GSM Open-source intelligence

Similar documents
E2-E3: CONSUMER MOBILITY. CHAPTER-5 CDMA x OVERVIEW (Date of Creation: )

Dimensioning, configuration and deployment of Radio Access Networks. part 1: General considerations. Mobile Telephony Networks

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

Security of Cellular Networks: Man-in-the Middle Attacks

Cellular Communication

Network Security: Cellular Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

How to hack your way out of home detention!

COMP327 Mobile Computing Session: Lecture Set 5 - Wireless Communication Part 2

E3-E4 (CM MODULE) CDMA x & EV-DO. For internal circulation of BSNL only

Mobile Security Fall 2013

GSM Hacking. Wireless Mobile Phone Communication 30 th January 2014 UNRESTRICTED EXTERNAL

GSM Security Overview

Wireless systems overview

Chapter 3 GSM and Similar Architectures

Basics of GSM in depth

Pertemuan 7 GSM Network. DAHLAN ABDULLAH

Wireless and Mobile Network Investigation

Cellular Networks and Mobility

Cellular Mobile Systems and Services (TCOM1010) GSM Architecture

Chapter 2 The 3G Mobile Communications

Nexus8610 Traffic Simulation System. Intersystem Handover Simulation. White Paper

CHAPTER 4 SYSTEM IMPLEMENTATION 4.1 INTRODUCTION

Telecommunication Services Engineering Lab

CSC 401 Data and Computer Communications Networks

Telecommunication Services Engineering Lab

GSM Interception IMSI Catcher and Voice Interception

RNV Vehicular Communications Part II Radio Networks for Vehicular Communications Roberto Verdone

GSM. Course requirements: Understanding Telecommunications book by Ericsson (Part D PLMN) + supporting material (= these slides) GPRS

GSM- R and CDMA Network System for the Railway Industry

E1-E2 UPGRADATION COURSE CONSUMER MOBILITY. 3G Concept

Communication Networks 2 Signaling 2 (Mobile)

PCS. Reference. Wireless and Mobile Network Architectures Y-Bing Lin and Imrich Chlamtac Wiley Computer Publishing

Semi-Active GSM Monitoring System SCL-5020SE

Data and Voice Signal Intelligence Interception Over The GSM Um Interface

Chapter 10: Wireless Networking. School of information science and Engineering, SDU

GPRS and UMTS T

Wireless Network Introduction

Mobility: vocabulary

Practical Operator Considerations Cellular Analog Cellular Rogue Base Station Tumbling Cloning

Mobile Security / /


Mobile Communications Chapter 11 : Outlook

Wireless Networking: An Introduction. Hongwei Zhang

Security functions in mobile communication systems

Mobile and Sensor Systems

Last time?! Block 3: Lecture 1! Wireless networks! Ingredients 2: Antennas! Ingredients 1: Mobile Phones, PDAs & Co.! 20/05/14. Part 3: lecture 3!

Femtocell: Femtostep to the Holy Grail

CSC 4900 Computer Networks: Wireless Networks

Hands-On Modern Mobile and Long Term Evolution LTE

Advanced Security for Systems Engineering VO 10: Mobile Applications

Internal. GSM Fundamentals.

Mobile Communications Chapter 11 : Outlook

Evolution from 2G To 4G Mobile Telecommunication systems

Chapter 7. Wireless and Mobile Networks. Computer Networking: A Top Down Approach

International Journal of Scientific & Engineering Research, Volume 4, Issue 11, November-2013 ISSN

EUROPEAN ETS TELECOMMUNICATION November 1996 STANDARD

Contents. GSM and UMTS Security. Cellular Radio Network Architecture. Introduction to Mobile Telecommunications

Mobile Security Fall 2014

Advanced Computer Networks Exercise Session 4. Qin Yin Spring Semester 2013

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015

Rab Nawaz Jadoon. Cellular Systems - II DCS. Assistant Professor. Department of Computer Science. COMSATS Institute of Information Technology

Big Picture. ~10 years between generations

GSM System Overview. Ph.D. Phone Lin.

Mobile Communications

GSM and Similar Architectures Lesson 13 GPRS

3G Mobile UMTS. Raghavendra J 1, Anji Reddy Y 2, Deepak Kumar R 2, Ravi T 3

Communication Systems for the Mobile Information Society

LTE Security How Good Is It?

COMP327 Mobile Computing Session:

Design of a Routing Mechanism to Provide Multiple Mobile Network Service on a Single SIM Card Boobalan. P, Krishna. P, Udhayakumar. P, Santhosh.

10 Call Set-up. Objectives After this chapter the student will: be able to describe the activities in the network during a call set-up.

Glossary. xii. Marina Yue Zhang and Mark Dodgson Downloaded from Elgar Online at 02/04/ :16:01PM via free access

Diminishing Signaling Traffic for Authentication in Mobile Communication System

COPYRIGHTED MATERIAL. Introduction. Harri Holma and Antti Toskala. 1.1 WCDMA in Third-Generation Systems

Mobile systems: an overview

Secure and Authentication Communication in GSM, GPRS, and UMTS Using Asymmetric Cryptography.

EKT 450 Mobile Communication System

Välkomna till Avancerad Telekommunikation. Welcome to Advanced Telecommunication. Ulf Körner

GOPALAN COLLEGE OF ENGINEERING AND MANAGEMENT Electronics and communication Department

Implementing CDMA in TDMA Networks Leveraging the success of CDMA

Optical Fiber 6 Days ( 1 Day Theoretical & 5 Days Practical ) Fiber Optic Cables Preparing & Splicing. Fiber Optic Cables Measurements

Mobile Security Fall 2013

Understanding Carrier Wireless Systems

A COMPREHENSIVE SURVEY OF THE WIRELESS GENERATIONS

Convergence of IP and Mobile Communications. Albert Coronel RedLink Communications Co., Ltd. MMNOG, November 21, 2015

Seamless integration of heterogeneous wireless network technologies -?/!

RF OPTIMIZATION FOR QUALITY IMPROVEMENT IN GSM NETWORK

GSM and Mobile Telephony Trends

REPORT ON GUEST LECTURER (INDUSTRY) BTS, GSM ARCHITECTURE & CALL FLOW IN GSM

Connecting Mobile Phones to the Internet Simply (CoMPIS) IETF London DISPATCH WG Jim Forster, Mike Iedema, Harvind Samra - Range Networks Tim Panton

Network Node for IMT-2000

Evolution from GSM to UMTS (IMT-2000)*

Beyond 3G Wireless. K.Raghunandan (RAGHU) Construction Administrator (Wireless) Communication Engineering New York City Transit (MTA)

Performance Challenge of 3G over Satellite Methods for Increasing Revenue & Quality of Experience. February 2018

EC Wireless Networks VIII - Semester Questions Bank

COMP327 Mobile Computing Session: Lecture Set 7 - Wireless Communication

CS 332 Computer Networks Wireless Networks

GSM security country report: Thailand

INTRODUCTION TO GSM DATA SERVICES. ETI25111 Monday, April 3, 2017

G 364: Mobile and Wireless Networking. CLASS 19, Mon. Mar Stefano Basagni Spring 2004 M-W, 11:40am-1:20pm, 109 Rob

Transcription:

GSM Open-source intelligence Kenneth van Rijsbergen 1 1 MSc System and Network Engineering Faculty of Science University of Amsterdam 30 June 2016 Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 1 / 18

Table of Contents 1 Introduction 2 Background 3 Results 4 Conclusion Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 2 / 18

Research question How may GSM be used for gathering OSINT by a red team? How can a Software Defined Radio (SDR) be used to passively capture GSM traffic? How can a Software Defined Radio (SDR) be used to actively capture GSM traffic? What OSINT may be extracted from this GSM data? Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 3 / 18

Software Defined Radio HackRF One 1 MHz to 6 GHz half-duplex transceiver $299.- BladeRF x40 300MHz to 3.8GHz full-duplex transceiver $420.- FIGURE HackRF One FIGURE BladeRF x40 Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 4 / 18

FIGURE Waterfall (jamming test inside faraday cage) FIGURE GSM sniffing with HackRF Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 5 / 18

Overview of mobile generations First generation (1G) 1980 s Analogue Voice only Technologies : AMPS, NMT, TACS, C-450, Radiocom 2000, RTMI, JTACS, TZ-801, TZ-802, and TZ-803 Second generation (2G) 1990 s Digital signalling, SMS, MMS, voice mail, call forwarding Encryption (A5/1 and A5/2) technologies : GSM, IS-95 (a.k.a. cdmaone), PDC, iden and IS-136 (a.k.a. D-AMPS) 2.5G : GPRS 2.75G : EDGE Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 6 / 18

Overview of mobile generations Third generation (3G) 2000 s Improved crypto (A5/3) and two-way authentication between MS and BS. Faster data transfer Technologies : W-CDMA (UMTS), TD-SCDMA (only in China), HSPA, and HSPA+, CDMA2000, LTE Recently allowed to use the 900 and 1800 Mhz band (same as GSM). Fourth generation (4G) IP based, no more circuit-switched telephone Technologies : LTE Advanced and Mobile WiMAX Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 7 / 18

GSM Architecture + Lingo MS MS BSC BS HLR + AUC BS BS BSC BSC MSC + VLR MSC + VLR ISDN + PSTN MS Mobile station BS Base Station BSC Base Station Controller MSC Mobile Switching Center VLR Visitor Location Register HLR Home Location Register AUC Authentication Center EIR Equipment Identity Register MSC + VLR FIGURE GSM Architecture Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 8 / 18

GSM authentication sequence FIGURE GSM authentication sequence Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 9 / 18

IMSI catcher FIGURE IMSI catcher Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 10 / 18

GSM Authentication A5 used to encrypt the data transmission between the MS and BS. A5/1 - Developed in 1987. Workings kept secret. - Reverse engineered in 1999 and published. - Can be cracked in seconds using rainbow tables. A5/2 - Extremely weak, developed for export markets - Can be cracked in real-time. - Discontinued by the GSM association since 2006. A5/3 - In use today. - Designed for 3G but also used for GSM. - Based on the MISTY block cypher which was later simplified into the KASUMI block cypher. - A faster than an exhaustive search attack has been found but nothing practical. Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 11 / 18

IMSI catcher IMSI International Mobile Subscriber Identity Can be used to identify a mobile subscriber. The IMSI is send by GSM unencrypted over the air during authentication. This enables tracking. Full IMSI catchers (full MITM) Half IMSI catchers (outgoing only) Both require a spoofed basestation. Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 12 / 18

IMSI catcher FIGURE Stingray I (http://arstechnica.co.uk/) FIGURE NSA GSM Tripwire (NSA s ANT Division Catalog) FIGURE IMSI catcher on planes (Brian McGill The Wall Street Journal) Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 13 / 18

Passive Capturing Possible but all is encrypted Some IMSI s may (in theory) be captured when in initial authentication. But nothing that can be practically used. FIGURE GSM Decoding FIGURE GSM data in Wireshark Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 14 / 18

Demo Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 15 / 18

Spoof limitation YateBTS only supports 2.5G GPRS OpenBTS-UMTS offers 3G UMTS but requires more expensive hardware (a recent USRP) The phone will always prefer a higher standard, even if the signal is weak 1 4G LTE-Advanced 2 3G UMTS 3 2.75G EDGE 4 2.5G GPRS <- YateBTS 5 2G GSM Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 16 / 18

Jamming The HackRF is not suitable for jamming Test was conducted inside a Faraday cage. Jamming a specific 900Mhz GSM channel was possible, but only for the old 2G Nokia. 3G HTC phone disconnects, then recovers when setting up a new call. Higher bands (like 1800) are too wide for the HackRF to cover. Transmitting at a higher frequency requires more power ; HackRF did not have enough to disrupt 2G 1800. 3G jamming is even more hopeless due to spread spectrum. Would be nice to test with a real 3G jammer. The hypothesis would be that the phone drops down to EDGE instead of GPRS. Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 17 / 18

Conclusion and Future work Conclusion Passive attacks are not effective due to encryption. Active attacks can only be effective versus 2G phones or when using jamming attacks (illegal). If, however a phone connects, everything outgoing can be intercepted (Internet, Voice, SMS). Future Work Full IMSI Catcher (still relies on a successful spoof) Selective jamming* (jam all but one channel) Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 18 / 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback