While his Black Hat DC Conference demonstration was not flawless, a University of Luxembourg student on Wednesday did show that it's possible to trick iPhone users into joining a fake GSM network.
Ralf-Philipp Weinmann showed how to cobble together a laptop using open-source software OpenBTS and other low-cost gear to create a fake GSM transmitter base station to locate iPhones in order to send their owners a message. A number of iPhone users in the room expressed surprise that they had gotten a message asking them to join the network.
Weinmann, who is researching vulnerabilities in cellular networks, said that with the right equipment, the range for the rogue GSM station he built can be 35 kilometers.
"You want to get phones not just used by the teenage crowd but executives," said Weinmann, adding that it is possible to "have complete control of the phone." Part of the reason these fake GSM network attacks are possible is because the code base used in smartphones such as the iPhone, which is Infineon-based, goes back to the 1990s. A little sleuthing allowed Weinmann to discover vulnerabilities that can be exploited. For instance, he got help by finding that an Italian company that went bankrupt in the 1990s put up some code for GSM stacks in Sourceforge for four years before taking it down.
Weinmann's attack would allow him to take advantage of iPhones lured into his rogue base station to "enable and disable auto-answer on the iPhone" he said, or with an attack payload to record the audio on the iPhone, store it in RAM and then transmit the data that was sniffed.
Weinmann said he doesn't want to encourage data theft, but he does want to get carriers and vendors to improve security in the wireless networks. He adds that technology such as femtocells could be used to replace the OpenBTS software, which would only amplify the types of attacks he's investigating.