blackhat dc 2011 perez-pico mobile attacks-slides
TRANSCRIPT
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 1/44
www.taddong.com
A practical attack against
GPRS/EDGE/UMTS/HSPAmobile data communications
David Perez
Jose Pico
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 2/44
Introduction
• It has been proved that GSM is vulnerableto multiple attacks (rogue base station,cryptographic, SMS, OTA, etc.)
• Rogue Base Station attacks have beendemonstrated before against GSM, e.g.:
– PRACTICAL CELLPHONE SPYING. Chris
Paget. DEF CON 18 (July 2010)http://www.defcon.org/html/defcon-18/dc-18-
speakers.html
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 3/44
Introduction
• Is it possible to extend these attacks toGPRS/EDGE, i.e., to mobile datatransmissions?
• If YES, what is the impact of such attack?
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 4/44
Introduction
• In this presentations we will show thatGPRS/EDGE is also vulnerable to roguebase station attacks, just like GSM
• We will describe:
– The vulnerabilities that make this attack possible
– The tools that can be used to perform the attack
– How to perform the attack
– How to extend this attack to UMTS
– What an attacker can gain from it
Objectives
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 5/44
GPRS/EDGE ARQUITECTURE
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 6/44
The vulnerabilities
• Lack of mutual authentication
• GEA0 support
• UMTSGPRS/EDGE fallback
Just like GSM
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 7/44
The threats
• How many people, organizations, or, ingeneral, entities, might be interested ineavesdropping and/or manipulating the
mobile data communications of otherentities, like competitors, nation enemies,etc?
• And how many of those potential attackingentities could dedicate a budget of$10,000 to this purpose?
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 8/44
The tools
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 9/44
The tools
We run all our testsinside a faraday
cage, to avoidemissions into thepublic air interface
(Um)
A real attacker won’t need this, but...
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 10/44
The tools
•Commercial BTS
•GSM/GPRS/EDGE capable
•Manufactured by ip.acccess(www.ipaccess.com)
• IP-over-Ethernet Abis
interface
ip.access nanoBTS
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 11/44
The tools
• GNU/Linux OS
• Uplink to the Internet
• Small netbook is enough
PC
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 12/44
The tools
• Awesome work from Harald Welte, DieterSpaar, Andreas Evesberg and Holger Freyther
• http://openbsc.osmocom.org/trac/
OpenBSC
“[OpenBSC] is a project aiming to create a Free Software,GPL-licensed Abis (plus BSC/MSC/HLR) implementation for
experimentation and research purpose. What this means:OpenBSC is a GSM network in a box software, implementingthe minimal necessary parts to build a small, self-containedGSM network.”
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 13/44
The tools
• Included in OpenBSC
• http://openbsc.osmocom.org/trac/wiki/osmo-sgsn
OsmoSGSN
“OsmoSGSN (also spelled osmo-sgsn when referring to theprogram name) is a Free Software implementation of the GPRSServing GPRS Support Node (SGSN). As such it implementsthe GPRS Mobility Management (GMM) and SM (SessionManagement). The SGSN connects via the Gb-Interface to the
BSS (e.g. the ip.access nanoBTS), and it connects via the GTPprotocol to a Gateway GPRS Support Node (GGSN) likeOpenGGSN”
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 14/44
The tools
• Started by: Jens Jakobsen
• Currently maintained by: Harald Welte
• http://sourceforge.net/projects/ggsn/
OpenGGSN
“OpenGGSN is a Gateway GPRS Support Node (GGSN). It isused by mobile operators as the interface between the Internet
and the rest of the mobile network infrastructure.”
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 15/44
The tools
• Capable of jamming the frequencybands assigned to UMTS/HSPA in aparticular location, while leaving theGSM/GPRS/EDGE bands undisturbed
Cell-phone jammer
“A mobile phone jammer is an instrumentused to prevent cellular phones from fromreceiving signals from base stations.When used, the jammer effectively
disables cellular phones.”[Source: Wikipedia]
Please note: even owning a jammer is illegal in some countries
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 16/44
The attack: initial setup
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 17/44
The attack: step 1
1 Cell characterization
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 18/44
The attack: step 2
2 Attacker starts emitting
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 19/44
The attack: step 3
3 Victim camps to rogue cell
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 20/44
The attack: step 4
Attacker gets full
MitM control of
victim’s data
communications
4
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 21/44
The attack in action
iPhone falls in the rogue base station trap
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 22/44
What happened?
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 23/44
Extending the attack to UMTS
How can we extend this attack to UMTS
devices?
Extending the attack to UMTS:
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 24/44
Extending the attack to UMTS:Simply add step 0
0 Jam UMTS band
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 25/44
The impact
Let us see what an attacker could gain
from the attack...
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 26/44
Leveraging the attack: example 1
Attacker sniffs a google search from an iPhone
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 27/44
What happened?
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 28/44
Leveraging the attack: example 2
Phising attack against an iPad (http version)
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 29/44
What happened?
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 30/44
Leveraging the attack: example 3
Phising attack against an iPad (https version)
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 31/44
What happened?
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 32/44
Leveraging the attack: example 4
Attacker takes over a Windows PC via GPRS/EDGE
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 33/44
What happened?
remote desktop
user / password
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 34/44
Leveraging the attack: example 5
Attacking a 3G Router in order to control the IP traffic of
all devices behind it
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 35/44
What happened?
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 36/44
Leveraging the attack: example 6
Attacking other GPRS/EDGE devices
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 37/44
What happened?
FTP
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 38/44
Defending ourselves
So, what can we do to protect our mobiledata communications?
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 39/44
Countermeasures
• Configure our mobile devices to only
accept 3G service, rejecting GPRS/EDGE
• Encrypt our data communications athigher layers (https, ssh, IPsec, etc.)
• Install and configure firewall software in
our mobile devices
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 40/44
Summing up (I)
A rogue base station attack against
GPRS/EDGE devices is totally feasible, just as it is against GSM devices
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 41/44
Summing up (II)
This kind of attack gives an attacker a
privileged position to launch IP-based attacks
against a GPRS/EDGE device...
...or even to attack the GPRS/EDGE stack itself
S i (III)
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 42/44
Summing up (III)
The attack can be extended to UMTS by
simply using a jammer
Effective against any 3G device configured to
fall back to GPRS/EDGE when UMTS is not
available
C l i
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 43/44
Conclusion
We must protect our GPRS/EDGE
mobile data communications:
• Know the vulnerabilities
• Evaluate the risks
• Take appropriate countermeasures
Th k !
8/11/2019 BlackHat DC 2011 Perez-Pico Mobile Attacks-Slides
http://slidepdf.com/reader/full/blackhat-dc-2011-perez-pico-mobile-attacks-slides 44/44
Thank you!
Jose Pico
David Perez