Base Jumping. Attacking the GSM baseband and base station




Slide 1: Base Jumping. Attacking the GSM baseband and base station
grugq@coseinc.com

Slide 2: Overview
  GSM
  Base Station
  Base Band
  Conclusion

Slide 3: GSM: The Protocol

Slide 4: Documents
  Dozens of docs, thousands of pages
  The important one (defines L3): GSM 04.08

Slides 5-6: (figures only, no text)

Slide 7: Logical Channels
  Broadcast Channels (BCH)
    Broadcast Control Channel (BCCH)
    Frequency Correction Channel (FCCH)
    Synchronization Channel (SCH)
    Cell Broadcast Channel (CBCH)

Slide 8: Logical Channels, cont.
  Common Control Channels (CCCH)
    Paging Channel (PCH)
    Random Access Channel (RACH)
    Access Grant Channel (AGCH)

Slide 9: Logical Channels, cont.
  Standalone Dedicated Control Channel (SDCCH)
  Associated Control Channel (ACCH)
    Fast Associated Control Channel (FACCH)
    Slow Associated Control Channel (SACCH)

Slide 10: GSM Channels
  Opening a channel is slow; it can take seconds
  Specific channels for specific uses

Slide 11: Opening a channel

Slide 12: (sequence diagram) RACH -> AGCH -> LCH

Slide 13: (sequence diagram) PCH -> RACH -> AGCH -> LCH

Slide 14: (network diagram: MS, BTS, BSC, MSC; ARFCN between MS and BTS)

Slide 15: Acronyms
  MS: Mobile Station
  MSC: Mobile Station Controller
  BSC: Base Station Controller
  BTS: Base Transceiver Station
  BSS: Base Station Sub-System

Slide 16: (architecture diagram: MS, BSS, MSC, HLR, VLR)

Slide 17: Mobile Identifiers

Slide 18: IMSI, IMEI

Slide 19: GSM Attacks

Slide 20: (figure only, no text)

Slide 21: RACHell
  Request channel allocation
  Flood the BSS with requests
  First announced by Dieter Spaar at DeepSec
  Prevents everyone from using that cell

Slide 22: RACHell (sequence diagram, built up step by step; final step titled "RACHell?")

Slide 23: Our Target

Slide 24: Demo - RACHell

Slide 25: IMSI Flood
  Send IMSI ATTACH messages pre-authentication
  Overload the HLR/VLR infrastructure
  Prevents everyone from using the network

Slide 26: IMSI Flood (sequence diagram, built up step by step)

Slide 27: IMSI DETACH
  Send multiple Location Update Requests including a spoofed IMSI
  Unauthenticated
  Prevents the SIM from receiving calls and SMS
  Discovered by Sylvain Munaut

Slide 28: IMSI DETACH (sequence diagram, built up step by step)
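The three signalling attacks on slides 21, 25 and 27 (RACH flood, IMSI ATTACH flood, repeated unauthenticated Location Update Requests for a spoofed IMSI) all leave a footprint in BSS/core signalling logs, and a network operator can watch for them. The following detection pass is an added example, not code from the talk or from OpenBTS/Osmocom. It assumes a constructed log format, '<seconds> <cell> <event> [imsi=<digits>]', with the event names CHAN_REQ, IMSI_ATTACH, LU_REQ and AUTH_OK and the thresholds chosen here; real BSC/MSC products log differently, so the parser is the part to adapt. The sample log is constructed inline and uses the test PLMN 001-01.

```python
from collections import Counter, defaultdict
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    t: int              # seconds since start of the log
    cell: str           # cell identifier
    kind: str           # CHAN_REQ | IMSI_ATTACH | LU_REQ | AUTH_OK (assumed names)
    imsi: Optional[str]  # present only for subscriber-level events


def parse_log(text: str) -> List[Event]:
    """Parse the constructed line format '<t> <cell> <event> [imsi=<digits>]'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        imsi = None
        for field in parts[3:]:
            if field.startswith("imsi="):
                imsi = field[len("imsi="):]
        events.append(Event(int(parts[0]), parts[1], parts[2], imsi))
    return events


def rach_flood(events: List[Event], threshold: int = 20) -> List[Tuple[str, int]]:
    """RACHell footprint: (cell, second) pairs where the number of channel
    requests seen on the RACH exceeds what a cell normally carries."""
    per_second = Counter((e.cell, e.t) for e in events if e.kind == "CHAN_REQ")
    return sorted(key for key, n in per_second.items() if n > threshold)


def attach_flood(events: List[Event], threshold: int = 10) -> List[Tuple[str, int]]:
    """IMSI Flood footprint: (cell, second) pairs where more distinct IMSIs
    attach than a cell would see from real subscribers."""
    distinct = defaultdict(set)
    for e in events:
        if e.kind == "IMSI_ATTACH" and e.imsi:
            distinct[(e.cell, e.t)].add(e.imsi)
    return sorted(key for key, s in distinct.items() if len(s) > threshold)


def unauthenticated_lu_repeats(events: List[Event], threshold: int = 3) -> List[str]:
    """IMSI DETACH footprint: IMSIs that send repeated Location Update Requests
    but never complete authentication (a spoofed IMSI cannot pass AUTH)."""
    lu_count = Counter(e.imsi for e in events if e.kind == "LU_REQ" and e.imsi)
    authenticated = {e.imsi for e in events if e.kind == "AUTH_OK"}
    return sorted(i for i, n in lu_count.items()
                  if n > threshold and i not in authenticated)


def build_sample_log() -> str:
    """Constructed sample: C1 is a normal cell, C2 sees a RACH burst at t=5,
    C3 sees an attach burst at t=7, and one IMSI is repeatedly
    'location-updated' without ever authenticating."""
    lines = []
    for t in range(10):                      # background: 3 channel requests/s
        lines.extend(f"{t} C1 CHAN_REQ" for _ in range(3))
    lines.append("2 C1 LU_REQ imsi=001010000000001")   # legitimate subscriber
    lines.append("2 C1 AUTH_OK imsi=001010000000001")
    lines.extend("5 C2 CHAN_REQ" for _ in range(50))   # RACH burst
    lines.extend(f"7 C3 IMSI_ATTACH imsi=0010100000001{n:02d}" for n in range(15))
    lines.extend(f"{t} C1 LU_REQ imsi=001010000000099" for t in range(4, 9))
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_log(build_sample_log())
    print("RACH flood at:", rach_flood(evts))
    print("Attach flood at:", attach_flood(evts))
    print("Unauthenticated LU repeats:", unauthenticated_lu_repeats(evts))
```

The three checks are deliberately independent: a RACH flood is visible at the BTS before any identity is known, an attach flood is visible only once IMSIs are sent, and the spoofed-IMSI pattern needs the authentication outcome from the core, so in practice each would be fed from a different log source.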

Slide 29: How hard to get an IMSI?

Slide 30: Baseband Fuzzing

Slide 31: How to make a smartphone (figure: ... + ... = ...)

Slide 32: Two separate computers

Slide 33: Baseband
  Controls the radio
  Separate CPU and code base
  RTOS, written in C
  Typically a legacy code base (decades old)

Slide 34: GSM Frame Delivery
  OpenBTS + XML-RPC

    lch_open(char *IMSI)
    lch_send(int fd, char *buf, size_t len)
    lch_recv(int fd, char *buf, size_t len)
    lch_close(int fd)

Slide 35: GSM Fuzzing Framework
  USRP + OpenBTS for delivery
  GSM900 band
  BugMine case generation & mutation
  No instrumentation: very bad visibility on bugs

Slide 36: Coseinc GSM FuzzFarm
  Targeting: iPhone, HTC (Android), Palm Pre, BlackBerry, Nokia

Slides 37-38: (figures only, no text)

Slide 39: Conclusion

Slide 40: GSM Trouble
  GSM is no longer a walled garden
  The GSM spec has security problems
  Expect many more issues as OSS reduces the cost of entry

Slide 41: Future work
  More GSM stack fuzzing
  Next-gen protocol stacks

Slide 42: Thanks to Harald Welte, Osmocom-bb & OpenBTS

Slide 43: Questions?