Cross layer attacks on GSM mobile networks using software defined radios

Abstract

The ubiquitous adoption of cellular technologies, such as, Long Term Evolution (LTE) and Wide-band Code Division Multiple Access (WCDMA) has not diminished the impact of Global System for Mobile communication (GSM) technologies. Despite 20 years of deployment, GSM still poses significant security threats to its users due to adversaries exploiting protocol vulnerabilities. In this paper, we present an attack which leverages cross-layer information from network or data link layers to craft an attack vector targeting the physical layer. The cross-layer attack provides attacker sufficient knowledge to specifically target cells, control channels, and mobile stations (MS) with minimal investment of communication and energy resources. We have designed and implemented an experimental testbed, which comprises of, software defined radios (SDR) (USRP and gnuradio), open source GSM channel sniffer (gr-gsm), and distributed processing engine (Apache Spark). The experimental testbed will also facilitate cloning a base transceiver station (BTS) which will benefit from availability of cross-layer information to create customized attack vectors. The cross-layer attack capability on our experimental testbed provides a cost effective scheme to achieve desired benefits with optimal usage of communication and energy resources. Experimental results shows that the testbed can be used to successfully attack multiple mobile stations with minimal usage of power resources.