The Discordant Opposition Journal Issue 11 - File 12
Cellular Man in the Middle
by cronus [cronus@iol.ie]
I am basing this article on the workings of the Irish Eircell Cellular network which may or may not have any basis on the GSM specifications. I am far from a phreak, but I have proven this to work and I think it could be moulded into a very serious form of attack. This is a proof of concept rather than a how-to.
For the novices in the audience, I shall explain the man in the middle attack. The name of the attack is the best explanation, because the attack centres around the idea that the evil person Bernice is in the middle of the two good people Alice and Catherine. Alice and Catherine don't know that Bernice is in between them, so they start to communicate believing they are safe. But Bernice can intercept the communication channels going each way and alter the data if she so chooses, without Alice or Catherine knowing. This form of attack has recently become a problem for SSH/SSL based protocols, but the idea can be adapted to suit any communications medium.
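To make the Alice/Bernice/Catherine picture concrete, here is an added Python example (not part of the original article) that simulates the relay. Bernice sits between the two parties and rewrites a message in transit. With a plain channel the alteration goes unnoticed; with a message authentication code over a pre-shared key (a constructed key, assumed to be known only to Alice and Catherine) the tampered message is rejected. The names, messages and key are all constructed for the illustration; the point is that interception alone is not what makes the attack dangerous, it is the absence of any check that lets the middle party alter data silently.

```python
import hmac
import hashlib

# Constructed pre-shared key; assumed to be known only to Alice and Catherine.
SECRET = b"constructed-shared-key"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def bernice_relay(frame: bytes) -> bytes:
    """Bernice, in the middle, forwards the frame but rewrites part of it."""
    return frame.replace(b"meet at noon", b"meet at midnight")


def send_plain(msg: bytes) -> bytes:
    """Unauthenticated channel: the frame is just the message."""
    return msg


def receive_plain(frame: bytes) -> bytes:
    """Catherine accepts whatever arrives; there is nothing to check."""
    return frame


def send_authenticated(msg: bytes, key: bytes = SECRET) -> bytes:
    """Alice appends an HMAC-SHA256 tag computed over the message."""
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return msg + tag


def receive_authenticated(frame: bytes, key: bytes = SECRET):
    """Catherine recomputes the tag; returns None if the frame was altered."""
    msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampering (or wrong key) detected
    return msg


def demo(msg: bytes = b"Alice: meet at noon") -> dict:
    """Run the same message through Bernice over both kinds of channel."""
    # Plain channel: Bernice's rewrite is accepted as if Alice had sent it.
    plain_received = receive_plain(bernice_relay(send_plain(msg)))

    # Authenticated channel, untouched: the tag verifies and the message is accepted.
    auth_untouched = receive_authenticated(send_authenticated(msg))

    # Authenticated channel through Bernice: the rewrite breaks the tag.
    auth_tampered = receive_authenticated(bernice_relay(send_authenticated(msg)))

    return {
        "plain_received": plain_received,
        "auth_untouched": auth_untouched,
        "auth_tampered": auth_tampered,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running `demo()` shows the plain channel delivering "meet at midnight" as though Alice wrote it, while the authenticated channel returns `None` for the tampered frame and the original text for the untouched one. Authentication does not stop Bernice from reading or blocking traffic, only from altering it undetected; confidentiality needs encryption on top.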
More up-to-date cell phones that use the GSM protocol have a feature called Divert. This allows the owner of a cell phone to set up a Divert for when the phone is turned off, after so many rings, or when the phone is already receiving a call. The Divert acts as a shunt, sending the incoming call to another phone number, which could be another mobile, a land line or a message service.
The beauty of this security 'feature' is that a cell network is run on radio waves entirely, which act like a local network. Anyone familiar with sniffers will know that being on a local network means you can see all the traffic that passes through the network. Radio waves spread outward from the source equally in every direction so assuming you are in range of the cell phone and base station that are communicating, you can listen in to all the traffic passing back and forth.
To cut a long story short - it is amazingly trivial to forge Divert packets on the radio network so that when a call is initiated to a cell phone the base station thinks it should divert the traffic to your first phone, and you use your second phone to call the intended number. You are now the man in the middle. You can just intercept the call and act like the intended recipient, or alternatively you can alter the data stream as it passes through you.