SlideShare a Scribd company logo

128-ch2.pptx

Download as PPTX, PDF
H
HiraAshfaqSubhan

There are 5.07 billion internet users in the world today. The total number of internet users around the world grew by 171 million in the past 12 months – that’s an average of almost half a million new users every day. Globally, internet user numbers are growing at an annual rate of 3.5 percent, but year-on-year growth is much higher in many developing economies. Research restrictions caused by the ongoing coronavirus pandemic have also limited updates to internet user numbers over the past year, so we anticipate that actual growth rates may be higher than the latest data suggest. The average global internet user now spends 6 hours and 37 minutes online each day, but this is actually 5 percent less than the daily average for October 2021. Added together, the world’s internet users will spend roughly 1.4 billion years of combined human existence online in 2022.

Economy & Finance
1 of 55
Ch 2: Hacking the Cellular Network CNIT 128: Hacking Mobile Devices
Basics
GSM/CDMA • We'll start with a standard carrier network using – Global System for Mobile (GSM), or – Code Division Multiple Access (CDMA) • With these functions – Phone calls – Text messages via Short Message Service (SMS) – Multimedia Messaging Service (MMS) – Data connectivity via IP
Basic Cellular Network Functionality
Interoperability • Different carriers and connection methods can connect to one another seamlessly • A GSM phone can text or call a CDMA phone
Functions to Target • All major cellular networks support – Voice calls – Voice mail (VM) – Short Message Service (SMS) – Location-based Services (LBS) – IP Connectivity • Most also support – Binary configuration messages – Multimedia messages (MMS) – Faxing
Players • Customer is on the left – Known as Mobile Terminals (MTs) in GSM • Connect to antennas – Called Base Transceiver Stations (BTS) – The connection from a mobile device to a BTS is called an Um (U-channel mobile)
Players • Each BTS connects to a base station – A rack of equipment that takes the signals the antenna receives and converts them to digital packetized data – Base station has two components • Base Station Controller (BSC) for voice and control • Packet Control Unit (PCU) for forwarding IP packets and managing mobile IP
Players • Base Station Subsystem (BSS) – Includes BTS, BSC, and PCU – Can be owned by people who are not part of a large carrier
Voice Calls • Time Division Multiplexing (TDM) – Tried-and-true method for dividing radio capacity among many devices • Time Division Multiple Access (TDMA) – Each device gets time slots – Very successful for slow and medium bit rates – Devices 1, 2, and 3 might get these time slots 1 2 3 1 2 3
Control Channels • Traffic channels – Carry voice data • Control channels – Manage association, usage, handoff, and disconnection • Cell phone jammer – A loud, badly tuned, transmitter – Easy to build – Illegal
The Broadcast Control Channel: Learning About the Network • When a device first turns on, it listens on standard frequencies • First thing it hears will be BCCH (Broadcast Control Channel) – Allows the device to synchronize and understand which network it is attaching to – Features of the network the BTS (Base Transceiver Station) is serving
RACH (Random Access Channel) • The mobile device then knows how to access the RACH – The first step in a GSM handshake – How the mobile asks for information – Mobile sends a cannel request via the RACH – BTS tries to service the request
Standalone Dedicated Control Channel (SDDCH) & Access Granted Channel (AGCH) • If the BTS has slots available, it assigns a control channel, called the Standalone Dedicated Control Channel (SDDCH) to the mobile device • The BTS tells the mobile about this assignment via the Access Granted Channel (AGCH) • Once the mobile has received a SDCCH, it's a member of the network and can request a location update
Location Update • Mobile device is telling the GSM network waat area it's in • Requires authentication with the network • Informs the Home Location Register (HLR) – Database of subscriber information • Of the mobile's geographic area – Hence, which Mobile Switching Center (MSC) a device is located within
Sleep • Once a mobile device has performed a location update • The BSC tells the mobile to go to sleep – By deallocating the SDCCH • This maximizes reuse and capacity in dense cells
Authentication and A5/1, CAVE, and AKA • A5/* ciphers are used in GSM networks – Crackable – see link Ch 2a • CAVE and AKA are used in CDMA
Voicemail • Trivial hack: default password – Enough to make a world of trouble for Rupert Murdoch • Many carriers use IP-based voicemail – Using IMAP servers (originally designed for email)
Short Message Service (SMS) • Sent via control channel • An SMS flood could DoS voice service for a whole city from a single attacking device – Link Ch 2b2
SMS Channels • SMS messages are delivered over either – SDCCH when a user is not on a call – or the Slow Associated Control Channel (SACCH) if the user is talking at the time • Reasonably achievable SMS floods wouldn't stop voice calls in practice
SMS Service Center (SMSC) • SMSCs carry most of the SMS messages when SMS message storm happens • It's the hardest working piece of equipment in modern cellular provider networks
Other Uses for SMS Messages • Java implemented per-application messaging using • Java Mobile Information Device Profile (MIDP) and Connected Limited Device Configuration (CLDC), which use a • User Data Header (UDH) specifying a port to send the message to – Ports are not UDP or TCP ports, but similar
