2. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Who we are
SĀ“ebastien Dudek
ā¢ Has joined the ESEC R&D lab this year (2012) after his internship
ā¢ Subject: Attacking the GSM Protocol Stack
ā¢ Developer of a GSM fuzzing framework (āMobiDekeā)
Guillaume DelugrĀ“e
ā¢ Researcher working at Sogeti ESEC R&D lab
ā¢ Working on embedded devices / reverse engineering
ā¢ Developer of āqcombbdbgā (Qualcomm 3G key Icon255 debugger) and
āOrigamiā
MobiDeke: Fuzzing the GSM Protocol Stack 2/38
3. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Summary
1 Introduction
2 Fuzzing over-the-air
3 The MobiDeke Framework
4 Conclusion
MobiDeke: Fuzzing the GSM Protocol Stack 3/38
5. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
User Equipments (mobile phones)
Radio control functions are highly timing dependant, so most of the phones use
two separated CPUs nowadays
The application processor
ā¢ Runs the user OS: Android, iOS, Windows Mobile, and so on
ā¢ Documented (often)
The baseband processor
ā¢ Responsible for handling telecommunications
ā¢ Includes stacks for telephony protocols
ā¢ Closed binary blob running RTOS
See the talk of Guillaume at 28c3 (Chaos Computer Congress) for more
information.
MobiDeke: Fuzzing the GSM Protocol Stack 5/38
6. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Existing attacks
Many papers have been published:
ā¢ Harald Welte: Fuzzing your GSM phone using OpenBSC (2009);
ā¢ Collin Mulliner: Fuzzing the Phone in your Phone (2009);
ā¢ Collin Mulliner, Nico Golde and Jean-Pierre Seifert : SMS of Death: from
analyzing to attacking mobile phones on a large scale (2011);
ā¢ Nico Golde: SMS Vulnerability Analysis on Feature Phones (2011);
ā¢ Ralf-Philipp Weinmann: Baseband Attacks, WOOT 2012
ā¢ ...
MobiDeke: Fuzzing the GSM Protocol Stack 6/38
7. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
What we are looking for
ā¢ The baseband: new angle of attack
ā¢ Setup a network is easy today thanks to SDR contributions (OpenBTS,
OpenBSC, and so on)
ā Attacking a cellphone āover-the-airā could be fun! (+ not completely
explored)
Typical scenario
ā¢ The attacker controls a rogue base station
ā¢ The victim joins the cell and gets remotely exploited
*SDR: Software-Deļ¬ned Radio
MobiDeke: Fuzzing the GSM Protocol Stack 7/38
8. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
To reach our goal
ā¢ Baseband code is proprietary
How to ļ¬nd bugs?
ā¢ Reverse-engineering: Hard because the code is very complex
ā¢ Fuzzing: The easier way, but need some knowledge and a radio device like
the USRP (weāve won one at hack.lu;) or a nanoBTS, UmTRX, Phi card...
For more information: Harald Welteās presentation at SSTIC 2010 gives also a
good overview of the GSM industry and security
MobiDeke: Fuzzing the GSM Protocol Stack 8/38
9. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Fuzzing
4 very important points
ā¢ Choose your target
ā¢ Targeting the baseband GSM stack (2G), not 3G, HSDPA, LTE...
ā¢ SMS are usually not parsed by the baseband (passed as raw PDUs to the APP)
ā¢ Smartphones: HTC Desire S, Desire Z, iPhone 4S. . .
ā¢ Inject malformed data
ā¢ Monitor target activity
ā¢ Classify bugs, behaviours
MobiDeke: Fuzzing the GSM Protocol Stack 9/38
10. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Fuzzing
4 very important points
ā¢ Choose your target
ā¢ Inject malformed data
ā¢ Smart generation of GSM packets (specs, existing librairies. . . )
ā¢ Mutate each ļ¬eld of the generated message (describe a structure with Sulley)
ā¢ Monitor target activity
ā¢ Classify bugs, behaviours
MobiDeke: Fuzzing the GSM Protocol Stack 9/38
11. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Fuzzing
4 very important points
ā¢ Choose your target
ā¢ Inject malformed data
ā¢ Monitor target activity
ā¢ Quite diļ¬cult because we donāt have a debugger
ā¢ Check if the phone is responding
ā¢ Look for strange behaviors / side-eļ¬ects
ā¢ ...
ā¢ Classify bugs, behaviours
MobiDeke: Fuzzing the GSM Protocol Stack 9/38
12. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Fuzzing
4 very important points
ā¢ Choose your target
ā¢ Inject malformed data
ā¢ Monitor target activity
ā¢ Classify bugs, behaviours
ā¢ Crash reporting: report with indicators
ā¢ Replay the recorded payload and see what happens
MobiDeke: Fuzzing the GSM Protocol Stack 9/38
13. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Summary
1 Introduction
2 Fuzzing over-the-air
3 The MobiDeke Framework
4 Conclusion
MobiDeke: Fuzzing the GSM Protocol Stack 10/38
14. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
GSM layers
Layers
ā¢ Layer 3
ā¢ Radio Ressource: Channel set up and
tear-down
ā¢ Mobility Management: User location...
ā¢ Connection Management: Call (CC),
SMS and other services
ā¢ Layer 2
ā¢ Fragmentation
ā¢ Integrity check
ā¢ Layer 1
ā¢ Transfers data over the air interface
ā¢ Uses GMSK modulation
ā¢ F/TDMA for multiple accesses
MobiDeke: Fuzzing the GSM Protocol Stack 11/38
15. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
L3 Messages structure
There are 5 standards deļ¬ning information elements (described in 11.1.14 in the
TS 04.07)
MobiDeke: Fuzzing the GSM Protocol Stack 12/38
16. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
State Machines: Originating a Call example (simpliļ¬ed)
SETUP
ASSIGNMENT
MS:CALL_CONFIRMED
END
RELEASE
RELEASE
CONNECT
ASSIGNMENT_COMPLET
RELEASE SPEAK
BTS:CONNECT_ACK
RELEASE
Observations
ā¢ There is often a way to exit from a
state machine (e.g.: The RELEASE
message)
ā¢ Sometimes a state requires user
interaction
ā¢ There are āobscureā elements: present
in specs, but never seen in real life. . .
MobiDeke: Fuzzing the GSM Protocol Stack 13/38
17. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Message exchanges
Some message exchanges can be considered as stateless, but there are also ļ¬nite
state machines
Stateless exchanges
ā¢ Simple to fuzz
Finite state machines
ā¢ Complex and harder to fuzz
ā¢ Also harder to program correctly: potential surprises
MobiDeke: Fuzzing the GSM Protocol Stack 14/38
18. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Letās fuzz it!
We have set up our network with OpenBTS as follows
But how to send a payload to a targeted cellphone? ā Use the ātestcallā
feature
MobiDeke: Fuzzing the GSM Protocol Stack 15/38
19. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
The ātestcallā feature
The ātestcallā feature
ā¢ Included in OpenBTS (since 2.5 version) and OpenBSC
ā¢ Opens a channel for each targeted IMSI*
ā¢ The channel ties to an UDP socket on local computer
ā¢ Takes packets as Layer 3 messages and forwards them to the mobile
*IMSI: International Mobile Subscriber Identity
MobiDeke: Fuzzing the GSM Protocol Stack 16/38
20. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Fuzzing problems...
Testcall exists for fuzzing handsets, but itās not enough because
ā¢ It works for a limited time
ā¢ OpenBTS crashes a lot
ā¢ The reserved channel is not very stable
ā¢ Youāre stuck to your chair while trying to send all your testcases...
ā¢ What about the monitoring?
MobiDeke: Fuzzing the GSM Protocol Stack 17/38
21. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
Summary
1 Introduction
2 Fuzzing over-the-air
3 The MobiDeke Framework
Testcases generation and mutation
Monitoring
Report
Future enhancement
4 Conclusion
MobiDeke: Fuzzing the GSM Protocol Stack 18/38
22. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
MobiDeke?
