This document discusses mobile network security and practical attacks. It presents:
1) Attacks on 2G networks like GSM are possible using inexpensive hardware by exploiting weaknesses in the authentication protocols or reusing authentication triplets.
2) 3G and 4G networks have stronger encryption but mutual authentication can still be bypassed depending on the baseband implementation.
3) Practical attacks were demonstrated through jamming to force a downgrade to 2G, running a rogue base station, and exploiting bugs found through fuzzing a mobile device's baseband.
2. Content
- Security measures
- Recent publications in the hacking community
- Practical attacks
- Results of our short research
3. GSM and GPRS: confidentiality
- GPRS → authentication algorithms A3/A8
- Communication ciphered with the A5/1 algorithm using a Kc key (derived from Ki)
- Kc is generated with the A8 algorithm
- The Ki key is stored in the AuC (Authentication Center) and in the SIM (Subscriber Identity Module)
4. GSM and GPRS: architecture
- BTS: Base Transceiver Station
- BSC: Base Station Controller
- MSC: Mobile Switching Center
- VLR: Visitor Location Register
- HLR: Home Location Register
- AuC: Authentication Center
5. GSM and GPRS: Handover
Source: article.sapub.org
A stronger signal will likely attract User Equipments
→ Useful for attackers
6. GSM and GPRS: a few differences
- GPRS authentication → handled by the SGSN (Serving GPRS Support Node)
- Ciphering in GSM is done at Layer 1 on the TCH (Traffic Channel) and the DCCH (Dedicated Control Channel)
- Ciphering in GPRS is done at Layer 2, in LLC (Logical Link Control), with the GEA1 algorithm
7. GSM and GPRS: possible attacks
- No mutual authentication → fake (rogue) BTS
- Reuse of the authentication triplet (RAND, SRES, Kc) many times
- Signaling channel not encrypted → open to attacks
- Attacks on the A5/1 algorithm
- ...
→ Interception is possible on GSM and GPRS
8. 3G/4G: advantages
- 3G came with the KASUMI encryption algorithm
- Then SNOW 3G → second encryption algorithm for 3G, also used for 4G (in case KASUMI is broken)
- In addition to SNOW 3G, 4G uses AES CBC with 128-bit keys to cipher communications
- Thanks to the USIM → 3G and 4G networks use mutual authentication
- But access to 3G networks is possible with a previous-generation SIM card → possible bypass of mutual authentication
- In 2011, the ZUC algorithm was introduced with a 128-bit key
→ The encryption algorithms are strong and mutual authentication makes it difficult to intercept communications
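The GSM challenge/response of slides 3 and 7 (network sends RAND, SIM answers, nothing authenticates the network) and the 3G/4G mutual authentication of slide 8, as an added toy model that is not part of the talk. A3/A8 and Milenage f1 are replaced by HMAC-SHA256 and AUTN is simplified to SQN plus MAC (assumptions made for readability; real SIMs use COMP128/Milenage and conceal SQN); the keys and RAND are constructed.

```python
import hashlib
import hmac

def _f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Stand-in keyed function (assumption: HMAC-SHA256 replaces A3/A8/f1)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()

# GSM: the network sends RAND; the SIM answers SRES and derives Kc from (Ki, RAND).
def gsm_sim_response(ki: bytes, rand: bytes) -> tuple:
    sres = _f(ki, b"A3", rand)[:4]    # 32-bit signed response
    kc = _f(ki, b"A8", rand)[:8]      # 64-bit session key Kc, fixed by (Ki, RAND)
    return sres, kc

def gsm_sim_accepts_challenge(rand: bytes) -> bool:
    # Nothing in the GSM exchange authenticates the network: the SIM answers
    # any well-formed RAND, whether it comes from the home AuC or a rogue BTS.
    return len(rand) == 16

# UMTS/LTE AKA: the network also sends AUTN = SQN || MAC, MAC = f1_K(SQN, RAND);
# the USIM checks the MAC (proof of K) and that SQN is fresh (no replay).
def aka_build_autn(k: bytes, sqn: int, rand: bytes) -> tuple:
    mac = _f(k, b"f1", rand, sqn.to_bytes(6, "big"))[:8]
    return sqn, mac

def usim_accepts_network(k: bytes, last_sqn: int, rand: bytes, sqn: int, mac: bytes) -> bool:
    expected = _f(k, b"f1", rand, sqn.to_bytes(6, "big"))[:8]
    mac_ok = hmac.compare_digest(expected, mac)   # sender knows the shared K
    fresh = sqn > last_sqn                        # a replayed vector is refused
    return mac_ok and fresh

def demo() -> dict:
    ki = bytes.fromhex("00" * 15 + "01")   # constructed subscriber key
    rand = bytes(range(16))                # constructed challenge
    _, kc1 = gsm_sim_response(ki, rand)
    _, kc2 = gsm_sim_response(ki, rand)    # same triplet reused -> same Kc again
    sqn, mac = aka_build_autn(ki, 42, rand)
    _, rogue_mac = aka_build_autn(bytes(16), 42, rand)   # rogue network without K
    return {
        "gsm_rogue_challenge_answered": gsm_sim_accepts_challenge(rand),
        "gsm_triplet_reuse_same_kc": kc1 == kc2,
        "aka_genuine_accepted": usim_accepts_network(ki, 41, rand, sqn, mac),
        "aka_rogue_rejected": not usim_accepts_network(ki, 41, rand, sqn, rogue_mac),
        "aka_replay_rejected": not usim_accepts_network(ki, 42, rand, sqn, mac),
    }
```

The last two results are exactly what a 2G-only SIM on a 3G network loses: without AUTN verification, the rogue and replay cases would be accepted just like the GSM case.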
9. Mobile interception: signal attraction
- A User Equipment connects to the closest Base Station
- 3G/4G downgrades to 2G via
  - jamming attacks → simple Gaussian noise in the targeted channels
  - protocol attacks → difficult
  - strange baseband behaviors
10. State of the Art: publications
- Many publications exist:
  - Attacks on the GSM A5/1 algorithm with rainbow tables (26C3, Chris Paget and Karsten Nohl)
  - OsmocomBB (27C3, 2010, Harald Welte and Steve Markgraf)
  - Hacking the Vodafone femtocell (Black Hat 2011, Ravishankar Borgaonkar, Nico Golde and Kevin Redon)
  - An analysis of baseband security (SSTIC 2014, Benoit Michau)
  - Attacks on privacy and availability of 4G (October 2015, Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi and Jean-Pierre Seifert)
  - How to not break LTE crypto (SSTIC 2016, Christophe Devine and Benoit Michau)
11. State of the Art: tools
- Hardware
  - USRP from 700 € (without daughter-boards and antennas)
  - SysmoBTS from 2,000 €
  - BladeRF from 370 € (without antennas)
- Software
  - Set up a mobile network
    - OpenBTS: GSM and GPRS network compatible with USRP and BladeRF
    - OpenUMTS: UMTS network compatible with some USRPs
    - OpenLTE: LTE network compatible with BladeRF and USRP
    - OpenAir: LTE network compatible with some USRPs
    - YateBTS: GSM and GPRS network compatible with USRP and BladeRF
  - Analyze traffic
    - libmich: analyze and craft mobile packets captured with GSMTAP
    - Wireshark: analyze GSMTAP-captured packets
    - OsmocomBB: sniff and capture GSM packets
12. Passive attacks in GSM
- CCCH (Common Control Channels) give a lot of information
  - Management messages, sometimes SMS in clear, TMSIs, ...
- CCCH → paging request → can be exploited to locate someone
- Tools
  - OsmocomBB, Airprobe, ...
14. Capture a specific channel (2)
- Leaked TMSI
→ Use SMS Class-0 messages to track a user
15. GSM Lab setup: for interception
- 1 BladeRF = 370 €
- 2 antennas = 15 € each
- YateBTS software = free
- Total cost = 400 €
16. GSM interception: User Equipment behaviors
- A User Equipment decides to register to another base station if
  - it can register to any MCC/MNC BTS close to it
  - it can register to a test network close to it
  - only when the currently used network is not reachable anymore, even if a rogue base station is closer
  - the signal is strong and the mutual authentication succeeded (not the case in GSM/GPRS)
- Everything depends on the mobile stack implementations...
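The cell-selection behaviours of slides 9 and 16 (test network, foreign MCC/MNC, a stronger signal, a 3G/4G-to-2G downgrade) turned into defender-side heuristics over an observed serving cell, as an added example that is not code from the talk. The observation records, the known-cell table, the home PLMN and the 20 dB margin are all constructed assumptions; real monitoring apps use richer inputs.

```python
from dataclasses import dataclass

TEST_PLMN = ("001", "01")    # the standardised test network MCC/MNC

@dataclass
class CellObs:
    mcc: str
    mnc: str
    lac: int
    cid: int
    tech: str        # "2G", "3G" or "4G"
    rssi_dbm: int
    cipher: str      # e.g. "A5/1", "A5/0" (no ciphering), "UEA1", "EEA2"

def rate_cell(obs: CellObs, known: dict, home_plmn: tuple, prev_tech: str) -> list:
    """Return the reasons a serving cell looks suspicious (empty list = nothing seen).
    `known` maps (lac, cid) -> strongest RSSI in dBm previously seen for that cell."""
    reasons = []
    plmn = (obs.mcc, obs.mnc)
    if plmn == TEST_PLMN:
        reasons.append("test-network PLMN 001/01 announced")
    elif plmn != home_plmn:
        reasons.append("PLMN %s/%s differs from the home network" % plmn)
    key = (obs.lac, obs.cid)
    if key not in known:
        reasons.append("LAC/cell id never seen at this location")
    elif obs.rssi_dbm > known[key] + 20:          # assumed 20 dB margin
        reasons.append("signal far stronger than ever seen for this cell")
    if obs.tech == "2G" and obs.cipher == "A5/0":
        reasons.append("2G session without ciphering (A5/0)")
    if prev_tech in ("3G", "4G") and obs.tech == "2G":
        reasons.append("downgrade from %s to 2G" % prev_tech)
    return reasons

def demo() -> dict:
    home = ("208", "01")                                  # constructed home PLMN
    known = {(1234, 5678): -75, (1234, 5679): -80}        # constructed known cells
    genuine = CellObs("208", "01", 1234, 5678, "4G", -78, "EEA2")
    suspect = CellObs("001", "01", 9999, 1, "2G", -45, "A5/0")
    return {
        "genuine": rate_cell(genuine, known, home, "4G"),
        "suspect": rate_cell(suspect, known, home, "4G"),
    }
```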
19. Results on intercoms
- On a Link iDP GSM intercom
  - leak of user phone numbers
  - send intercom-specific commands
  - send AT commands to interact with the targeted baseband
  - update users with premium-rate numbers (e.g. Allopass)
- Further work
  - Shrink the setup by replacing the computer with a Raspberry Pi 3 or an ODROID device (from about 50 €)
  - Semi-automatic channel jamming on 3G
  - Study of protocol attacks on 3G and 4G
20. 3G→2G downgrade: hardware
- Downgrade is difficult with traditional jammers
  - an attacker needs to focus on a few specific bands → the bands of the targeted operators
- A simple HackRF can be used (340 €)
22. Alternatives to jamming attacks
- Protocol attacks on 4G and 3G
  - using OpenLTE for 4G, or Open-UMTS for 3G
  - a compromised femtocell for 3G, and a 4G femtocell → thanks to a serial port or an insecure update process
23. Lab setup: to find bugs
- 1 USRP: 700 €
- 2 daughter boards: about 120 € each
- 2 TX and RX antennas: about 30 € each
- OpenBTS software: free
26. Conclusion
- Attacks on GSM and GPRS are affordable: less than 1,000 €
- Attacks on 3G and 4G are difficult, but
  - mutual authentication could be bypassed depending on the baseband implementation
  - publicly known vulnerable femtocells can be found on eBay (with serial ports, or insecure download processes)
- The IoT ecosystem uses GSM and 3G stacks a lot (for example digital intercoms) → vulnerable to the same attacks as traditional mobile devices