Other SMS Messages • SMS is used not just between users • But between network elements, like configuration servers • For peer-to-peer Java apps • UDH features
SMS Lacks Security Controls • SMS messages have – No authentication – No integrity checking – No confidentiality • So apps shouldn't trust what they get too much
SMS Origin Spoofing • iOS displays the number in the "reply-to" field in the SMS header as the origin of an SMS message – Instead of the actual origin number • So it's easy to send SMS messages that appear to come from someone else – Link Ch 2c
Fake SMS Messages • On Android, a malicious app can fool your device into displaying a fake SMS message – Link Ch 2d
Attacks and Countermeasures
Hacking Mobile Voicemail • MNOs often configure voicemail accounts insecurely – No authentication required if the user's own phone is used to fetch the messages • With a PBX sever like Asterisk, anyone can easily spoof any caller ID value • All they need is your phone number
Internet Spoofing Services • Link Ch 2f
Countermeasures for Mobile Voicemail Hacks • Set a voicemail password • Configure access so that entering the password is required from all phones, including yours
Rogue Mobile Devices • An evil phone could attack the mobile network (theoretical attack only) • Phone OS is not hard to understand, basically – iOS is BSD – Android is Linux • A modified phone could jam or modify broadcast signals from a BTS – But it would only affect a small area
Rogue Mobile Device Countermeasures • The cellular network is carved up into many small parts • Radio earshot is only a few hundred yards in a city, or a few miles on flat terrain • Just a normal radio jammer would be more effective
Early Rogue Station Attacks • Until recently, carriers assumed that attackers lacked the skill to build a base station, so • Network required authentication from the phone, but • Phone didn't require authentication from the network • So it was simple to emulate a cellular network
Attacking in the 1990s
Base Station Hardware • A normal cell phone could act as a base station with only a software change • A phone in "engineering mode" could sniff radio traffic on all bands at the same time • Packets can be logged via RS232 • You get voice and SMS traffic • Flash phone via USB cable
Legal Warning • This was all fantastically illegal, of course • Wiretapping laws are scary • We will be careful in this class only to capture our own phone signals
Hacking in 2002 • Rhode & Schwartz sold test gear for SMS networks, including BTS emulation • Cost was six figures
Rogue Base Station Countermeasures • It's up to the carriers to authenticate their networks • There's nothing an end-user can do
Rogue Femtocell Attacks • OpenBTS: free software that can be used to make a fake base station for about $1500 in 2009 • Femtocells are even simpler
Femtocell • A tiny box with connectors for antenna, power, and Ethernet • Generic Linux distribution running several specialized apps • Loads a couple of drivers • Includes some simple radios
Femtocell Functions • Control signaling – Call setup and teardown and SMS messaging • Converting normal voice calls into real-time protocol streams • Associated SIP setup • Backhaul link uses IPsec connections to special security gateways on the mobile network operator side
Information Disclosure • Femtocells receive raw secrets used to authenticate devices from carriers • They are encrypted in transit with IPsec, but they are present in the femtocell's software and hardware – Hacking AT&T Femtocell (link Ch 2g) – Hacking a Vodaphone Femtocell (link Ch 2h)
Femtocell Membership • Carriers could limit membership to a few cell phones for a single femtocell • But why not let everyone in? That expands their coverage for free! • But it also means customers are using untrustworthy devices and they have no way to know that
Countermeasures for Rogue Femtocells • Femtocells should be more limited in function • Networks need to authenticate themselves to the handsets reliably • SIP and IPsec allow for strong authentication • We just need new standards that use them
The Brave New World of IP
IMS (IP Multimedia Subsystem) • Carriers are moving to an IP-only system • No more – Packetized voice – Loss of data service while on a phone call – Low-speed data links • Everything will use a baseband that connects to a high-speed IP network
Changes to Services
IMS Architecture
Long-Term Evolution (LTE) • Devices connect via IP networks to services, protected by gateways • As networks move from GSM or CDMA to LTE, these changes occur: – Unified bearer protocol—IP – IMS network can service any IP client, including PC, laptop, tablet, smartphone – All these devices could interoperate and replace one another, someday

Recommended

CNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular networkCNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular network
Sam Bowne
 
694 cellular network
694 cellular network694 cellular network
694 cellular network
Anubha Rai
 
694_CELLULAR_NETWORK.ppt
694_CELLULAR_NETWORK.ppt694_CELLULAR_NETWORK.ppt
694_CELLULAR_NETWORK.ppt
MedabdelhayeMohameds
 
Mobile Handset Cellular Network
Mobile Handset Cellular NetworkMobile Handset Cellular Network
Mobile Handset Cellular Network
YeasirMalik
 
5432_CELLULAR_NETWORK.ppt
5432_CELLULAR_NETWORK.ppt5432_CELLULAR_NETWORK.ppt
5432_CELLULAR_NETWORK.ppt
SanjitKumar96
 
Cellular network
Cellular networkCellular network
Cellular network
NebinNazar1
 
2G_3G_4G_Tutorial.ppt
2G_3G_4G_Tutorial.ppt2G_3G_4G_Tutorial.ppt
2G_3G_4G_Tutorial.ppt
SwathiShetty79
 
1cellulñar network
1cellulñar network1cellulñar network
1cellulñar network
Emiii
 

Recommended

CNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular networkCNIT 128 Ch 2: Hacking the cellular network
CNIT 128 Ch 2: Hacking the cellular network
Sam Bowne
 
694 cellular network
694 cellular network694 cellular network
694 cellular network
Anubha Rai
 
694_CELLULAR_NETWORK.ppt
694_CELLULAR_NETWORK.ppt694_CELLULAR_NETWORK.ppt
694_CELLULAR_NETWORK.ppt
MedabdelhayeMohameds
 
Mobile Handset Cellular Network
Mobile Handset Cellular NetworkMobile Handset Cellular Network
Mobile Handset Cellular Network
YeasirMalik
 
5432_CELLULAR_NETWORK.ppt
5432_CELLULAR_NETWORK.ppt5432_CELLULAR_NETWORK.ppt
5432_CELLULAR_NETWORK.ppt
SanjitKumar96
 
Cellular network
Cellular networkCellular network
Cellular network
NebinNazar1
 
2G_3G_4G_Tutorial.ppt
2G_3G_4G_Tutorial.ppt2G_3G_4G_Tutorial.ppt
2G_3G_4G_Tutorial.ppt
SwathiShetty79
 
1cellulñar network
1cellulñar network1cellulñar network
1cellulñar network
Emiii
 
5432 cellular network
5432 cellular network5432 cellular network
5432 cellular network
Raafat younis
 
5432 cellular network
5432 cellular network5432 cellular network
5432 cellular network
Bikash Dash
 
cellular networks
cellular networks cellular networks
cellular networks
korevinaykumar
 
2 g 3g_4g_tutorial
2 g 3g_4g_tutorial2 g 3g_4g_tutorial
2 g 3g_4g_tutorial
nithyasukumar05
 
Telecom journey tutorial
Telecom journey tutorialTelecom journey tutorial
Telecom journey tutorial
Ravikant Sharma
 
Cellular network
Cellular networkCellular network
Cellular network
Aman Niranjan
 
mkkk
mkkkmkkk
mkkk
mayurparmarMK
 
MK by Mobile Communication
MK by Mobile Communication MK by Mobile Communication
MK by Mobile Communication
mayurparmarMK
 
Lectures on 2 g,3g,3.5g,4g
Lectures on 2 g,3g,3.5g,4gLectures on 2 g,3g,3.5g,4g
Lectures on 2 g,3g,3.5g,4g
ProfArshadAbbas
 
Lectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas Khan
Lectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas KhanLectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas Khan
Lectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas Khan
ProfArshadAbbas
 
GSM Part-20
GSM Part-20GSM Part-20
GSM Part-20
Techvilla
 
Mobile wireles-computing
Mobile wireles-computingMobile wireles-computing
Mobile wireles-computing
Luthfi Prayoga
 
gsm
gsmgsm
gsm
Abhilasha Jain
 
Gsm introduction
Gsm introductionGsm introduction
Gsm introduction
sksaad
 
2 g 3g_4g - brief
2 g 3g_4g - brief2 g 3g_4g - brief
2 g 3g_4g - brief
QuangMan2
 
Class 1
Class 1Class 1
Class 1
5strikers
 
Mobile Handset cellular network Telecommunication
Mobile Handset cellular network TelecommunicationMobile Handset cellular network Telecommunication
Mobile Handset cellular network Telecommunication
shaynetk203
 
GSM
GSM GSM
GSM
deivanayagamramachan
 
Global System For Mobile Communication by Ummer &Maroof
Global System For Mobile Communication by Ummer &MaroofGlobal System For Mobile Communication by Ummer &Maroof
Global System For Mobile Communication by Ummer &Maroof
Ummer Rashid Dar
 
Global system for mobile communcation by Maroof and Ummer
Global system for mobile communcation by Maroof and Ummer Global system for mobile communcation by Maroof and Ummer
Global system for mobile communcation by Maroof and Ummer
MaroofMtechECE
 
aphy.pptx
aphy.pptxaphy.pptx
aphy.pptx
HiraAshfaqSubhan
 
2009-06-30.ppt
2009-06-30.ppt2009-06-30.ppt
2009-06-30.ppt
HiraAshfaqSubhan
 

More Related Content

Similar to 128-ch2.pptx

5432 cellular network
5432 cellular network5432 cellular network
5432 cellular network
Raafat younis
 
5432 cellular network
5432 cellular network5432 cellular network
5432 cellular network
Bikash Dash
 
cellular networks
cellular networks cellular networks
cellular networks
korevinaykumar
 
2 g 3g_4g_tutorial
2 g 3g_4g_tutorial2 g 3g_4g_tutorial
2 g 3g_4g_tutorial
nithyasukumar05
 
Telecom journey tutorial
Telecom journey tutorialTelecom journey tutorial
Telecom journey tutorial
Ravikant Sharma
 
Cellular network
Cellular networkCellular network
Cellular network
Aman Niranjan
 
mkkk
mkkkmkkk
mkkk
mayurparmarMK
 
MK by Mobile Communication
MK by Mobile Communication MK by Mobile Communication
MK by Mobile Communication
mayurparmarMK
 
Lectures on 2 g,3g,3.5g,4g
Lectures on 2 g,3g,3.5g,4gLectures on 2 g,3g,3.5g,4g
Lectures on 2 g,3g,3.5g,4g
ProfArshadAbbas
 
Lectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas Khan
Lectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas KhanLectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas Khan
Lectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas Khan
ProfArshadAbbas
 
GSM Part-20
GSM Part-20GSM Part-20
GSM Part-20
Techvilla
 
Mobile wireles-computing
Mobile wireles-computingMobile wireles-computing
Mobile wireles-computing
Luthfi Prayoga
 
gsm
gsmgsm
gsm
Abhilasha Jain
 
Gsm introduction
Gsm introductionGsm introduction
Gsm introduction
sksaad
 
2 g 3g_4g - brief
2 g 3g_4g - brief2 g 3g_4g - brief
2 g 3g_4g - brief
QuangMan2
 
Class 1
Class 1Class 1
Class 1
5strikers
 
Mobile Handset cellular network Telecommunication
Mobile Handset cellular network TelecommunicationMobile Handset cellular network Telecommunication
Mobile Handset cellular network Telecommunication
shaynetk203
 
GSM
GSM GSM
GSM
deivanayagamramachan
 
Global System For Mobile Communication by Ummer &Maroof
Global System For Mobile Communication by Ummer &MaroofGlobal System For Mobile Communication by Ummer &Maroof
Global System For Mobile Communication by Ummer &Maroof
Ummer Rashid Dar
 
Global system for mobile communcation by Maroof and Ummer
Global system for mobile communcation by Maroof and Ummer Global system for mobile communcation by Maroof and Ummer
Global system for mobile communcation by Maroof and Ummer
MaroofMtechECE
 

Similar to 128-ch2.pptx (20)

5432 cellular network
5432 cellular network5432 cellular network
5432 cellular network
 
5432 cellular network
5432 cellular network5432 cellular network
5432 cellular network
 
cellular networks
cellular networks cellular networks
cellular networks
 
2 g 3g_4g_tutorial
2 g 3g_4g_tutorial2 g 3g_4g_tutorial
2 g 3g_4g_tutorial
 
Telecom journey tutorial
Telecom journey tutorialTelecom journey tutorial
Telecom journey tutorial
 
Cellular network
Cellular networkCellular network
Cellular network
 
mkkk
mkkkmkkk
mkkk
 
MK by Mobile Communication
MK by Mobile Communication MK by Mobile Communication
MK by Mobile Communication
 
Lectures on 2 g,3g,3.5g,4g
Lectures on 2 g,3g,3.5g,4gLectures on 2 g,3g,3.5g,4g
Lectures on 2 g,3g,3.5g,4g
 
Lectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas Khan
Lectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas KhanLectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas Khan
Lectures on 2 g,3g,3.5g,4g By Professor Dr Arshad Abbas Khan
 
GSM Part-20
GSM Part-20GSM Part-20
GSM Part-20
 
Mobile wireles-computing
Mobile wireles-computingMobile wireles-computing
Mobile wireles-computing
 
gsm
gsmgsm
gsm
 
Gsm introduction
Gsm introductionGsm introduction
Gsm introduction
 
2 g 3g_4g - brief
2 g 3g_4g - brief2 g 3g_4g - brief
2 g 3g_4g - brief
 
Class 1
Class 1Class 1
Class 1
 
Mobile Handset cellular network Telecommunication
Mobile Handset cellular network TelecommunicationMobile Handset cellular network Telecommunication
Mobile Handset cellular network Telecommunication
 
GSM
GSM GSM
GSM
 
Global System For Mobile Communication by Ummer &Maroof
Global System For Mobile Communication by Ummer &MaroofGlobal System For Mobile Communication by Ummer &Maroof
Global System For Mobile Communication by Ummer &Maroof
 
Global system for mobile communcation by Maroof and Ummer
Global system for mobile communcation by Maroof and Ummer Global system for mobile communcation by Maroof and Ummer
Global system for mobile communcation by Maroof and Ummer
 

More from HiraAshfaqSubhan

aphy.pptx
aphy.pptxaphy.pptx
aphy.pptx
HiraAshfaqSubhan
 
2009-06-30.ppt
2009-06-30.ppt2009-06-30.ppt
2009-06-30.ppt
HiraAshfaqSubhan
 
Gantt.pptx
Gantt.pptxGantt.pptx
Gantt.pptx
HiraAshfaqSubhan
 
rytew.ppt
rytew.pptrytew.ppt
rytew.ppt
HiraAshfaqSubhan
 
xxx.ppt
xxx.pptxxx.ppt
xxx.ppt
HiraAshfaqSubhan
 
PPT MAATEN.ppt
PPT MAATEN.pptPPT MAATEN.ppt
PPT MAATEN.ppt
HiraAshfaqSubhan
 

More from HiraAshfaqSubhan (6)

aphy.pptx
aphy.pptxaphy.pptx
aphy.pptx
 
2009-06-30.ppt
2009-06-30.ppt2009-06-30.ppt
2009-06-30.ppt
 
Gantt.pptx
Gantt.pptxGantt.pptx
Gantt.pptx
 
rytew.ppt
rytew.pptrytew.ppt
rytew.ppt
 
xxx.ppt
xxx.pptxxx.ppt
xxx.ppt
 
PPT MAATEN.ppt
PPT MAATEN.pptPPT MAATEN.ppt
PPT MAATEN.ppt
 

Recently uploaded

BONKMILLON Unleashes Its Bonkers Potential on Solana.pdf
BONKMILLON Unleashes Its Bonkers Potential on Solana.pdfBONKMILLON Unleashes Its Bonkers Potential on Solana.pdf
BONKMILLON Unleashes Its Bonkers Potential on Solana.pdf
coingabbar
 
Instant Issue Debit Cards - High School Spirit
Instant Issue Debit Cards - High School SpiritInstant Issue Debit Cards - High School Spirit
Instant Issue Debit Cards - High School Spirit
egoetzinger
 
Earn a passive income with prosocial investing
Earn a passive income with prosocial investingEarn a passive income with prosocial investing
Earn a passive income with prosocial investing
Colin R. Turner
 
This assessment plan proposal is to outline a structured approach to evaluati...
This assessment plan proposal is to outline a structured approach to evaluati...This assessment plan proposal is to outline a structured approach to evaluati...
This assessment plan proposal is to outline a structured approach to evaluati...
lamluanvan.net Viết thuê luận văn
 
Financial Assets: Debit vs Equity Securities.pptx
Financial Assets: Debit vs Equity Securities.pptxFinancial Assets: Debit vs Equity Securities.pptx
Financial Assets: Debit vs Equity Securities.pptx
Writo-Finance
 
1. Elemental Economics - Introduction to mining.pdf
1. Elemental Economics - Introduction to mining.pdf1. Elemental Economics - Introduction to mining.pdf
1. Elemental Economics - Introduction to mining.pdf
Neal Brewster
 
where can I find a legit pi merchant online
where can I find a legit pi merchant onlinewhere can I find a legit pi merchant online
where can I find a legit pi merchant online
DOT TECH
 
Tdasx: Unveiling the Trillion-Dollar Potential of Bitcoin DeFi
Tdasx: Unveiling the Trillion-Dollar Potential of Bitcoin DeFiTdasx: Unveiling the Trillion-Dollar Potential of Bitcoin DeFi
Tdasx: Unveiling the Trillion-Dollar Potential of Bitcoin DeFi
nimaruinazawa258
 
Turin Startup Ecosystem 2024 - Ricerca sulle Startup e il Sistema dell'Innov...
Turin Startup Ecosystem 2024 - Ricerca sulle Startup e il Sistema dell'Innov...Turin Startup Ecosystem 2024 - Ricerca sulle Startup e il Sistema dell'Innov...
Turin Startup Ecosystem 2024 - Ricerca sulle Startup e il Sistema dell'Innov...
Quotidiano Piemontese
 
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
muslimdavidovich670
 
Donald Trump Presentation and his life.pptx
Donald Trump Presentation and his life.pptxDonald Trump Presentation and his life.pptx
Donald Trump Presentation and his life.pptx
SerdarHudaykuliyew
 
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
nexop1
 
What price will pi network be listed on exchanges
What price will pi network be listed on exchangesWhat price will pi network be listed on exchanges
What price will pi network be listed on exchanges
DOT TECH
 
一比一原版(IC毕业证)帝国理工大学毕业证如何办理
一比一原版(IC毕业证)帝国理工大学毕业证如何办理一比一原版(IC毕业证)帝国理工大学毕业证如何办理
一比一原版(IC毕业证)帝国理工大学毕业证如何办理
conose1
 
The Rise of Generative AI in Finance: Reshaping the Industry with Synthetic Data
The Rise of Generative AI in Finance: Reshaping the Industry with Synthetic DataThe Rise of Generative AI in Finance: Reshaping the Industry with Synthetic Data
The Rise of Generative AI in Finance: Reshaping the Industry with Synthetic Data
Champak Jhagmag
 