To perform our fuzzing tests, we created a framework that:
ā¢ Generates and mutates L3 messages
ā¢ Sends payload āover-the-airā
ā¢ Checks if a handset is ready to receive our payload
ā¢ Monitors states (Phone and BTS)
ā¢ Records a ļ¬nal report
MobiDeke: Fuzzing the GSM Protocol Stack 19/38
23. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
MobiDeke Architecture Diagram
MobiDeke: Fuzzing the GSM Protocol Stack 20/38
24. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
MobiDeke: Data generation and mutation
MobiDeke: Fuzzing the GSM Protocol Stack 21/38
25. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
Methods for data generation and mutation
Creating crafted L3 messages
ā¢ Dumb: using captures (MBUS Nokia, OsmocomBB...) and bit-ļ¬ipping
ā¢ Smarter: knowing the structure of the messages
ā¢ gsm um for scapy: interesting but not complete
ā¢ libmich developed by BenoĖıt Michau: we have chosen this solution for the
most part
Mutations
ā¢ ālibmichā Mutor
ā¢ Sulley mutation engine
It is better to combine multiple generation methods to cover as much testcases as
possible.
MobiDeke: Fuzzing the GSM Protocol Stack 22/38
26. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
MobiDeke: Monitoring
MobiDeke: Fuzzing the GSM Protocol Stack 23/38
27. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
Methods used to monitor crashes
Problems
ā¢ Blackbox monitoring
ā¢ Did the baseband crash?
Solutions
ā¢ Check if the baseband still responds correctly to āATā commands
ā¢ Look for bugs on the application processor by checking crashlogs
ā¢ Check the radio channel state reserved by OpenBTS
MobiDeke: Fuzzing the GSM Protocol Stack 24/38
28. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
Check the reserved channel: āover-the-airā
Motivations
ā¢ OpenBTS crashes a lot! During that time your fuzzer continues to send
payloads...
ā¢ Is the reserved channel stable enough?
ā¢ Is the baseband ready to receive the next payload?
ā¢ Did the baseband crash?
Solutions
ā¢ Check the radio channel state regularly ā Transaction entries, paging states
in OpenBTS.
ā¢ Send āpingā requests to the baseband āover-the-airā
ā¢ Send a IDENTITY REQUEST, the mobile will respond with an IDENTITY
RESPONSE
MobiDeke: Fuzzing the GSM Protocol Stack 25/38
29. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
Check āATā responses with the āinjecATorā locally
ā¢ We checked for phone responsiveness on the radio side
ā¢ What about on the local interface?
We modiļ¬ed Collin Mullinerās āinjectorā to forward āATā responses over the opened
socket.
ā¢ Lack of AT response can indicate a baseband crash/reboot
ā¢ Can also be used to simulate user interactions (e.g. accept a phone call)
MobiDeke: Fuzzing the GSM Protocol Stack 26/38
30. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
Application OS bug report
ā¢ Even though we are targeting the baseband, some messages still get parsed
by the application OS
ā¢ Can be the case for SMSs, Information Messages.. . .
MobiDeke: Fuzzing the GSM Protocol Stack 27/38
31. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
Logļ¬les: Android logcats
Some useful data...
ā¢ When something crashes, it is likely to be reported in the logcat (Android
syslogs)
Extract the information
ā¢ Fetch the logs using adb and ļ¬lter this information
ā¢ Check for any known vocabulary in the log that could be related to a crash:
ā***ā, āuncaught exceptionā, āError Processā...
MobiDeke: Fuzzing the GSM Protocol Stack 28/38
32. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
Logļ¬les: iOS CrashReporter
ā¢ iOS CrashReporter records application bugs
ā¢ Path: /var/wireless/Library/Logs/CrashReporter
Note: On Inļ¬neon X-Gold (iPhone 1 to iPhone 3) itās possible to save baseband
core dumps in āCrashReporterā if the CORE option is enabled.
MobiDeke: Fuzzing the GSM Protocol Stack 29/38
33. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
The ļ¬nal report
Indicators
ā¢ 0: The state changed, but everything is ļ¬ne
ā¢ 1: The baseband takes a little bit longer to respond
ā¢ 2: Maybe something happened (takes to long to respond, applicative crash...)
