Zimperium researchers have unearthed three critical vulnerabilities in widely used software running on base transceiver stations (BTS), i.e. the equipment that makes cellphone towers work.
Exploitation of these flaws could allow attackers to take remote control of the base transceiver stations, hijack GSM traffic, prevent the tower from offering service (by turning the transceiver module off or by jamming frequencies), disclose traffic information, change the BTS identity, and more.
The vulnerabilities affect specific versions of YateBTS (by Legba Incorporated), OpenBTS and OpenBTS-UMTS (by Range Networks), Osmo-TRX and Osmo-BTS (by OsmoCOM), and likely other products that share the same transceiver code base.
The flaws include no authentication on the control channel of the transceiver, externally exposed BTS software services that can be controlled via specially crafted UDP packets, and a remote stack-based buffer overflow bug that can be triggered by sending an oversized UDP packet to the aforementioned control channel.
For more techical details about each of these, check out Zimperium’s blog post.
Some fixes are available
Vendors and developers of the affected software have been informed of the discovered issues, and some of them have already published fixes. But Range Networks, who has done so in May 2016, has reverted two of the fixes in July, and provided no explanation on why they did it.
The researchers have recommended several mitigations telecoms can implement until fixes are provided by the software vendors, and they include binding the sockets used for control and data exchange only to the local interface, using firewalls to block traffic coming from external networks to ports used by the BTS software, and implement an authentication system for various communication channels.