Security Testing of GSM Implementations

Right after its introduction, GSM security was reviewed in a mostly theoretical way, uncovering some major security issues. However, the costs and complexity of the required hardware prohibited most people from exploiting these weaknesses in practice and GSM became one of the most successful technologies ever introduced. However, there is an enormous amount of mobile enabled equipment out there in the wild, which not only have exploitable weaknesses following from the GSM specifications, but also run implementations which were never security tested. Due to the introduction of cheap hardware and available opensource software, GSM found itself under renewed scrutiny in recent years. Practical security research such as fuzzing is now a possibility. This paper gives an overview on the current state of fuzzing research and discusses our efforts and results in fuzzing parts of the extensive GSM protocol, which is described in hundreds of large PDF documents and contains many layers and many, often archaic, options. It is, in short, a prime target for fuzzing. We focus on two parts of GSM: SMS messages and CBS broadcast messages.