ā¢ 3: It is probably a crash (canāt talk with the baseband at all...)
ā¢ ...
You can deļ¬ne new indicators depending on your analysis.
MobiDeke: Fuzzing the GSM Protocol Stack 30/38
34. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
Sample of a crash in the report
<?xml v e r s i o n =ā1.0ā ?>
<report >
<i nformat i ons>
<s t art ed>
Fri , 07 Sep 2012 16:18:47
</s t art ed>
<f i n i s h e d>
Fri , 07 Sep 2012 16:21:07
</f i n i s h e d>
</i nformat i ons>
<events>
<event time =ā16:18:49ā i d =ā0ā l a s t p a y l o a d=ā1658ā l e v e l =ā0ā>
Fuzzing ( re ) s t a r t e d
</event>
<event time =ā16:19:52ā i d =ā1ā l a s t p a y l o a d=ā1665ā l e v e l =ā2ā>
AT answer : Timeout !
</event>
<event time =ā16:19:54ā i d =ā2ā l e v e l=ā0ā>
AT i s working once again
</event>
<event time =ā16:20:00ā i d =ā3ā l a s t p a y l o a d=ā1666ā l e v e l =ā3ā>
AT E rror
</event>
<event time =ā16:20:04ā i d =ā4ā l e v e l=ā0ā>
AT i s working once again
</event>
<event time =ā16:20:57ā i d =ā5ā l a s t p a y l o a d=ā1674ā l e v e l =ā4ā>
AT answer : Strange Oo!
</event>
</events>
</report >
MobiDeke: Fuzzing the GSM Protocol Stack 31/38
35. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
Monitoring enhancement
ā¢ Hard without a debugger: a lot of states to check
ā¢ We lately managed to get a qcombbdbg running on some phones: HTC
Desire S/Z
ā¢ Itās also possible to debug using the JTAG interface and additional hardware
(e.g.: RIFFBOX)
ā¢ With a debugger: we donāt need heuristics to detect crashes
MobiDeke: Fuzzing the GSM Protocol Stack 32/38
36. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Testcases generation and mutation
Monitoring
Report
Future enhancement
Demo!
The fuzzing platform (injecATor, OpenBTS and MobiDeke)
MobiDeke: Fuzzing the GSM Protocol Stack 33/38
37. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Summary
1 Introduction
2 Fuzzing over-the-air
3 The MobiDeke Framework
4 Conclusion
MobiDeke: Fuzzing the GSM Protocol Stack 34/38
38. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Problems
ā¢ Mostly the unstability of OpenBTS for fuzzing tests
ā¢ Deadlocked phones can require human intervention to reboot
ā¢ Did not have time to test all layers yet:
ā¢ A lot of ļ¬xes required on the monitoring part
ā¢ Checking the phone state slows down fuzzing
ā¢ We donāt have debuggers for every phone models
ā¢ A debugger is always needed to decide about exploitability
MobiDeke: Fuzzing the GSM Protocol Stack 35/38
39. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Our results
ā¢ MobiDeke is a handy way to automate fuzzing tests on GSMs
ā¢ Not a lot of bugs have been found with stateless messages
ā¢ MM INFORMATION: few DoS and applicative crashes
ā¢ TMSI RELOCATION COMMAND: few DoS
ā¢ 1 state of Call Origin: 1 crash and a lot of DoS
ā¢ LOCATION UPDATING: not tested completely, few DoS
ā¢ A fuzzing test takes time: days, weeks or months (depends on the number of
testcases and complexity)
*DoS: The phone was not responding
MobiDeke: Fuzzing the GSM Protocol Stack 36/38
40. Introduction
Fuzzing over-the-air
The MobiDeke Framework
Conclusion
Todo
ā¢ There are still plenty of vectors to fuzz
ā¢ Integration with a debugger (e.g. JTAG)
ā¢ Implement state machines
ā¢ Source code not to be released at the moment
MobiDeke: Fuzzing the GSM Protocol Stack 37/38