Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: GSM

DEEPSEC: Extending Scapy by a GSM Air Interface

Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks

Laurent ‘kabel’ Weber

Motivation

Until now it’s been really hard for security researchers to dig into GSM security topics. This has been slowly changing because of tools like the USRP. However there is no other tool available to perform these kind of security tests. Hence the research.

Structure of a GSM network

Scapy

Scapy is a powerful interactive packet manipulation program, using the Python interpreter as a basis. Scapy allows for new protocols to be simply added.

  • Generate Packets
  • Manipulate Packets
  • Network Scanning
  • Network Discovery
  • Packet Sniffing

Philosophy

  • Create smallest valid messages possible (Optional values are excluded)
    • Optional Information Elements (IE)
    • Optional fields
  • Every possible message can be created
  • Add IE’s by setting in code
  • Scapy GSM-um allow us to:
    • Create Layer 3 messages on a command line
    • Send Layer 3 messages from BTS to MS
    • And from MS to BTS
  • Limited SMS support

Sending the message

Normally Scapy is able to send data directly out on the wire. This is not so easy with GSM.

  • We need a method to send raw bytes to a device
  • Added different sockets to Scapy:
    • UDP socket (i.e USRP)
    • TCP socket (i.e nanoBTS)
    • Unix Domain Socket (i.e osmocomBB)
  • Offers most flexibility and easy to use with your chosen hardware

Example message from testing phase

Performing a call

After testing messages using Scapy GSM-um and Wireshark, it was time to make a call.
>>> sendum ( setupMobileOriginated() )
>>> sendum ( connectAcknowledge() )

< LIVE CALL DEMO >

Classical Attacks

Well known and documented attacks.

De-registration Spoofing

IMSI DETACH INDICATION message

Most of the payload is already set in the specification, so there is no need (outside of fuzzing) to set these details. The only bytes needed are the mobile identity.

Sending this will result in the mobile being targeted being de-registered from the network. The mobile will still show as connected, but will not receive calls/texts and any active calls are disconnected.

Authentication reject attack

Disconnects the targeted mobile form the network. The user will receive a “SIM card registration failed” message and will need to restart to connect to a GSM network.

< LIVE AUTHENTICATION REJECT ATTACK DEMO >

Novel Attacks

Attacks never done before on the GSM network. Attacks may be known, but not specifically applied to GSM.

State-machines in GSM

Available in the specification (04.08 sect. 5.1 for MS side)

Test the correct behaviour of the implementation by sending the correct messages but in the incorrect order

Call Clearing (work in progress)

Used to signal that one party on the conversation has hung-up

Idea: Make the remote end believe that you’ve hung-up

Goal: Maintain a connection although the second party things the line is inactive (eavesdropping)

Test cases to achieve this were built from valid packets, but it was not possible to achieve the desired effect

There are more possible novel attacks that look promising

Source code

Now merged into Scapy

hg clone http://hg.secdev.org/scapy my-scap

Links :

  • Extending Scapy by a GSM Air Interface –> Overview
  • Scapy GSM-um how-to–> Link
  • Extending Scapy by a GSM Air Interface Whitepaper –> PDF
  • Extending Scapy by a GSM Air Interface Slides –> PDF
  • Laurent ‘kabel’ Weber Twitter Feed –> Link
Advertisements

DEEPSEC: SMS Fuzzing – SIM Toolkit Attack

SMS Fuzzing – SIM Toolkit Attack

Bogdan Alecu

SMS is a unique mobile attack vector as it is an always on service. Regardless of wether or not you’re using another application, an SMS can be received by the phone. As SMS is enabled by default on all phones it provides many interesting possibilities.

Tools Used

  • PDUSpy
    • Used to decode the binary message
  • Nokia 3300
    • Used for capturing
    • F-BUS cable
  • dct3tap
  • Wireshark
    • GSMTAP and SIMCARD patches
  • Gemalto GemPC SIM Card reader

SIM Application Toolkit

Provides value added services for the mobile operators.
Basically a set of commands written on the SIM card which helps the card to communicate with the mobile device.
We are particularly interested in the following data on the SIM Card
  • Data download via SMS Point to Point

When this service is enabled, it instructs the mobile device to respond to short message with varying protocol identifiers. This allows an attacker to send a message that goes straight to the SIM and is not shown to the user (the screen may light up on set phones).

By setting the second byte it is possible to trigger a delivery report. Setting the acknowledgement receipt via DELIVERY REPORT can result in any further messages being queued up until after the initial message expires (time out dependent on provider).

The person receiving the call is charged for the Acknowledgement at the standard rate of the provider. This is involuntary as the person receiving the message receives no warning.

Problem reported as cve-2010-3612 (currently reserved)

Vulnerability tested on multiple phones incl Nokia, Samsung Galaxy S, ….

Impact

  • Works independently of the phone or GSM network
  • When sending the message between different networks or the same network it doesn’t have such a great financial impact
  • There are providers that allow you to spoof source numbers –> Think premium rate numbers

By spoofing the source address you can set a premium rate source (attacker owned) and have the credit stolen from a victims phone without notification.

Protection

  • Most protects require operator assistance.
  • Some mobile devices have the ability to ask the user about SIM actions (other than Nokia ?)
  • Use a SIM Card that has the service “data download via SMS Point to Point” deactivated or one without any Toolkit Application

Links :

  • SMS Fuzzing – SIM Toolkit Attack –> Overview
  • SMS Fuzzing – SIM Toolkit Attack Slides –> Link

Shmoocon 2011: Attacking 3G and 4G mobile telecommunications networks

Attacking 3G and 4G mobile telecommunications networks

Enno Rey, Rene Graf & Daniel Mende

 

No demos today due to shipping materials and the like. TSA don’t like big electronic devices being shipped after all.

Still, that doesn’t mean there was no practical research.

Fundamentals

Standards

In mobile telco world everything is standardized by 3GPP

  • 3GPP: collaboration between groups of telco standards orgs
  • 3GPP: standard structured as/bundled in releases
    • 1992: Phase 1
    • 2000: Release 99 (incl first spec of 3G UMTS)
    • 2008: Release 8

2 Elements. 1 facing the internet and the other facing the mobile network

4G Network

4G networks change the names and functions of some devices.

Transport Layer: UDP or SCTP (mostly)

There could be some TCP elements, but none that have been seen in this research.

Generic Packed Tunneling: GTP

All types of signaling:

  • S1AP
  • X2AP
  • GTP-C

Authentication: DIAMETER

Others:

  • L2TP
  • DSMIPv6

SCTP Overview

Stream Control Transmission Protocol

General purpose layer 4 protocol

Specified by the IETF

Uses elements from TCP and UDP to cover all required functionality of both.

SCTP – 4 way handshake

INIT – INIT ACK – COOKIE ECHO – COOKIE ACK

Several different RFCs covering SCTP (starting with RFC2960).

Current tools don’t work very well due to SCTP rewrites in RFC5206 and RFC4960

  • NMAP SCTP doesn’t work “in a satisfactory manner”
  • SCTPscan no long work

Attacks from within the mobile telco networks

  • Attacks from the backhaul networks
  • Attacks from the Core network
  • Attacks from Management networks

Backhaul networks

Mobile backhaul

Carries data from the RAN to the management network and back

4G specific requirement laid out by 3GPP

Includes

  • eNodeB
  • MME
  • SGW

Can be implemented with different technologies

Originally ATM (in the early years of GSM), PDH/SDH, IP/MPLS, “Hybrid Approach” offloading to DSL, Carrier Ethernet

4G Assumes gigabit connections between elements to give sufficient bandwidth (mainly ethernet based)

How to get into backhaul

Physical intrusion to some cage located “in the somewhere”

Get Access to the network segment

  • Microwave
  • DSL
  • Carrier Ethernet

4G Aggregates “dumb” BTS and BSC/RNC functions on the one device –> eNB is not dumb anymore!

Once your in, what to do!

Attacking components

  • 3G: SGSNm RNC, NodeB
  • 4G: MME, eNB, SAE.GW
  • Routers/Switches

Eavesdropping

  • Pretty much everything is unencrypted
  • 3GPP insists on using IPsec Gateways
    • Which operators implement this?
  • Some countries argue against this standard

ARP spoofing still works smoothly

  • Apparently not on the security radar!

4G ALL-IP approach comes in handy

Let’s get practical

These notes are from in lab testing (i.e no firewalls, IPsec, etc…)

Real world attacks may be different due to this!

“Standard attack approach” did not yield anything interesting

SCTP Scanning via nmap or SCTPscan showed nothing

Using custom SCTP scanning tool showed some open ports

  • some of those “obscure signaling protocols”

Fuzzing the protocols

After starting the fuzzing, things got really slow.

When checking the server was sending SCTP ABORT leading us to believe something had crashed!

The main function of the device was no longer available

It recovered after a few minutes

Changed scripts and continued to fuzz

Final result…. system went down!

Business impact?

 

The first field of the protocol was causing the device crash!

Targeted code was running in the kernel

All that glitters is not gold however!

This isn’t old code! It’s newly developed for 4G! Make your own conclusions…

<NDA>

Continued testing is planned to really find the impact of this and other issues.

</NDA>

Attacks from the internet

Public space might mean the terminal (not covered) or the internet

Some interfaces must be made available to entities outside the network

  • e.g. S8 on PDN-GW for roaming
  • 3G: SGSNs must be able to connect to GGSNs of other countries
  • Standards say: Use NDS (IPsec of equiv. security) for these cases
  • So GTP should never be visible from the internet

Reality check!

GTP

Used to carry IP-based data traffic between network elements. There is also some other elements

Variants: GTP-C, GTP-U, and GTP’

TEID

Tunnel Endpoint IDentifier

Not very random

Not protected

Reality is that scanning for GTP in the wild does find results.

GTP Echo mechanism (port 2123) can be used to discover real GTP speakers in the internet waiting for communications

GTP-scan.py will be released soon to show this!

Many of the systems listening on GTP ports are also listening on other ports (21, 22, 23, 80) !

Various countries, many in Europe.

Whois information points to major mobile operators in these countries.

So why would they do this?

Sometimes having a working network is more important than following the standards to the letter!

Conclusions

From what the research shows, it looks like many attacks are coming against these networks.

Walled telco gardens are disappearing

All IP in the future

Terminals are getting more and more powerful

Misconception that people don’t understand these complex IP landscapes

Links:

[BruCON] GSM security: fact and fiction

GSM security: fact and fiction (Fabian van den Broek)

  • $600 Billion dollar a year industry
  • SMS is the biggest cash cow of GSM providers
  • 90% of the population has coverage (more than has access to clean water)
  • 4.1 billion mobile users

BTS –> BSC –> MSC –> GMSC

Even if 2 cellphones are on the same BTS, calls are routed all the way up to the MSC and back down. This is due to billing and legal wiretaps.

Authentication

Providers are obviously more interested in strong authentication than strong encryption.

  • A3
  • A8
  • COMP128

Initial version of COMP128 was leaked and has been found to be vulnerable and is used on a majority of SIM cards. Newer versions of COMP128 haven’t yet been tested/broken. Many providers are now implementing their own authentication.

Encryption

  • A5/0 (unencrypted)
  • A5/1 (export grade)
  • A5/2
  • A5/3

A5/1 and A5/2 are stream ciphers with information only released under NDA. Information has been leaked about the ciphers and are thought to be totally broken.

A5/3 is a block cipher with information publicly released. A few theoretical attacks have been proposed, but most require large amounts of known text making them unrealistic.

Process

When a handset joins the providers network it sends it’s IMSI through to the GMSC which creates a number of keys and other random values (RAND, SRES, Kc) and sends them to the MSC to authenticate the handset using challenge response. Once the authentication is complete the MSC uses Kc to create an encrypted tunnel. At no point is anything other than the handset authenticated.

From that point forward calls are encrypted between the BTS and the handset using a session key.

Attacks

1) Eavesdropping

  • Capture Bursts
  • Decrypt captured bursts
  • Interpret

Capture

  • Capture a burst
  • “Guess contents”
  • Compute keystream
  • Look-up corresponding session key

Capturing the GSM communications has always been the hard part. Equipment to achieve this was always very costly. Software defined radio (USRP) has changed this however.

USRP + GNU Radio +Air Probe

Frequency hopping was implemented not as a security feature, but to ensure quality of calls (prevent users from being stuck on a single frequency with a bad signal). Depending on when encryption takes place, it could be that the frequency hoping is exposed in the clear. Mostly, frequency hoping information is agreed after encryption however.

Decrypt

A5/1 was reverse engineered in 1994 and a few theoretical attacks were discussed in academic circles. Since then more time/memory trade-offs have been discussed. Tables were announced at the CCC conference in 2008. These tables were abandoned mid-way through.

Current: Berlin set & Kraken

Interpret

  • GSMDecode (Airprobe)
  • Wreshark
  • OpenBTS / OpenBSC

2) MITM Attack

Attacker sits in the middle claiming to be the BTS of a specific provider. The numbers required for this advertising are openly known. As soon as a handset detects a stronger signal it will shift to the attacks GSM.

An attack can then sit in the middle of the Start Ciphering process to gather the required information to crack the keys.

Ingredients

  • BTS: OpenBTS / OpenBSC
  • Phone: OsmocomBB

Problems

  • Hopping problem
  • Time window
  • Detectable (if people are looking!)

Other possible ways to MITM!

OpenBTS to Asterisk (as demoed in Las Vegas at Defcon)

This cuts out the need to forward on communications to the real provider. However, only useful for outgoing calls. No way for the attacker to track incoming calls as the user is no longer on the real GSM network.

Plus points: It already works and has been proven

Hybrid attack between MITM and Eavesdropping

  • Capture challenge
  • Capture conversation
  • Fake BTS attack with challenge

Issue of hopping is still a problem.

3) Other Attacks

  • IMSI Catcher
  • Attack on other parts of the network
  • Nokia 1100 (fake?)
  • Locations revealed (GPS, needs more research)
  • DoS Attacks

IMSI catching is often used by police to track phones used by drug dealers. By doing this they can detect the IMSI of every phone used for interception.

Improvements

GSM will still be around for the next 20 years. 3G is still not broken, however research is still ongoing. However 4G is already rumored to be based on an AES based encryption.

Conclusion

GSM is broken, many attack possibilities. However attackers aren’t normally going after these problems. The weakest link is probably your phone

LINK: