To execute a baseband attack, a hacker must first set up a fake cell tower and convince a nearby phone (the target) to connect to it. The hacker can then push malicious traffic over the air that exploits vulnerabilities in the GSM/3GPP protocol stack running on the phone’s baseband processor, typically a Qualcomm or Infineon chipset. While this type of attack is limited to individuals or organisations with the resources and technical know-how to operate their own bogus cell tower, the cost of setting one up has fallen dramatically in recent years, and it can now be done for about $1,000.
The system works by first “catching” the International Mobile Subscriber Identity (IMSI) of passing cell phones, after which it can communicate directly with the target’s baseband processor. “The baseband attack is an extremely technical hack,” according to Don Bailey, Security Consultant with ISEC Partners. The 2G (GSM) network is by far the most vulnerable. GSMK, a German security company, says it detected 17 such fake cell towers in the U.S. on a recent drive through the country. Mobile phones actively seek out the radio signal from cell towers and connect to the strongest one, so a bogus tower transmitting at high power nearby will usually win. The phone then has to prove its identity to the tower it is connecting to, but in GSM the tower never has to prove its identity to the phone, which is what makes the impersonation possible. Connections between phone and tower are normally encrypted, but the encryption algorithm is chosen by the tower, not the phone. Once the target’s IMSI has been identified, a bogus tower can therefore instruct that phone to use no encryption at all (the A5/0 “null” cipher), and most handsets will comply silently. With the link in the clear, the tower can send the crafted signaling messages that exploit the baseband’s GSM stack and implant code in the baseband processor. Alternatively, the bogus tower can relay the phone’s traffic on to a legitimate network, placing itself in the middle of the connection for network-based eavesdropping.
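The cipher negotiation described above, as an added worked example that is not part of the original article: a Python decoder for the CIPHERING MODE COMMAND message (3GPP TS 44.018, section 9.1.9) that a GSM tower sends to pick the cipher, plus a handset-side policy showing the difference between a stock phone that accepts whatever it is told and a hardened one that refuses to run unencrypted. The two sample messages are constructed by hand for this example, not captured traffic, and the function names and the `require_strong` policy are this example’s own rather than anything from a real baseband.

```python
"""
Decoder for the GSM CIPHERING MODE COMMAND (3GPP TS 44.018, 9.1.9), the
message in which the network, not the phone, decides whether and how the
radio link is encrypted.  Added example; sample messages are constructed.
"""
from dataclasses import dataclass

RR_PROTOCOL_DISCRIMINATOR = 0x06    # Radio Resource management (low nibble of octet 1)
MSG_CIPHERING_MODE_COMMAND = 0x35   # message type octet

# Algorithm identifier, bits 4..2 of the Cipher Mode Setting IE (TS 44.018, 10.5.2.9)
ALGORITHMS = {0b000: "A5/1", 0b001: "A5/2", 0b010: "A5/3", 0b011: "A5/4",
              0b100: "A5/5", 0b101: "A5/6", 0b110: "A5/7"}

# A5/0 means "no ciphering"; A5/2 was deliberately weakened and is broken in real time.
WEAK_OR_NONE = {"A5/0", "A5/2"}


@dataclass(frozen=True)
class CipherModeCommand:
    algorithm: str          # "A5/0" when the SC (start ciphering) bit is clear
    imeisv_requested: bool  # CR bit of the Cipher Response IE (TS 44.018, 10.5.2.10):
                            # the tower asks the phone to reveal its IMEISV, i.e. its
                            # exact model and software version, in the reply


def parse_ciphering_mode_command(msg: bytes) -> CipherModeCommand:
    """Decode the 3-octet message: PD/skip indicator, message type, two half-octet IEs."""
    if len(msg) != 3:
        raise ValueError(f"expected 3 octets, got {len(msg)}")
    pd, msg_type, body = msg
    if pd & 0x0F != RR_PROTOCOL_DISCRIMINATOR:
        raise ValueError(f"not an RR message (PD={pd & 0x0F:#x})")
    if msg_type & 0x3F != MSG_CIPHERING_MODE_COMMAND:   # upper two bits are not part of the type
        raise ValueError(f"not a CIPHERING MODE COMMAND (type={msg_type:#x})")
    cipher_mode_setting = body & 0x0F      # first half-octet IE occupies bits 1-4
    cipher_response = (body >> 4) & 0x0F   # second half-octet IE occupies bits 5-8
    start_ciphering = bool(cipher_mode_setting & 0x01)   # SC bit
    if start_ciphering:
        algo_id = (cipher_mode_setting >> 1) & 0x07
        algorithm = ALGORITHMS.get(algo_id, f"reserved({algo_id})")
    else:
        algorithm = "A5/0"   # no ciphering; the algorithm bits are spare in this case
    return CipherModeCommand(algorithm, bool(cipher_response & 0x01))


def handset_accepts(cmd: CipherModeCommand, require_strong: bool) -> bool:
    """
    Handset-side decision (hypothetical policy for this example).  A stock GSM
    stack (require_strong=False) accepts whatever the network chose, including
    no ciphering at all; a hardened policy refuses A5/0 and A5/2 so the session
    cannot be silently downgraded by a bogus tower.
    """
    if not require_strong:
        return True
    return cmd.algorithm not in WEAK_OR_NONE


def negotiate(network_command: bytes, require_strong: bool) -> str:
    """Simulate the phone's reply to one CIPHERING MODE COMMAND from the tower."""
    cmd = parse_ciphering_mode_command(network_command)
    if not handset_accepts(cmd, require_strong):
        return f"refused ({cmd.algorithm})"
    suffix = ", IMEISV sent" if cmd.imeisv_requested else ""
    return f"CIPHERING MODE COMPLETE ({cmd.algorithm}{suffix})"


# Constructed sample messages (hand-built for this example, not captured traffic):
LEGIT_TOWER = bytes.fromhex("063505")   # SC=1, algorithm 010: start ciphering with A5/3
FAKE_TOWER = bytes.fromhex("063510")    # SC=0: no ciphering, and CR=1: please send IMEISV

if __name__ == "__main__":
    for label, msg in (("legitimate", LEGIT_TOWER), ("bogus", FAKE_TOWER)):
        for strict in (False, True):
            print(f"{label:11s} require_strong={strict!s:5s} -> {negotiate(msg, strict)}")
```

Run as-is and the bogus tower's command is accepted by the stock policy (the phone answers CIPHERING MODE COMPLETE in the clear and hands over its IMEISV, which is exactly the fingerprint an attacker needs to choose a baseband exploit) and refused by the strict one. Real handsets expose this choice, if at all, only as a "cipher indicator" that most operators suppress, which is why the downgrade goes unnoticed.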