GSM devices are becoming more popular: users can set them up quickly, use them without landline internet or Wi-Fi, and control them remotely. But this also makes them an interesting target for attackers. Usually a GSM device has a call menu (an IVR menu driven by DTMF commands). This talk covers mass attacks on these devices and addresses these main questions:
1) Which devices are in danger?
2) How can hackers attack them?
3) What about mass attacks and botnets?
4) What can hackers do after a successful hack?
5) How can you protect yourself?
1) There are several popular types of GSM devices:
* Smart home control systems
* Industrial GSM control systems
* Access control systems and locks
* Some communication systems
* Smartwatches for kids
There are many models of each type of device. I will discuss several models and which of them are more secure and which are insecure.
2) I will give a short introduction to attacks on GSM devices.
The main idea of an attack is simple: call the device, bypass authorization, and perform actions.
The main questions of this chapter:
* When is it necessary to spoof the Caller ID, and when can an attacker call from an arbitrary number?
* How can authorization be bypassed? How secure is a Caller ID check?
* Brute-force attacks: typical password rules (several popular GSM alarms only allow a 4-digit password). An attacker can silently find such a password in less than 24 hours.
These methods (Caller ID spoofing and brute force) make it possible to hack most GSM alarms and some other GSM devices quickly.
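Here is an added example (my own, not from the talk or any vendor's firmware) that models a GSM alarm's IVR/DTMF authorization: a weak configuration where a whitelisted Caller ID alone grants access and PIN attempts are unlimited, next to a hardened one that always requires the PIN and locks out after repeated failures. The lockout threshold, lockout duration, call timings and phone numbers are assumed values; the helper estimates how long exhausting the 4-digit PIN space takes under each policy.

```python
# Added example: a model of a GSM alarm's call-menu (IVR/DTMF) authorization.
# Not the talk's or any vendor's code; lockout policy, timings and numbers are assumed.
import math

PIN_SPACE = 10 ** 4          # a 4-digit PIN has only 10,000 candidates
MAX_FAILURES = 5             # assumed: wrong PINs allowed before lockout
LOCKOUT_SECONDS = 15 * 60    # assumed: lockout duration

class IvrAuth:
    """Authorization state of one device; Caller ID is never a credential."""

    def __init__(self, pin, trusted_callers, require_pin=True, lockout=True):
        self.pin = pin
        self.trusted = set(trusted_callers)
        self.require_pin = require_pin    # False models "Caller ID is enough"
        self.lockout = lockout            # False models unlimited PIN attempts
        self.failures, self.locked_until = 0, 0.0

    def authorize(self, caller_id, dtmf_pin, now):
        """Return 'granted', 'rejected' or 'locked' for one call attempt."""
        # Caller ID is supplied by the network and can be spoofed, so it may
        # only narrow who is allowed to try; it must never authorize by itself.
        if self.trusted and caller_id not in self.trusted:
            return "rejected"
        if not self.require_pin:
            return "granted"              # weak design: a spoofed number wins
        if self.lockout and now < self.locked_until:
            return "locked"
        if dtmf_pin == self.pin:
            self.failures = 0
            return "granted"
        self.failures += 1
        if self.lockout and self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "rejected"

def worst_case_hours(attempts_per_call, seconds_per_call, lockout):
    """Hours needed to try every 4-digit PIN (a defender's risk estimate)."""
    if lockout:
        # a lockout fires every MAX_FAILURES wrong PINs, capping tries per call
        attempts_per_call = min(attempts_per_call, MAX_FAILURES)
    calls = math.ceil(PIN_SPACE / attempts_per_call)
    total = calls * seconds_per_call
    if lockout:
        total += (PIN_SPACE // MAX_FAILURES) * LOCKOUT_SECONDS
    return total / 3600
```

With the assumed timings (10 tries per call, 30-second calls) the weak policy exhausts the PIN space in about 8 hours, in line with the under-24-hours figure above, while the lockout policy pushes it past 500 hours and produces a stream of lockouts the device can report to its owner.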
3) Hacking one device is easy. So is it possible to perform a mass attack and create a botnet? This question is covered in the following chapter.
There are two main steps for a mass attack:
* Find devices.
* Hack the devices found.
I will explain how attackers can find devices: from scanning all phone numbers to a more effective combination of OSINT methods, data leaks and small vulnerabilities in mobile operators' systems.
For example, an attacker can scan all live mobile numbers in Russia (my country) for less than 10 000 USD.
After a successful scan, an attacker can hack most of the devices with the methods from the previous chapter.
I will show the estimated time, cost and number of victims for these attacks. The results show that such attacks are faster and cheaper than you might expect.
So the security of GSM devices is a problem that deserves attention.
I will also show a faster method of mass hacking of GSM devices. It is based on leaked contact lists. The main idea is to search leaked data (for example, from applications like GetContact) for contacts whose names relate to devices (such as "home", "door", "car", "village", "alarm", "pump"). This method finds devices quickly, but its results are less complete.
4) After a successful mass hack, an attacker controls thousands of GSM devices. In this chapter I will explain what s/he can do.
There are several effective and dangerous ways to exploit this:
* First, an attacker can control thousands of GSM alarms. S/he can do anything: switch an alarm on and off, listen in to rooms, switch connected devices on and off. This can be used to collect confidential data (such as conversations in an apartment or office). An attacker can also use it for effective burglary (listening in to rooms to find the moment when everybody has left home, then disabling the alarm) or sell this information to other burglars.
* S/he can hack a smart home system and perform all of its available actions.
* An attacker can attack industrial GSM controllers. In some cases this can disrupt a business process or cause an emergency.
* An attacker can use it to scare people: what about an alarm going off every night?
* Some of these devices are locks, so an attacker can remotely open or close doors.
* An attacker can use a botnet of GSM devices to perform DDoS attacks with SMS or calls.
* Finally, some devices allow USSD or SMS commands to be sent. An attacker can use this to gain access to the owner's account on the mobile operator's site and steal money.
5) In the last chapter I will talk about how you can protect yourself or your company when you use GSM systems, and what you should consider if you want to build your own device.
In brief: these attack methods allow an attacker to gain full access to thousands of GSM devices, use them to obtain private data, hack users' accounts, build a botnet, and perform dangerous actions in the real world.
Aleksandr Kolchanov is an independent security researcher and consultant and a former penetration tester at a bank in Russia. He takes part in various bug bounty programs (PayPal, Facebook, Yahoo, Coinbase, Protonmail, Yandex, Privatbank). Aleksandr is interested in uncommon security issues, telecom problems, privacy, and social engineering.