Sunday, April 02, 2017

Crime: Base Station Monitoring and Regular Stress Tests

Photo courtesy of the Macau Post Daily

There is no shortage of police investigations, articles and reports into cellular technology being used for some sort of illegal purposes, and that is beyond the normal seizure of mobile devices in criminal proceedings. The recent prosecution of a construction worker, reported (10-03-2017) in the Macau Post Daily, running not one but two fake base stations, is such an example.

Whilst there is a huge effort to deal with Cybercrime attacks over networks, there is a growing emphasis suggesting that more attention could be focussed to actually dealing with physical devices creating the cyber activity behind the crime.

On the 22-03-2017 Information Age website reported Chinese cybercriminals sent Android malware via fake BTSs ( ). The report was also mentioned at a number of other websites ( ; and so on). Blog.knowbe4 added useful information content beyond Information Age's report that the malware was involved, but identifies the malware as attack called "Smishing"; a subject mentioned here at previously back in 2015 ( Smishing Maybe Smashed, but Fake Tache Goes On  - ).

It isn't clear from these reports as to what is actually meant by 'fake BTSs'? Are the attackers merely hacking the network exploiting (S3000688) MAP security and getting hold of authentication vectors to mount a false base station attack?; maybe this is a man-in-the-middle attack using a false mobile BTS? (3GPP TS 21.133); using mobile redirector techniques for Android smartphones opening the SMS text message link to download the '.apk'; or whether a false physical tower has been erected on land through which the attacks are made?   If the latter is correct, there is more involved with this than anonymously hiding in the background. For a false physical tower to happen either the attacker/s might 'hijack' equipment on an existing tower?; add new equipment to an existing tower?; or land-base a whole new tower? The latter is possibly the most improbable to happen without the attacker/s needing new landline connections, microwave, RF and electrical power facilities, cabinets, cabling, tower rig, antenna/TRXs, etc. etc., something that resembles a cellular tower in order to get a smartphone to use its rogue radio coverage.

How can a mobile network operator deal with this? It largely depends how well the operator knows its own installation base and how regularly the operator OMC (operations and maintenance centre) and site visits are co-ordinated for stress testing. Those co-ordinated tests may need to take into account site inventory inspection across a wide range of components. For instance, has the operator sufficient information of Inventory of components for each site? One example being the Antenna Interface Standards Group (AISG), which has been around for many years, its members count amongst some of the leading global players in this arena ( ):

Membership of the Group at 1st May 2016

Ace Technologies Corp.
Kathrein Werke KG
Amphenol Antenna Solutions
KGP Tech Co. Ltd.
China Mobile
KMW Inc.
Comba Telecom Systems Int'l
Commscope, Inc
Communications Components Inc.
Orange / France Telecom
Ericsson AB
Oriel Laboratories Ltd
Galtronics Corporation Ltd
Radio Design
Gammanu Inc
Gemintek Corporation
RFM Wireless
Gemtek Technology Co. Ltd.
Rosenberger Asia Pacific Electronic Co. Ltd.
Guangzhou Sunrise Telecoms Equipment Co Ltd
SGC Technologies Inc
Heji Co Ltd.
Shenzhen Haina Telecom Equipment Co Ltd
Huawei Technologies Co Ltd
Shenzhen Tatfook Technology Co Ltd.
Innertron Inc
Sunsea Telecommunication Co Ltd.
Innova Telecommunication Co. Ltd.
Sunwoo Communication Co Ltd
Jiangsu YaXin Electronics, Science & Technology Co Ltd
Wuhan Hongxin Telecommunication Technologies Co. Ltd.
JMA Wireless LLC
Tongyu Communications Equipment Co Ltd
Kaelus Pty Ltd
Westell, Inc.
The following companies are members of the Ancillary Equipment Group
Amphenol-Tuchel GmbHRecodeal Interconnect System Co. Ltd.
Franz-Binder GmbHSam Woo Electroncs Co. Ltd.
Guangzhou Huafeng Qiwang Electronic                               Technology Co. Ltd.Syskim International
Lumberg Connect GmbH

Furthermore, the obvious site checks, such as, break-in to an external cabinet or site equipment room, checking CCTV and trip alarms should normally be examined against regular site visit logs and also time-to-site and time-at-site. Checking fault management, configuration management, performance management & Security Management ports and panels at site to see if they have not been tampered with to disguise normal operation is another consideration. There is a full range of security measures at site and network stress tests that can be performed.

Regulators may wish to assess the security breach with an operator and see if an industry-wide practice is involved selling equipment on the merits on merely the forecast of Total Cost of Ownership and Return On Investment as opposed to an assessment of the person/organisation buying equipment? Another assessment might be to considered reports of stolen equipment and marking of components etc.

It isn't difficult to imagine more cases like the above could occur but it doesn't mean it will; and doom and gloom is not the note this discussion is going to end. Think about all of the towers and base station installed around the world and the customer-base they serve. The mobile network operators provide an amazing service delivering trillions of calls, communications and other services annually. It is a testament to their predominantly well run mobile networks that they operate that the majority of users will not be talking in terms of throwing in the towel and ditching their mobiles tomorrow for landline telephones because of these crime reports.

Finally, India's state-owned quality control agency, Standardisation Testing & Quality Certification (STQC), has started ( ) screening of all mobile network components, feature phones and smartphone under the requirements of National Security. This may pave the way for other countries without such a screen procedure to adopt a similar model.

No comments: