Attacking Mobile-Terminated Services in GSM

Similar documents
10 Call Set-up. Objectives After this chapter the student will: be able to describe the activities in the network during a call set-up.

GSM Hacking. Wireless Mobile Phone Communication 30 th January 2014 UNRESTRICTED EXTERNAL

Privacy through Pseudonymity in Mobile Telephony Systems

Understanding IMSI Privacy!

GSM. Course requirements: Understanding Telecommunications book by Ericsson (Part D PLMN) + supporting material (= these slides) GPRS

Femtocells: a Poisonous Needle in the Operator's Hay Stack

UNIT-5. GSM System Operations (Traffic Cases) Registration, call setup, and location updating. Call setup. Interrogation phase

GSM System Overview. Ph.D. Phone Lin.

Ghost Telephonist. Link Hijack Exploitations in 4G LTE CS Fallback. Yuwei ZHENG, Lin HUANG, Qing YANG, Haoqi SHAN, Jun LI

Mobile network security report: Ukraine

GSM Sniffing with OsmocomBB. Joshua Pereyda

Femtocells: a Poisonous Needle in the Operator's Hay Stack

GSM System Protocol Architecture

Mobile Security Fall 2013

WIRELESS SYSTEM AND NETWORKING

Abusing Calypso phones

Mobility and Security Management in the GSM System

GSM security country report: Estonia

Mobile Security Fall 2012

Mobile Security / /

Communication Networks 2 Signaling 2 (Mobile)

Ghost Telephonist. Link Hijack Exploitations in 4G LTE CS Fallback. Yuwei ZHENG, Lin HUANG, Qing YANG, Haoqi SHAN, Jun LI

Mobile Communications

Cellular Communication

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

GSM security country report: Thailand

Basics of GSM in depth

GPRS System Architecture

Femtocells: a Poisonous Needle in the Operator's Hay Stack

Chapter 3 GSM and Similar Architectures

Pertemuan 7 GSM Network. DAHLAN ABDULLAH

General Packet Radio Service (GPRS) 13 年 5 月 17 日星期五

Section 4 GSM Signaling BSSMAP

CHAPTER 4 SYSTEM IMPLEMENTATION 4.1 INTRODUCTION

GSM Open-source intelligence

Analysis of privacy in mobile telephony systems

GPRS security. Helsinki University of Technology S Security of Communication Protocols

Shadow Phone and Ghost SIM: A Step Toward Geolocation Anonymous Calling. Gerard Lawrence Pinto

Network Security: Cellular Security. Tuomas Aura T Network security Aalto University, Nov-Dec 2013

UNIK4230: Mobile Communications Spring Semester, Per Hj. Lehne

GPRS Intercept: Wardriving your country. Karsten Nohl, Luca Melette,

Mobile Security Fall 2014

3GPP TR V8.0.0 ( )

INSTITUTO DE MATEMÁTICA E ESTATÍSTICA UNIVERSIDADE DE SÃO PAULO. GSM Security. MAC Computação Móvel

Security of Cellular Networks: Man-in-the Middle Attacks

Cellular Mobile Systems and Services (TCOM1010) GSM Architecture

FROM GSM TO LTE-ADVANCED: AN INTRODUCTION TO MOBILE NETWORKS AND MOBILE BROADBAND 2. GENERAL PACKET RADIO SERVICE (GPRS) AND EDGE

Femtocell: Femtostep to the Holy Grail

Femtocells : Inexpensive devices to test UMTS security

Advanced Security for Systems Engineering VO 10: Mobile Applications

Dimensioning, configuration and deployment of Radio Access Networks. part 1: General considerations. Mobile Telephony Networks

Security functions in mobile communication systems

Advanced Computer Networks Exercise Session 4. Qin Yin Spring Semester 2013

Part IV: GPRS Interfaces

Taking Over Telecom Networks

Securing SMS of a GSM Network Message Center Using Asymmetric Encryption Technique Algorithm.

Design of a Routing Mechanism to Provide Multiple Mobile Network Service on a Single SIM Card Boobalan. P, Krishna. P, Udhayakumar. P, Santhosh.

Wireless Communications

Mobile Security Fall 2015

GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier

3GPP TS V6.6.0 ( )

UMTS Addresses and Identities Mobility and Session Management

End-to-end IP Service Quality and Mobility - Lecture #5 -

Contents. GSM and UMTS Security. Cellular Radio Network Architecture. Introduction to Mobile Telecommunications

Designing Authentication for Wireless Communication Security Protocol

GSM Security Overview

3GPP TS V9.4.0 ( )

3GPP TS V ( )

Osmocom Callular Infrastructure Roadmap. Harald Welte

Eavesdropping on and decrypting of GSM communication using readily available low-cost hardware and free open-source software in practice

TELE4652 Mobile and Satellite Communication Systems

Wireless and Mobile Network Architecture

E3-E4 (CM MODULE) CDMA x & EV-DO. For internal circulation of BSNL only

Mobile Security Fall 2013

EUROPEAN ETS TELECOMMUNICATION November 1996 STANDARD

Practical Operator Considerations Cellular Analog Cellular Rogue Base Station Tumbling Cloning

