Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks

Laurent ‘kabel’ Weber

Motivation

Until now it’s been really hard for security researchers to dig into GSM security topics. This has been slowly changing because of tools like the USRP. However there is no other tool available to perform these kind of security tests. Hence the research.

Structure of a GSM network

Scapy

Scapy is a powerful interactive packet manipulation program, using the Python interpreter as a basis. Scapy allows for new protocols to be simply added.

• Generate Packets
• Manipulate Packets
• Network Scanning
• Network Discovery
• Packet Sniffing

Philosophy

• Create smallest valid messages possible (Optional values are excluded)
• Optional Information Elements (IE)
• Optional fields
• Every possible message can be created
• Add IE’s by setting in code
• Scapy GSM-um allow us to:
• Create Layer 3 messages on a command line
• Send Layer 3 messages from BTS to MS
• And from MS to BTS
• Limited SMS support

Sending the message

Normally Scapy is able to send data directly out on the wire. This is not so easy with GSM.

• We need a method to send raw bytes to a device
• Added different sockets to Scapy:
• UDP socket (i.e USRP)
• TCP socket (i.e nanoBTS)
• Unix Domain Socket (i.e osmocomBB)
• Offers most flexibility and easy to use with your chosen hardware

Example message from testing phase

Performing a call

>>> sendum ( setupMobileOriginated() )
>>> sendum ( connectAcknowledge() )

< LIVE CALL DEMO >

Classical Attacks

Well known and documented attacks.

De-registration Spoofing

IMSI DETACH INDICATION message

Most of the payload is already set in the specification, so there is no need (outside of fuzzing) to set these details. The only bytes needed are the mobile identity.

Sending this will result in the mobile being targeted being de-registered from the network. The mobile will still show as connected, but will not receive calls/texts and any active calls are disconnected.

Authentication reject attack

Disconnects the targeted mobile form the network. The user will receive a “SIM card registration failed” message and will need to restart to connect to a GSM network.

< LIVE AUTHENTICATION REJECT ATTACK DEMO >

Novel Attacks

Attacks never done before on the GSM network. Attacks may be known, but not specifically applied to GSM.

State-machines in GSM

Available in the specification (04.08 sect. 5.1 for MS side)

Test the correct behaviour of the implementation by sending the correct messages but in the incorrect order

Call Clearing (work in progress)

Used to signal that one party on the conversation has hung-up

Idea: Make the remote end believe that you’ve hung-up

Goal: Maintain a connection although the second party things the line is inactive (eavesdropping)

Test cases to achieve this were built from valid packets, but it was not possible to achieve the desired effect

There are more possible novel attacks that look promising

Source code

Now merged into Scapy

hg clone http://hg.secdev.org/scapy my-scap

Links :

• Extending Scapy by a GSM Air Interface –> Overview
• Scapy GSM-um how-to–> Link
• Extending Scapy by a GSM Air Interface Whitepaper –> PDF
• Extending Scapy by a GSM Air Interface Slides –> PDF
• Laurent ‘kabel’ Weber Twitter Feed –> Link