44CON, profile picture
Uploaded by44CON
6,799 views

44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic

The document provides a comprehensive overview of the vulnerabilities and technical aspects of 2.5G GSM networks, including discussions on architecture, signal processing, and security flaws. It highlights various attacks that can be implemented against GSM, the components involved such as SIM cards and base transceiver systems, and tools available for analysis. Key topics include encryption weaknesses, diagnostic tools, and methods for cloning base transceiver stations (BTS) to exploit network vulnerabilities.

Embed presentation

Downloaded 178 times
GreedyBTS – Hacking Adventures in GSM
GreedyBTS – Hacking Adventures in GSM Agenda • Who am I? • Technical overview of 2.5G environments • Cellular environment diagnosAcs and tools • Security vulnerabiliAes in GSM • CreaAng an open-­‐source 2.5G simulaAon environment for analysis. • ImplementaAons of GSM aOacks • Demo © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview IntroducAon to GSM • June 2008 – 2.9 BILLION © 2014 MDSec ConsulAng Ltd. All rights reserved. subscribers use GSM. • Replaced Analogue “Total Access CommunicaAon System” in the UK. (TACS) • GSM is a European Wide Standard started in 1982 by Groupe Spécial Mobile. • Digital standard with new Security aOempAng to address losses due to Fraud. • GPRS created to work with GSM and address data needs, 2.5G. • UMTS and LTE, 3rd and 4th generaAon networks have arrived – 2.5G sAll here. • How vulnerable are 2.5G networks & GSM communicaAons today?
2.5G Technical Overview GSM Architecture • Mobile StaAon is your phone. • BSS provides the air interface between network & phone. • Network Switching subsystem provides authenAcaAon, idenAty, billing and more. • The architecture shown is a typical 2G GSM environment. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview Mobile StaAon (MS). • InternaAonal mobile staAon equipment idenAty (IMEI) • Contains uniquely idenAfiable informaAon on device. • SIM card contains subscriber informaAon. • InternaAonal mobile subscriber idenAty (IMSI). • Mobile Country Code – MCC -­‐ 3 digits. • Mobile Network Code – MNC – 2 digits. • Mobile Subscriber IdenAficaAon Number – MSIN – (max 10). • SIM card also holds encrypAon keys. • Your phone contains a baseband processor and RTOS used by GSM. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview What is a SIM card? • Described in GSM 11.14. • Subscriber IdenAty Module. • Stores the IMSI and Ki key. • Ki key needed for network authenAcaAon & Air encrypAon. • Programmable card can be used which has a writeable Ki key. • GSM test cards with a writeable Ki key can be bought online. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview ISO7816 & SIM Toolkit • ISO7816 defines a physical smart card standard. • SIM ApplicaAon Toolkit (STK) is implemented by GSM smart cards. • GSM applicaAon provides authenAcaAon APDU's. • COMP128v1 is an encrypAon algorithm that was found to be flawed. • A “stop” condiAon was found that allows Ki to be brute forced. • COMP128v1 aOack takes 12-­‐24 hours and requires physical card. • COMP128v3 is used more widely today and COMP128v1 is rare. • Chinese vendors sell cheap COMP128v1 mulA-­‐SIM cards & cloner. • SIM Trace hOp://bb.osmocom.org/trac/wiki/SIMtrace • For more informaAon on SIM aOacks THC have a SIM Toolkit Research Group project that contains a lot more informaAon! © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview What’s a Base Transceiver System (BTS)? • TransmiOer and receiver equipment, such as antennas and amplifiers. • Has components for doing digital signal processing (DSP). • Contains funcAons for Radio Resource management. • Provides the air (UM) interface to a MS. • This is part of a typical “cell tower” that is used by GSM. • BTS provides the radio signalling between a network and phone. • Base StaAon Subsystem (BSS) has addiAonal component Base StaAon Controller that provides logic & intelligence. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview Radio & Cellular? • The spectrum is divided into uplink/downlink “channels”. • GSM uses Absolute Radio Frequency Channel Number (ARFCN). • Cellular Network means channels can be re-­‐used within different spaAal areas. • This is how a small number of frequencies can provide a naAonal network! © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview Physical Interface • Waterfall views of GSM ARFCN downlink (leq) and uplink (right). • ARFCN is 200kHz channel and this is divided into TDMA slots. • Five different types of “bursts” are modulated within. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview Radio & Cellular? • GSM communicates using Time Division MulAple Access / Frequency Division MulAple Access (TDMA/ FDMA) principles. • Space Division MulAple Access gives the cellular concept. • Traffic transmiOed as “bursts”. • Radio modulaAon is using Gaussian Minimum Shiq Keying (GMSK). • GMSK is variant of frequency shiq keying (FSK) designed to reduce bandwidth, minimum shiq keying (MSK) with further Gaussian bandpass (GMSK). © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview Network Switching Subsystem • The GSM core network components usually not visible to aOacker. • Mobile Switching Centre (MSC). • Home Locality Registrar (HLR). • Visitor Locality Registrar (VLR). • Equipment IdenAty Registrar (EIR). • These are components or databases that handle subscribers informaAon, IMSI/ encrypAon keys and perform processes like billing. • Also where the call switching and rouAng takes place and connecAng to other networks e.g. PSTN. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview GSM Logical Channels • GSM implements logical channels to allow for signalling between handset and network. • There is a defined Traffic Channel (TCH) – Full-­‐rate and Half-­‐rate channels are available as TCH/F (Bm), TCH/H (Lm). • There are Signalling channels (Dm). • Many exploitable weaknesses in GSM are due to “in-­‐band” signalling. • This same class of vulnerability is what allows phreaker “blue boxes” to funcAon and responsible for “format string aOacks.” – where management capability is accessible it has potenAal for subverAng. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview Broadcast Channel (BCH) • The BCH is used by a MS to synchronize it’s oscillator and frequency with the BTS. • The BCH consists of sub-­‐channels that assist with this process. • Broadcast Control -­‐ BCCH • Frequency CorrecAon -­‐ FCCH • SynchronizaAon – SCH • The channels are used during the preliminary stages of a MS being powered on and are integral part of “geung a signal”. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview Common Control Channel -­‐ CCCH • The CCCH is used by MS and BTS for communicaAng requests for resources with network and handset such as when a call aOempt is placed. • Random Access Channel -­‐ RACH • Access Grant Channel -­‐ AGCH • Paging Channel -­‐ PCH • NoAficaAon Channel – NCH • Temporary Mobile Subscriber IdenAty (TMSI) is used to help prevent tracking of a GSM user, can be frequently changed and has a lifeAme limit. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview Dedicated Control Channels -­‐ DCCH • The DCCH and it’s associated sub-­‐channels perform authenAcaAon requests, cipher selecAon & signalling of call compleAon. • Standalone dedicated control -­‐ SDCCH • Slow associated control -­‐ SACCH • Fast associated control – FACCH • Summary of the three control channels and purpose of each. • AOacker could exploit GSM signalling weaknesses to access subscriber mobile usage. We will look at this in more detail. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview What about Over-­‐the-­‐Air EncrypAon? • Several over-­‐the-­‐air (OTA) encrypAon algorithms exist. These are used to encrypt *some* of the GSM logical channels data (such as TCH). • A5/1 – publicly broken, rainbow tables exist. • A5/2 – offers no real security. • A5/3 – KASUMI Cipher, although some man-­‐in-­‐the-­‐middle aOacks are known – it has not yet been publicly broken in GSM. • A3/A8 -­‐ used during the authenAcaAon process. • AOacker can aOempt to “passively” analyse traffic looking for weak encrypAon or perform man-­‐in-­‐the-­‐middle aOacks against subscriber MS and BTS. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G Technical Overview General Packet Radio Service • Uses exisAng GSM concepts, e.g. Ameslots. • Introduces “Subscriber GPRS Service Node” (SGSN) and “Gateway GPRS Service Node” (GGSN). • Adds Packet Control Unit to BSS. • Data is sent in PCU frames. • Introduces a new Radio Resource (RR) protocol. • Radio Link Control (RLC) / Media Access Control (MAC) © 2014 MDSec ConsulAng Ltd. All rights reserved.
Cell DiagnosAcs & Tools Nokia NetMonitor • Nokia shipped diagnosAc tool in early phones. • Can be enabled on phone such as 3310 using cable • Provides a cellular diagnosAc tool! • ARFCN idenAficaAon! • Signalling channel display! • Uplink Traffic capture! • Very cool “feature” of Nokia ;) © 2014 MDSec ConsulAng Ltd. All rights reserved.
Cell DiagnosAcs & Tools Dedicated Test Hardware • eBay is your friend. • GSM tesAng hardware prices vary wildly. • Open-­‐source tools are now more flexible. • GSM tesAng hardware is oqen not very featured. • The price of dedicated hardware can be very high. • Vendors oqen not forthcoming with help. © 2014 MDSec ConsulAng Ltd. All rights reserved.
Cell DiagnosAcs & Tools Osmocom-­‐bb & GNU/Plot • Osmocom-­‐bb allows you to write tools for MS baseband. • Lots of useful diagnosAcs already available in the public repository. • You can extend the code to visually represent the GSM spectrum or perform more detailed analysis of a GSM cell tower. • Requires a <£30 phone to use. © 2014 MDSec ConsulAng Ltd. All rights reserved.
Cell DiagnosAcs & Tools GSMTAP • Useful to debug the radio interface. • GSMTAP encapsulates RF informaAon and transmits it in a UDP encapsulated packet. • This allows us to see the Um interface traffic from a BTS or MS of downlink and uplink. • Extremely useful capability when analysing GSM. © 2014 MDSec ConsulAng Ltd. All rights reserved.
Cell DiagnosAcs & Tools AirProbe & Sniffing • GNU/Radio is used to capture the RF of a GSM ARFCN. • GSM receiver and toolkit exists for doing capture of GSM bursts & decoding of the data. • £20< RTLSDR dongles can be used to capture GSM traffic. • Purely passive analysis allows for idenAficaAon of call requests. TCH channel should use encrypAon. • Kraken tool can decrypt A5/1 on TCH, requires 1.6TB rainbow tables. • Wireshark can parse the GSMTAP output and sniff the air interface. © 2014 MDSec ConsulAng Ltd. All rights reserved.
GSM Security MS Power-­‐On Process • MS starts a search for BCCH carriers performing RSSI measurements. • Aqer idenAfying the BCCH, the phone probes for presence of FCCH. • The phone “syncs” and obtains informaAon about the BTS it has idenAfied. • The phone now knows to monitor “neighbour cells” it has decoded from the transmission. • This process is what is exploited by IMSI capture devices and fake BTS aOack tools. © 2014 MDSec ConsulAng Ltd. All rights reserved.
GSM Security IMSI Capture & DetecAon • During a Public Land Network Mobile (PLNM) Search(PLNMS) this is trivial. Only performed during MS Power-­‐on & if no service can be found. • MS has path loss criterion C1 and reselecAon criterion C2. These are dynamic variables used by the phone to determine if a “neighbour cell” has beOer radio condiAons. These variables are taken dynamically and frequently. • ManipulaAng C1 and C2 can force an MS to join our BTS without requiring the phone to perform a PLMNS. • The network can also request an IMEI during this update locaAon request. © 2014 MDSec ConsulAng Ltd. All rights reserved.
GSM Security IMEI & Device Fingerprint IMEI TAC TAC (FAC) Serial (Luhn Checksum) IMEI 013035 00 561434 0 • IMEI AA BB BB BB CC CC CC D or EE contains Type AllocaAon Code (TAC), serial number and checksum. • TAC starts with two digit ReporAng Body IdenAfier (RBI), determines country. • Remaining six digits of TAC idenAfy vendor who produced the device. • RBI: 01 Org: PTCRB Country: United States • TAC: 01303500 Manufacturer: Apple Model: iPhone 4S model MD239B/A © 2014 MDSec ConsulAng Ltd. All rights reserved.
GSM Security LocaAon Update Request © 2014 MDSec ConsulAng Ltd. All rights reserved.
GSM Security Clone a BTS • AOacker needs to simulate condiAon to enAce MS to fake BTS. • Locates the MCC / MNC of target phone provider or roaming agreement. • IdenAfies the Neighbor ARFCN for target MS by performing PLMN locally. • Creates a BTS using the MCC, MNC, ARFCN, LAC and any other parameters to match a weak signal ARFCN BTS to reduce interference. • This will create an environment where target in close physical proximity to the BTS will trigger cell re-­‐selecAon as MS sees a beOer RF environment. • Cell diagnosAcs tools need to be used to obtain this data for aOacker to use. © 2014 MDSec ConsulAng Ltd. All rights reserved.