UMTS System Architecture and Protocol Architecture

ETSI TS V4.0.1 ( )

LTE Network Automation under Threat

Information Technology Mobile Computing Module: GSM Handovers

Efficient GSM Authentication and Key Agreement Protocols with Robust User Privacy Protection

ETSI TS V5.0.0 ( )

Telephony Fraud and Abuse. Merve Sahin

Telecoms: Generational Evolution of Attack Surfaces. HITB Beijing 2018

ETSI TS V6.3.0 ( )

ETSI TS V7.1.0 ( )

ETSI TS V7.0.0 ( )

Semi-Active GSM Monitoring System SCL-5020SE

Understanding Carrier Wireless Systems

E2-E3: CONSUMER MOBILITY. CHAPTER-5 CDMA x OVERVIEW (Date of Creation: )

WELCOME Mobile Applications Testing. Copyright

Chapter 3: GSM Mobility Management

How to hack your way out of home detention!

GSM Mobility Management

Questioning the Feasibility of UMTS GSM Interworking Attacks

Virtual Coverage In Rural Environments

Interworking Internet Telephony and Wireless

United States Patent (19) Boltz et al.

COMP327 Mobile Computing Session: Lecture Set 5 - Wireless Communication Part 2

Security Philosophy. Humans have difficulty understanding risk

Transcription:

Berlin Institute of Technology FG Security in Telecommunications Weiss Attacking Mobile-Terminated Services in GSM TelcoSecDay 2013 Nico Golde, Kevin Redon, Heidelberg, March 12th 2013 nico@sec.t-labs.tu-berlin.de

Agenda GSM architecture introduction Introduction to mobile paging Attacking paging Attacking large areas Conclusions 2

GSM wut?! protocol necrophilia? GSM has been beaten almost to death ;) Still one of the most relevant mobile telephony standards! Problems may affect other protocols: 3G, LTE, It's fun to play with radio! 3

GSM network infrastructure (simplified) 4

Introduction to paging Paging Channel (PCH) broadcast downlink channel on the CCCH PCH used by network for service notification Paging message carries Mobile Identity (TMSI/IMSI) Each phone compares its identity and reacts Again, this information is broadcast! Can we abuse this knowledge? ;D CC by 2.0 Denis Apel 5

Mobile Terminated (MT) service delivery Mobile phones idle most of the time not in constant contact with the network saves battery So which BTS should transmit the signal? Mobile networks needs to determine the phone's location Visitor Location Register (VLR) handles subscribers that are within a specific geographical area 6

Mobile Terminated service delivery cont. What happens when you call or text someone? Query last known responsible VLR/MSC HLR phone BSC BTS MSC VLR 7

Mobile Terminated service delivery cont. What happens when you call or text someone? Contact MSC/VLR HLR phone BSC BTS MSC VLR 8

Mobile Terminated service delivery cont. What happens when you call or text someone? Query location area HLR phone BSC BTS MSC VLR 9

Mobile Terminated service delivery cont. What happens when you call or text someone? Paging message HLR phone BSC BTS MSC VLR 10

Mobile Terminated service delivery cont. What happens when you call or text someone? Paging command to all BTSs in the area HLR phone BSC BTS MSC VLR 11

Mobile Terminated service delivery cont. What happens when you call or text someone? Paging request from all BTSs in the area HLR phone BSC BTS MSC VLR 12

Mobile Terminated service delivery cont. Paging request on the PCH phones BTS 13

Mobile Terminated service delivery cont. Paging request on the PCH DEADBEEF == identity? phones BTS 14

Mobile Terminated service delivery cont. Paging request on the PCH DEADBEEF == identity? phones Initial channel request (RACH) BTS 15

Mobile Terminated service delivery cont. Paging request on the PCH DEADBEEF == identity? phones Initial channel request (RACH) BTS Immediate Assignment (AGCH) 16

Mobile Terminated service delivery cont. Paging request on the PCH DEADBEEF == identity? phones Initial channel request (RACH) BTS Immediate Assignment (AGCH) Tune to allocated channel 17

Mobile Terminated service delivery cont. Paging request on the PCH DEADBEEF == identity? phones Initial channel request (RACH) BTS Immediate Assignment (AGCH) Tune to allocated channel Paging response message (SDCCH) 18

Mobile Terminated service delivery cont. Paging request on the PCH DEADBEEF == identity? phones Initial channel request (RACH) BTS Immediate Assignment (AGCH) Tune to allocated channel Paging response message (SDCCH) Authentication, Ciphering, Service Delivery 19

Hijacking the service? Evil hackers can't just impersonate subscribers here Well more on that later... Authentication and cipher information stored on the SIM card But what happens if we respond with wrong information or not at all? channels are dropped, no service delivered (call, SMS) :( 20

Paging Attack We have a race condition! GSM protocols are driven by complex state machines State changes after: Receiving paging response Channel dropping Can we respond to other peoples paging messages? Can we do that faster? Will the network expect a 2nd paging response? We could do that from any BTS in the same area! 21

Paging Attack - What exactly is fast? Speed influences by many things Weather Radio signal quality Network saturation. But mostly the baseband implementation! Layer{1,2,3} queuing and scheduling 22

Paging Attack implementing a fast baseband Free Software/Open Source mobile baseband firmware: OsmocomBB Runs on cheap hardware (e.g. cheap Motorola C123) Mobile phone application exists (but runs on PC!) not fast at all :/ Completely implemented as Layer1 firmware Ported Layer2/Layer3 to Layer1 Runs solely on the phone very fast Listens to messages on the PCH Can react to IMSIs/TMSIs or TMSI ranges Sends paging response messages Performs invalid ciphering/auth 23

Paging Attack - Measuring paging response speed Relevant baseband stacks: Qualcomm, Intel (Infineon), Texas Instruments, ST-Ericsson, Renesas (Nokia), Marvell, Mediatek USRP + Modified OpenBTS version logs: Time for Paging Request Channel request Time for Paging Request Paging response Hookup phones to test BTS Send 200 SMS to each phone Measure 24

Paging Attack - How fast is the average phone? Time measurements for each baseband 25

Paging Attack - Practice results OsmocomBB layer23 (modified mobile application) is too slow Small layer1 only implementation can win the race! DoS against Mobile Terminated services Tested all German operators: Vodafone O2 (Telefonica) E-Plus T-Mobile all vulnerable to this attack E-Plus MVNO 26

DEMO DoS 27

Getting victim mobile identities You don't necessarily have to (why not just react to every paging?) Network paging with IMSIs: 3rd party HLR lookups provide number IMSI mapping For TMSIs: Monitor PCH with OsmocomBB phone Call victim, drop call early (3.7 seconds on O2) phone will not ring, but being paged! Or use silent SMS Rinse and repeat Evaluate monitored data Location leaks over the GSM air interface, Kune et al., NDSS 2012 Wideband GSM Sniffing, Munaut & Nohl, 2010 28

Hijacking delivery Encryption We need Kc for encrypted communication! Some networks use A5/0 No encryption Some networks use A5/2 Broken (1999) Most use A5/1 Broken (e.g. 26C3/27C3) Kraken + OsmocomBB phones/airprobe can crack session key (Kc) in seconds Not many A5/3 networks due to phone implementations 29

Paging Attack cont. Authentication 50% of networks authenticate MT (SMS/call) 10% of the time (referring to Security Research Labs) Operators care about MO because of billing! However, MT indirectly affects billing Most MT service deliveries not authenticated Incomplete authentication allows MT hijacking Our code can handle a known session key/encryption Julien Tromeur 30

DEMO Hijacking SMS 31

Broken Authentication - O2 When receiving authentication request, attacker does not respond When victim does, attacker channel also authenticated next step is ciphering Network seems to only know about authenticated subscriber Not authenticated channel! Phone's can easily be forced to authenticate by causing paging ;) 32

Attacking large areas VLRs handle larger geographical areas (Location Area) Paging broadcasted on all BTSs for that area we don't need to camp on the same BTS Respond to all paging requests faster for Location Area DoS to all subscribers in that area 33

How large is a Location Area? Location Area Code broadcast on the BCCH 2 people + GPS loggers + OsmocomBB cell_log phones + car :) 34

Location Areas Berlin/Vodafone 35

Attacking Location Areas cont. Non-city LAs larger (and fewer) than for cities Seen 1000 km^2 Location Areas are huge even in cities! 100 500 km^2 in Berlin Cover whole city districts For Mobile Terminated: Paging DoS way more effective than jamming Feasibility depends on paging activity 36

Attacking Location Areas - Activity We can camp on location areas and log paging Measured all 4 operators over 24 hours, same time and location 37

DoS + Paging activity reduction Paging attack stops initial service delivery We don't want to answer every time in the future IMSI DETACH attack by Sylvain Munaut Phone detach signal to network Mobile Terminated services not delivered until re-attach Detach message contains mobile identity send paging response, send detach message watch paging reducing over time 38

Attacking Location Areas cont. For a small operator (E-Plus) 415 TMSIs in paging / minute Vodafone even 1200! (But paging twice) We are not that fast! Resynchronization takes time Paging response is on a dedicated channel PCH not visible during attack Definitely not feasible with one phone 39

Attacking Location Areas cont. These phones are cheap though (5-20 ) 40

Conclusions Attacking single subscribers and Location Areas is practical! MT services need 100% authentication Active attackers (malicious phones) need to be considered by standardization bodies 41

Conclusions Attacking single subscribers and Location Areas is practical! MT services need 100% authentication Active attackers (malicious phones) need to be considered by standardization bodies 42

Thank you for your attention! Also thanks to these people: Dmitry Nedospasov Dieter Spaar Holger Freyther Harald Welte Tobias Engel Osmocom community! Disclaimer: Don't do this at home... or only with your own SIM cards! 43

Questions? (Uncleaned) source code available: http://tinyurl.com/fun-with-paging Apply on osmocom changeset 4f0acac4c1fa538082f54cb14bef0841aa9c8abb Mail: nico@sec.t-labs.tu-berlin.de Twitter: @iamnion 44

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback