festival ICT 2013: Mobile Network Security: state of the art and beyond


Transcript

  • 1. Mobile Network Security: state of the art and beyond. Festival Della Tecnologia ICT, Milan, 18.09.2013. Version: 1.0. Author: L. Bongiorni. Responsible: L. Bongiorni. Date: 18.09.2013. Confidentiality Class: Public
  • 2. © 2013 SEC Consult – All rights reserved. SEC Consult – Who we are
      • Leading international application security consultancy
      • Founded 2002
      • Headquarters near Vienna, Austria
      • Delivery Centers in Austria, Germany, Lithuania and Singapore
      • Strong customer base in Central and Eastern Europe
      • Increasing customer base of clients with global business (esp. out of Top-10 US and European software vendors)
      • 35+ application security experts
      • Industry focus: banks, software vendors, government
      • [Map legend: SEC Consult Headquarter, SEC Consult Office, Other SEC Consult Clients; labels: Canada, USA, India, Singapore, Lithuania, Germany, Austria, Central and Eastern Europe]
  • 3. Who am I: Luca Bongiorni
      • Security Consultant
      • Telco Enthusiast
      • Interests: break stuff, lockpicking & collect PayPhones
      • Work at . . . a company
  • 4. The GSM Network. To this day, although its design is dated (1987), the most widespread cellular radio-communication standard in the world is GSM (Global System for Mobile Communications): it counts over 4.4 billion users in more than 200 countries. Over the years it has made it possible to communicate while keeping efficient mobility, which is why it is massively used not only by ordinary people but also by criminals and terrorist organizations.
  • 5. GSM + OpenSource == FUN. Over the last 5 years a large number of open-source projects and practical attacks have been made public…
      • Um Passive Sniffing
      • A5/1 Cracking
      • Um Active MITM
      • RachDoS
      • IMSI-Detach
      • GPRS Sniffing
  • 6. Some Case Studies…
      • IMSI-Catcher: Known Victim Mode (Italy); GPRS & Data Connections
      • GPRS Passive Sniffing: XXXXX (EU Nation 1); Wind (Italy); XXXXX (EU Nation 2)
      • What’s Next?! GSM-R (Catching & DoSsing)
  • 7. Architectural Vulnerabilities Exploited
      • No mutual authentication
          ◦ The network authenticates the MS and not vice versa
      • User mobility
          ◦ The strongest signal wins (Cell Selection and Reselection)
          ◦ Forced Location Update (if LAC_PLMN != LAC_IMSI-Catcher then switch to IMSI-Catcher)
      • Encryption is optional
          ◦ A5/0: No Encryption
  • 8. IMSI-Catcher: The Prototype. [Picture labels: Prototype; Lab’s Configuration]
  • 9. Known Victim Mode (Italy). [Diagram labels: Location Disclosure; Catch-and-Relay; victim CallerID; list of cities and IMSI; Local Area]
  • 10. Known Victim Mode (Italy): Location Disclosure
  • 11. Known Victim Mode (Italy): Catch & Relay. + CRO = 63 (max) + T3212 = 0
  • 12. Some Results…
      • CallerID spoofing
      • Interception of outgoing calls and SMS
      • Hijacking of emergency calls
  • 13. Interoperability with UMTS & LTE. What happens if we JAM the UMTS & LTE frequencies?! Le GSM: “Welcome back my dear”. Le UE: “Nice to meet you again sir GSM”
  • 14.
  • 15. Welcome home IMSI-Catcher 2.0. It is a commercial picocell developed by ip.Access, 100% compatible with OpenBSC (open-source software).
      • GPRS [the newest one, also EDGE]
      • Encryption A5/1 – A5/2
      • IP connection
      • PoE powered
      • PCS band (1900 MHz)
  • 16. IMSI-Catcher 2.0 for Fun & Profit
      • What could we ever do with it?! Uhm… Man-in-the-Middle attacks against interesting MEs: Video Poker, Point-Of-Sale, Smart Meters, SCADA Remote Stations, Mobile HotSpots, Alarm Systems
      • To what end?! Mainly all the attacks available over TCP/IP:
          ◦ Sniffing communications (e.g. Wireshark + SSLstrip)
          ◦ Hijacking trusted connections (e.g. stealing credentials)
          ◦ Deploying malicious software (e.g. Squid + Metasploit)
          ◦ Malware analysis
          ◦ Protocol analysis
          ◦ Etc.
      • What about UMTS and LTE?!
  • 17. Example: Point-Of-Sale 2G (preliminary test)
  • 18. IMSI-Catcher 2.0 for Fun & Profit. What could we ever do with it?! Uhm… Man-in-the-Middle attacks against interesting MEs: Video Poker, Point-Of-Sale, Smart Meters, SCADA Remote Stations, Mobile HotSpots, Alarm Systems. [Picture label: 2G Antenna] To what end? Mainly all the attacks available over TCP/IP: sniffing communications (e.g. Wireshark + SSLstrip); hijacking trusted connections (e.g. stealing credentials); deploying malicious software (e.g. Squid + Metasploit); malware analysis; protocol analysis; etc. What about UMTS and LTE?!
  • 19. IMSI-Catcher 2.0 for Fun & Profit. What could we ever do with it?! Uhm… Man-in-the-Middle attacks against interesting MEs: Point-Of-Sale, Smart Meters, SCADA Remote Stations, Mobile HotSpots, Alarm Systems, Video Poker. To what end? Mainly all the attacks available over TCP/IP: sniffing communications (e.g. Wireshark + SSLstrip); hijacking trusted connections (e.g. stealing credentials); deploying malicious software (e.g. Squid + Metasploit); malware analysis; protocol analysis; etc. What about UMTS and LTE?!
  • 20. IMSI-Catcher 2.0 for Fun & Profit. What could we ever do with it?! Uhm… Man-in-the-Middle attacks against interesting MEs: Point-Of-Sale, SCADA Remote Stations, Mobile HotSpots, Alarm Systems, Video Poker, Smart Meters. To what end? Mainly all the attacks available over TCP/IP: sniffing communications (e.g. Wireshark + SSLstrip); hijacking trusted connections (e.g. stealing credentials); deploying malicious software (e.g. Squid + Metasploit); malware analysis; protocol analysis; etc. What about UMTS and LTE?!
  • 21. IMSI-Catcher 2.0 for Fun & Profit. What could we ever do with it?! Uhm… Man-in-the-Middle attacks against interesting MEs: Smart Meters, Point-Of-Sale, SCADA Remote Stations, Mobile HotSpots, Alarm Systems, Video Poker. To what end? Mainly all the attacks available over TCP/IP: sniffing communications (e.g. Wireshark + SSLstrip); hijacking trusted connections (e.g. stealing credentials); deploying malicious software (e.g. Squid + Metasploit); malware analysis; protocol analysis; etc. What about UMTS and LTE?!
  • 22. IMSI-Catcher 2.0 for Fun & Profit. What could we ever do with it?! Uhm… Man-in-the-Middle attacks against interesting MEs: Smart Meters, Point-Of-Sale, SCADA Remote Stations, Alarm Systems, Video Poker, Mobile HotSpots. To what end? Mainly all the attacks available over TCP/IP: sniffing communications (e.g. Wireshark + SSLstrip); hijacking trusted connections (e.g. stealing credentials); deploying malicious software (e.g. Squid + Metasploit); malware analysis; protocol analysis; etc. What about UMTS and LTE?!
  • 23. IMSI-Catcher 2.0 for Fun & Profit. What could we ever do with it?! Uhm… Man-in-the-Middle attacks against interesting MEs: Smart Meters, Point-Of-Sale, SCADA Remote Stations, Video Poker, Mobile HotSpots, Alarm Systems. To what end? Mainly all the attacks available over TCP/IP: sniffing communications (e.g. Wireshark + SSLstrip); hijacking trusted connections (e.g. stealing credentials); deploying malicious software (e.g. Squid + Metasploit); malware analysis; protocol analysis; etc. What about UMTS and LTE?!
  • 24. Capturing and intercepting an LTE modem
  • 25. Some Case Studies... GPRS Passive Sniffing. “GPRS Intercept Wardriving phone networks” by Nohl & Melette, 2011. They patched OsmocomBB and developed GPRSDecode to analyze GPRS packets. http://tinyurl.com/gprs-nohl-slides
  • 26. GPRS Passive Sniffing: XXXXX (EU Nation 1). To stimulate data traffic, an old Telit MG-10 GPRS modem was used. The sniffer was a Pirelli DP-L10 with an ad-hoc firmware based on Osmocom-BB.
  • 27. GPRS Passive Sniffing: Wind (Italy)
  • 28. GPRS Passive Sniffing: Wind (Italy)
  • 29. GPRS Passive Sniffing: Wind (Italy). Analysis of 14/09/2013 of channel ARFCN 983 (222-88 – Wind Italia)
  • 30. GPRS Passive Sniffing: XXXXX (EU Nation 2). What kind of service might use cellular networks as its means of communication?
  • 31. GPRS Passive Sniffing: XXXXX (EU Nation 2). “Securing your World. G4S is the world’s leading international security solutions group” From http://www.g4s.com/
  • 32. What’s Next?: GSM-R Catching
  • 33. What’s Next?: GSM-R DoSsing
  • 34. The End
  • 35. Bibliography & Links
      • http://www.openbts.org
      • http://openbsc.osmocom.org
      • http://bb.osmocom.org
      • https://srlabs.de/gprs
      • http://tinyurl.com/gprs-nohl-slides
      • http://www.youtube.com/watch?v=vqjnhKYEDs0
      • http://patentscope.wipo.int/search/en/WO2008104739
      • http://www.tombom.co.uk/blog/?p=262
      • http://www.etsi.org/deliver/etsi_ts/101100_101199/101181/08.05.00_60/ts_101181v080500p.pdf
      • I thank the OpenBTS & Osmocom communities and all the researchers who have made cellular networks more interesting!
  • 36. Contacts
      • Austria: Mooslackengasse 17, A-1190 Vienna, Austria. Tel: +43 (0)1 890 30 43-0. Fax: +43 (0)1 890 30 43-15. Email: office@sec-consult.com. www.sec-consult.com
      • Lithuania: Saulėtekio al. 15, LT-10224, Vilnius, Lithuania. Tel: +370 671 84203. Email: l.bongiorni@sec-consult.com. Email: office-vilnius@sec-consult.com. www.sec-consult.com
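
Slides 7 and 11 name the cell parameters a handset could watch for on the defensive side: A5/0 ciphering, an unexpected LAC, CRO = 63 and T3212 = 0. The sketch below is an added example, not part of the original deck or of any Osmocom/OpenBTS code; the `CellObservation` fields, the LAC baseline, the threshold and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CellObservation:
    """Serving-cell snapshot; field names are assumptions, not a real tool's schema."""
    arfcn: int
    plmn: str     # MCC-MNC
    lac: int      # Location Area Code broadcast by the cell
    cro: int      # Cell Reselect Offset, 6-bit field (0..63)
    t3212: int    # periodic location-update timer, 0 = disabled
    cipher: str   # algorithm selected for the session, e.g. "A5/0", "A5/1"

def indicators(obs, known_lacs):
    """Return the warning signs from slides 7 and 11 present in one observation."""
    found = []
    if obs.cipher == "A5/0":
        found.append("no-encryption")      # slide 7: encryption is optional
    if obs.cro == 63:
        found.append("max-cro")            # slide 11: CRO = 63 (max)
    if obs.t3212 == 0:
        found.append("t3212-disabled")     # slide 11: T3212 = 0
    if obs.lac not in known_lacs.get(obs.plmn, set()):
        found.append("unknown-lac")        # slide 7: forced Location Update
    return found

def suspicious(obs, known_lacs, threshold=2):
    """A single sign is weak evidence, so require several to coincide.
    The threshold of 2 is an assumption of this example."""
    return len(indicators(obs, known_lacs)) >= threshold

def flagged_arfcns(observations, known_lacs):
    """ARFCNs of all observations that cross the threshold."""
    return [o.arfcn for o in observations if suspicious(o, known_lacs)]

# Constructed sample data: test PLMN 001-01 with a locally learned LAC baseline.
KNOWN_LACS = {"001-01": {21001, 21002}}
SAMPLES = [
    CellObservation(975, "001-01", 21001, 0, 40, "A5/1"),   # ordinary cell
    CellObservation(990, "001-01", 999, 63, 0, "A5/0"),     # all four signs
    CellObservation(985, "001-01", 21002, 10, 0, "A5/1"),   # one sign only
]

if __name__ == "__main__":
    for obs in SAMPLES:
        print(obs.arfcn, indicators(obs, KNOWN_LACS), suspicious(obs, KNOWN_LACS))
```
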