Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

DEEPSEC: Extending Scapy by a GSM Air Interface

Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks

Laurent ‘kabel’ Weber

Motivation

Until now it’s been really hard for security researchers to dig into GSM security topics. This has been slowly changing because of tools like the USRP. However there is no other tool available to perform these kind of security tests. Hence the research.

Structure of a GSM network

Scapy

Scapy is a powerful interactive packet manipulation program, using the Python interpreter as a basis. Scapy allows for new protocols to be simply added.

  • Generate Packets
  • Manipulate Packets
  • Network Scanning
  • Network Discovery
  • Packet Sniffing

Philosophy

  • Create smallest valid messages possible (Optional values are excluded)
    • Optional Information Elements (IE)
    • Optional fields
  • Every possible message can be created
  • Add IE’s by setting in code
  • Scapy GSM-um allow us to:
    • Create Layer 3 messages on a command line
    • Send Layer 3 messages from BTS to MS
    • And from MS to BTS
  • Limited SMS support

Sending the message

Normally Scapy is able to send data directly out on the wire. This is not so easy with GSM.

  • We need a method to send raw bytes to a device
  • Added different sockets to Scapy:
    • UDP socket (i.e USRP)
    • TCP socket (i.e nanoBTS)
    • Unix Domain Socket (i.e osmocomBB)
  • Offers most flexibility and easy to use with your chosen hardware

Example message from testing phase

Performing a call

After testing messages using Scapy GSM-um and Wireshark, it was time to make a call.
>>> sendum ( setupMobileOriginated() )
>>> sendum ( connectAcknowledge() )

< LIVE CALL DEMO >

Classical Attacks

Well known and documented attacks.

De-registration Spoofing

IMSI DETACH INDICATION message

Most of the payload is already set in the specification, so there is no need (outside of fuzzing) to set these details. The only bytes needed are the mobile identity.

Sending this will result in the mobile being targeted being de-registered from the network. The mobile will still show as connected, but will not receive calls/texts and any active calls are disconnected.

Authentication reject attack

Disconnects the targeted mobile form the network. The user will receive a “SIM card registration failed” message and will need to restart to connect to a GSM network.

< LIVE AUTHENTICATION REJECT ATTACK DEMO >

Novel Attacks

Attacks never done before on the GSM network. Attacks may be known, but not specifically applied to GSM.

State-machines in GSM

Available in the specification (04.08 sect. 5.1 for MS side)

Test the correct behaviour of the implementation by sending the correct messages but in the incorrect order

Call Clearing (work in progress)

Used to signal that one party on the conversation has hung-up

Idea: Make the remote end believe that you’ve hung-up

Goal: Maintain a connection although the second party things the line is inactive (eavesdropping)

Test cases to achieve this were built from valid packets, but it was not possible to achieve the desired effect

There are more possible novel attacks that look promising

Source code

Now merged into Scapy

hg clone http://hg.secdev.org/scapy my-scap

Links :

  • Extending Scapy by a GSM Air Interface –> Overview
  • Scapy GSM-um how-to–> Link
  • Extending Scapy by a GSM Air Interface Whitepaper –> PDF
  • Extending Scapy by a GSM Air Interface Slides –> PDF
  • Laurent ‘kabel’ Weber Twitter Feed –> Link
Advertisements

4 responses to “DEEPSEC: Extending Scapy by a GSM Air Interface

  1. kabel November 18, 2011 at 11:58

    Thx for this nice article 🙂

  2. ChrisJohnRiley November 18, 2011 at 12:45

    Thanks for the good talk!

  3. Pingback: First Press Coverage of DeepSec 2011 –

  4. Pingback: Week 46 In Review | 安全业界观察

%d bloggers like this: