Presented on 07/06/2016
For Business France
By Sébastien Dudek

Mobile Security
Practical attacks using cheap equipment

Content
● Security measures
● Recent publications in the hacking community
● Practical attacks
● Results of our short research

GSM and GPRS: confidentiality
● GPRS → authentication with the A3/A8 algorithms
● Communications are ciphered with the A5/1 algorithm using a Kc key (derived from Ki)
● Kc is generated with the A8 algorithm
● The Ki key is stored in the AuC (Authentication Center) and in the SIM (Subscriber Identity Module)

GSM and GPRS: architecture
● BTS: Base Transceiver Station
● BSC: Base Station Controller
● MSC: Mobile Switching Center
● VLR: Visitor Location Register
● HLR: Home Location Register
● AuC: Authentication Center

GSM and GPRS: handover
Source: article.sapub.org
● A stronger signal will likely attract User Equipment → useful for attackers

GSM and GPRS: a few differences
● GPRS authentication → handled by the SGSN
● Ciphering in GSM is done at Layer 1 on the TCH (Traffic Channel) and the DCCH (Dedicated Control Channel)
● Ciphering in GPRS is done at Layer 2 in LLC (Logical Link Control) with the GEA1 algorithm

GSM and GPRS: possible attacks
● No mutual authentication → fake/rogue BTS
● Reuse of the authentication triplet (RAND, RES, Kc) many times
● Signaling channel not encrypted → open to attacks
● Attacks on the A5/1 algorithm
● ...
⇒ Interception is possible on GSM and GPRS

3G/4G: advantages
● 3G came with the KASUMI encryption algorithm
● Then SNOW 3G → a second encryption algorithm for 3G, also used in 4G (in case KASUMI is broken)
● In addition to SNOW 3G, 4G uses AES CBC 128 bits to cipher communications
● Thanks to the USIM → 3G and 4G networks use mutual authentication
● But access to 3G networks is still possible with an older SIM card → possible bypass of mutual authentication
● In 2011, the ZUC algorithm was introduced with a 128-bit key
⇒ The encryption algorithms are strong, and mutual authentication makes it difficult to intercept communications

Mobile interception: signal attraction
● A User Equipment connects to the closest Base Station
● 3G/4G downgrades to 2G via:
  ● jamming attacks → simple Gaussian noise in the targeted channels
  ● protocol attacks → difficult
  ● strange baseband behaviors

State of the art: publications
● Many publications exist:
  ● Attacks on the GSM A5/1 algorithm with rainbow tables (26C3, Chris Paget and Karsten Nohl)
  ● OsmocomBB (27C3, 2010, Harald Welte and Steve Markgraf)
  ● Hacking the Vodafone femtocell (Black Hat 2011, Ravishankar Borgaonkar, Nico Golde and Kevin Redon)
  ● An analysis of baseband security (SSTIC 2014, Benoit Michau)
  ● Attacks on privacy and availability of 4G (October 2015, Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi and Jean-Pierre Seifert)
  ● How to not break LTE crypto (SSTIC 2016, Christophe Devine and Benoit Michau)

State of the art: tools
● Hardware
  ● USRP from 700 € (without daughterboards and antennas)
  ● SysmoBTS from 2,000 €
  ● BladeRF from 370 € (without antennas)
● Software
  ● Set up a mobile network
    ● OpenBTS: GSM and GPRS network, compatible with USRP and BladeRF
    ● OpenUMTS: UMTS network, compatible with some USRPs
    ● OpenLTE: LTE network, compatible with BladeRF and USRP
    ● OpenAir: LTE network, compatible with some USRPs
    ● YateBTS: GSM and GPRS network, compatible with USRP and BladeRF
  ● Analyze traffic
    ● libmich: analyze and craft mobile packets captured with GSMTAP
    ● Wireshark: analyze GSMTAP-captured packets
    ● OsmocomBB: sniff and capture GSM packets

Passive attacks in GSM
● CCCH (Common Control Channels) give a lot of information
  ● Management messages, sometimes SMS in clear, TMSIs, ...
● CCCH → paging requests → can be exploited to locate someone
● Tools
  ● OsmocomBB, Airprobe, ...

Capture a specific channel (1)
● List of ARFCNs

Capture a specific channel (2)
● Leaked TMSI
⇒ Use SMS Class-0 messages to track a user
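Added example, not from the slides or from the tools they cite: a decoder for GSMTAP-encapsulated Paging Request Type 1 messages (the framing OsmocomBB and Airprobe captures present to Wireshark) and a detector that flags an identity paged unusually often in a short window, which is the footprint SMS Class-0 tracking leaves on the CCCH for a subscriber or operator looking for it. Header and message layouts follow GSMTAP v2 and 3GPP TS 04.08; the sample frames are constructed inline, not captured.

```python
"""Decode GSMTAP-framed GSM paging requests and flag identities paged unusually often:
repeated paging of one TMSI in a short window is the trace that SMS Class-0 ("silent
SMS") tracking leaves on the CCCH. Layouts follow GSMTAP v2 and 3GPP TS 04.08."""
import struct
from collections import defaultdict

GSMTAP_VERSION, GSMTAP_TYPE_UM = 2, 0x01          # v2 header, GSM Um air interface
GSMTAP_CHANNEL_CCCH, GSMTAP_CHANNEL_PCH = 0x02, 0x05
GSMTAP_ARFCN_MASK, GSMTAP_ARFCN_F_UPLINK = 0x3FFF, 0x4000
RR_PD, RR_PAGING_REQUEST_TYPE1 = 0x06, 0x21      # RR protocol discriminator, message type
MI_TYPE_IMSI, MI_TYPE_TMSI = 0x1, 0x4             # TS 04.08 Mobile Identity type bits

def parse_gsmtap(frame):
    """Split a GSMTAP v2 frame into header fields and the Um payload."""
    if len(frame) < 16:
        raise ValueError("frame too short for a GSMTAP v2 header")
    version, hdr_words, gtype, timeslot = struct.unpack_from("!BBBB", frame, 0)
    if version != GSMTAP_VERSION:
        raise ValueError(f"unsupported GSMTAP version {version}")
    hdr_len = hdr_words * 4                        # header length is in 32-bit words
    if hdr_len < 16 or len(frame) < hdr_len:
        raise ValueError("truncated GSMTAP header")
    arfcn_raw, signal_dbm, snr_db, fn, sub_type = struct.unpack_from("!HbbIB", frame, 4)
    return {"type": gtype, "timeslot": timeslot, "arfcn": arfcn_raw & GSMTAP_ARFCN_MASK,
            "uplink": bool(arfcn_raw & GSMTAP_ARFCN_F_UPLINK), "signal_dbm": signal_dbm,
            "snr_db": snr_db, "frame_number": fn, "sub_type": sub_type,
            "payload": frame[hdr_len:]}

def decode_mobile_identity(mi):
    """Decode a Mobile Identity value into ("TMSI", hex) or ("IMSI", digits), else None."""
    if not mi:
        return None
    id_type = mi[0] & 0x07
    if id_type == MI_TYPE_TMSI and len(mi) == 5:
        return ("TMSI", mi[1:].hex())
    if id_type == MI_TYPE_IMSI:                    # BCD digits, first one in the high nibble
        digits = [str(mi[0] >> 4)]
        for b in mi[1:]:
            digits += [str(b & 0x0F), str(b >> 4)]
        if not mi[0] & 0x08:                       # even digit count: last nibble is 0xF filler
            digits.pop()
        return ("IMSI", "".join(digits))
    return None                                    # IMEI/IMEISV/no identity: ignored here

def parse_paging_request_type1(payload):
    """Return identities carried by an L2-pseudo-length framed Paging Request Type 1."""
    if len(payload) < 5 or (payload[0] & 0x03) != 0x01:
        return []
    msg = payload[1:1 + (payload[0] >> 2)]         # pseudo-length octet: (len << 2) | 0b01
    if len(msg) < 4 or (msg[0] & 0x0F) != RR_PD or msg[1] != RR_PAGING_REQUEST_TYPE1:
        return []
    ids, pos = [], 3                               # msg[2] is page mode / channels needed
    mi_len = msg[pos]                              # Mobile Identity 1 is mandatory, LV coded
    mi = decode_mobile_identity(msg[pos + 1:pos + 1 + mi_len])
    ids += [mi] if mi else []
    pos += 1 + mi_len
    if pos + 1 < len(msg) and msg[pos] == 0x17:    # optional Mobile Identity 2, TLV, IEI 0x17
        mi = decode_mobile_identity(msg[pos + 2:pos + 2 + msg[pos + 1]])
        ids += [mi] if mi else []
    return ids

def detect_paging_bursts(frames, window_frames=65000, threshold=5):
    """Map identity -> most pagings seen inside one window, for identities at/over threshold.
    A GSM frame lasts 4.615 ms, so 65000 frames is about five minutes; frame numbers are
    assumed not to wrap inside the capture."""
    seen = defaultdict(list)
    for frame in frames:
        hdr = parse_gsmtap(frame)
        if hdr["type"] != GSMTAP_TYPE_UM or hdr["uplink"]:
            continue
        if hdr["sub_type"] not in (GSMTAP_CHANNEL_CCCH, GSMTAP_CHANNEL_PCH):
            continue
        for ident in parse_paging_request_type1(hdr["payload"]):
            seen[ident].append(hdr["frame_number"])
    flagged = {}
    for ident, fns in seen.items():
        fns.sort()
        best = start = 0
        for end, fn in enumerate(fns):             # sliding window over frame numbers
            while fn - fns[start] > window_frames:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ident] = best
    return flagged

def build_paging_frame(tmsi, frame_number, arfcn=975):
    """Constructed sample: GSMTAP header + Paging Request Type 1 paging one TMSI."""
    rr = bytes([RR_PD, RR_PAGING_REQUEST_TYPE1, 0x00, 0x05, 0xF4]) + tmsi
    payload = bytes([(len(rr) << 2) | 0x01]) + rr
    payload += b"\x2b" * (23 - len(payload))       # 0x2B fill up to the 23-byte L2 frame
    hdr = struct.pack("!BBBBHbbIBBBB", GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, 0,
                      arfcn, -70, 10, frame_number, GSMTAP_CHANNEL_CCCH, 0, 0, 0)
    return hdr + payload

# Constructed capture: one TMSI paged 8 times in about 84 s, two others paged once.
SAMPLE_FRAMES = [build_paging_frame(bytes.fromhex("1a2b3c4d"), 1000 + i * 2600) for i in range(8)]
SAMPLE_FRAMES += [build_paging_frame(bytes.fromhex("0badcafe"), 5000),
                  build_paging_frame(bytes.fromhex("00112233"), 400000)]
```

Feeding a real capture means reading the GSMTAP UDP payloads (port 4729) from a pcap instead of `SAMPLE_FRAMES`; the frame wrap-around at the GSM hyperframe boundary is the one case a long capture would need handled.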

GSM lab setup: for interception
● 1 BladeRF = 370 €
● 2 antennas = 15 € each
● YateBTS software = free
● Total cost = 400 €

GSM interception: User Equipment behaviors
● A User Equipment decides to register to another base station if:
  ● it can register to any MCC/MNC BTS close to it
  ● it can register to a test network close to it
  ● only when the currently used network isn't reachable anymore, even if a rogue base station is closer
  ● the signal is strong and the mutual authentication succeeded (not the case in GSM/GPRS)
● Everything depends on the mobile stack implementation...

Demo...
● Fake Base Station

Other vulnerable devices
● Interception of intercoms

Results on intercoms
● On a Link iDP GSM intercom
  ● leak of user phone numbers
  ● sending intercom-specific commands
  ● sending AT commands to interact with the targeted baseband
  ● updating users with premium-rate numbers (e.g. Allopass)
● Further work
  ● Reduce the model by replacing the computer with a Raspberry Pi 3 or an ODROID device, from about 50 €
  ● Semi-automatic channel jamming on 3G
  ● Study of protocol attacks on 3G and 4G

3G→2G downgrade: hardware
● Downgrade is difficult with traditional jammers
  ● an attacker needs to focus on a few specific bands → the bands of the targeted operators
● A simple HackRF can be used (340 €)

Jamming video demo...

Alternatives to jamming attacks
● Protocol attacks on 4G and 3G
  ● using OpenLTE for 4G, or Open-UMTS for 3G
  ● a compromised femtocell for 3G, or a 4G femtocell → thanks to a serial port or an insecure update process

Lab setup: to find bugs
● 1 USRP: 700 €
● 2 daughterboards: about 120 € each
● 2 TX and RX antennas: about 30 € each
● OpenBTS software: free

The fuzzing lab in real life

Fuzzing: our results
● Built a fuzzing test framework, MobiDeke (not released publicly)
● Results found on an HTC Desire Z
  ● Found multiple application crashes: mostly Java exceptions → not exploitable
  ● 1 exploitable vulnerability in SETUP CALLS handling → used to compromise the baseband
● Presented at the hack.lu conference in 2012 with Guillaume Delugré

Conclusion
● Attacks on GSM and GPRS are affordable: less than 1,000 €
● Attacks on 3G and 4G are difficult, but
  ● mutual authentication could be bypassed depending on the baseband implementation
  ● publicly vulnerable femtocells can be found on eBay (with serial ports or insecure download processes)
● The IoT ecosystem uses a lot of GSM and 3G stacks (for example digital intercoms) → vulnerable to the same attacks as traditional mobile devices
Β 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
Β 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Β 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
Β 

Mobile Security Practical Attacks Using Cheap Equipment

1. Presented the 07/06/2016
   For Business France
   By Sébastien Dudek
   Mobile Security: Practical attacks using cheap equipment

2. Content
   ● Security measures
   ● Recent publications in the hacking community
   ● Practical attacks
   ● Results of our short researches

3. GSM and GPRS: confidentiality
   ● GPRS → authentication algorithm A3/A8
   ● Communication ciphered with the A5/1 algorithm with a Kc key (derived from Ki)
   ● Kc is generated with the A8 algorithm
   ● The Ki key is stored in the AuC (Authentication Center) and SIM (Subscriber Identity Module)

4. GSM and GPRS: architecture
   ● BTS: Base Transceiver Station
   ● BSC: Base Station Controller
   ● MSC: Mobile Switch Center
   ● VLR: Visitor Location Register
   ● HLR: Home Location Register
   ● AuC: Authentication Center

5. GSM and GPRS: Handover
   Source: article.sapub.org
   A stronger signal will likely attract User Equipments → useful for attackers

6. GSM and GPRS: few differences
   ● GPRS authentication → SGSN
   ● Ciphering in GSM is done at Layer 1 on the TCH (Traffic Channel) and DCCH (Dedicated Control Channel)
   ● Ciphering in GPRS is done at Layer 2 LLC (Logical Link Control) with the GEA1 algorithm

7. GSM and GPRS: possible attacks
   ● No mutual authentication → fake rogue BTS
   ● Reuse of the authentication triplet RAND, RES, Kc many times
   ● Signaling channel not encrypted → open for attacks
   ● Attacks on the A5/1 algorithm
   ● ...
   ⇒ Interception is possible on GSM and GPRS

8. 3G/4G: advantages
   ● 3G came with the KASUMI encryption algorithm
   ● Then SNOW-3G → second encryption algorithm for 3G, also used for 4G (in case KASUMI is broken)
   ● In addition to SNOW-3G, 4G uses AES CBC 128 bits to cipher communications
   ● Thanks to USIM → 3G and 4G networks use mutual authentication
   ● But access to 3G networks is possible with a previous SIM card → possible bypass of mutual authentication
   ● In 2011, the ZUC algorithm was introduced with a 128-bit key
   ⇒ Encryption algorithms are strong and mutual authentication makes it difficult to intercept communications
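Worked example, added by the editor and not part of Sébastien Dudek's slides: a toy Python model of the two exchanges the slides contrast, the GSM challenge-response (slides 3 and 7, one-way: the SIM answers any RAND it receives) and the UMTS/LTE AKA exchange (slide 8, mutual: the USIM checks AUTN before answering), plus a small check for the triplet reuse named on slide 7. The real A3/A8 and f1 to f5 functions are replaced by an HMAC-SHA256 stand-in, and Ki, RAND and the subscriber identities are constructed sample values, so the numbers mean nothing outside this script.

```python
"""Toy model of GSM (one-way) vs UMTS/LTE AKA (mutual) authentication.

Added example: the A3/A8 and f1..f5 algorithms are replaced by an HMAC-SHA256
stand-in, NOT COMP128 or Milenage. Keys and identities below are constructed.
"""
import hashlib
import hmac

SQN_LEN = 6  # bytes; 3GPP sequence numbers are 48 bits


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed PRF standing in for the SIM/AuC algorithms."""
    h = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- GSM/GPRS: the network challenges the SIM, never the reverse ----------
def gsm_triplet(ki: bytes, rand: bytes) -> tuple:
    """AuC side: (RAND, SRES, Kc) as the A3/A8 stand-in derives them from Ki."""
    sres = _prf(ki, b"A3", rand)[:4]  # 32-bit signed response
    kc = _prf(ki, b"A8", rand)[:8]    # 64-bit A5 ciphering key
    return rand, sres, kc


def gsm_sim_answer(ki: bytes, rand: bytes) -> tuple:
    """SIM side. It answers whatever RAND arrives: nothing in the message
    lets it distinguish a genuine BTS from a rogue one (slide 7)."""
    return _prf(ki, b"A3", rand)[:4], _prf(ki, b"A8", rand)[:8]


def gsm_network_accepts(ki: bytes, rand: bytes) -> bool:
    """The only verification GSM performs: SRES from the SIM equals the AuC's."""
    _, sres_expected, _ = gsm_triplet(ki, rand)
    sres, _ = gsm_sim_answer(ki, rand)
    return hmac.compare_digest(sres, sres_expected)


# ---- UMTS/LTE AKA: the USIM verifies the network through AUTN ------------
def aka_vector(k: bytes, sqn: int, rand: bytes) -> dict:
    """AuC side: RAND and AUTN = (SQN xor AK) || MAC, MAC covering RAND and SQN."""
    sqn_b = sqn.to_bytes(SQN_LEN, "big")
    ak = _prf(k, b"f5", rand)[:SQN_LEN]
    mac = _prf(k, b"f1", rand, sqn_b)[:8]
    return {"rand": rand, "autn": _xor(sqn_b, ak) + mac, "xres": _prf(k, b"f2", rand)[:8]}


def usim_verify(k: bytes, rand: bytes, autn: bytes, last_sqn: int):
    """USIM side. Returns (RES, SQN) only when the MAC proves the network knows K
    and SQN is fresh; None means a rogue network or a replayed vector."""
    ak = _prf(k, b"f5", rand)[:SQN_LEN]
    sqn_b = _xor(autn[:SQN_LEN], ak)
    mac = autn[SQN_LEN:]
    if not hmac.compare_digest(mac, _prf(k, b"f1", rand, sqn_b)[:8]):
        return None  # MAC failure: the challenger does not hold K
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= last_sqn:
        return None  # SQN not fresh: an old vector is being replayed
    return _prf(k, b"f2", rand)[:8], sqn


# ---- Monitoring: a reused RAND means a reused Kc (slide 7) ----------------
def find_challenge_reuse(auth_requests):
    """auth_requests: iterable of (subscriber_id, rand_hex) taken from core
    logs or an air-interface capture. Returns each (subscriber, rand) pair
    that appears more than once, in first-repeat order."""
    seen = {}
    reused = []
    for sub, rand_hex in auth_requests:
        key = (sub, rand_hex)
        seen[key] = seen.get(key, 0) + 1
        if seen[key] == 2:
            reused.append(key)
    return reused


# Constructed sample values: not a real Ki, not a real subscriber.
KI = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_AUTH_LOG = [  # constructed (IMSI, RAND) pairs
    ("001010000000001", "aa11"), ("001010000000001", "bb22"),
    ("001010000000001", "aa11"), ("001010000000002", "aa11"),
]

if __name__ == "__main__":
    print("GSM: network accepts SIM:", gsm_network_accepts(KI, RAND))
    print("GSM: SIM answers any RAND, Kc:", gsm_sim_answer(KI, RAND)[1].hex())
    good = aka_vector(KI, 10, RAND)
    rogue = aka_vector(bytes(16), 10, RAND)  # challenger that does not know K
    print("AKA: genuine vector  ->", usim_verify(KI, RAND, good["autn"], 9))
    print("AKA: rogue vector    ->", usim_verify(KI, RAND, rogue["autn"], 9))
    print("AKA: replayed vector ->", usim_verify(KI, RAND, good["autn"], 10))
    print("Reused challenges:", find_challenge_reuse(SAMPLE_AUTH_LOG))
```

Run it with python3; the main block prints the four cases. The point of the layout is the asymmetry the slides describe: gsm_sim_answer has no input it could refuse, so the same RAND always yields the same Kc no matter who sent it, whereas usim_verify rejects both the challenge built without K and the stale one. The reuse check is the kind of audit a core-network operator can run over authentication request logs to see whether triplets are being recycled.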
9. Mobile interception: signal attraction
   ● A User Equipment connects to the closest Base Station
   ● 3G/4G downgrades to 2G via
     ● jamming attacks → simple Gaussian noise in the targeted channels
     ● protocol attacks → difficult
     ● strange baseband behaviors

10. State Of the Art: publications
   ● Many publications exist:
     ● Attacks on the GSM A5/1 algorithm with rainbow tables (at 26c3, Chris Paget and Karsten Nohl)
     ● OsmocomBB (in 2010 at 27c3, Harald Welte and Steve Markgraf)
     ● Hacking the Vodafone femtocell (at BlackHat 2011, Ravishankar Borgaonkar, Nico Golde, and Kevin Redon)
     ● An analysis of baseband security (at SSTIC 2014, Benoit Michau)
     ● Attacks on privacy and availability of 4G (in October 2015, Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi and Jean-Pierre Seifert)
     ● How to not break LTE crypto (at SSTIC 2016, Christophe Devine and Benoit Michau)

11. State Of the Art: tools
   ● Hardware
     ● USRP from 700 € (without daughter-boards and antennas)
     ● SysmoBTS from 2,000 €
     ● BladeRF from 370 € (without antennas)
   ● Software
     ● Set up a mobile network
       ● OpenBTS: GSM and GPRS network compatible with USRP and BladeRF
       ● OpenUMTS: UMTS network compatible with some USRP
       ● OpenLTE: LTE network compatible with BladeRF and USRP
       ● OpenAir: LTE network compatible with some USRP
       ● YateBTS: GSM and GPRS network compatible with USRP and BladeRF
     ● Analyze traffic
       ● libmich: analyze and craft mobile packets captured with GSMTAP
       ● Wireshark: analyze GSMTAP captured packets
       ● OsmocomBB: sniff and capture GSM packets

12. Passive attacks in GSM
   ● CCCH (Common Control Channels) give a lot of information
     ● Management messages, sometimes SMS in clear, TMSIs, ...
   ● CCCH → paging request → can be exploited to locate someone
   ● Tools
     ● OsmocomBB, Airprobe, ...

13. Capture a specific channel (1)
   ● List of ARFCN

14. Capture a specific channel (2)
   ● Leaked TMSI ⇒ Use SMS Class-0 messages to track a user

15. GSM Lab setup: for interception
   ● 1 BladeRF = 370 €
   ● 2 antennas = 15 € each
   ● YateBTS software = FREE
   ● Total cost = 400 €

16. GSM interception: User Equipment behaviors
   ● A User Equipment decides to register to another base station if
     ● it can register to any MCC/MNC BTS close to it
     ● it can register to a test network close to it
     ● only the currently used network isn't reachable anymore, even if a rogue base station is closer
     ● the signal is strong and the mutual authentication succeeded (not the case in GSM/GPRS)
   ● Everything depends on the mobile stack implementations...

18. Other vulnerable devices
   ● Interception of intercoms

19. Results on intercoms
   ● On a Link iDP GSM intercom
     ● leak of user phone numbers
     ● send intercom-specific commands
     ● send AT commands to interact with the targeted baseband
     ● update users with premium-rate numbers (e.g. Allopass)
   ● Further work
     ● Reduce the model by replacing the computer with a Raspberry Pi 3, or an ODROID device from about 50 €
     ● Semi-automatic channel jamming on 3G
     ● Study of protocol attacks on 3G and 4G

20. 3G→2G downgrade: hardware
   ● Downgrade is difficult with traditional jammers
     ● an attacker needs to focus on a few specific bands → bands of the targeted operators
   ● A simple HackRF can be used (340 €)

22. Alternatives to jamming attacks
   ● Protocol attacks on 4G and 3G
     ● using OpenLTE for 4G, or Open-UMTS for 3G
     ● a compromised femtocell for 3G, and a 4G femtocell → thanks to the serial port, or an insecure update

23. Lab setup: to find bugs
   ● 1 USRP: 700 €
   ● 2 daughter boards: about 120 € each
   ● 2 TX and RX antennas: about 30 € each
   ● OpenBTS software: free

25. Fuzzing: our results
   ● Made a fuzzing test framework, MobiDeke (not released publicly)
   ● Results found on an HTC Desire Z
     ● Found multiple application crashes: mostly Java exceptions → not exploitable
     ● 1 exploitable vulnerability in SETUP CALLS handling → used to compromise the baseband
   ● Presented at the hack.lu conference in 2012 with Guillaume Delugré

26. Conclusion
   ● Attacks on GSM and GPRS are affordable: less than 1,000 €
   ● Attacks on 3G and 4G are difficult, but
     ● mutual authentication could be bypassed depending on the baseband implementation
     ● publicly known vulnerable femtocells can be found on eBay (with serial ports, or insecure download processes)
   ● The IoT ecosystem uses GSM and 3G stacks a lot (for example digital intercoms) → vulnerable to the same attacks as traditional mobile devices