Establishing covert communication channels by abusing GSM AT commands

eBook: The DevOps Roadmap for Security - Tips and tools for bridging the security tribe into DevOps. Download →

Security research often starts as a hobby project, and Alfonso Muñoz’s and Jorge Cuadrado’s probe into mobile privacy is no exception.

covert communication channels

The duo, who’s scheduled to reveal the results of their research at the Hack in the Box Conference in Amsterdam next week, ended up finding a way to establishing covert communication channels over GSM by abusing GSM AT commands.

The investigation

The first step of their investigation was to build a DIY mobile phone, and they plan to explain how they did it and share they lessons they learned from the experience.

The possibility of establishing a covert communication channel through the GSM network by modifying exclusively AT commands in the client antenna came as a surprise, Muñoz told Help Net Security.

After months of research, they managed to create a simple control flow using metadata and error codes in missed calls that allowed them to transfer data through a GSM network without paying.

“In our tests we made tens of thousands of missed calls in the range of a few hours and the SIM cards were never blocked. If an attacker uses an anonymous SIM card, the degree of anonymity and global connectivity of this technique is very interesting, ” he shared.

The technique can be misused to achieve various malicious goals: exfiltrate information from an organization, activate remote devices, covert criminal communications, and so on.

And, unfortunately, the technology to pull off this kind of attack is cheap and easily available. “You can get the needed components for less than 50 Euros from most online DIY hardware stores,” Muñoz pointed out.

Is there a solution?

The researchers plan to demonstrate at the conference three methods for creating and improving a covert communication channel through GSM.

All GSM networks are vulnerable to them, as the attacks take advantage of standard protocols of the GSM networks

“There is no real solution to this problem. The only thing that the operator can do is to monitor the calling behavior of a SIM and block its access if that behavior differs a lot from the behaviour of other users (e.g., a user makes 720 missed calls in a day),” Muñoz told us.

Still, even that is not a guarantee that an attack will be spotted and thwarted, as the attackers can adapt the covert channel to cause less noise and be more difficult to detect.