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
Donc Test
 
Instant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School DesignsInstant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School Designs
egoetzinger
 
快速制作美国迈阿密大学牛津分校毕业证文凭证书英文原版一模一样
快速制作美国迈阿密大学牛津分校毕业证文凭证书英文原版一模一样快速制作美国迈阿密大学牛津分校毕业证文凭证书英文原版一模一样
快速制作美国迈阿密大学牛津分校毕业证文凭证书英文原版一模一样
rlo9fxi
 
SWAIAP Fraud Risk Mitigation Prof Oyedokun.pptx
SWAIAP Fraud Risk Mitigation Prof Oyedokun.pptxSWAIAP Fraud Risk Mitigation Prof Oyedokun.pptx
SWAIAP Fraud Risk Mitigation Prof Oyedokun.pptx
Godwin Emmanuel Oyedokun MBA MSc PhD FCA FCTI FCNA CFE FFAR
 
在线办理(GU毕业证书)美国贡萨加大学毕业证学历证书一模一样
在线办理(GU毕业证书)美国贡萨加大学毕业证学历证书一模一样在线办理(GU毕业证书)美国贡萨加大学毕业证学历证书一模一样
在线办理(GU毕业证书)美国贡萨加大学毕业证学历证书一模一样
5spllj1l
 

Recently uploaded (20)

BONKMILLON Unleashes Its Bonkers Potential on Solana.pdf
BONKMILLON Unleashes Its Bonkers Potential on Solana.pdfBONKMILLON Unleashes Its Bonkers Potential on Solana.pdf
BONKMILLON Unleashes Its Bonkers Potential on Solana.pdf
 
Instant Issue Debit Cards - High School Spirit
Instant Issue Debit Cards - High School SpiritInstant Issue Debit Cards - High School Spirit
Instant Issue Debit Cards - High School Spirit
 
Earn a passive income with prosocial investing
Earn a passive income with prosocial investingEarn a passive income with prosocial investing
Earn a passive income with prosocial investing
 
This assessment plan proposal is to outline a structured approach to evaluati...
This assessment plan proposal is to outline a structured approach to evaluati...This assessment plan proposal is to outline a structured approach to evaluati...
This assessment plan proposal is to outline a structured approach to evaluati...
 
Financial Assets: Debit vs Equity Securities.pptx
Financial Assets: Debit vs Equity Securities.pptxFinancial Assets: Debit vs Equity Securities.pptx
Financial Assets: Debit vs Equity Securities.pptx
 
1. Elemental Economics - Introduction to mining.pdf
1. Elemental Economics - Introduction to mining.pdf1. Elemental Economics - Introduction to mining.pdf
1. Elemental Economics - Introduction to mining.pdf
 
where can I find a legit pi merchant online
where can I find a legit pi merchant onlinewhere can I find a legit pi merchant online
where can I find a legit pi merchant online
 
Tdasx: Unveiling the Trillion-Dollar Potential of Bitcoin DeFi
Tdasx: Unveiling the Trillion-Dollar Potential of Bitcoin DeFiTdasx: Unveiling the Trillion-Dollar Potential of Bitcoin DeFi
Tdasx: Unveiling the Trillion-Dollar Potential of Bitcoin DeFi
 
Turin Startup Ecosystem 2024 - Ricerca sulle Startup e il Sistema dell'Innov...
Turin Startup Ecosystem 2024 - Ricerca sulle Startup e il Sistema dell'Innov...Turin Startup Ecosystem 2024 - Ricerca sulle Startup e il Sistema dell'Innov...
Turin Startup Ecosystem 2024 - Ricerca sulle Startup e il Sistema dell'Innov...
 
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
The WhatsPump Pseudonym Problem and the Hilarious Downfall of Artificial Enga...
 
Donald Trump Presentation and his life.pptx
Donald Trump Presentation and his life.pptxDonald Trump Presentation and his life.pptx
Donald Trump Presentation and his life.pptx
 
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
一比一原版(UoB毕业证)伯明翰大学毕业证如何办理
 
What price will pi network be listed on exchanges
What price will pi network be listed on exchangesWhat price will pi network be listed on exchanges
What price will pi network be listed on exchanges
 
一比一原版(IC毕业证)帝国理工大学毕业证如何办理
一比一原版(IC毕业证)帝国理工大学毕业证如何办理一比一原版(IC毕业证)帝国理工大学毕业证如何办理
一比一原版(IC毕业证)帝国理工大学毕业证如何办理
 
The Rise of Generative AI in Finance: Reshaping the Industry with Synthetic Data
The Rise of Generative AI in Finance: Reshaping the Industry with Synthetic DataThe Rise of Generative AI in Finance: Reshaping the Industry with Synthetic Data
The Rise of Generative AI in Finance: Reshaping the Industry with Synthetic Data
 
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
Solution Manual For Financial Accounting, 8th Canadian Edition 2024, by Libby...
 
