Base Jumping. Attacking the GSM baseband and base station

Size: px

Start display at page:

Download "Base Jumping. Attacking the GSM baseband and base station"

Alexandrina Todd
7 years ago
Views:

1 Base Jumping Attacking the GSM baseband and base station

2 Overview GSM Base Station Base Band Conclusion 2

3 GSM: The Protocol 3

4 Documents Dozens of docs Thousands of pages Important one (defines L3) GSM

5 5

6 6

7 Logical Channels Broadcast Channels (BCH) Broadcast Control Channel (BCCH) Frequency Correction Channel (FCCH) Synchronization Channel (SCH) Cell Broadcast Channel (CBCH) 7

8 Logical Channels, cont. Common Control Channels (CCCH) Paging Channel (PCH) Random Access Channel (RACH) Access Grant Channel (AGCH) 8

9 Logical Channels, cont. Standalone Dedicated Control Channel (SDCCH) Associated Control Channel (ACCH) Fast Associated Control Channel (FACCH) Slow Associated Control Channel (SACCH) 9

10 GSM Channels Opening a channel is slow Can take seconds Specific channels for specific uses 10

11 Opening a channel 11

12 12

13 RACH 12

14 RACH AGCH 12

15 RACH AGCH LCH 12

16 13

17 PCH 13

18 PCH RACH 13

19 PCH RACH AGCH 13

20 PCH RACH AGCH LCH 13

21 ARFCN MSC BSC BTS MS BTS 14

22 Mobile Station MS Mobile Station Controller MSC Base Station Controller BSC Base Transceiver Station BTS Base Station Sub-System BSS 15

23 VLR HLR MSC BSS MS 16

24 Mobile Identifiers 17

25 18

26 IMSI 18

27 IMSI IMEI 18

28 IMSI IMEI 18

29 IMSI IMEI 18

30 IMSI IMEI 18

31 IMSI IMEI 18

32 IMSI IMEI 18

33 GSM Attacks 19

34 20

35 RACHell Request channel allocation Flood the BSS with requests First announced by Dieter Spaar at DeepSec Prevent everyone from using that cell 21

36 RACHell 22

37 RACHell 22

38 RACHell 22

39 RACHell 22

40 RACHell 22

41 RACHell 22

42 RACHell? 22

43 23

44 Our Target 23

45 Demo - RACHell 24

46 IMSI Flood Send IMSI ATTACH messages pre-authentication Overload the HLR/VLR infrastructure Prevent everyone using the network 25

47 IMSI Flood 26

48 IMSI Flood 26

49 IMSI Flood 26

50 IMSI Flood 26

51 IMSI Flood 26

52 IMSI Flood 26

53 IMSI Flood 26

54 IMSI DETACH Send multiple Location Update Requests including a spoofed IMSI Unauthenticated Prevent SIM from receiving calls and SMS Discovered by Sylvain Munaut 27

55 IMSI DETACH 28

56 IMSI DETACH 28

57 IMSI DETACH 28

58 IMSI DETACH 28

59 IMSI DETACH 28

60 IMSI DETACH 28

61 IMSI DETACH 28

62 How hard to get an IMSI? 29

63 Baseband Fuzzing 30

64 How to make a smartphone + = 31

65 Two separate computers 32

66 Two separate computers 32

67 Baseband Controls the radio Separate CPU and code base RTOS Written in C Typically legacy code base (decades) 33

68 GSM Frame Delivery OpenBTS + XML-RPC lch_open(char * IMSI) lch_send(int fd, char *buf, size_t len) lch_recv(int fd, char *buf, size_t len) lch_close(int fd) 34

69 GSM Fuzzing Framework USRP + OpenBTS for delivery GSM900 band BugMine case generation & mutation No Instrumentation Very bad visibility on bugs 35

70 Coseinc GSM FuzzFarm Targetting iphone HTC (Android) Palm Pre Blackberry Nokia 36

71 37

72 38

73 Conclusion 39

74 GSM Trouble GSM is no longer a walled garden GSM spec has security problems Expect many more issues as OSS reduces costs for entry 40

75 Future work More GSM stack fuzzing Next gen protocol stacks 41

76 Thanks to Harald Welte, Osmocom-bb & OpenBTS 42

77 Questions? 43

GSM LOGICAL CHANNELS

GSM LOGICAL CHANNELS There are two types of GSM logical channels 1. Traffic Channels (TCHs) 2. Control Channels (CCHs) Traffic channels carry digitally encoded user speech or user data and have identical