University of Electronic Science and Technology of China (电子科技大学), Glasgow College, Class of 2017, Liu Yuxi (刘钰玺), no group partner

1. Introduction

Recently, the real experience of a Weibo user has raised many people's concerns. In his post "The theft of Alipay and bank app" he recorded an incredible experience: criminals used his Alipay and bank account for purchases and loans, spending a total of 18696.29 yuan. During this period the user's mobile phone was next to his pillow, his bank card was at home, and nobody else knew his password.

If you have ever used Alipay or mobile banking, you will remember that opening an account and logging in to these financial apps is verified by mobile phone number, real name, ID number and bank card. This verification once seemed reliable: the phone is in your own hand, and a verification code that is valid for only 60 seconds, typed into the verification box, feels safe enough. For convenience, many apps simplify login or account binding to just a phone number plus an SMS code. This is exactly the opening that lawbreakers exploit.

The mobile phones we use today, whether Huawei, iPhone or any handset that supports 4G or 4G+ networks, all descend from the GSM system. Mobile networks have developed from 1.0 (analog communication) to 2.0 (GSM) to 3.0 (3G) to 4.0 (4G/4G+).

In the mobile network 2.0 era, also known as the GSM era, mobile voice and SMS were transmitted as digital signals for the first time. Because of its age and the technical restrictions of the time, GSM SMS uses one-way authentication and plaintext transmission. That is, when your phone receives a short message sent and received over GSM, the base station (the operator's side) verifies only that the phone is genuine (a real subscriber of the operator), while the phone does not check whether the base station is genuine (whether it really belongs to the operator). This loophole led to the rise of fake base stations: devices that criminals build to stand in for the operators' real base stations on a small scale and commit crimes. At first the criminals were not so clever and only used fake base stations to send junk advertising to nearby phones; later such SMS was automatically blocked by SMS-filtering apps, and nobody used that approach anymore. They then upgraded to impersonating carriers or big Internet companies, sending SMS messages containing a web address to steal users' private information or implant Trojans on their phones. Today Internet finance has made great progress in China, and the popularity of online finance apps, banking apps and the various takeout and e-commerce platforms has created an excellent opportunity for these criminals to steal.
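The one-way authentication described above is easiest to see as a protocol exchange. The following toy model is an added example and not code from the report; it is not the real GSM A3/A8 or UMTS AKA algorithms. The MAC construction, the "MS"/"NET" labels, the key and the class names are all assumptions of this example. In one-way mode the phone answers any challenger; in mutual mode the phone first demands a network tag that only a holder of the subscriber key can produce, so a network that does not hold the key is refused.

```python
import hashlib
import hmac
import secrets

# Constructed sample subscriber key (an assumption of this example, not a real key).
SUBSCRIBER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def tag(key: bytes, label: bytes, rand: bytes) -> bytes:
    """Keyed MAC binding a direction label (b"MS" or b"NET") to a random challenge.
    Truncated HMAC-SHA256 stands in for the operator's real authentication algorithm."""
    return hmac.new(key, label + rand, hashlib.sha256).digest()[:8]


class GenuineNetwork:
    """Operator side: shares the subscriber key, so it can check the phone's
    response and, in mutual mode, prove itself with a network tag."""

    def __init__(self, key: bytes, mutual: bool):
        self.key, self.mutual = key, mutual

    def challenge(self):
        rand = secrets.token_bytes(16)
        net_tag = tag(self.key, b"NET", rand) if self.mutual else None
        return rand, net_tag

    def verify(self, rand: bytes, response: bytes) -> bool:
        return hmac.compare_digest(response, tag(self.key, b"MS", rand))


class UnauthenticatedNetwork:
    """A network that does not hold the subscriber key. It can still issue a
    challenge, but the tag it attaches is just made-up bytes."""

    def challenge(self):
        return secrets.token_bytes(16), secrets.token_bytes(8)


class Phone:
    def __init__(self, key: bytes, mutual: bool):
        self.key, self.mutual = key, mutual

    def respond(self, rand: bytes, net_tag):
        """One-way mode (the GSM behaviour the text describes): answer whoever asks.
        Mutual mode: refuse unless the challenger proved knowledge of the key."""
        if self.mutual:
            expected = tag(self.key, b"NET", rand)
            if net_tag is None or not hmac.compare_digest(net_tag, expected):
                return None  # do not attach to an unverified network
        return tag(self.key, b"MS", rand)


def attach(phone: Phone, network) -> bool:
    """Run one challenge/response exchange; True if the phone attaches."""
    rand, net_tag = network.challenge()
    return phone.respond(rand, net_tag) is not None


def genuine_round_trip(mutual: bool) -> bool:
    """Full exchange with the real operator: phone accepts and operator verifies."""
    net = GenuineNetwork(SUBSCRIBER_KEY, mutual)
    phone = Phone(SUBSCRIBER_KEY, mutual)
    rand, net_tag = net.challenge()
    resp = phone.respond(rand, net_tag)
    return resp is not None and net.verify(rand, resp)


if __name__ == "__main__":
    for mutual in (False, True):
        mode = "mutual" if mutual else "one-way"
        print(mode, "genuine:", genuine_round_trip(mutual),
              "unauthenticated:", attach(Phone(SUBSCRIBER_KEY, mutual), UnauthenticatedNetwork()))
```

The defensive point is in `Phone.respond`: in one-way mode nothing the phone does depends on who sent the challenge, so any station within radio range is accepted; in mutual mode the station must know the subscriber key, which a small home-built station cannot. Network-side authentication of this kind is the property that later generations added and that GSM lacks.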

2. Main Body

2.1 SMS Attacks

2.1.1 GSM-Sniffing of SMS
The principle of GSM SMS sniffing is that GSM messages are not encrypted, so criminals can use eavesdropping techniques to capture message content. The method is passive: it only "listens" and does not emit any illegal wireless signal.

2.1.2 GSM-Middlemen Obtain the Phone Number
Hearing SMS messages alone is not useful to an attacker: an SMS verification code only works together with the website's or app's verification process. An attacker must therefore know the target's mobile phone number, and may need other information such as ID number and bank account, which can be obtained by credential stuffing ("bumping into the database") or by breaking into the target's accounts on some applications.

So the attacker obtains the phone number through a man-in-the-middle attack.

The attacker needs a 2G fake base station and a 2G fake terminal: the target phone is made to attach to the fake base station, while the fake terminal pretends to be the target phone and attaches to the operator's network. Whenever authentication information is needed during the connection, it is relayed from the target phone. Once connected, a call is placed to a phone the attacker can watch, and the target's number appears in its caller ID.

2.1.3 Principle of GSM-SMS Sniffing
Intercepting mobile phone signals and analysing text messages and conversations sounds like something out of a movie, but it is not as hard as you might think.

As we all know, a mobile phone is a wireless device and must exchange data through a shared base station. Whether the network is 2G, 3G or 4G, communication between phone and base station is ultimately radio waves, and radio waves propagate in all directions, so in theory any device within the range of the phone's transmit power can receive them.

The reception method and format agreed between base station and phone is the communication protocol.

In China, the 4G protocol LTE is what we usually see in the status bar (OFDM UWB), and it brings two benefits. The first is the speed and low latency we can feel; the second, a particularly important one, is support for VoIP calls: voice and data can travel not only over the 4G channel but also over wired and wireless networks, removing the dependence on the mobile signal. 3G used UMTS/WCDMA/TD-SCDMA; in that period different operators used different systems and there was no unified standard. Compared with 2G, 3G had few innovations and its speed could not meet the demand of the time. 2G networks use the GSM protocol, which is today's culprit. The 2G network architecture is open source and applies no encryption when transferring data, so SMS content is transmitted in plaintext, which gives criminals their opportunity.

Since 2G networks are not yet completely obsolete, the threshold for doing bad things has fallen off a cliff.

On the hardware side, criminals often modify the Motorola C118 phone, which can be bought online for a dozen or so yuan; together with data cables and other materials and tools, the total cost of the crime is only a few dozen yuan.

On the software side they no longer need professional help, as long as they use OsmocomBB (Open Source Mobile Communications Baseband), a complete open source implementation of the GSM protocol stack from the hardware layer to the application layer. Its emergence makes it possible to modify and add functions in the GSM protocol according to one's own needs without learning the complex network communication and hardware knowledge of communication equipment. GSM sniffing is one such added feature.

In practice, criminals only need to compile a modified OsmocomBB build onto such a phone; with this combination of software and hardware, plus a computer, the phone becomes a device that captures the radio waves of nearby base stations, and the text messages flying around in the air are easily collected.

2.2 Overview of CDMA

GSM is short for Global System for Mobile Communications, a telephony communication standard. In China, China Mobile and China Unicom use the GSM system, while China Telecom uses CDMA, Code Division Multiple Access (码分多址 in Chinese).

CDMA is based on spread spectrum technology. Specifically, the information data to be transmitted, which has a certain signal bandwidth, is modulated with a high-speed pseudo-random code whose bandwidth is much larger than the signal bandwidth, so that the bandwidth of the original data signal is spread before carrier modulation and transmission. The receiver correlates the received wideband signal with exactly the same pseudo-random code and collapses it back to the narrowband signal of the original data, a step called despreading, which completes the communication. In a CDMA system the signals of different users are distinguished not by different frequencies or time slots but by different code sequences or signal waveforms, so multiple CDMA signals overlap when observed in either the frequency domain or the time domain.

The receiver's correlator selects the signal with the predetermined code from the multiple CDMA signals. Signals using other codes cannot be demodulated because they differ from the code generated locally by the receiver; their effect is like noise and interference introduced in the channel, which is commonly called multiple access interference.

CDMA systems resist jamming, narrowband interference, multipath interference and multipath delay spread. They also increase the capacity of a cellular system and ease the transition from coexisting analog and digital systems. These properties have made CDMA digital cellular a powerful competitor to TDMA (time division multiple access) digital cellular systems.
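The spreading, overlapping and despreading described in the three paragraphs above can be worked through numerically. The block below is an added example, not code from the report or from any CDMA standard; the Walsh codes, the chip-synchronous sum, the bit messages and the Gaussian noise are constructed for illustration. Each user's bits are multiplied by a 16-chip code, all users transmit on top of each other, and the receiver correlates the sum with one local code copy: the matching code recovers that user's bits, while a code nobody transmitted with correlates to (nearly) zero, which is the "multiple access interference looks like noise" effect the text describes.

```python
import random


def walsh_codes(order: int) -> list:
    """Build the 2**order Walsh-Hadamard codes (chips in {+1, -1}).
    Any two distinct rows are orthogonal: their dot product is zero."""
    h = [[1]]
    for _ in range(order):
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


def spread(bits: list, code: list) -> list:
    """Direct-sequence spreading: bit 0 -> +1, bit 1 -> -1, and each bit is
    multiplied by the whole chip sequence, so one bit occupies len(code) chips
    (this is the bandwidth expansion)."""
    chips = []
    for b in bits:
        sym = 1 if b == 0 else -1
        chips.extend(sym * c for c in code)
    return chips


def correlate(signal: list, code: list) -> list:
    """Despreading step: per-bit correlation of the received chip stream with
    the receiver's local copy of one code."""
    n = len(code)
    return [sum(x * c for x, c in zip(signal[i:i + n], code))
            for i in range(0, len(signal), n)]


def despread(signal: list, code: list) -> list:
    """Decide each bit from the sign of its correlation."""
    return [0 if corr > 0 else 1 for corr in correlate(signal, code)]


def channel(user_chips: list, noise_std: float = 0.0, seed: int = 1) -> list:
    """Constructed channel model: all users' chips are summed on the same
    frequency at the same time (chip-synchronous, equal power), then
    Gaussian noise is added."""
    rng = random.Random(seed)
    length = len(user_chips[0])
    return [sum(u[i] for u in user_chips) + rng.gauss(0.0, noise_std)
            for i in range(length)]


# Constructed sample traffic: three users, each assigned one Walsh code index.
MESSAGES = {
    1: [0, 1, 1, 0, 1, 0, 0, 1],
    2: [1, 1, 0, 0, 1, 0, 1, 0],
    5: [0, 0, 0, 1, 1, 1, 0, 1],
}
UNUSED_CODE = 9  # a code no user transmits with


def demo(noise_std: float = 1.0):
    """Return (recovered bits per user, correlations seen with an unused code)."""
    codes = walsh_codes(4)  # 16 codes of 16 chips each
    rx = channel([spread(bits, codes[i]) for i, bits in MESSAGES.items()], noise_std)
    recovered = {i: despread(rx, codes[i]) for i in MESSAGES}
    unused = correlate(rx, codes[UNUSED_CODE])
    return recovered, unused


if __name__ == "__main__":
    recovered, unused = demo()
    for i, bits in recovered.items():
        print("user", i, "recovered", bits, "ok" if bits == MESSAGES[i] else "ERROR")
    print("correlation with unused code:", [round(c, 1) for c in unused])
```

With 16 chips per bit the wanted user's correlation is +16 or -16, the other synchronous users contribute exactly zero because Walsh codes are orthogonal, and chip noise of standard deviation 1 becomes correlation noise of standard deviation 4, which is the processing gain of spreading. A receiver that does not hold the right code sees only the unused-code kind of output, values scattered around zero with no bit pattern in them.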

2.3 Application of CDMA to GSM hijacking and SMS sniffing

So what advantages does CDMA theory offer against the recent GSM hijacking plus SMS sniffing technique? The most fundamental reason is that CDMA's complex encoding and decoding make it difficult for ordinary people to hijack, and CDMA does not need to identify with the base station, which avoids the GSM hijacking vulnerability.

2.4 Solution to GSM hijacking and SMS sniffing

The inspiration for a student majoring in communication engineering is that this touches the operation of network security. Nowadays, whatever function a piece of software wants to realize, it cannot do without the network. However, GSM's inherent design flaws lead to security problems that cannot be completely solved. Therefore, to ensure users' information security in the future, the use of a CDMA module in companies' products is essential.

3. Conclusion

To solve the problems of GSM hijacking and SMS sniffing, we can rely on the fact that CDMA's complex encoding and decoding methods make hijacking difficult for ordinary people, and that CDMA does not need to identify with the base station, which avoids the GSM hijacking vulnerability. What inspires us is that this involves the operation of network security. Nowadays, whatever function software wants to realize, it cannot do without the network, whereas GSM's inherent design flaws lead to security problems that cannot be completely solved. So, to ensure users' information security, it is essential for companies to use the CDMA module in their products.

Survey Report on CDMA: Learning Triggered by GSM Hijacking