GSM attack of the future. By hardening and firewalling systems these attacks can be avoided. The real danger comes from corporate installations where security is not a priority.
Just like the implications of network-based attacks on building management systems, the ill-managed convergence of GSM switching and messaging should be treated with caution.
We all know how annoying mobile phones on trains can be. Imagine their disruptive potential if a hacker taps into the system. You could find you get on at Victoria, but have to get off wherever the hacker decides.