Instant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School DesignsInstant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School Designs
 
快速制作美国迈阿密大学牛津分校毕业证文凭证书英文原版一模一样
快速制作美国迈阿密大学牛津分校毕业证文凭证书英文原版一模一样快速制作美国迈阿密大学牛津分校毕业证文凭证书英文原版一模一样
快速制作美国迈阿密大学牛津分校毕业证文凭证书英文原版一模一样
 
SWAIAP Fraud Risk Mitigation Prof Oyedokun.pptx
SWAIAP Fraud Risk Mitigation Prof Oyedokun.pptxSWAIAP Fraud Risk Mitigation Prof Oyedokun.pptx
SWAIAP Fraud Risk Mitigation Prof Oyedokun.pptx
 
在线办理(GU毕业证书)美国贡萨加大学毕业证学历证书一模一样
在线办理(GU毕业证书)美国贡萨加大学毕业证学历证书一模一样在线办理(GU毕业证书)美国贡萨加大学毕业证学历证书一模一样
在线办理(GU毕业证书)美国贡萨加大学毕业证学历证书一模一样
 

128-ch2.pptx

  • 1. Ch 2: Hacking the Cellular Network CNIT 128: Hacking Mobile Devices
  • 3. GSM/CDMA • We'll start with a standard carrier network using – Global System for Mobile (GSM), or – Code Division Multiple Access (CDMA) • With these functions – Phone calls – Text messages via Short Message Service (SMS) – Multimedia Messaging Service (MMS) – Data connectivity via IP
  • 4.
  • 6. Interoperability • Different carriers and connection methods can connect to one another seamlessly • A GSM phone can text or call a CDMA phone
  • 7. Functions to Target • All major cellular networks support – Voice calls – Voice mail (VM) – Short Message Service (SMS) – Location-based Services (LBS) – IP Connectivity • Most also support – Binary configuration messages – Multimedia messages (MMS) – Faxing
  • 8.
  • 9. Players • Customer is on the left – Known as Mobile Terminals (MTs) in GSM • Connect to antennas – Called Base Transceiver Stations (BTS) – The connection from a mobile device to a BTS is called an Um (U-channel mobile)
  • 10. Players • Each BTS connects to a base station – A rack of equipment that takes the signals the antenna receives and converts them to digital packetized data – Base station has two components • Base Station Controller (BSC) for voice and control • Packet Control Unit (PCU) for forwarding IP packets and managing mobile IP
  • 11. Players • Base Station Subsystem (BSS) – Includes BTS, BSC, and PCU – Can be owned by people who are not part of a large carrier
  • 12. Voice Calls • Time Division Multiplexing (TDM) – Tried-and-true method for dividing radio capacity among many devices • Time Division Multiple Access (TDMA) – Each device gets time slots – Very successful for slow and medium bit rates – Devices 1, 2, and 3 might get these time slots 1 2 3 1 2 3
  • 13. Control Channels • Traffic channels – Carry voice data • Control channels – Manage association, usage, handoff, and disconnection • Cell phone jammer – A loud, badly tuned, transmitter – Easy to build – Illegal
  • 14. The Broadcast Control Channel: Learning About the Network • When a device first turns on, it listens on standard frequencies • First thing it hears will be BCCH (Broadcast Control Channel) – Allows the device to synchronize and understand which network it is attaching to – Features of the network the BTS (Base Transceiver Station) is serving
  • 15. RACH (Random Access Channel) • The mobile device then knows how to access the RACH – The first step in a GSM handshake – How the mobile asks for information – Mobile sends a cannel request via the RACH – BTS tries to service the request
  • 16. Standalone Dedicated Control Channel (SDDCH) & Access Granted Channel (AGCH) • If the BTS has slots available, it assigns a control channel, called the Standalone Dedicated Control Channel (SDDCH) to the mobile device • The BTS tells the mobile about this assignment via the Access Granted Channel (AGCH) • Once the mobile has received a SDCCH, it's a member of the network and can request a location update
  • 17.
  • 18. Location Update • Mobile device is telling the GSM network waat area it's in • Requires authentication with the network • Informs the Home Location Register (HLR) – Database of subscriber information • Of the mobile's geographic area – Hence, which Mobile Switching Center (MSC) a device is located within
  • 19. Sleep • Once a mobile device has performed a location update • The BSC tells the mobile to go to sleep – By deallocating the SDCCH • This maximizes reuse and capacity in dense cells
  • 20. Authentication and A5/1, CAVE, and AKA • A5/* ciphers are used in GSM networks – Crackable – see link Ch 2a • CAVE and AKA are used in CDMA
  • 21. Voicemail • Trivial hack: default password – Enough to make a world of trouble for Rupert Murdoch • Many carriers use IP-based voicemail – Using IMAP servers (originally designed for email)
  • 22. Short Message Service (SMS) • Sent via control channel • An SMS flood could DoS voice service for a whole city from a single attacking device – Link Ch 2b2
  • 23. SMS Channels • SMS messages are delivered over either – SDCCH when a user is not on a call – or the Slow Associated Control Channel (SACCH) if the user is talking at the time • Reasonably achievable SMS floods wouldn't stop voice calls in practice
  • 24. SMS Service Center (SMSC) • SMSCs carry most of the SMS messages when SMS message storm happens • It's the hardest working piece of equipment in modern cellular provider networks
