Soldiers sent hate-SMS messages from rogue base stations

Somebody has been bombarding Ukrainian soldiers with SMS messages – and they aren’t nice ones, either.

According to evidence collected by Associated Press (AP), soldiers fighting pro-Russian separatists in the east of the country have received a steady stream of mystery propaganda texts since 2014, around the time the conflict started.

Examples can be viewed in Cyrillic, or in English translation here. As a flavour from November 11 2015:

Who is robbing your family while you are paid pennies waiting for your bullet?

Or a few days later:

Murderer from the Ukrainian Armed Forces. The East won’t forgive you and the West won’t remember you!

With new examples arriving only weeks ago, the immediate issue is how the messages are being directed to lots of mobile phones when the attackers can’t possibly know the numbers used by recipients.

The culprit is almost certainly fake 2G mobile phone base stations called IMSI catchers, which pass themselves off as genuine in a sort of GSM man-in-the middle attack.

Because legitimate base stations will be in the vicinity, the fake bases exploit a design feature of older 2G mobile networks that phones always try to connect to the one with the strongest signal.

Once target phones have been caught, transmissions are passed to the real phone network through a rogue SIM. Simple really – the intercepted phone sees the base while the network sees the rogue SIM in an attack that’s almost impossible to detect in real time.

How encryption and authentication is broken is not clear. On pre-3G networks, this is a doddle as they can disable or crack the weak A5/1 stream cipher. On more recent designs such as 3G and 4G using end-to-end authentication, this sort of attack shouldn’t be possible.

In the Ukraine incident, the attackers spoofed the sending data to nonsense numbers (such as 77777) or by setting the year to 1995. They even posed as payment alerts to increase the chances that soldiers opened the messages.

The Ukraine conflict is probably the first time catchers have been used to spread propaganda, although the potential to abuse them in this way must be obvious to anyone mucking around with the technology.

Anecdotally, they’ve been used by US forces in Afghanistan to track insurgents and cheap laptop homebrew demos have popped up at conferences. In China, the problem got so bad in 2014 a police arrested 1,350 suspects accused of using fake bases to spam people.

It’s even possible that this kind of cellphone “magic box” helped lead the CIA to the hiding place of Osama bin Laden by identifying his helpers.

The chances of anyone in countries using more recent mobile technology being hit by the same attacks is remote.  For the time being at least, base station spoofing is yesterday’s hack in today’s European war.