GSM Security Clone a BTS • Osmocom-­‐BB is very versaAle, GNU/Radio or gsm-­‐receiver tool could also be used. Osmocom-­‐BB mobile includes “monitor” command that provides RSSI monitoring of current and Neighbor ARFCN. © 2014 MDSec ConsulAng Ltd. All rights reserved.
GSM Security RACH & TMSI Paging AOacks • Random Access requests have a finite resource. • AOacker can conAnually request resources via RACH prevenAng users being able to place new calls once all available resources are consumed. • TMSI is vulnerable to a race condiAon when the BTS is paging, aOacker can answer all pages prevenAng legiAmate communicaAon. • An aOacker responds to pages made by the BTS to idenAfy a parAcular phone causing the original request to be unanswered. • Both aOacks can be implemented in osmocom-­‐bb. • Both aOacks could be used to perform a “DoS” of a BTS. © 2014 MDSec ConsulAng Ltd. All rights reserved.
GSM Security Downgrade & Jamming • LTE, UMTS and GSM can be “jammed” to downgrade/force connecAons. • Overpower the analogue components of a radio with a stronger signal. • Asian devices are oqen mulA-­‐band 1-­‐10WaO radios and go against EMC. • Protocols aOempt to address “noise” or “sawtooth” jamming. • None suitable for researchers or tesAng. • Effect can be simulated by disabling 4G/3G. • Wireless & Telegraphy Act in UK forbids use. © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G SimulaAon OpenBTS -­‐ Architecture © 2014 MDSec ConsulAng Ltd. All rights reserved.
ImplementaAon GreedyBTS – USRP E100 • GumsAx Overo (computer-­‐on-­‐module) • TI OMAP-­‐3 SoC ARM Cortex-­‐A8 • C64 DSP • Xilinx Spartan 3A-­‐DSP 1800 FPGA • SBX (400Mhz – 4.4Ghz) 100 mW • GPSDO Kit –or-­‐ Clock Tamer • EOus provide Angstrom Linux Image (e1xx-­‐003) with GNU/Radio 3.6.4.1 © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G SimulaAon EMC & Shielding TX 50 Ω (ohm) load & RX 900Mhz omnidirecAonal antenna. Spectrum Analyser inside and outside enclosure (use a second SDR!) © 2014 MDSec ConsulAng Ltd. All rights reserved.
2.5G SimulaAon EMC & Shielding © 2014 MDSec ConsulAng Ltd. All rights reserved.
ImplementaAon GreedyBTS – E100 firmware • Spent a lot of Ame trying to build Angstrom for USRP E-­‐1xx from scratch with limited success. • Used EOus E1xx_3 firmware, cross-­‐compiled new Kernel (no ne}ilter support or IP forwarding) and built packages from source with addiAonal opAons such as ODBC and SQLite support. • OpenBTS 5.0 and OpenBTS 2.8 (with mini-­‐SGSN GPRS support) both installed. • OpenBTS transceiver applicaAon has been broken for E1xx, modified for 5.0. • I made minor patches to OpenBTS for more stealth operaAon (i.e. no welcome messages), increased logging in L3 Mobility Management events and disable SGSN firewalling for GPRS aOacks. • Asterisk configured with real-­‐Ame SQLite support and automaAc logging via monitor(). • Console interface script for interacAng with components and BTS. • Integrated DB for IMEI fingerprinAng (50000+ devices) & MCC/MNC search. © 2014 MDSec ConsulAng Ltd. All rights reserved.
ImplementaAon GreedyBTS – E100 firmware © 2014 MDSec ConsulAng Ltd. All rights reserved.
ImplementaAon GreedyBTS -­‐ Features • Useful events are sent to “greedyBTS.log” for logging and use by console app. • Can dynamically provision a phone based on regex of IMSI or IMEI. • Use’s real-­‐Ame configuraAon, can be leq to run “headless” in target area. • Useful uAliAes (airprobe, osmo-­‐arfcn, tshark, tcpdump, libpcap) built. • CDR records keep detail of subscriber communicaAon aOempts. • Call content is automaAcally recorded to “call-­‐recordings” directory. • Can use Asterisk for connecAng users to PSTN or amusement. • GPRS is auto-­‐configured, if the BTS has an internet connecAon so does phone. • Example background exploit iPwn aOacks MS over GPRS. • Designed to be used against a specific target (1 or 2 users) in a small geographical area. • Clone the BTS environment of CEO office, enter RegEx of CEO IMEI and wait ;-­‐) • It’s Linux! You can roll your own aOacks / backdoors on-­‐top. © 2014 MDSec ConsulAng Ltd. All rights reserved.
ImplementaAon GreedyBTS -­‐ Features © 2014 MDSec ConsulAng Ltd. All rights reserved.
ImplementaAon GreedyBTS + iPwn • GPRS can be very slow to launch an exploit or extract data! © 2014 MDSec ConsulAng Ltd. All rights reserved.
ImplementaAon Download • You will need an 8GB MicroSD card to install in E100. • Change default root password on login and change SSH keys. • hOps://mega.co.nz/#!hAU2iJyB! GK54dtAxUVXavcZUGPJPDl7X3_OjpnPqs_qSZfc9iwE • 726f9d810aca42ed5ba3034efe6b6a2a © 2014 MDSec ConsulAng Ltd. All rights reserved. greedyBTS-­‐44CON-­‐v1.img.enc • openssl aes-­‐256-­‐cbc -­‐d -­‐in greedyBTS-­‐44CON-­‐v1.img.enc -­‐out greedyBTS-­‐44CON-­‐v1.img (Contact me for password.) • 4667f83fdc4a30245fdcc49946833e5d greedyBTS-­‐44CON-­‐v1.img • dd if=./greedyBTS-­‐44CON-­‐v1.img of=/dev/sdc bs=1024 • Discussed in Feb on OpenBTS / USRP mailing lists, 7:1 GSM researchers mailed in favor of image sharing in a controlled way.
ImplementaAon Example traffic • Interested in GSM? • Here is a PCAP trace of 2.5G environment showing uplink/downlink, two MS devices, SIM APDU informaAon! • Recommend reading a good book and review in wireshark! • hOps://github.com/HackerFantasAc/Public/blob/master/misc/44CON-­‐gsm-­‐ uplink-­‐downlink-­‐sim-­‐example.pcap • BeagleBone Black and NanoBTS/USRP B200/BladeRF could be used in future for cheaper alternaAve! © 2014 MDSec ConsulAng Ltd. All rights reserved.
ImplementaAon Demo © 2014 MDSec ConsulAng Ltd. All rights reserved. Demo.
GreedyBTS – Hacking Adventures in GSM Conclusions • InformaAon sent over your mobile phone may not be as secure as you think. • DetecAon of GSM aOacks is sAll in it’s infancy, some tools are beginning to surface which detect greedyBTS but they will require “acAve” use and aimed at power users. • If you are transmiung sensiAve informaAon such as usernames or passwords consider using a non-­‐wireless technology. • An aOacker can launch aOacks against your mobile device without you being aware using 2.5G, we need baseband security enhancements and access to cell data. © 2014 MDSec ConsulAng Ltd. All rights reserved. E-­‐mail: hackerfantasAc@riseup.net TwiOer: @HackerFantasAc hOps://github.com/hackerfantasAc/public
QuesAons? Thank you for all the hard work done by members of the open-­‐source and security research communiAes in making 2.5G networks more © 2014 MDSec ConsulAng Ltd. All rights reserved. accessible for analysis. TwiOer: @MDSecLabs Blog: hOp://blog.mdsec.co.uk

More Related Content

PPTX
Contention based MAC protocols
byDarwin Nesakumar
 
PPTX
Schedule and Contention based MAC protocols
byDarwin Nesakumar
 
PPS
Ch7
byRonak Patel
 
PPTX
Mobile transport layer .
byjunnubabu
 
PDF
Ns2
byvarsha mohite
 
PDF
Routing Protocols for Wireless Sensor Networks
byDarpan Dekivadiya
 
PDF
MQTT - A practical protocol for the Internet of Things
byBryan Boyd
 
PPTX
Classification of routing protocols
byMenaga Selvaraj
 
Contention based MAC protocols
byDarwin Nesakumar
 
Schedule and Contention based MAC protocols
byDarwin Nesakumar
 
Ch7
byRonak Patel
 
Mobile transport layer .
byjunnubabu
 
Ns2
byvarsha mohite
 
Routing Protocols for Wireless Sensor Networks
byDarpan Dekivadiya
 
MQTT - A practical protocol for the Internet of Things
byBryan Boyd
 
Classification of routing protocols
byMenaga Selvaraj
 

What's hot

PPT
Wireless networking
byMETHODIST COLLEGE OF ENGG & TECH
 
PPTX
SDH presentation
byZohreh Sadeghabadi
 
PPT
Mac adhoc (1)
byhinalala
 
PPT
Wireless Sensor Networks
bySRAVANIP22
 
PPTX
Gsm Protocoles & ProcéDures
byAnouar Loukili
 
PPT
Adhoc and Sensor Networks - Chapter 08
byAli Habeeb
 
PPTX
Energy consumption of wsn
byDeepaDasarathan
 
PPS
Ch6
byRonak Patel
 
PDF
Iot based livestock herd movement tracking system
byAnkhbileg Luvsan
 
PPTX
Computer networks
byTej Kiran
 
PPT
Adhoc and Sensor Networks - Chapter 07
byAli Habeeb
 
PPTX
LEACH Cluster-based Routing Protocol for Wireless Sensor Networks
byUrvashi Khandelwal
 
PPT
RTP.ppt
byVideoguy
 
PPTX
Computer networks - Channelization
byElambaruthi Elambaruthi
 
PPTX
Canbus
bySURYAPRAKASH S
 
PPT
Fisheye State Routing (FSR) - Protocol Overview
byYoav Francis
 
PPTX
Topology control protocols for WSNs challenges and research opportunities, 14...
byMohamed Mostafa
 
PDF
Lecture 05 cmos logic gates
byManipal Institute of Technology
 
PPTX
Zone Routing Protocol
bynitss007
 
PDF
clustering protocol in WSN:LEACH
byJimit Rupani
 
Wireless networking
byMETHODIST COLLEGE OF ENGG & TECH
 
SDH presentation
byZohreh Sadeghabadi
 
Mac adhoc (1)
byhinalala
 
Wireless Sensor Networks
bySRAVANIP22
 
Gsm Protocoles & ProcéDures
byAnouar Loukili
 
Adhoc and Sensor Networks - Chapter 08
byAli Habeeb
 
Energy consumption of wsn
byDeepaDasarathan
 
Ch6
byRonak Patel
 
Iot based livestock herd movement tracking system
byAnkhbileg Luvsan
 
Computer networks
byTej Kiran
 
Adhoc and Sensor Networks - Chapter 07
byAli Habeeb
 
LEACH Cluster-based Routing Protocol for Wireless Sensor Networks
byUrvashi Khandelwal
 
RTP.ppt
byVideoguy
 
Computer networks - Channelization
byElambaruthi Elambaruthi
 
Canbus
bySURYAPRAKASH S
 
Fisheye State Routing (FSR) - Protocol Overview
byYoav Francis
 
Topology control protocols for WSNs challenges and research opportunities, 14...
byMohamed Mostafa
 
Lecture 05 cmos logic gates
byManipal Institute of Technology
 
Zone Routing Protocol
bynitss007
 
clustering protocol in WSN:LEACH
byJimit Rupani
 

Viewers also liked

PPTX
44Con 2014: GreedyBTS - Hacking Adventures in GSM
byiphonepentest
 
PDF
Osmocom
by0xDEADC0DE
 
PDF
Mobile Network Attack Evolution
byPositive Hack Days
 
PDF
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
by44CON
 
PDF
Abusing Calypso Phones
byPositive Hack Days
 
PDF
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
by44CON
 
PDF
GNU Radio for space research
byRustam Akhtyamov
 
PDF
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
by44CON
 
PDF
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
by44CON
 
PPTX
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
by44CON
 
PDF
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
by44CON
 
PDF
44CON London 2015 - reverse reverse engineering
by44CON
 
PPTX
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
by44CON
 
PPTX
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
by44CON
 
PDF
44CON London 2015 - Hunting Asynchronous Vulnerabilities
by44CON
 
PDF
44CON 2014 - Breaking AV Software
by44CON
 
PDF
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
by44CON
 
PPTX
44CON @ IPexpo - You're fighting an APT with what exactly?
by44CON
 
PDF
44CON 2014 - Advanced Excel Hacking, Didier Stevens
by44CON
 
PDF
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
by44CON
 
44Con 2014: GreedyBTS - Hacking Adventures in GSM
byiphonepentest
 
Osmocom
by0xDEADC0DE
 
Mobile Network Attack Evolution
byPositive Hack Days
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
by44CON
 
Abusing Calypso Phones
byPositive Hack Days
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
by44CON
 
GNU Radio for space research
byRustam Akhtyamov
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
by44CON
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
by44CON
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
by44CON
 
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
by44CON
 
44CON London 2015 - reverse reverse engineering
by44CON
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
by44CON
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
by44CON
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
by44CON
 
44CON 2014 - Breaking AV Software
by44CON
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
by44CON
 
44CON @ IPexpo - You're fighting an APT with what exactly?
by44CON
 
44CON 2014 - Advanced Excel Hacking, Didier Stevens
by44CON
 
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
by44CON
 

Similar to 44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic

PPTX
GSM. Global System for Mobile Communication.
byStudent
 
PPTX
GSM CDMA and GPRS
bysuraj1536
 
PPT
Full gsm overview (modified)
byAdvanced group of Institutions
 
PDF
GSM Module
byMohsen Sarakbi
 
PPTX
Mobile phone generations (Protocols, Terminology,interfaces)
byAliVahedifar
 
PPTX
gsm
byAbhilasha Jain
 
PDF
Wandel goltermann gsm
byKamil Koc
 
PDF
Gsm pocket guide (acterna)
byRida098
 
PPTX
wireless cellular network
byMaulik Patel
 
PPT
Modern trends in mobile communication
byLalitha Balasubramanian
 
PPTX
Fourth Generation Technology
bySITHARTH MURUGAIYAN
 
PDF
IT6601 Mobile Computing Unit III
bypkaviya
 
PDF
IT6601 MOBILE COMPUTING
byKathirvel Ayyaswamy
 
PPTX
Gsm
bySaumya Ranjan Behura
 
PPTX
Generations of Telecommunication
byMahmood Showrav
 
PPTX
3G Network architecture and channel.pptx
byMugabo4
 
PPTX
The GSM Technology
byWajahatHussain68
 
PPT
105093_633617613676087500 GSM technology.ppt
byAkbarpashaShaik3
 
PPTX
Mob. comp . prst
byBhanu Pratap
 
PPT
1 g 2g_3g_4g_tutorial
byPreeti Lamba
 
GSM. Global System for Mobile Communication.
byStudent
 
GSM CDMA and GPRS
bysuraj1536
 
Full gsm overview (modified)
byAdvanced group of Institutions
 
GSM Module
byMohsen Sarakbi
 
Mobile phone generations (Protocols, Terminology,interfaces)
byAliVahedifar
 
gsm
byAbhilasha Jain
 
Wandel goltermann gsm
byKamil Koc
 
Gsm pocket guide (acterna)
byRida098
 
wireless cellular network
byMaulik Patel
 
Modern trends in mobile communication
byLalitha Balasubramanian
 
Fourth Generation Technology
bySITHARTH MURUGAIYAN
 
IT6601 Mobile Computing Unit III
bypkaviya
 
IT6601 MOBILE COMPUTING
byKathirvel Ayyaswamy
 
Gsm
bySaumya Ranjan Behura
 
Generations of Telecommunication
byMahmood Showrav
 
3G Network architecture and channel.pptx
byMugabo4
 
The GSM Technology
byWajahatHussain68
 
105093_633617613676087500 GSM technology.ppt
byAkbarpashaShaik3
 
Mob. comp . prst
byBhanu Pratap
 
1 g 2g_3g_4g_tutorial
byPreeti Lamba
 

More from 44CON

PDF
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
by44CON
 
PDF
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
by44CON
 
PDF
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
by44CON
 
PDF
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
by44CON
 
PPTX
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
by44CON
 
PPTX
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
by44CON
 
PPTX
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
by44CON
 
PDF
44CON London 2015 - Software Defined Networking (SDN) Security
by44CON
 
PDF
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
by44CON
 
PDF
44CON London 2015 - Going AUTH the Rails on a Crazy Train
by44CON
 
PDF
Pwning the 44CON Nerf Tank
by44CON
 
PDF
44CON London 2015 - DDoS mitigation EPIC FAIL collection
by44CON
 
PDF
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
by44CON
 
PPTX
44CON London 2015 - How to drive a malware analyst crazy
by44CON
 
PDF
44CON London 2015 - Is there an EFI monster inside your apple?
by44CON
 
PDF
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
by44CON
 
PDF
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
by44CON
 
PPTX
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
by44CON
 
PDF
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
by44CON
 
ODP
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
by44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
by44CON
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
by44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
by44CON
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
by44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
by44CON
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
by44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
by44CON
 
44CON London 2015 - Software Defined Networking (SDN) Security
by44CON
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
by44CON
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
by44CON
 
Pwning the 44CON Nerf Tank
by44CON
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
by44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
by44CON
 
44CON London 2015 - How to drive a malware analyst crazy
by44CON
 
44CON London 2015 - Is there an EFI monster inside your apple?
by44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
by44CON
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
by44CON
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
by44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
by44CON
 
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
by44CON
 

Recently uploaded

PPTX
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
PDF
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PDF
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PDF
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Workshop on Sustaining & Growing Open Source Communities - GAS2025
bySammy Fung
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
API-First Architecture in Financial Systems
bycyy111112
 
Emancipatory Information Retrieval: Radically Reorienting Information Retriev...
byBhaskar Mitra
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Day 3 - Data and Application Security - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Six Shifts For 2026 (And The Next Six Years)
byDavid Armano
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 

44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic

  • 1.
    GreedyBTS – Hacking Adventures in GSM
  • 2.
    GreedyBTS – Hacking Adventures in GSM Agenda • Who am I? • Technical overview of 2.5G environments • Cellular environment diagnosAcs and tools • Security vulnerabiliAes in GSM • CreaAng an open-­‐source 2.5G simulaAon environment for analysis. • ImplementaAons of GSM aOacks • Demo © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 3.
    2.5G Technical Overview IntroducAon to GSM • June 2008 – 2.9 BILLION © 2014 MDSec ConsulAng Ltd. All rights reserved. subscribers use GSM. • Replaced Analogue “Total Access CommunicaAon System” in the UK. (TACS) • GSM is a European Wide Standard started in 1982 by Groupe Spécial Mobile. • Digital standard with new Security aOempAng to address losses due to Fraud. • GPRS created to work with GSM and address data needs, 2.5G. • UMTS and LTE, 3rd and 4th generaAon networks have arrived – 2.5G sAll here. • How vulnerable are 2.5G networks & GSM communicaAons today?
  • 4.
    2.5G Technical Overview GSM Architecture • Mobile StaAon is your phone. • BSS provides the air interface between network & phone. • Network Switching subsystem provides authenAcaAon, idenAty, billing and more. • The architecture shown is a typical 2G GSM environment. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 5.
    2.5G Technical Overview Mobile StaAon (MS). • InternaAonal mobile staAon equipment idenAty (IMEI) • Contains uniquely idenAfiable informaAon on device. • SIM card contains subscriber informaAon. • InternaAonal mobile subscriber idenAty (IMSI). • Mobile Country Code – MCC -­‐ 3 digits. • Mobile Network Code – MNC – 2 digits. • Mobile Subscriber IdenAficaAon Number – MSIN – (max 10). • SIM card also holds encrypAon keys. • Your phone contains a baseband processor and RTOS used by GSM. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 6.
    2.5G Technical Overview What is a SIM card? • Described in GSM 11.14. • Subscriber IdenAty Module. • Stores the IMSI and Ki key. • Ki key needed for network authenAcaAon & Air encrypAon. • Programmable card can be used which has a writeable Ki key. • GSM test cards with a writeable Ki key can be bought online. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 7.
    2.5G Technical Overview ISO7816 & SIM Toolkit • ISO7816 defines a physical smart card standard. • SIM ApplicaAon Toolkit (STK) is implemented by GSM smart cards. • GSM applicaAon provides authenAcaAon APDU's. • COMP128v1 is an encrypAon algorithm that was found to be flawed. • A “stop” condiAon was found that allows Ki to be brute forced. • COMP128v1 aOack takes 12-­‐24 hours and requires physical card. • COMP128v3 is used more widely today and COMP128v1 is rare. • Chinese vendors sell cheap COMP128v1 mulA-­‐SIM cards & cloner. • SIM Trace hOp://bb.osmocom.org/trac/wiki/SIMtrace • For more informaAon on SIM aOacks THC have a SIM Toolkit Research Group project that contains a lot more informaAon! © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 8.
    2.5G Technical Overview What’s a Base Transceiver System (BTS)? • TransmiOer and receiver equipment, such as antennas and amplifiers. • Has components for doing digital signal processing (DSP). • Contains funcAons for Radio Resource management. • Provides the air (UM) interface to a MS. • This is part of a typical “cell tower” that is used by GSM. • BTS provides the radio signalling between a network and phone. • Base StaAon Subsystem (BSS) has addiAonal component Base StaAon Controller that provides logic & intelligence. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 9.
    2.5G Technical Overview Radio & Cellular? • The spectrum is divided into uplink/downlink “channels”. • GSM uses Absolute Radio Frequency Channel Number (ARFCN). • Cellular Network means channels can be re-­‐used within different spaAal areas. • This is how a small number of frequencies can provide a naAonal network! © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 10.
    2.5G Technical Overview Physical Interface • Waterfall views of GSM ARFCN downlink (leq) and uplink (right). • ARFCN is 200kHz channel and this is divided into TDMA slots. • Five different types of “bursts” are modulated within. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 11.
    2.5G Technical Overview Radio & Cellular? • GSM communicates using Time Division MulAple Access / Frequency Division MulAple Access (TDMA/ FDMA) principles. • Space Division MulAple Access gives the cellular concept. • Traffic transmiOed as “bursts”. • Radio modulaAon is using Gaussian Minimum Shiq Keying (GMSK). • GMSK is variant of frequency shiq keying (FSK) designed to reduce bandwidth, minimum shiq keying (MSK) with further Gaussian bandpass (GMSK). © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 12.
    2.5G Technical Overview Network Switching Subsystem • The GSM core network components usually not visible to aOacker. • Mobile Switching Centre (MSC). • Home Locality Registrar (HLR). • Visitor Locality Registrar (VLR). • Equipment IdenAty Registrar (EIR). • These are components or databases that handle subscribers informaAon, IMSI/ encrypAon keys and perform processes like billing. • Also where the call switching and rouAng takes place and connecAng to other networks e.g. PSTN. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 13.
    2.5G Technical Overview GSM Logical Channels • GSM implements logical channels to allow for signalling between handset and network. • There is a defined Traffic Channel (TCH) – Full-­‐rate and Half-­‐rate channels are available as TCH/F (Bm), TCH/H (Lm). • There are Signalling channels (Dm). • Many exploitable weaknesses in GSM are due to “in-­‐band” signalling. • This same class of vulnerability is what allows phreaker “blue boxes” to funcAon and responsible for “format string aOacks.” – where management capability is accessible it has potenAal for subverAng. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 14.
    2.5G Technical Overview Broadcast Channel (BCH) • The BCH is used by a MS to synchronize it’s oscillator and frequency with the BTS. • The BCH consists of sub-­‐channels that assist with this process. • Broadcast Control -­‐ BCCH • Frequency CorrecAon -­‐ FCCH • SynchronizaAon – SCH • The channels are used during the preliminary stages of a MS being powered on and are integral part of “geung a signal”. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 15.
    2.5G Technical Overview Common Control Channel -­‐ CCCH • The CCCH is used by MS and BTS for communicaAng requests for resources with network and handset such as when a call aOempt is placed. • Random Access Channel -­‐ RACH • Access Grant Channel -­‐ AGCH • Paging Channel -­‐ PCH • NoAficaAon Channel – NCH • Temporary Mobile Subscriber IdenAty (TMSI) is used to help prevent tracking of a GSM user, can be frequently changed and has a lifeAme limit. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 16.
    2.5G Technical Overview Dedicated Control Channels -­‐ DCCH • The DCCH and it’s associated sub-­‐channels perform authenAcaAon requests, cipher selecAon & signalling of call compleAon. • Standalone dedicated control -­‐ SDCCH • Slow associated control -­‐ SACCH • Fast associated control – FACCH • Summary of the three control channels and purpose of each. • AOacker could exploit GSM signalling weaknesses to access subscriber mobile usage. We will look at this in more detail. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 17.
    2.5G Technical Overview What about Over-­‐the-­‐Air EncrypAon? • Several over-­‐the-­‐air (OTA) encrypAon algorithms exist. These are used to encrypt *some* of the GSM logical channels data (such as TCH). • A5/1 – publicly broken, rainbow tables exist. • A5/2 – offers no real security. • A5/3 – KASUMI Cipher, although some man-­‐in-­‐the-­‐middle aOacks are known – it has not yet been publicly broken in GSM. • A3/A8 -­‐ used during the authenAcaAon process. • AOacker can aOempt to “passively” analyse traffic looking for weak encrypAon or perform man-­‐in-­‐the-­‐middle aOacks against subscriber MS and BTS. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 18.
    2.5G Technical Overview General Packet Radio Service • Uses exisAng GSM concepts, e.g. Ameslots. • Introduces “Subscriber GPRS Service Node” (SGSN) and “Gateway GPRS Service Node” (GGSN). • Adds Packet Control Unit to BSS. • Data is sent in PCU frames. • Introduces a new Radio Resource (RR) protocol. • Radio Link Control (RLC) / Media Access Control (MAC) © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 19.
    Cell DiagnosAcs & Tools Nokia NetMonitor • Nokia shipped diagnosAc tool in early phones. • Can be enabled on phone such as 3310 using cable • Provides a cellular diagnosAc tool! • ARFCN idenAficaAon! • Signalling channel display! • Uplink Traffic capture! • Very cool “feature” of Nokia ;) © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 20.
    Cell DiagnosAcs & Tools Dedicated Test Hardware • eBay is your friend. • GSM tesAng hardware prices vary wildly. • Open-­‐source tools are now more flexible. • GSM tesAng hardware is oqen not very featured. • The price of dedicated hardware can be very high. • Vendors oqen not forthcoming with help. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 21.
    Cell DiagnosAcs & Tools Osmocom-­‐bb & GNU/Plot • Osmocom-­‐bb allows you to write tools for MS baseband. • Lots of useful diagnosAcs already available in the public repository. • You can extend the code to visually represent the GSM spectrum or perform more detailed analysis of a GSM cell tower. • Requires a <£30 phone to use. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 22.
    Cell DiagnosAcs & Tools GSMTAP • Useful to debug the radio interface. • GSMTAP encapsulates RF informaAon and transmits it in a UDP encapsulated packet. • This allows us to see the Um interface traffic from a BTS or MS of downlink and uplink. • Extremely useful capability when analysing GSM. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 23.
    Cell DiagnosAcs & Tools AirProbe & Sniffing • GNU/Radio is used to capture the RF of a GSM ARFCN. • GSM receiver and toolkit exists for doing capture of GSM bursts & decoding of the data. • £20< RTLSDR dongles can be used to capture GSM traffic. • Purely passive analysis allows for idenAficaAon of call requests. TCH channel should use encrypAon. • Kraken tool can decrypt A5/1 on TCH, requires 1.6TB rainbow tables. • Wireshark can parse the GSMTAP output and sniff the air interface. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 24.
    GSM Security MS Power-­‐On Process • MS starts a search for BCCH carriers performing RSSI measurements. • Aqer idenAfying the BCCH, the phone probes for presence of FCCH. • The phone “syncs” and obtains informaAon about the BTS it has idenAfied. • The phone now knows to monitor “neighbour cells” it has decoded from the transmission. • This process is what is exploited by IMSI capture devices and fake BTS aOack tools. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 25.
    GSM Security IMSI Capture & DetecAon • During a Public Land Network Mobile (PLNM) Search(PLNMS) this is trivial. Only performed during MS Power-­‐on & if no service can be found. • MS has path loss criterion C1 and reselecAon criterion C2. These are dynamic variables used by the phone to determine if a “neighbour cell” has beOer radio condiAons. These variables are taken dynamically and frequently. • ManipulaAng C1 and C2 can force an MS to join our BTS without requiring the phone to perform a PLMNS. • The network can also request an IMEI during this update locaAon request. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 26.
    GSM Security IMEI & Device Fingerprint IMEI TAC TAC (FAC) Serial (Luhn Checksum) IMEI 013035 00 561434 0 • IMEI AA BB BB BB CC CC CC D or EE contains Type AllocaAon Code (TAC), serial number and checksum. • TAC starts with two digit ReporAng Body IdenAfier (RBI), determines country. • Remaining six digits of TAC idenAfy vendor who produced the device. • RBI: 01 Org: PTCRB Country: United States • TAC: 01303500 Manufacturer: Apple Model: iPhone 4S model MD239B/A © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 27.
    GSM Security LocaAon Update Request © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 28.
    GSM Security Clone a BTS • AOacker needs to simulate condiAon to enAce MS to fake BTS. • Locates the MCC / MNC of target phone provider or roaming agreement. • IdenAfies the Neighbor ARFCN for target MS by performing PLMN locally. • Creates a BTS using the MCC, MNC, ARFCN, LAC and any other parameters to match a weak signal ARFCN BTS to reduce interference. • This will create an environment where target in close physical proximity to the BTS will trigger cell re-­‐selecAon as MS sees a beOer RF environment. • Cell diagnosAcs tools need to be used to obtain this data for aOacker to use. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 29.
    GSM Security Clone a BTS • Osmocom-­‐BB is very versaAle, GNU/Radio or gsm-­‐receiver tool could also be used. Osmocom-­‐BB mobile includes “monitor” command that provides RSSI monitoring of current and Neighbor ARFCN. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 30.
    GSM Security RACH & TMSI Paging AOacks • Random Access requests have a finite resource. • AOacker can conAnually request resources via RACH prevenAng users being able to place new calls once all available resources are consumed. • TMSI is vulnerable to a race condiAon when the BTS is paging, aOacker can answer all pages prevenAng legiAmate communicaAon. • An aOacker responds to pages made by the BTS to idenAfy a parAcular phone causing the original request to be unanswered. • Both aOacks can be implemented in osmocom-­‐bb. • Both aOacks could be used to perform a “DoS” of a BTS. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 31.
    GSM Security Downgrade & Jamming • LTE, UMTS and GSM can be “jammed” to downgrade/force connecAons. • Overpower the analogue components of a radio with a stronger signal. • Asian devices are oqen mulA-­‐band 1-­‐10WaO radios and go against EMC. • Protocols aOempt to address “noise” or “sawtooth” jamming. • None suitable for researchers or tesAng. • Effect can be simulated by disabling 4G/3G. • Wireless & Telegraphy Act in UK forbids use. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 32.
    2.5G SimulaAon OpenBTS -­‐ Architecture © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 33.
    ImplementaAon GreedyBTS – USRP E100 • GumsAx Overo (computer-­‐on-­‐module) • TI OMAP-­‐3 SoC ARM Cortex-­‐A8 • C64 DSP • Xilinx Spartan 3A-­‐DSP 1800 FPGA • SBX (400Mhz – 4.4Ghz) 100 mW • GPSDO Kit –or-­‐ Clock Tamer • EOus provide Angstrom Linux Image (e1xx-­‐003) with GNU/Radio 3.6.4.1 © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 34.
    2.5G SimulaAon EMC & Shielding TX 50 Ω (ohm) load & RX 900Mhz omnidirecAonal antenna. Spectrum Analyser inside and outside enclosure (use a second SDR!) © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 35.
    2.5G SimulaAon EMC & Shielding © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 36.
    ImplementaAon GreedyBTS – E100 firmware • Spent a lot of Ame trying to build Angstrom for USRP E-­‐1xx from scratch with limited success. • Used EOus E1xx_3 firmware, cross-­‐compiled new Kernel (no ne}ilter support or IP forwarding) and built packages from source with addiAonal opAons such as ODBC and SQLite support. • OpenBTS 5.0 and OpenBTS 2.8 (with mini-­‐SGSN GPRS support) both installed. • OpenBTS transceiver applicaAon has been broken for E1xx, modified for 5.0. • I made minor patches to OpenBTS for more stealth operaAon (i.e. no welcome messages), increased logging in L3 Mobility Management events and disable SGSN firewalling for GPRS aOacks. • Asterisk configured with real-­‐Ame SQLite support and automaAc logging via monitor(). • Console interface script for interacAng with components and BTS. • Integrated DB for IMEI fingerprinAng (50000+ devices) & MCC/MNC search. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 37.
    ImplementaAon GreedyBTS – E100 firmware © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 38.
    ImplementaAon GreedyBTS -­‐ Features • Useful events are sent to “greedyBTS.log” for logging and use by console app. • Can dynamically provision a phone based on regex of IMSI or IMEI. • Use’s real-­‐Ame configuraAon, can be leq to run “headless” in target area. • Useful uAliAes (airprobe, osmo-­‐arfcn, tshark, tcpdump, libpcap) built. • CDR records keep detail of subscriber communicaAon aOempts. • Call content is automaAcally recorded to “call-­‐recordings” directory. • Can use Asterisk for connecAng users to PSTN or amusement. • GPRS is auto-­‐configured, if the BTS has an internet connecAon so does phone. • Example background exploit iPwn aOacks MS over GPRS. • Designed to be used against a specific target (1 or 2 users) in a small geographical area. • Clone the BTS environment of CEO office, enter RegEx of CEO IMEI and wait ;-­‐) • It’s Linux! You can roll your own aOacks / backdoors on-­‐top. © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 39.
    ImplementaAon GreedyBTS -­‐ Features © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 40.
    ImplementaAon GreedyBTS + iPwn • GPRS can be very slow to launch an exploit or extract data! © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 41.
    ImplementaAon Download •You will need an 8GB MicroSD card to install in E100. • Change default root password on login and change SSH keys. • hOps://mega.co.nz/#!hAU2iJyB! GK54dtAxUVXavcZUGPJPDl7X3_OjpnPqs_qSZfc9iwE • 726f9d810aca42ed5ba3034efe6b6a2a © 2014 MDSec ConsulAng Ltd. All rights reserved. greedyBTS-­‐44CON-­‐v1.img.enc • openssl aes-­‐256-­‐cbc -­‐d -­‐in greedyBTS-­‐44CON-­‐v1.img.enc -­‐out greedyBTS-­‐44CON-­‐v1.img (Contact me for password.) • 4667f83fdc4a30245fdcc49946833e5d greedyBTS-­‐44CON-­‐v1.img • dd if=./greedyBTS-­‐44CON-­‐v1.img of=/dev/sdc bs=1024 • Discussed in Feb on OpenBTS / USRP mailing lists, 7:1 GSM researchers mailed in favor of image sharing in a controlled way.
  • 42.
    ImplementaAon Example traffic • Interested in GSM? • Here is a PCAP trace of 2.5G environment showing uplink/downlink, two MS devices, SIM APDU informaAon! • Recommend reading a good book and review in wireshark! • hOps://github.com/HackerFantasAc/Public/blob/master/misc/44CON-­‐gsm-­‐ uplink-­‐downlink-­‐sim-­‐example.pcap • BeagleBone Black and NanoBTS/USRP B200/BladeRF could be used in future for cheaper alternaAve! © 2014 MDSec ConsulAng Ltd. All rights reserved.
  • 43.
    ImplementaAon Demo © 2014 MDSec ConsulAng Ltd. All rights reserved. Demo.
  • 44.
    GreedyBTS – Hacking Adventures in GSM Conclusions • InformaAon sent over your mobile phone may not be as secure as you think. • DetecAon of GSM aOacks is sAll in it’s infancy, some tools are beginning to surface which detect greedyBTS but they will require “acAve” use and aimed at power users. • If you are transmiung sensiAve informaAon such as usernames or passwords consider using a non-­‐wireless technology. • An aOacker can launch aOacks against your mobile device without you being aware using 2.5G, we need baseband security enhancements and access to cell data. © 2014 MDSec ConsulAng Ltd. All rights reserved. E-­‐mail: hackerfantasAc@riseup.net TwiOer: @HackerFantasAc hOps://github.com/hackerfantasAc/public
  • 45.
    QuesAons? Thank you for all the hard work done by members of the open-­‐source and security research communiAes in making 2.5G networks more © 2014 MDSec ConsulAng Ltd. All rights reserved. accessible for analysis. TwiOer: @MDSecLabs Blog: hOp://blog.mdsec.co.uk