GSM AT Commands Misused: Hackers Can Secretly Create Covert Channels
Two researchers with a keen interest in mobile privacy and security, Alfonso Muñoz and Jorge Cuadrado, have found a way to abuse GSM AT commands to create covert communication channels over GSM. The results will be presented at the Hack in the Box Security Conference in Amsterdam next week.
The two researchers first built their own mobile phone. To Muñoz's surprise, a covert communication channel over the GSM network could be created by modifying the AT commands issued on the client's radio (antenna) side.
After several months of research, the researchers managed to create a simple control flow using metadata and error codes in missed calls to transfer data over the GSM network without paying.
Muñoz pointed out that they placed tens of thousands of "missed" calls (calls that ring for about one second and hang up, like nuisance calls) within a few hours, and the SIM card was never blocked. Given the anonymity and global reach of this technology, the use of anonymous SIM cards by malicious attackers poses a major threat. The technique could be abused for a range of malicious goals, such as exfiltrating information from an organization, activating remote devices, or hiding criminal communications.
Worryingly, this attack technique is cheap and easy to assemble. Muñoz said the necessary components can be bought for less than 50 euros from most online DIY hardware stores.
Since this type of attack uses the standard GSM network protocol, all GSM networks are exposed to it. Muñoz said there is currently no real fix. The only thing an operator can do is monitor a SIM card's calling behavior and block it when that behavior differs too much from that of other users.
Even so, detection and prevention cannot be guaranteed, because an attacker can adjust the covert channel to evade the monitoring and make detection harder.
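As an added illustration of the operator-side monitoring Muñoz describes (this is not code from the researchers or from the article), the following flags SIMs whose volume of one-second unanswered calls is an outlier against the rest of the subscriber population. The CDR records, field layout and thresholds are all constructed assumptions.

```python
# Added example, not from the article: a simplified instance of the operator-side
# monitoring the text describes. Each CDR is (sim, epoch_seconds, ring_seconds, answered);
# the records are constructed, not real subscriber data.
from collections import defaultdict
from statistics import median

CDRS = [
    # ordinary subscribers: a handful of calls, mostly answered
    ("sim-A", 0, 12.0, True), ("sim-A", 900, 1.0, False), ("sim-A", 1800, 8.5, True),
    ("sim-B", 0, 20.0, True), ("sim-B", 600, 15.0, True),
    ("sim-C", 0, 1.0, False), ("sim-C", 300, 6.0, True),
]
# suspect SIM: a burst of one-second unanswered calls, the pattern the article describes
CDRS += [("sim-X", i * 5, 1.0, False) for i in range(200)]

def short_ring_stats(cdrs, max_ring=1.5):
    """Per SIM: (short unanswered calls, total calls, calls per hour over its active span)."""
    by_sim = defaultdict(list)
    for sim, ts, ring, answered in cdrs:
        by_sim[sim].append((ts, ring, answered))
    stats = {}
    for sim, calls in by_sim.items():
        short = sum(1 for _, ring, ans in calls if not ans and ring <= max_ring)
        times = [t for t, _, _ in calls]
        span_h = max(1.0, (max(times) - min(times)) / 3600)  # floor of one hour
        stats[sim] = (short, len(calls), len(calls) / span_h)
    return stats

def flag_sims(cdrs, k=5.0, min_short=20):
    """Flag SIMs whose short-ring unanswered count sits far above the population
    median (a MAD-based outlier test) and above an absolute floor of min_short."""
    stats = short_ring_stats(cdrs)
    shorts = [s[0] for s in stats.values()]
    med = median(shorts)
    mad = median(abs(s - med) for s in shorts) or 1.0  # avoid division by zero
    return sorted(sim for sim, (short, _, _) in stats.items()
                  if short >= min_short and (short - med) / mad > k)

if __name__ == "__main__":
    print(flag_sims(CDRS))  # ['sim-X']
```

The thresholds k and min_short are assumptions to be tuned per network; as the last paragraph notes, an attacker who slows the call rate to blend in with ordinary subscribers will fall under them.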