Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks
Laurent ‘kabel’ Weber
Motivation
Until now it has been really hard for security researchers to dig into GSM security topics. This has been slowly changing because of tools like the USRP. However, there is no other tool available to perform these kinds of security tests. Hence the research.
Structure of a GSM network
Scapy
Scapy is a powerful interactive packet manipulation program, built on the Python interpreter. Scapy makes it simple to add new protocols.
- Generate Packets
- Manipulate Packets
- Network Scanning
- Network Discovery
- Packet Sniffing
Philosophy
- Create the smallest valid messages possible (optional values are excluded)
  - Optional Information Elements (IEs)
  - Optional fields
- Every possible message can be created
  - Add IEs by setting them in code
- Scapy GSM-um allows us to:
  - Create Layer 3 messages on a command line
  - Send Layer 3 messages from BTS to MS
  - And from MS to BTS
  - Limited SMS support
Sending the message
Normally Scapy is able to send data directly out on the wire. This is not so easy with GSM.
- We need a method to send raw bytes to a device
- Added different sockets to Scapy:
  - UDP socket (e.g. USRP)
  - TCP socket (e.g. nanoBTS)
  - Unix Domain Socket (e.g. osmocomBB)
- Offers the most flexibility and is easy to use with your chosen hardware
Example message from testing phase
Performing a call
After testing messages using Scapy GSM-um and Wireshark, it was time to make a call.
>>> sendum ( setupMobileOriginated() )
>>> sendum ( connectAcknowledge() )
< LIVE CALL DEMO >
Classical Attacks
Well known and documented attacks.
De-registration Spoofing
IMSI DETACH INDICATION message
Most of the payload is already fixed by the specification, so there is no need (outside of fuzzing) to set these details. The only bytes that need to be supplied are the mobile identity.
Sending this will result in the targeted mobile being de-registered from the network. The mobile will still show as connected, but will not receive calls/texts, and any active calls are disconnected.
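To see what a monitor on the air interface would have to decode to notice such a detach, here is an added example (not code from the talk or from Scapy's gsm_um module) that parses an MM IMSI DETACH INDICATION down to the mobile identity it names. The layout is taken from 3GPP TS 04.08 (L3 header, Mobile Station Classmark 1, Mobile Identity IE in LV form); the frame bytes are constructed, and the classmark value 0x33 is an arbitrary sample.

```python
PD_MM = 0x05                      # Mobility Management protocol discriminator
MT_IMSI_DETACH_INDICATION = 0x01  # MM message type
IDENTITY_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def decode_mobile_identity(ie: bytes) -> dict:
    """Decode the value part of a Mobile Identity IE (TS 04.08 10.5.1.4)."""
    if not ie:
        raise ValueError("empty Mobile Identity")
    id_type = ie[0] & 0x07            # bits 3-1: type of identity
    odd = bool(ie[0] & 0x08)          # bit 4: odd number of digits
    if id_type == 4:                  # TMSI: 4 binary octets after the type octet
        if len(ie) != 5:
            raise ValueError("bad TMSI length")
        return {"type": "TMSI", "value": ie[1:].hex()}
    if id_type not in IDENTITY_TYPES:
        raise ValueError("unsupported identity type %d" % id_type)
    nibbles = [ie[0] >> 4]            # bits 8-5 of the first octet: digit 1
    for octet in ie[1:]:              # later octets: low nibble first, then high
        nibbles += [octet & 0x0F, octet >> 4]
    if not odd:                       # even digit count: last high nibble is 0xF filler
        if nibbles.pop() != 0x0F:
            raise ValueError("missing even-digit filler")
    if any(n > 9 for n in nibbles):
        raise ValueError("non-BCD digit")
    return {"type": IDENTITY_TYPES[id_type], "value": "".join(map(str, nibbles))}


def decode_imsi_detach(frame: bytes) -> dict:
    """Decode an IMSI DETACH INDICATION; raise ValueError for anything else."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    pd = frame[0] & 0x0F              # low nibble: protocol discriminator
    msg_type = frame[1] & 0x3F        # bits 7-8 are N(SD)/spare on MM messages
    if pd != PD_MM or msg_type != MT_IMSI_DETACH_INDICATION:
        raise ValueError("not an IMSI DETACH INDICATION")
    ie_len = frame[3]                 # Mobile Identity is LV: length, then value
    ie = frame[4:4 + ie_len]
    if not 1 <= ie_len <= 8 or len(ie) != ie_len:
        raise ValueError("bad Mobile Identity length")
    return {"classmark1": frame[2], "identity": decode_mobile_identity(ie)}


# Constructed sample: MM, IMSI DETACH INDICATION, classmark 0x33, IMSI 001010123456789
CONSTRUCTED_FRAME = bytes.fromhex("050133080910101032547698")

if __name__ == "__main__":
    print(decode_imsi_detach(CONSTRUCTED_FRAME))
```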
Authentication reject attack
Disconnects the targeted mobile from the network. The user will receive a “SIM card registration failed” message and will need to restart the phone to connect to a GSM network again.
< LIVE AUTHENTICATION REJECT ATTACK DEMO >
Novel Attacks
Attacks never done before on the GSM network. Attacks may be known, but not specifically applied to GSM.
State-machines in GSM
Available in the specification (04.08 sect. 5.1 for the MS side).
Test the correct behaviour of the implementation by sending correct messages, but in the incorrect order.
Call Clearing (work in progress)
Used to signal that one party in the conversation has hung up.
Idea: Make the remote end believe that you have hung up.
Goal: Maintain a connection although the second party thinks the line is inactive (eavesdropping).
Test cases to achieve this were built from valid packets, but it was not possible to achieve the desired effect.
There are more possible novel attacks that look promising
Source code
Now merged into Scapy
hg clone http://hg.secdev.org/scapy my-scap
Links:
- Extending Scapy by a GSM Air Interface –> Overview
- Scapy GSM-um how-to–> Link
- Extending Scapy by a GSM Air Interface Whitepaper –> PDF
- Extending Scapy by a GSM Air Interface Slides –> PDF
- Laurent ‘kabel’ Weber Twitter Feed –> Link
Thx for this nice article 🙂
Thanks for the good talk!