SlideShare a Scribd company logo

Hack.lu 2012 - Fuzzing the GSM protocol stack

ā€¢
ā€¢
ļæ½
šŸ“” Sebastien Dudek

Presentation of our plateform to fuzz the GSM protocol stack to find vulnerability in basebands

Technology
1 of 41
Download to read offline
MobiDeke: Fuzzing the GSM Protocol Stack SĀ“ebastien Dudek Guillaume DelugrĀ“e Sogeti / ESEC Hack.lu 2012
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Who we are SĀ“ebastien Dudek ā€¢ Has joined the ESEC R&D lab this year (2012) after his internship ā€¢ Subject: Attacking the GSM Protocol Stack ā€¢ Developer of a GSM fuzzing framework (ā€˜MobiDekeā€™) Guillaume DelugrĀ“e ā€¢ Researcher working at Sogeti ESEC R&D lab ā€¢ Working on embedded devices / reverse engineering ā€¢ Developer of ā€˜qcombbdbgā€™ (Qualcomm 3G key Icon255 debugger) and ā€˜Origamiā€™ MobiDeke: Fuzzing the GSM Protocol Stack 2/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Summary 1 Introduction 2 Fuzzing over-the-air 3 The MobiDeke Framework 4 Conclusion MobiDeke: Fuzzing the GSM Protocol Stack 3/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion The GSM (2G) network MobiDeke: Fuzzing the GSM Protocol Stack 4/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion User Equipments (mobile phones) Radio control functions are highly timing dependant, so most of the phones use two separated CPUs nowadays The application processor ā€¢ Runs the user OS: Android, iOS, Windows Mobile, and so on ā€¢ Documented (often) The baseband processor ā€¢ Responsible for handling telecommunications ā€¢ Includes stacks for telephony protocols ā€¢ Closed binary blob running RTOS See the talk of Guillaume at 28c3 (Chaos Computer Congress) for more information. MobiDeke: Fuzzing the GSM Protocol Stack 5/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Existing attacks Many papers have been published: ā€¢ Harald Welte: Fuzzing your GSM phone using OpenBSC (2009); ā€¢ Collin Mulliner: Fuzzing the Phone in your Phone (2009); ā€¢ Collin Mulliner, Nico Golde and Jean-Pierre Seifert : SMS of Death: from analyzing to attacking mobile phones on a large scale (2011); ā€¢ Nico Golde: SMS Vulnerability Analysis on Feature Phones (2011); ā€¢ Ralf-Philipp Weinmann: Baseband Attacks, WOOT 2012 ā€¢ ... MobiDeke: Fuzzing the GSM Protocol Stack 6/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion What we are looking for ā€¢ The baseband: new angle of attack ā€¢ Setup a network is easy today thanks to SDR contributions (OpenBTS, OpenBSC, and so on) ā‡’ Attacking a cellphone ā€˜over-the-airā€™ could be fun! (+ not completely explored) Typical scenario ā€¢ The attacker controls a rogue base station ā€¢ The victim joins the cell and gets remotely exploited *SDR: Software-Deļ¬ned Radio MobiDeke: Fuzzing the GSM Protocol Stack 7/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion To reach our goal ā€¢ Baseband code is proprietary How to ļ¬nd bugs? ā€¢ Reverse-engineering: Hard because the code is very complex ā€¢ Fuzzing: The easier way, but need some knowledge and a radio device like the USRP (weā€™ve won one at hack.lu;) or a nanoBTS, UmTRX, Phi card... For more information: Harald Welteā€™s presentation at SSTIC 2010 gives also a good overview of the GSM industry and security MobiDeke: Fuzzing the GSM Protocol Stack 8/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Fuzzing 4 very important points ā€¢ Choose your target ā€¢ Targeting the baseband GSM stack (2G), not 3G, HSDPA, LTE... ā€¢ SMS are usually not parsed by the baseband (passed as raw PDUs to the APP) ā€¢ Smartphones: HTC Desire S, Desire Z, iPhone 4S. . . ā€¢ Inject malformed data ā€¢ Monitor target activity ā€¢ Classify bugs, behaviours MobiDeke: Fuzzing the GSM Protocol Stack 9/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Fuzzing 4 very important points ā€¢ Choose your target ā€¢ Inject malformed data ā€¢ Smart generation of GSM packets (specs, existing librairies. . . ) ā€¢ Mutate each ļ¬eld of the generated message (describe a structure with Sulley) ā€¢ Monitor target activity ā€¢ Classify bugs, behaviours MobiDeke: Fuzzing the GSM Protocol Stack 9/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Fuzzing 4 very important points ā€¢ Choose your target ā€¢ Inject malformed data ā€¢ Monitor target activity ā€¢ Quite diļ¬ƒcult because we donā€™t have a debugger ā€¢ Check if the phone is responding ā€¢ Look for strange behaviors / side-eļ¬€ects ā€¢ ... ā€¢ Classify bugs, behaviours MobiDeke: Fuzzing the GSM Protocol Stack 9/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Fuzzing 4 very important points ā€¢ Choose your target ā€¢ Inject malformed data ā€¢ Monitor target activity ā€¢ Classify bugs, behaviours ā€¢ Crash reporting: report with indicators ā€¢ Replay the recorded payload and see what happens MobiDeke: Fuzzing the GSM Protocol Stack 9/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Summary 1 Introduction 2 Fuzzing over-the-air 3 The MobiDeke Framework 4 Conclusion MobiDeke: Fuzzing the GSM Protocol Stack 10/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion GSM layers Layers ā€¢ Layer 3 ā€¢ Radio Ressource: Channel set up and tear-down ā€¢ Mobility Management: User location... ā€¢ Connection Management: Call (CC), SMS and other services ā€¢ Layer 2 ā€¢ Fragmentation ā€¢ Integrity check ā€¢ Layer 1 ā€¢ Transfers data over the air interface ā€¢ Uses GMSK modulation ā€¢ F/TDMA for multiple accesses MobiDeke: Fuzzing the GSM Protocol Stack 11/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion L3 Messages structure There are 5 standards deļ¬ning information elements (described in 11.1.14 in the TS 04.07) MobiDeke: Fuzzing the GSM Protocol Stack 12/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion State Machines: Originating a Call example (simpliļ¬ed) SETUP ASSIGNMENT MS:CALL_CONFIRMED END RELEASE RELEASE CONNECT ASSIGNMENT_COMPLET RELEASE SPEAK BTS:CONNECT_ACK RELEASE Observations ā€¢ There is often a way to exit from a state machine (e.g.: The RELEASE message) ā€¢ Sometimes a state requires user interaction ā€¢ There are ā€˜obscureā€™ elements: present in specs, but never seen in real life. . . MobiDeke: Fuzzing the GSM Protocol Stack 13/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Message exchanges Some message exchanges can be considered as stateless, but there are also ļ¬nite state machines Stateless exchanges ā€¢ Simple to fuzz Finite state machines ā€¢ Complex and harder to fuzz ā€¢ Also harder to program correctly: potential surprises MobiDeke: Fuzzing the GSM Protocol Stack 14/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Letā€™s fuzz it! We have set up our network with OpenBTS as follows But how to send a payload to a targeted cellphone? ā‡’ Use the ā€˜testcallā€™ feature MobiDeke: Fuzzing the GSM Protocol Stack 15/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion The ā€˜testcallā€™ feature The ā€˜testcallā€™ feature ā€¢ Included in OpenBTS (since 2.5 version) and OpenBSC ā€¢ Opens a channel for each targeted IMSI* ā€¢ The channel ties to an UDP socket on local computer ā€¢ Takes packets as Layer 3 messages and forwards them to the mobile *IMSI: International Mobile Subscriber Identity MobiDeke: Fuzzing the GSM Protocol Stack 16/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Fuzzing problems... Testcall exists for fuzzing handsets, but itā€™s not enough because ā€¢ It works for a limited time ā€¢ OpenBTS crashes a lot ā€¢ The reserved channel is not very stable ā€¢ Youā€™re stuck to your chair while trying to send all your testcases... ā€¢ What about the monitoring? MobiDeke: Fuzzing the GSM Protocol Stack 17/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Summary 1 Introduction 2 Fuzzing over-the-air 3 The MobiDeke Framework Testcases generation and mutation Monitoring Report Future enhancement 4 Conclusion MobiDeke: Fuzzing the GSM Protocol Stack 18/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement MobiDeke? To perform our fuzzing tests, we created a framework that: ā€¢ Generates and mutates L3 messages ā€¢ Sends payload ā€˜over-the-airā€™ ā€¢ Checks if a handset is ready to receive our payload ā€¢ Monitors states (Phone and BTS) ā€¢ Records a ļ¬nal report MobiDeke: Fuzzing the GSM Protocol Stack 19/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement MobiDeke Architecture Diagram MobiDeke: Fuzzing the GSM Protocol Stack 20/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement MobiDeke: Data generation and mutation MobiDeke: Fuzzing the GSM Protocol Stack 21/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Methods for data generation and mutation Creating crafted L3 messages ā€¢ Dumb: using captures (MBUS Nokia, OsmocomBB...) and bit-ļ¬‚ipping ā€¢ Smarter: knowing the structure of the messages ā€¢ gsm um for scapy: interesting but not complete ā€¢ libmich developed by BenoĖ†Ä±t Michau: we have chosen this solution for the most part Mutations ā€¢ ā€˜libmichā€™ Mutor ā€¢ Sulley mutation engine It is better to combine multiple generation methods to cover as much testcases as possible. MobiDeke: Fuzzing the GSM Protocol Stack 22/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement MobiDeke: Monitoring MobiDeke: Fuzzing the GSM Protocol Stack 23/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Methods used to monitor crashes Problems ā€¢ Blackbox monitoring ā€¢ Did the baseband crash? Solutions ā€¢ Check if the baseband still responds correctly to ā€˜ATā€™ commands ā€¢ Look for bugs on the application processor by checking crashlogs ā€¢ Check the radio channel state reserved by OpenBTS MobiDeke: Fuzzing the GSM Protocol Stack 24/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Check the reserved channel: ā€™over-the-airā€™ Motivations ā€¢ OpenBTS crashes a lot! During that time your fuzzer continues to send payloads... ā€¢ Is the reserved channel stable enough? ā€¢ Is the baseband ready to receive the next payload? ā€¢ Did the baseband crash? Solutions ā€¢ Check the radio channel state regularly ā‡’ Transaction entries, paging states in OpenBTS. ā€¢ Send ā€˜pingā€™ requests to the baseband ā€˜over-the-airā€™ ā€¢ Send a IDENTITY REQUEST, the mobile will respond with an IDENTITY RESPONSE MobiDeke: Fuzzing the GSM Protocol Stack 25/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Check ā€˜ATā€™ responses with the ā€™injecATorā€™ locally ā€¢ We checked for phone responsiveness on the radio side ā€¢ What about on the local interface? We modiļ¬ed Collin Mullinerā€™s ā€˜injectorā€™ to forward ā€˜ATā€™ responses over the opened socket. ā€¢ Lack of AT response can indicate a baseband crash/reboot ā€¢ Can also be used to simulate user interactions (e.g. accept a phone call) MobiDeke: Fuzzing the GSM Protocol Stack 26/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Application OS bug report ā€¢ Even though we are targeting the baseband, some messages still get parsed by the application OS ā€¢ Can be the case for SMSs, Information Messages.. . . MobiDeke: Fuzzing the GSM Protocol Stack 27/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Logļ¬les: Android logcats Some useful data... ā€¢ When something crashes, it is likely to be reported in the logcat (Android syslogs) Extract the information ā€¢ Fetch the logs using adb and ļ¬lter this information ā€¢ Check for any known vocabulary in the log that could be related to a crash: ā€˜***ā€™, ā€˜uncaught exceptionā€™, ā€˜Error Processā€™... MobiDeke: Fuzzing the GSM Protocol Stack 28/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Logļ¬les: iOS CrashReporter ā€¢ iOS CrashReporter records application bugs ā€¢ Path: /var/wireless/Library/Logs/CrashReporter Note: On Inļ¬neon X-Gold (iPhone 1 to iPhone 3) itā€™s possible to save baseband core dumps in ā€˜CrashReporterā€™ if the CORE option is enabled. MobiDeke: Fuzzing the GSM Protocol Stack 29/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement The ļ¬nal report Indicators ā€¢ 0: The state changed, but everything is ļ¬ne ā€¢ 1: The baseband takes a little bit longer to respond ā€¢ 2: Maybe something happened (takes to long to respond, applicative crash...) ā€¢ 3: It is probably a crash (canā€™t talk with the baseband at all...) ā€¢ ... You can deļ¬ne new indicators depending on your analysis. MobiDeke: Fuzzing the GSM Protocol Stack 30/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Sample of a crash in the report <?xml v e r s i o n =ā€1.0ā€ ?> <report > <i nformat i ons> <s t art ed> Fri , 07 Sep 2012 16:18:47 </s t art ed> <f i n i s h e d> Fri , 07 Sep 2012 16:21:07 </f i n i s h e d> </i nformat i ons> <events> <event time =ā€16:18:49ā€ i d =ā€0ā€ l a s t p a y l o a d=ā€1658ā€ l e v e l =ā€0ā€> Fuzzing ( re ) s t a r t e d </event> <event time =ā€16:19:52ā€ i d =ā€1ā€ l a s t p a y l o a d=ā€1665ā€ l e v e l =ā€2ā€> AT answer : Timeout ! </event> <event time =ā€16:19:54ā€ i d =ā€2ā€ l e v e l=ā€0ā€> AT i s working once again </event> <event time =ā€16:20:00ā€ i d =ā€3ā€ l a s t p a y l o a d=ā€1666ā€ l e v e l =ā€3ā€> AT E rror </event> <event time =ā€16:20:04ā€ i d =ā€4ā€ l e v e l=ā€0ā€> AT i s working once again </event> <event time =ā€16:20:57ā€ i d =ā€5ā€ l a s t p a y l o a d=ā€1674ā€ l e v e l =ā€4ā€> AT answer : Strange Oo! </event> </events> </report > MobiDeke: Fuzzing the GSM Protocol Stack 31/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Monitoring enhancement ā€¢ Hard without a debugger: a lot of states to check ā€¢ We lately managed to get a qcombbdbg running on some phones: HTC Desire S/Z ā€¢ Itā€™s also possible to debug using the JTAG interface and additional hardware (e.g.: RIFFBOX) ā€¢ With a debugger: we donā€™t need heuristics to detect crashes MobiDeke: Fuzzing the GSM Protocol Stack 32/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Demo! The fuzzing platform (injecATor, OpenBTS and MobiDeke) MobiDeke: Fuzzing the GSM Protocol Stack 33/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Summary 1 Introduction 2 Fuzzing over-the-air 3 The MobiDeke Framework 4 Conclusion MobiDeke: Fuzzing the GSM Protocol Stack 34/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Problems ā€¢ Mostly the unstability of OpenBTS for fuzzing tests ā€¢ Deadlocked phones can require human intervention to reboot ā€¢ Did not have time to test all layers yet: ā€¢ A lot of ļ¬xes required on the monitoring part ā€¢ Checking the phone state slows down fuzzing ā€¢ We donā€™t have debuggers for every phone models ā€¢ A debugger is always needed to decide about exploitability MobiDeke: Fuzzing the GSM Protocol Stack 35/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Our results ā€¢ MobiDeke is a handy way to automate fuzzing tests on GSMs ā€¢ Not a lot of bugs have been found with stateless messages ā€¢ MM INFORMATION: few DoS and applicative crashes ā€¢ TMSI RELOCATION COMMAND: few DoS ā€¢ 1 state of Call Origin: 1 crash and a lot of DoS ā€¢ LOCATION UPDATING: not tested completely, few DoS ā€¢ A fuzzing test takes time: days, weeks or months (depends on the number of testcases and complexity) *DoS: The phone was not responding MobiDeke: Fuzzing the GSM Protocol Stack 36/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Todo ā€¢ There are still plenty of vectors to fuzz ā€¢ Integration with a debugger (e.g. JTAG) ā€¢ Implement state machines ā€¢ Source code not to be released at the moment MobiDeke: Fuzzing the GSM Protocol Stack 37/38
Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Thank you! ;) Any questions? MobiDeke: Fuzzing the GSM Protocol Stack 38/38

Recommended

NFV Usecase in OpenStack(vEPC)
NFV Usecase in OpenStack(vEPC)NFV Usecase in OpenStack(vEPC)
NFV Usecase in OpenStack(vEPC)
Nicholas H. Park
Ā 
802 15-4 tutorial
802 15-4 tutorial802 15-4 tutorial
802 15-4 tutorial
SHUBHAM MORGAONKAR
Ā 
5G Network Introduction
5G Network Introduction5G Network Introduction
5G Network Introduction
Michelle Holley
Ā 
Hallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginHallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul Coggin
EC-Council
Ā 
Software Defined Networking/Openflow: A path to Programmable Networks
Software Defined Networking/Openflow: A path to Programmable NetworksSoftware Defined Networking/Openflow: A path to Programmable Networks
Software Defined Networking/Openflow: A path to Programmable Networks
MyNOG
Ā 
Openstack meetup NFV
Openstack meetup NFV Openstack meetup NFV
Openstack meetup NFV
Marie-Paule Odini
Ā 
Summit 16: Open Baton Overview
Summit 16: Open Baton OverviewSummit 16: Open Baton Overview
Summit 16: Open Baton Overview
OPNFV
Ā 
VoWifi 02 - VoWifi architecture overview (pdf ppt)
VoWifi 02 - VoWifi architecture overview (pdf ppt)VoWifi 02 - VoWifi architecture overview (pdf ppt)
VoWifi 02 - VoWifi architecture overview (pdf ppt)
Vikas Shokeen
Ā 

Recommended

NFV Usecase in OpenStack(vEPC)
NFV Usecase in OpenStack(vEPC)NFV Usecase in OpenStack(vEPC)
NFV Usecase in OpenStack(vEPC)
Nicholas H. Park
Ā 
802 15-4 tutorial
802 15-4 tutorial802 15-4 tutorial
802 15-4 tutorial
SHUBHAM MORGAONKAR
Ā 
5G Network Introduction
5G Network Introduction5G Network Introduction
5G Network Introduction
Michelle Holley
Ā 
Hallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul CogginHallowed be thy packets by Paul Coggin
Hallowed be thy packets by Paul Coggin
EC-Council
Ā 
Software Defined Networking/Openflow: A path to Programmable Networks
Software Defined Networking/Openflow: A path to Programmable NetworksSoftware Defined Networking/Openflow: A path to Programmable Networks
Software Defined Networking/Openflow: A path to Programmable Networks
MyNOG
Ā 
Openstack meetup NFV
Openstack meetup NFV Openstack meetup NFV
Openstack meetup NFV
Marie-Paule Odini
Ā 
Summit 16: Open Baton Overview
Summit 16: Open Baton OverviewSummit 16: Open Baton Overview
Summit 16: Open Baton Overview
OPNFV
Ā 
VoWifi 02 - VoWifi architecture overview (pdf ppt)
VoWifi 02 - VoWifi architecture overview (pdf ppt)VoWifi 02 - VoWifi architecture overview (pdf ppt)
VoWifi 02 - VoWifi architecture overview (pdf ppt)
Vikas Shokeen
Ā 
Summit 16: Vodafone Ocean - Updates and Next Steps
Summit 16: Vodafone Ocean - Updates and Next StepsSummit 16: Vodafone Ocean - Updates and Next Steps
Summit 16: Vodafone Ocean - Updates and Next Steps
OPNFV
Ā 
Summit 16: Cengn Experience in Opnfv Projects
Summit 16: Cengn Experience in Opnfv ProjectsSummit 16: Cengn Experience in Opnfv Projects
Summit 16: Cengn Experience in Opnfv Projects
OPNFV
Ā 
Summit 16: NetIDE: Integrating and Orchestrating SDN Controllers
Summit 16: NetIDE: Integrating and Orchestrating SDN ControllersSummit 16: NetIDE: Integrating and Orchestrating SDN Controllers
Summit 16: NetIDE: Integrating and Orchestrating SDN Controllers
OPNFV
Ā 
Freeswitch
FreeswitchFreeswitch
Freeswitch
Suneet Saini
Ā 
Tutorial on SDN data plane evolution
Tutorial on SDN data plane evolutionTutorial on SDN data plane evolution
Tutorial on SDN data plane evolution
Antonio Capone
Ā 
Virt july-2013-meetup
Virt july-2013-meetupVirt july-2013-meetup
Virt july-2013-meetup
nvirters
Ā 
International SIP conference 2009
International SIP conference 2009International SIP conference 2009
International SIP conference 2009
Victor Pascual Ɓvila
Ā 
Non-Fluff Software Defined Networking, Network Function Virtualization and IoT
Non-Fluff Software Defined Networking, Network Function Virtualization and IoTNon-Fluff Software Defined Networking, Network Function Virtualization and IoT
Non-Fluff Software Defined Networking, Network Function Virtualization and IoT
Mark Ryan Castellani
Ā 
PI UK Seminar (Nov 2021) - PROFINET Implementation and Testing
PI UK Seminar (Nov 2021) - PROFINET Implementation and TestingPI UK Seminar (Nov 2021) - PROFINET Implementation and Testing
PI UK Seminar (Nov 2021) - PROFINET Implementation and Testing
PROFIBUS and PROFINET InternationaI - PI UK
Ā 
Open Baton: a Framework for Virtual Network Function Management and Orchestra...
Open Baton: a Framework for Virtual Network Function Management and Orchestra...Open Baton: a Framework for Virtual Network Function Management and Orchestra...
Open Baton: a Framework for Virtual Network Function Management and Orchestra...
Giuseppe Carella
Ā 
SDN basics
SDN basicsSDN basics
SDN basics
Anto Joeis
Ā 
Sdn and open flow tutorial 4
Sdn and open flow tutorial 4Sdn and open flow tutorial 4
Sdn and open flow tutorial 4
UmaMahesh Sistu
Ā 
Acronym Soup ā€“ NFV, SDN, OVN and VNF
Acronym Soup ā€“ NFV, SDN, OVN and VNFAcronym Soup ā€“ NFV, SDN, OVN and VNF
Acronym Soup ā€“ NFV, SDN, OVN and VNF
Emulex Corporation
Ā 
Janet access solutions
Janet access solutionsJanet access solutions
Janet access solutions
Jisc
Ā 
PROFINET implementation and testing - Dave Tomlin, Hitex and Andy Morse, AJM
PROFINET implementation and testing - Dave Tomlin, Hitex and Andy Morse, AJMPROFINET implementation and testing - Dave Tomlin, Hitex and Andy Morse, AJM
PROFINET implementation and testing - Dave Tomlin, Hitex and Andy Morse, AJM
PROFIBUS and PROFINET InternationaI - PI UK
Ā 
Superfluid networking for 5G: vision and state of the art
Superfluid networking for 5G: vision and state of the artSuperfluid networking for 5G: vision and state of the art
Superfluid networking for 5G: vision and state of the art
Stefano Salsano
Ā 
Understanding NFV Management and Orchestration
Understanding NFV Management and OrchestrationUnderstanding NFV Management and Orchestration
Understanding NFV Management and Orchestration
Alberto Diez
Ā 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
ICT PRISTINE
Ā 
IMTC VoLTE Webinar - Voice over LTE: Industry, Standardization and Market Rea...
IMTC VoLTE Webinar - Voice over LTE: Industry, Standardization and Market Rea...IMTC VoLTE Webinar - Voice over LTE: Industry, Standardization and Market Rea...
IMTC VoLTE Webinar - Voice over LTE: Industry, Standardization and Market Rea...
IMTC
Ā 
SDN and NFV: Friends or Enemies
SDN and NFV: Friends or EnemiesSDN and NFV: Friends or Enemies
SDN and NFV: Friends or Enemies
Justyna Bak
Ā 
Remote PC Administration Using Mobile Phone
Remote PC Administration Using Mobile PhoneRemote PC Administration Using Mobile Phone
Remote PC Administration Using Mobile Phone
Chhatrapati shivaji institute of technology, Deori
Ā 
Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...
Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...
Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...
Benjamin CabƩ
Ā 

More Related Content

What's hot

Summit 16: NetIDE: Integrating and Orchestrating SDN Controllers
Summit 16: NetIDE: Integrating and Orchestrating SDN ControllersSummit 16: NetIDE: Integrating and Orchestrating SDN Controllers
Summit 16: NetIDE: Integrating and Orchestrating SDN Controllers
OPNFV
Ā 
Virt july-2013-meetup
Virt july-2013-meetupVirt july-2013-meetup
Virt july-2013-meetup
nvirters
Ā 
Janet access solutions
Janet access solutionsJanet access solutions
Janet access solutions
Jisc
Ā 
Superfluid networking for 5G: vision and state of the art
Superfluid networking for 5G: vision and state of the artSuperfluid networking for 5G: vision and state of the art
Superfluid networking for 5G: vision and state of the art
Stefano Salsano
Ā 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
ICT PRISTINE
Ā 

What's hot (20)

Summit 16: Vodafone Ocean - Updates and Next Steps
Summit 16: Vodafone Ocean - Updates and Next StepsSummit 16: Vodafone Ocean - Updates and Next Steps
Summit 16: Vodafone Ocean - Updates and Next Steps
Ā 
Summit 16: Cengn Experience in Opnfv Projects
Summit 16: Cengn Experience in Opnfv ProjectsSummit 16: Cengn Experience in Opnfv Projects
Summit 16: Cengn Experience in Opnfv Projects
Ā 
Summit 16: NetIDE: Integrating and Orchestrating SDN Controllers
Summit 16: NetIDE: Integrating and Orchestrating SDN ControllersSummit 16: NetIDE: Integrating and Orchestrating SDN Controllers
Summit 16: NetIDE: Integrating and Orchestrating SDN Controllers
Ā 
Freeswitch
FreeswitchFreeswitch
Freeswitch
Ā 
Tutorial on SDN data plane evolution
Tutorial on SDN data plane evolutionTutorial on SDN data plane evolution
Tutorial on SDN data plane evolution
Ā 
Virt july-2013-meetup
Virt july-2013-meetupVirt july-2013-meetup
Virt july-2013-meetup
Ā 
International SIP conference 2009
International SIP conference 2009International SIP conference 2009
International SIP conference 2009
Ā 
Non-Fluff Software Defined Networking, Network Function Virtualization and IoT
Non-Fluff Software Defined Networking, Network Function Virtualization and IoTNon-Fluff Software Defined Networking, Network Function Virtualization and IoT
Non-Fluff Software Defined Networking, Network Function Virtualization and IoT
Ā 
PI UK Seminar (Nov 2021) - PROFINET Implementation and Testing
PI UK Seminar (Nov 2021) - PROFINET Implementation and TestingPI UK Seminar (Nov 2021) - PROFINET Implementation and Testing
PI UK Seminar (Nov 2021) - PROFINET Implementation and Testing
Ā 
Open Baton: a Framework for Virtual Network Function Management and Orchestra...
Open Baton: a Framework for Virtual Network Function Management and Orchestra...Open Baton: a Framework for Virtual Network Function Management and Orchestra...
Open Baton: a Framework for Virtual Network Function Management and Orchestra...
Ā 
SDN basics
SDN basicsSDN basics
SDN basics
Ā 
Sdn and open flow tutorial 4
Sdn and open flow tutorial 4Sdn and open flow tutorial 4
Sdn and open flow tutorial 4
Ā 
Acronym Soup ā€“ NFV, SDN, OVN and VNF
Acronym Soup ā€“ NFV, SDN, OVN and VNFAcronym Soup ā€“ NFV, SDN, OVN and VNF
Acronym Soup ā€“ NFV, SDN, OVN and VNF
Ā 
Janet access solutions
Janet access solutionsJanet access solutions
Janet access solutions
Ā 
PROFINET implementation and testing - Dave Tomlin, Hitex and Andy Morse, AJM
PROFINET implementation and testing - Dave Tomlin, Hitex and Andy Morse, AJMPROFINET implementation and testing - Dave Tomlin, Hitex and Andy Morse, AJM
PROFINET implementation and testing - Dave Tomlin, Hitex and Andy Morse, AJM
Ā 
Superfluid networking for 5G: vision and state of the art
Superfluid networking for 5G: vision and state of the artSuperfluid networking for 5G: vision and state of the art
Superfluid networking for 5G: vision and state of the art
Ā 
Understanding NFV Management and Orchestration
Understanding NFV Management and OrchestrationUnderstanding NFV Management and Orchestration
Understanding NFV Management and Orchestration
Ā 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
Ā 
IMTC VoLTE Webinar - Voice over LTE: Industry, Standardization and Market Rea...
IMTC VoLTE Webinar - Voice over LTE: Industry, Standardization and Market Rea...IMTC VoLTE Webinar - Voice over LTE: Industry, Standardization and Market Rea...
IMTC VoLTE Webinar - Voice over LTE: Industry, Standardization and Market Rea...
Ā 
SDN and NFV: Friends or Enemies
SDN and NFV: Friends or EnemiesSDN and NFV: Friends or Enemies
SDN and NFV: Friends or Enemies
Ā 

Similar to Hack.lu 2012 - Fuzzing the GSM protocol stack

Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...
Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...
Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...
Benjamin CabƩ
Ā 
[Dec./2017] My Personal/Professional Journey after Graduate Univ.
[Dec./2017] My Personal/Professional Journey after Graduate Univ.[Dec./2017] My Personal/Professional Journey after Graduate Univ.
[Dec./2017] My Personal/Professional Journey after Graduate Univ.
Hayoung Yoon
Ā 
Mohamed_El-Tokhy_Resume_last
Mohamed_El-Tokhy_Resume_lastMohamed_El-Tokhy_Resume_last
Mohamed_El-Tokhy_Resume_last
Mohamed El-Tokhy
Ā 
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...
Alan Quayle
Ā 
Srikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latestSrikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latest
Srikanth Pilli
Ā 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...
EC-Council
Ā 

Similar to Hack.lu 2012 - Fuzzing the GSM protocol stack (20)

Remote PC Administration Using Mobile Phone
Remote PC Administration Using Mobile PhoneRemote PC Administration Using Mobile Phone
Remote PC Administration Using Mobile Phone
Ā 
Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...
Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...
Using Eclipse and Lua for the Internet of Things with Eclipse Koneki, Mihini ...
Ā 
[Dec./2017] My Personal/Professional Journey after Graduate Univ.
[Dec./2017] My Personal/Professional Journey after Graduate Univ.[Dec./2017] My Personal/Professional Journey after Graduate Univ.
[Dec./2017] My Personal/Professional Journey after Graduate Univ.
Ā 
How to control remote LED at the easiest and cheapest with Azure
How to control remote LED at the easiest and cheapest with AzureHow to control remote LED at the easiest and cheapest with Azure
How to control remote LED at the easiest and cheapest with Azure
Ā 
Mohamed_El-Tokhy_Resume_last
Mohamed_El-Tokhy_Resume_lastMohamed_El-Tokhy_Resume_last
Mohamed_El-Tokhy_Resume_last
Ā 
Building the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetupBuilding the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetup
Ā 
zigbee
zigbee zigbee
zigbee
Ā 
Unit 4
Unit 4Unit 4
Unit 4
Ā 
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...
Practical Experiences of Multi-Operator Neutral Hosting James Body, TADSummit...
Ā 
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...
M2M One & M2M Connectivity - Developing a Cellular IoT or M2M Solution in Aus...
Ā 
Srikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latestSrikanth_PILLI_CV_latest
Srikanth_PILLI_CV_latest
Ā 
Connected home - market evolution & protocol wars
Connected home - market evolution & protocol warsConnected home - market evolution & protocol wars
Connected home - market evolution & protocol wars
Ā 
SigfoxMakersDay Total
SigfoxMakersDay TotalSigfoxMakersDay Total
SigfoxMakersDay Total
Ā 
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hackedDEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
Ā 
Google global Cache operations for youtube
Google global Cache operations for youtubeGoogle global Cache operations for youtube
Google global Cache operations for youtube
Ā 
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
iOS Bootcamp: learning to create awesome apps on iOS using Swift (Lecture 7)
Ā 
MIMIC Simulator Network Simulator
MIMIC Simulator Network SimulatorMIMIC Simulator Network Simulator
MIMIC Simulator Network Simulator
Ā 
2022 Portfolio English
2022 Portfolio English2022 Portfolio English
2022 Portfolio English
Ā 
Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...Exploring LTE security and protocol exploits with open source software and lo...
Exploring LTE security and protocol exploits with open source software and lo...
Ā 
R43019698
R43019698R43019698
R43019698
Ā 

More from šŸ“” Sebastien Dudek

More from šŸ“” Sebastien Dudek (17)

The current state of LoRaWAN security
The current state of LoRaWAN securityThe current state of LoRaWAN security
The current state of LoRaWAN security
Ā 
Hack.lu 2012 - Fuzzing the GSM protocol stack (paper)
Hack.lu 2012 - Fuzzing the GSM protocol stack (paper)Hack.lu 2012 - Fuzzing the GSM protocol stack (paper)
Hack.lu 2012 - Fuzzing the GSM protocol stack (paper)
Ā 
33c3 - 2G and 3G intercom attacks
33c3 - 2G and 3G intercom attacks33c3 - 2G and 3G intercom attacks
33c3 - 2G and 3G intercom attacks
Ā 
Beerump 2018 - Modmobmap
Beerump 2018 - ModmobmapBeerump 2018 - Modmobmap
Beerump 2018 - Modmobmap
Ā 
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring (slides)
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring (slides)NSC 2014 HomePlugAV PLC: Practical attacks and backdooring (slides)
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring (slides)
Ā 
Hack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hackingHack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hacking
Ā 
Intercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT HackingIntercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT Hacking
Ā 
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring NSC 2014 HomePlugAV PLC: Practical attacks and backdooring
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring
Ā 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Ā 
Article on V2G Hacking - V2G Injector: Whispering to cars and charging statio...
Article on V2G Hacking - V2G Injector: Whispering to cars and charging statio...Article on V2G Hacking - V2G Injector: Whispering to cars and charging statio...
Article on V2G Hacking - V2G Injector: Whispering to cars and charging statio...
Ā 
SSTIC 2019 - V2G injector: Whispering to cars and charging units through the ...
SSTIC 2019 - V2G injector: Whispering to cars and charging units through the ...SSTIC 2019 - V2G injector: Whispering to cars and charging units through the ...
SSTIC 2019 - V2G injector: Whispering to cars and charging units through the ...
Ā 
SSTIC RUMP 2018 - Modmobjam
SSTIC RUMP 2018 - ModmobjamSSTIC RUMP 2018 - Modmobjam
SSTIC RUMP 2018 - Modmobjam
Ā 
Intercom hacks with GSM interception
Intercom hacks with GSM interceptionIntercom hacks with GSM interception
Intercom hacks with GSM interception
Ā 
Synacktiv mobile communications attacks
Synacktiv mobile communications attacksSynacktiv mobile communications attacks
Synacktiv mobile communications attacks
Ā 
Troopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricksTroopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricks
Ā 
Troopers TelcoSec day 2019 - Modmobtools internals
Troopers TelcoSec day 2019 - Modmobtools internalsTroopers TelcoSec day 2019 - Modmobtools internals
Troopers TelcoSec day 2019 - Modmobtools internals
Ā 
Usrp episode 1: smoke gets in your eyes
Usrp episode 1: smoke gets in your eyesUsrp episode 1: smoke gets in your eyes
Usrp episode 1: smoke gets in your eyes
Ā 

Recently uploaded

The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Safe Software
Ā 
CORS (Kitworks Team Study ģ–‘ė‹¤ģœ— ė°œķ‘œģžė£Œ 240510)
CORS (Kitworks Team Study ģ–‘ė‹¤ģœ— ė°œķ‘œģžė£Œ 240510)CORS (Kitworks Team Study ģ–‘ė‹¤ģœ— ė°œķ‘œģžė£Œ 240510)
CORS (Kitworks Team Study ģ–‘ė‹¤ģœ— ė°œķ‘œģžė£Œ 240510)
Wonjun Hwang
Ā 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
Ā 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
Ā 
ā€œIamnobody89757ā€ Understanding the Mysterious of Digital Identity.pdf
ā€œIamnobody89757ā€ Understanding the Mysterious of Digital Identity.pdfā€œIamnobody89757ā€ Understanding the Mysterious of Digital Identity.pdf
ā€œIamnobody89757ā€ Understanding the Mysterious of Digital Identity.pdf
Muhammad Subhan
Ā 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
FIDO Alliance
Ā 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
Ā 

Recently uploaded (20)

The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
Ā 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
Ā 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
Ā 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
Ā 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Ā 
CORS (Kitworks Team Study ģ–‘ė‹¤ģœ— ė°œķ‘œģžė£Œ 240510)
CORS (Kitworks Team Study ģ–‘ė‹¤ģœ— ė°œķ‘œģžė£Œ 240510)CORS (Kitworks Team Study ģ–‘ė‹¤ģœ— ė°œķ‘œģžė£Œ 240510)
CORS (Kitworks Team Study ģ–‘ė‹¤ģœ— ė°œķ‘œģžė£Œ 240510)
Ā 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Ā 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
Ā 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
Ā 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
Ā 
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptxCyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Cyber Insurance - RalphGilot - Embry-Riddle Aeronautical University.pptx
Ā 
How to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in PakistanHow to Check GPS Location with a Live Tracker in Pakistan
How to Check GPS Location with a Live Tracker in Pakistan
Ā 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxTales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Ā 
ā€œIamnobody89757ā€ Understanding the Mysterious of Digital Identity.pdf
ā€œIamnobody89757ā€ Understanding the Mysterious of Digital Identity.pdfā€œIamnobody89757ā€ Understanding the Mysterious of Digital Identity.pdf
ā€œIamnobody89757ā€ Understanding the Mysterious of Digital Identity.pdf
Ā 
Ų§Ł„Ų£Ł…Ł† Ų§Ł„Ų³ŁŠŲØŲ±Ų§Ł†ŁŠ - Ł…Ų§ Ł„Ų§ ŁŠŲ³Ų¹ Ł„Ł„Ł…Ų³ŲŖŲ®ŲÆŁ… Ų¬Ł‡Ł„Ł‡
Ų§Ł„Ų£Ł…Ł† Ų§Ł„Ų³ŁŠŲØŲ±Ų§Ł†ŁŠ - Ł…Ų§ Ł„Ų§ ŁŠŲ³Ų¹ Ł„Ł„Ł…Ų³ŲŖŲ®ŲÆŁ… Ų¬Ł‡Ł„Ł‡Ų§Ł„Ų£Ł…Ł† Ų§Ł„Ų³ŁŠŲØŲ±Ų§Ł†ŁŠ - Ł…Ų§ Ł„Ų§ ŁŠŲ³Ų¹ Ł„Ł„Ł…Ų³ŲŖŲ®ŲÆŁ… Ų¬Ł‡Ł„Ł‡
Ų§Ł„Ų£Ł…Ł† Ų§Ł„Ų³ŁŠŲØŲ±Ų§Ł†ŁŠ - Ł…Ų§ Ł„Ų§ ŁŠŲ³Ų¹ Ł„Ł„Ł…Ų³ŲŖŲ®ŲÆŁ… Ų¬Ł‡Ł„Ł‡
Ā 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
Ā 
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptxHarnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Harnessing Passkeys in the Battle Against AI-Powered Cyber Threats.pptx
Ā 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Ā 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
Ā 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
Ā 

Hack.lu 2012 - Fuzzing the GSM protocol stack

  • 1. MobiDeke: Fuzzing the GSM Protocol Stack SĀ“ebastien Dudek Guillaume DelugrĀ“e Sogeti / ESEC Hack.lu 2012
  • 2. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Who we are SĀ“ebastien Dudek ā€¢ Has joined the ESEC R&D lab this year (2012) after his internship ā€¢ Subject: Attacking the GSM Protocol Stack ā€¢ Developer of a GSM fuzzing framework (ā€˜MobiDekeā€™) Guillaume DelugrĀ“e ā€¢ Researcher working at Sogeti ESEC R&D lab ā€¢ Working on embedded devices / reverse engineering ā€¢ Developer of ā€˜qcombbdbgā€™ (Qualcomm 3G key Icon255 debugger) and ā€˜Origamiā€™ MobiDeke: Fuzzing the GSM Protocol Stack 2/38
  • 3. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Summary 1 Introduction 2 Fuzzing over-the-air 3 The MobiDeke Framework 4 Conclusion MobiDeke: Fuzzing the GSM Protocol Stack 3/38
  • 4. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion The GSM (2G) network MobiDeke: Fuzzing the GSM Protocol Stack 4/38
  • 5. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion User Equipments (mobile phones) Radio control functions are highly timing dependant, so most of the phones use two separated CPUs nowadays The application processor ā€¢ Runs the user OS: Android, iOS, Windows Mobile, and so on ā€¢ Documented (often) The baseband processor ā€¢ Responsible for handling telecommunications ā€¢ Includes stacks for telephony protocols ā€¢ Closed binary blob running RTOS See the talk of Guillaume at 28c3 (Chaos Computer Congress) for more information. MobiDeke: Fuzzing the GSM Protocol Stack 5/38
  • 6. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Existing attacks Many papers have been published: ā€¢ Harald Welte: Fuzzing your GSM phone using OpenBSC (2009); ā€¢ Collin Mulliner: Fuzzing the Phone in your Phone (2009); ā€¢ Collin Mulliner, Nico Golde and Jean-Pierre Seifert : SMS of Death: from analyzing to attacking mobile phones on a large scale (2011); ā€¢ Nico Golde: SMS Vulnerability Analysis on Feature Phones (2011); ā€¢ Ralf-Philipp Weinmann: Baseband Attacks, WOOT 2012 ā€¢ ... MobiDeke: Fuzzing the GSM Protocol Stack 6/38
  • 7. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion What we are looking for ā€¢ The baseband: new angle of attack ā€¢ Setup a network is easy today thanks to SDR contributions (OpenBTS, OpenBSC, and so on) ā‡’ Attacking a cellphone ā€˜over-the-airā€™ could be fun! (+ not completely explored) Typical scenario ā€¢ The attacker controls a rogue base station ā€¢ The victim joins the cell and gets remotely exploited *SDR: Software-Deļ¬ned Radio MobiDeke: Fuzzing the GSM Protocol Stack 7/38
  • 8. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion To reach our goal ā€¢ Baseband code is proprietary How to ļ¬nd bugs? ā€¢ Reverse-engineering: Hard because the code is very complex ā€¢ Fuzzing: The easier way, but need some knowledge and a radio device like the USRP (weā€™ve won one at hack.lu;) or a nanoBTS, UmTRX, Phi card... For more information: Harald Welteā€™s presentation at SSTIC 2010 gives also a good overview of the GSM industry and security MobiDeke: Fuzzing the GSM Protocol Stack 8/38
  • 9. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Fuzzing 4 very important points ā€¢ Choose your target ā€¢ Targeting the baseband GSM stack (2G), not 3G, HSDPA, LTE... ā€¢ SMS are usually not parsed by the baseband (passed as raw PDUs to the APP) ā€¢ Smartphones: HTC Desire S, Desire Z, iPhone 4S. . . ā€¢ Inject malformed data ā€¢ Monitor target activity ā€¢ Classify bugs, behaviours MobiDeke: Fuzzing the GSM Protocol Stack 9/38
  • 10. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Fuzzing 4 very important points ā€¢ Choose your target ā€¢ Inject malformed data ā€¢ Smart generation of GSM packets (specs, existing librairies. . . ) ā€¢ Mutate each ļ¬eld of the generated message (describe a structure with Sulley) ā€¢ Monitor target activity ā€¢ Classify bugs, behaviours MobiDeke: Fuzzing the GSM Protocol Stack 9/38
  • 11. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Fuzzing 4 very important points ā€¢ Choose your target ā€¢ Inject malformed data ā€¢ Monitor target activity ā€¢ Quite diļ¬ƒcult because we donā€™t have a debugger ā€¢ Check if the phone is responding ā€¢ Look for strange behaviors / side-eļ¬€ects ā€¢ ... ā€¢ Classify bugs, behaviours MobiDeke: Fuzzing the GSM Protocol Stack 9/38
  • 12. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Fuzzing 4 very important points ā€¢ Choose your target ā€¢ Inject malformed data ā€¢ Monitor target activity ā€¢ Classify bugs, behaviours ā€¢ Crash reporting: report with indicators ā€¢ Replay the recorded payload and see what happens MobiDeke: Fuzzing the GSM Protocol Stack 9/38
  • 13. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Summary 1 Introduction 2 Fuzzing over-the-air 3 The MobiDeke Framework 4 Conclusion MobiDeke: Fuzzing the GSM Protocol Stack 10/38
  • 14. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion GSM layers Layers ā€¢ Layer 3 ā€¢ Radio Ressource: Channel set up and tear-down ā€¢ Mobility Management: User location... ā€¢ Connection Management: Call (CC), SMS and other services ā€¢ Layer 2 ā€¢ Fragmentation ā€¢ Integrity check ā€¢ Layer 1 ā€¢ Transfers data over the air interface ā€¢ Uses GMSK modulation ā€¢ F/TDMA for multiple accesses MobiDeke: Fuzzing the GSM Protocol Stack 11/38
  • 15. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion L3 Messages structure There are 5 standards deļ¬ning information elements (described in 11.1.14 in the TS 04.07) MobiDeke: Fuzzing the GSM Protocol Stack 12/38
  • 16. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion State Machines: Originating a Call example (simpliļ¬ed) SETUP ASSIGNMENT MS:CALL_CONFIRMED END RELEASE RELEASE CONNECT ASSIGNMENT_COMPLET RELEASE SPEAK BTS:CONNECT_ACK RELEASE Observations ā€¢ There is often a way to exit from a state machine (e.g.: The RELEASE message) ā€¢ Sometimes a state requires user interaction ā€¢ There are ā€˜obscureā€™ elements: present in specs, but never seen in real life. . . MobiDeke: Fuzzing the GSM Protocol Stack 13/38
  • 17. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Message exchanges Some message exchanges can be considered as stateless, but there are also ļ¬nite state machines Stateless exchanges ā€¢ Simple to fuzz Finite state machines ā€¢ Complex and harder to fuzz ā€¢ Also harder to program correctly: potential surprises MobiDeke: Fuzzing the GSM Protocol Stack 14/38
  • 18. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Letā€™s fuzz it! We have set up our network with OpenBTS as follows But how to send a payload to a targeted cellphone? ā‡’ Use the ā€˜testcallā€™ feature MobiDeke: Fuzzing the GSM Protocol Stack 15/38
  • 19. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion The ā€˜testcallā€™ feature The ā€˜testcallā€™ feature ā€¢ Included in OpenBTS (since 2.5 version) and OpenBSC ā€¢ Opens a channel for each targeted IMSI* ā€¢ The channel ties to an UDP socket on local computer ā€¢ Takes packets as Layer 3 messages and forwards them to the mobile *IMSI: International Mobile Subscriber Identity MobiDeke: Fuzzing the GSM Protocol Stack 16/38
  • 20. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Fuzzing problems... Testcall exists for fuzzing handsets, but itā€™s not enough because ā€¢ It works for a limited time ā€¢ OpenBTS crashes a lot ā€¢ The reserved channel is not very stable ā€¢ Youā€™re stuck to your chair while trying to send all your testcases... ā€¢ What about the monitoring? MobiDeke: Fuzzing the GSM Protocol Stack 17/38
  • 21. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Summary 1 Introduction 2 Fuzzing over-the-air 3 The MobiDeke Framework Testcases generation and mutation Monitoring Report Future enhancement 4 Conclusion MobiDeke: Fuzzing the GSM Protocol Stack 18/38
  • 22. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement MobiDeke? To perform our fuzzing tests, we created a framework that: ā€¢ Generates and mutates L3 messages ā€¢ Sends payload ā€˜over-the-airā€™ ā€¢ Checks if a handset is ready to receive our payload ā€¢ Monitors states (Phone and BTS) ā€¢ Records a ļ¬nal report MobiDeke: Fuzzing the GSM Protocol Stack 19/38
  • 23. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement MobiDeke Architecture Diagram MobiDeke: Fuzzing the GSM Protocol Stack 20/38
  • 24. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement MobiDeke: Data generation and mutation MobiDeke: Fuzzing the GSM Protocol Stack 21/38
  • 25. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Methods for data generation and mutation Creating crafted L3 messages ā€¢ Dumb: using captures (MBUS Nokia, OsmocomBB...) and bit-ļ¬‚ipping ā€¢ Smarter: knowing the structure of the messages ā€¢ gsm um for scapy: interesting but not complete ā€¢ libmich developed by BenoĖ†Ä±t Michau: we have chosen this solution for the most part Mutations ā€¢ ā€˜libmichā€™ Mutor ā€¢ Sulley mutation engine It is better to combine multiple generation methods to cover as much testcases as possible. MobiDeke: Fuzzing the GSM Protocol Stack 22/38
  • 26. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement MobiDeke: Monitoring MobiDeke: Fuzzing the GSM Protocol Stack 23/38
  • 27. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Methods used to monitor crashes Problems ā€¢ Blackbox monitoring ā€¢ Did the baseband crash? Solutions ā€¢ Check if the baseband still responds correctly to ā€˜ATā€™ commands ā€¢ Look for bugs on the application processor by checking crashlogs ā€¢ Check the radio channel state reserved by OpenBTS MobiDeke: Fuzzing the GSM Protocol Stack 24/38
  • 28. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Check the reserved channel: ā€™over-the-airā€™ Motivations ā€¢ OpenBTS crashes a lot! During that time your fuzzer continues to send payloads... ā€¢ Is the reserved channel stable enough? ā€¢ Is the baseband ready to receive the next payload? ā€¢ Did the baseband crash? Solutions ā€¢ Check the radio channel state regularly ā‡’ Transaction entries, paging states in OpenBTS. ā€¢ Send ā€˜pingā€™ requests to the baseband ā€˜over-the-airā€™ ā€¢ Send a IDENTITY REQUEST, the mobile will respond with an IDENTITY RESPONSE MobiDeke: Fuzzing the GSM Protocol Stack 25/38
  • 29. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Check ā€˜ATā€™ responses with the ā€™injecATorā€™ locally ā€¢ We checked for phone responsiveness on the radio side ā€¢ What about on the local interface? We modiļ¬ed Collin Mullinerā€™s ā€˜injectorā€™ to forward ā€˜ATā€™ responses over the opened socket. ā€¢ Lack of AT response can indicate a baseband crash/reboot ā€¢ Can also be used to simulate user interactions (e.g. accept a phone call) MobiDeke: Fuzzing the GSM Protocol Stack 26/38
  • 30. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Application OS bug report ā€¢ Even though we are targeting the baseband, some messages still get parsed by the application OS ā€¢ Can be the case for SMSs, Information Messages.. . . MobiDeke: Fuzzing the GSM Protocol Stack 27/38
  • 31. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Logļ¬les: Android logcats Some useful data... ā€¢ When something crashes, it is likely to be reported in the logcat (Android syslogs) Extract the information ā€¢ Fetch the logs using adb and ļ¬lter this information ā€¢ Check for any known vocabulary in the log that could be related to a crash: ā€˜***ā€™, ā€˜uncaught exceptionā€™, ā€˜Error Processā€™... MobiDeke: Fuzzing the GSM Protocol Stack 28/38
  • 32. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Logļ¬les: iOS CrashReporter ā€¢ iOS CrashReporter records application bugs ā€¢ Path: /var/wireless/Library/Logs/CrashReporter Note: On Inļ¬neon X-Gold (iPhone 1 to iPhone 3) itā€™s possible to save baseband core dumps in ā€˜CrashReporterā€™ if the CORE option is enabled. MobiDeke: Fuzzing the GSM Protocol Stack 29/38
  • 33. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement The ļ¬nal report Indicators ā€¢ 0: The state changed, but everything is ļ¬ne ā€¢ 1: The baseband takes a little bit longer to respond ā€¢ 2: Maybe something happened (takes to long to respond, applicative crash...) ā€¢ 3: It is probably a crash (canā€™t talk with the baseband at all...) ā€¢ ... You can deļ¬ne new indicators depending on your analysis. MobiDeke: Fuzzing the GSM Protocol Stack 30/38
  • 34. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Sample of a crash in the report <?xml v e r s i o n =ā€1.0ā€ ?> <report > <i nformat i ons> <s t art ed> Fri , 07 Sep 2012 16:18:47 </s t art ed> <f i n i s h e d> Fri , 07 Sep 2012 16:21:07 </f i n i s h e d> </i nformat i ons> <events> <event time =ā€16:18:49ā€ i d =ā€0ā€ l a s t p a y l o a d=ā€1658ā€ l e v e l =ā€0ā€> Fuzzing ( re ) s t a r t e d </event> <event time =ā€16:19:52ā€ i d =ā€1ā€ l a s t p a y l o a d=ā€1665ā€ l e v e l =ā€2ā€> AT answer : Timeout ! </event> <event time =ā€16:19:54ā€ i d =ā€2ā€ l e v e l=ā€0ā€> AT i s working once again </event> <event time =ā€16:20:00ā€ i d =ā€3ā€ l a s t p a y l o a d=ā€1666ā€ l e v e l =ā€3ā€> AT E rror </event> <event time =ā€16:20:04ā€ i d =ā€4ā€ l e v e l=ā€0ā€> AT i s working once again </event> <event time =ā€16:20:57ā€ i d =ā€5ā€ l a s t p a y l o a d=ā€1674ā€ l e v e l =ā€4ā€> AT answer : Strange Oo! </event> </events> </report > MobiDeke: Fuzzing the GSM Protocol Stack 31/38
  • 35. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Monitoring enhancement ā€¢ Hard without a debugger: a lot of states to check ā€¢ We lately managed to get a qcombbdbg running on some phones: HTC Desire S/Z ā€¢ Itā€™s also possible to debug using the JTAG interface and additional hardware (e.g.: RIFFBOX) ā€¢ With a debugger: we donā€™t need heuristics to detect crashes MobiDeke: Fuzzing the GSM Protocol Stack 32/38
  • 36. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Testcases generation and mutation Monitoring Report Future enhancement Demo! The fuzzing platform (injecATor, OpenBTS and MobiDeke) MobiDeke: Fuzzing the GSM Protocol Stack 33/38
  • 37. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Summary 1 Introduction 2 Fuzzing over-the-air 3 The MobiDeke Framework 4 Conclusion MobiDeke: Fuzzing the GSM Protocol Stack 34/38
  • 38. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Problems ā€¢ Mostly the unstability of OpenBTS for fuzzing tests ā€¢ Deadlocked phones can require human intervention to reboot ā€¢ Did not have time to test all layers yet: ā€¢ A lot of ļ¬xes required on the monitoring part ā€¢ Checking the phone state slows down fuzzing ā€¢ We donā€™t have debuggers for every phone models ā€¢ A debugger is always needed to decide about exploitability MobiDeke: Fuzzing the GSM Protocol Stack 35/38
  • 39. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Our results ā€¢ MobiDeke is a handy way to automate fuzzing tests on GSMs ā€¢ Not a lot of bugs have been found with stateless messages ā€¢ MM INFORMATION: few DoS and applicative crashes ā€¢ TMSI RELOCATION COMMAND: few DoS ā€¢ 1 state of Call Origin: 1 crash and a lot of DoS ā€¢ LOCATION UPDATING: not tested completely, few DoS ā€¢ A fuzzing test takes time: days, weeks or months (depends on the number of testcases and complexity) *DoS: The phone was not responding MobiDeke: Fuzzing the GSM Protocol Stack 36/38
  • 40. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Todo ā€¢ There are still plenty of vectors to fuzz ā€¢ Integration with a debugger (e.g. JTAG) ā€¢ Implement state machines ā€¢ Source code not to be released at the moment MobiDeke: Fuzzing the GSM Protocol Stack 37/38
  • 41. Introduction Fuzzing over-the-air The MobiDeke Framework Conclusion Thank you! ;) Any questions? MobiDeke: Fuzzing the GSM Protocol Stack 38/38