  • 25. Other Uses for SMS Messages • Java implemented per-application messaging using • Java Mobile Information Device Profile (MIDP) and Connected Limited Device Configuration (CLDC), which use a • User Data Header (UDH) specifying a port to send the message to – Ports are not UDP or TCP ports, but similar
  • 26. Other SMS Messages • SMS is used not just between users • But between network elements, like configuration servers • For peer-to-peer Java apps • UDH features
  • 27. SMS Lacks Security Controls • SMS messages have – No authentication – No integrity checking – No confidentiality • So apps shouldn't trust what they get too much
  • 28. SMS Origin Spoofing • iOS displays the number in the "reply-to" field in the SMS header as the origin of an SMS message – Instead of the actual origin number • So it's easy to send SMS messages that appear to come from someone else – Link Ch 2c
  • 29. Fake SMS Messages • On Android, a malicious app can fool your device into displaying a fake SMS message – Link Ch 2d
  • 31. Hacking Mobile Voicemail • MNOs often configure voicemail accounts insecurely – No authentication required if the user's own phone is used to fetch the messages • With a PBX sever like Asterisk, anyone can easily spoof any caller ID value • All they need is your phone number
  • 33. Countermeasures for Mobile Voicemail Hacks • Set a voicemail password • Configure access so that entering the password is required from all phones, including yours
  • 34. Rogue Mobile Devices • An evil phone could attack the mobile network (theoretical attack only) • Phone OS is not hard to understand, basically – iOS is BSD – Android is Linux • A modified phone could jam or modify broadcast signals from a BTS – But it would only affect a small area
  • 35. Rogue Mobile Device Countermeasures • The cellular network is carved up into many small parts • Radio earshot is only a few hundred yards in a city, or a few miles on flat terrain • Just a normal radio jammer would be more effective
  • 36. Early Rogue Station Attacks • Until recently, carriers assumed that attackers lacked the skill to build a base station, so • Network required authentication from the phone, but • Phone didn't require authentication from the network • So it was simple to emulate a cellular network
  • 38.
  • 39. Base Station Hardware • A normal cell phone could act as a base station with only a software change • A phone in "engineering mode" could sniff radio traffic on all bands at the same time • Packets can be logged via RS232 • You get voice and SMS traffic • Flash phone via USB cable
  • 40. Legal Warning • This was all fantastically illegal, of course • Wiretapping laws are scary • We will be careful in this class only to capture our own phone signals
  • 41. Hacking in 2002 • Rhode & Schwartz sold test gear for SMS networks, including BTS emulation • Cost was six figures
  • 42. Rogue Base Station Countermeasures • It's up to the carriers to authenticate their networks • There's nothing an end-user can do
  • 43. Rogue Femtocell Attacks • OpenBTS: free software that can be used to make a fake base station for about $1500 in 2009 • Femtocells are even simpler
  • 44.
  • 45. Femtocell • A tiny box with connectors for antenna, power, and Ethernet • Generic Linux distribution running several specialized apps • Loads a couple of drivers • Includes some simple radios
  • 46. Femtocell Functions • Control signaling – Call setup and teardown and SMS messaging • Converting normal voice calls into real-time protocol streams • Associated SIP setup • Backhaul link uses IPsec connections to special security gateways on the mobile network operator side
  • 47. Information Disclosure • Femtocells receive raw secrets used to authenticate devices from carriers • They are encrypted in transit with IPsec, but they are present in the femtocell's software and hardware – Hacking AT&T Femtocell (link Ch 2g) – Hacking a Vodaphone Femtocell (link Ch 2h)
  • 48.
  • 49. Femtocell Membership • Carriers could limit membership to a few cell phones for a single femtocell • But why not let everyone in? That expands their coverage for free! • But it also means customers are using untrustworthy devices and they have no way to know that
  • 50. Countermeasures for Rogue Femtocells • Femtocells should be more limited in function • Networks need to authenticate themselves to the handsets reliably • SIP and IPsec allow for strong authentication • We just need new standards that use them
  • 51. The Brave New World of IP
  • 52. IMS (IP Multimedia Subsystem) • Carriers are moving to an IP-only system • No more – Packetized voice – Loss of data service while on a phone call – Low-speed data links • Everything will use a baseband that connects to a high-speed IP network
  • 55. Long-Term Evolution (LTE) • Devices connect via IP networks to services, protected by gateways • As networks move from GSM or CDMA to LTE, these changes occur: – Unified bearer protocol—IP – IMS network can service any IP client, including PC, laptop, tablet, smartphone – All these devices could interoperate and replace one another, someday