Agents discovered electronic devices in five locations in and around the city that could be used to disable cellphone towers. The system could also be used for criminal activities.
Text wall incoming, no offense taken for walking away:
People always talk about distributed denial of service attacks but this is not distributed. It’s concentrated in that one farm, and that informs the types of denial of service attacks it’s suited to carry out without help and influence the govt agencies which might give a shit. A simbox is a machine that can initiate one simultaneous call for each provisioned sim card in it, or whatever other cellular network operations the towers in range support. Look downstream of that for a second though, how many 911 operators are there for that area? Denying service can be more than knocking machines offline! Do I have enough sims to drown them in prerecorded panicked AI calls so they send all their firefighters to the wrong locations? Maybe I want to knife a guy and watch everyone on that block fail to reach 911 while he bleeds out. But they said ‘disable towers’ so let’s focus on denying telephony rather than the service telephony gets you to.
Bullshit scenario to illustrate a point:
Healthy customers operating a phone normally may call a variety of internal services once each until their session is established with the appropriate permissions, and then they’re allowed to make calls or touch websites. What if I pick one of those important steps and just hammer the dick off of it so nobody else can make new connections to the network for a period? If their security teams had the idea before me maybe they built some defenses, but maybe not, or maybe the simbox has sims from many carriers so they can get help. Does MobileX even agree that they carry the obligation to respond to this? Do they even know how since they don’t own all the network devices involved? Did they willfully put their thumb up their ass and ignore so they could continue to get money from the bad actor without caring about the consequences? No of course not companies always act morally!
Imagine my phone attaches to one of three towers in an area. Imagine there’s a back end process that lets a device tell a tower “I’m bcovertigo, so start me a session and look up my plan permissions, then report back with what I’m allowed to access” with a unique identity for the provisioned sim card. What happens when a phone starts that process but just ignores the response and never goes to the next step? What if I repeatedly chain together those half opened requests, and then 100 or so of those processes are just waiting on a response, still consuming resources. Do that for each of 32 sim cards in those pictured simboxes. Now give me a 300 strong swarm of those screaming hydras. 100/minute32sims300simboxes. Can your iphone ever get online if that critical step never completes to tell you your session is allowed to make calls and visit websites? We’re not even considering disruption of IoT security systems. Maybe they found some other flaw that lets them break existing network connections or exhaust something that’s needed for very specific functions to work. Through the magic of computing, anything can go wrong!
But enough about the attack itself. What are you going to do to stop all this?
Ban the identifiers of the sim bank? Fuck you they randomize it. Deprovision the sims as you see them used? Fuck you they have 100k of them as reserve ammo. No you have to physically find it and go there in person, which means plying some investigative govt agency for help.
This shit gets me so excited. I’m not educated on cellular security and possible situations, but mitigating issues and thinking about all the crazy hypothetical situations gets me all geeking out so hard.
Text wall incoming, no offense taken for walking away:
People always talk about distributed denial of service attacks but this is not distributed. It’s concentrated in that one farm, and that informs the types of denial of service attacks it’s suited to carry out without help and influence the govt agencies which might give a shit. A simbox is a machine that can initiate one simultaneous call for each provisioned sim card in it, or whatever other cellular network operations the towers in range support. Look downstream of that for a second though, how many 911 operators are there for that area? Denying service can be more than knocking machines offline! Do I have enough sims to drown them in prerecorded panicked AI calls so they send all their firefighters to the wrong locations? Maybe I want to knife a guy and watch everyone on that block fail to reach 911 while he bleeds out. But they said ‘disable towers’ so let’s focus on denying telephony rather than the service telephony gets you to.
Bullshit scenario to illustrate a point:
Healthy customers operating a phone normally may call a variety of internal services once each until their session is established with the appropriate permissions, and then they’re allowed to make calls or touch websites. What if I pick one of those important steps and just hammer the dick off of it so nobody else can make new connections to the network for a period? If their security teams had the idea before me maybe they built some defenses, but maybe not, or maybe the simbox has sims from many carriers so they can get help. Does MobileX even agree that they carry the obligation to respond to this? Do they even know how since they don’t own all the network devices involved? Did they willfully put their thumb up their ass and ignore so they could continue to get money from the bad actor without caring about the consequences? No of course not companies always act morally!
Imagine my phone attaches to one of three towers in an area. Imagine there’s a back end process that lets a device tell a tower “I’m bcovertigo, so start me a session and look up my plan permissions, then report back with what I’m allowed to access” with a unique identity for the provisioned sim card. What happens when a phone starts that process but just ignores the response and never goes to the next step? What if I repeatedly chain together those half opened requests, and then 100 or so of those processes are just waiting on a response, still consuming resources. Do that for each of 32 sim cards in those pictured simboxes. Now give me a 300 strong swarm of those screaming hydras. 100/minute32sims300simboxes. Can your iphone ever get online if that critical step never completes to tell you your session is allowed to make calls and visit websites? We’re not even considering disruption of IoT security systems. Maybe they found some other flaw that lets them break existing network connections or exhaust something that’s needed for very specific functions to work. Through the magic of computing, anything can go wrong!
But enough about the attack itself. What are you going to do to stop all this?
Ban the identifiers of the sim bank? Fuck you they randomize it. Deprovision the sims as you see them used? Fuck you they have 100k of them as reserve ammo. No you have to physically find it and go there in person, which means plying some investigative govt agency for help.
This shit gets me so excited. I’m not educated on cellular security and possible situations, but mitigating issues and thinking about all the crazy hypothetical situations gets me all geeking out so hard.
Cool as fuck, thanks for sharing :)