Femtocells: a Poisonous Needle in the Operator's Hay Stack
Ravishankar Borgaonkar, Nico Golde, Kévin Redon
Technische Universität Berlin, Security in Telecommunications [email protected]
HITB 2011, Kuala Lumpur, 13th October 2011



Agenda

- mobile telecommunication
- end-user attacks
- network attacks


UMTS architecture (complex)


UMTS architecture (simplified)


technology - femtocell context?!

What is a femtocell?
- a small access point
- connects the mobile phone to the 3G/UMTS network
- compatible with every UMTS enabled mobile phone
- small cell, with a coverage of less than 50m
- low power device
- easy to install: you only have to provide power and Internet access
- technical name in 3G: Home Node B (HNB)


customer advantages

advantages provided to users:
- can be installed at home to improve 3G coverage
- high bandwidth, and high voice quality
- location based services


operator advantages

advantages for mobile operators:
- traffic offload from public operator infrastructure ⇒ reduce expenditure
- cheap hardware compared to expensive 3G equipment
- no installation and maintenance cost
- IP connectivity


Home Node B Subsystem (HNS)


small cells


femtocell threats (as defined by 3GPP)

HNB threats listed by the 3GPP (group, threat number, threat, impact):

Compromise of H(e)NB Credentials
- 1: Compromise of H(e)NB authentication token by a brute force attack via a weak authentication algorithm (harmful)
- 2: Compromise of H(e)NB authentication token by local physical intrusion (harmful)
- 4: User cloning the H(e)NB authentication Token (very harmful)

Physical attacks on a H(e)NB
- 3: Inserting valid authentication token into a manipulated H(e)NB (harmful)
- 6: Booting H(e)NB with fraudulent software ("re-flashing") (up to disastrous)
- 8: Physical tampering with H(e)NB (harmful)
- 26: Environmental/side channel attacks against H(e)NB (harmful)

Attacks on Radio resources and management
- 21: Radio resource management tampering (harmful)

Protocol attacks on a H(e)NB
- 5: Man-in-the-middle attacks on H(e)NB first network access (very harmful)
- 15: Denial of service attacks against H(e)NB (annoying)
- 17: Compromise of an H(e)NB by exploiting weaknesses of active network services (extremely harmful)
- 25: Manipulation of external time source (harmful)
- 27: Attack on OAM and its traffic (very harmful)
- 28: Threat of H(e)NB network access (harmful)

Attacks on the core network, including H(e)NB location-based attacks
- 11: Changing of the H(e)NB location without reporting (harmful)
- 12: Software simulation of H(e)NB (very harmful)
- 13: Traffic tunnelling between H(e)NBs (very harmful)
- 14: Misconfiguration of the firewall in the modem/router (annoying)
- 16: Denial of service attacks against core network (annoying)
- 24: H(e)NB announcing incorrect location to the network (harmful)

User Data and identity privacy attacks
- 9: Eavesdropping of the other user's UTRAN or E-UTRAN user data (very harmful)
- 10: Masquerade as other users (very harmful)
- 18: User's network ID revealed to Home (e)NodeB owner (breaking users privacy)
- 22: Masquerade as a valid H(e)NB (very harmful)
- 23: Provide radio access service over a CSG (very harmful)

Configuration attacks on a H(e)NB
- 7: Fraudulent software update / configuration changes (extremely harmful)
- 19: Mis-configuration of H(e)NB (irritating to harmful)
- 20: Mis-configuration of access control list (ACL) or compromise of the access control list (irritating to harmful)


SFR femtocell

- sold by SFR (2nd biggest operator in France)
- cost: 99€ + mobile phone subscription
- hardware: ARM9 + FPGA for signal processing
- OS: embedded Linux kernel + proprietary services
- built by external vendors (in our case Ubiquisys), configured by operator


recovery procedure

- femtocells provide a recovery procedure
- similar to a factory reset
- new firmware is flashed, and settings are cleared
- used to "repair" the device without any manual intervention


recovery to fail

- firmware server is not authenticated
- public key is in parameter and firmware list, which is not signed

recovery procedure flaws
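
The flaw on this slide next to a pinned-key check, as an added example (not code from the talk or from the device firmware). The list layout, the function names and the textbook-RSA toy keys are assumptions made for illustration; a real updater would use a standard signature scheme with a key provisioned on the device.

```python
import hashlib
import json

E = 65537


def toy_keypair(p, q):
    """Textbook RSA from two known primes. Constructed toy key, NOT secure."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))


def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, d, n):
    return pow(digest_int(data, n), d, n)


def verify(data, sig, n):
    return pow(sig, E, n) == digest_int(data, n)


def canonical(body):
    return json.dumps(body, sort_keys=True).encode()


def build_list(image, n, d):
    """Firmware list as a server would publish it (hypothetical layout)."""
    body = {"image_sha256": hashlib.sha256(image).hexdigest(), "pubkey_n": n}
    return {"body": body, "image_sig": sign(image, d, n),
            "list_sig": sign(canonical(body), d, n)}


def accept_unpinned(fw_list, image):
    """Flawed pattern: the verification key is read from the same
    unauthenticated list it is supposed to protect."""
    n = fw_list["body"]["pubkey_n"]
    return verify(image, fw_list["image_sig"], n)


def accept_pinned(fw_list, image, pinned_n):
    """Hardened: the key is provisioned on the device, the list must be signed
    by it, and the image must match the hash inside the signed list."""
    body = fw_list["body"]
    if not verify(canonical(body), fw_list["list_sig"], pinned_n):
        return False
    return hashlib.sha256(image).hexdigest() == body["image_sha256"]


# Constructed sample data: a vendor key, and a second key held by someone else
VENDOR_N, VENDOR_D = toy_keypair(2**127 - 1, 2**89 - 1)
OTHER_N, OTHER_D = toy_keypair(2**107 - 1, 2**61 - 1)
GENUINE_IMAGE = b"vendor firmware image"
OTHER_IMAGE = b"substituted image"
GENUINE = build_list(GENUINE_IMAGE, VENDOR_N, VENDOR_D)
SUBSTITUTED = build_list(OTHER_IMAGE, OTHER_N, OTHER_D)

if __name__ == "__main__":
    for name, lst, img in (("genuine", GENUINE, GENUINE_IMAGE),
                           ("substituted", SUBSTITUTED, OTHER_IMAGE)):
        print(name, "unpinned:", accept_unpinned(lst, img),
              "pinned:", accept_pinned(lst, img, VENDOR_N))
```

The unpinned check accepts both lists because each one vouches for itself; the pinned check accepts only the list signed by the provisioned key.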


any attacks hmm?

WHAT NOW?


requirements

classical approach in GSM: IMSI-Catcher
- fake operator BTS (MCC/MNC)
- acts as MitM between operator and victim
- phone usually can't detect
- usually used to track and intercept communication

UMTS standard requires mutual authentication ⇒ GSM approach not working [1]

no devices acting as UMTS base station + code is available

[1] some attacks by using protocol downgrades are known


mutual authentication in the femtocell ecosystem

- in case of femtocell: mutual authentication also provided ⇒ but it's useless ☺
- mutual authentication is done with the home operator NOT with the actual cell
- ⇒ the femtocell forwards the authentication tokens
- ⇒ mutual authentication is performed even with a rogue device


getting the fish into the octopus' tentacles

How to build a 3G IMSI-Catcher:
- cell configuration is kindly provided as a feature of femtocells
- local cell settings stored in a proprietary database format
- some comfort provided ⇒ web interface

we can catch any phone user of any operator into using our box
- roaming subscribers are allowed by SFR

⇒ the femtocell is turned into a full 3G IMSI-Catcher


intercepting traffic

- proprietary IPsec client + kernel module (xpressVPN)
- multiple ways to decrypt IPsec traffic: NETLINK, ip xfrm state (not available on SFR box)
- we decided to hijack/parse ISAKMP messages passed via sendto(2) glibc wrapper
- voice data encapsulated in unencrypted RTP stream (AMR codec, stream format)


extracting voice

- LD_PRELOAD ipsec user-space program to hijack sendto() and extract keys
- pass key material to host running tcpdump
- decrypt ESP packets
- extract RTP stream (rtpbreak)
- opencore-based (nb) utility to extract AMR and dump to WAV


demo time

DEMONSTRATION

interception


but what about over-the-air encryption?

only the phone ⇔ femtocell OTA traffic is encrypted ⇒ encryption/decryption happens on the box

femtocell acts as a combination of RNC and Node-B: receives cipher key and integrity key from the operator for OTA encryption

reversing tells us: message is SECURITY MODE COMMAND (unspecified RANAP derivate), which includes the keys


SECURITY MODE COMMAND

derived from RANAP, but spec unknown


femtocell operator communication: the GAN protocol

device is communicating with operator via GAN protocol (UMA)

- TCP/IP mapped radio signaling
- encapsulates radio Layer3 messages (MM/CC) in GAN protocol
- one TCP connection per subscriber
- radio signaling maps to GAN messages, which are sent over this connection

GAN usage is transparent for the phone


GAN proxy/client

- proxies all GAN connections/messages
- reconfigure femtocell to connect to our proxy instead of real GANC
- proxy differentiates between GAN message types
- attack client controls GAN proxy over extended GAN protocol


more mitm pls? sms...

- SMS message filtered by GAN proxy
- modified by client
- transferred to real GANC


demo time

DEMONSTRATION

SMS modification


how about impersonating subscribers?

- let's use services for free, billed to a victim
- client requires subscriber information
- proxy additionally caches subscriber info (TMSI/IMSI) for each MS-GANC connection
- phone needed for authentication
- applies to any traffic (SMS, voice, data)
- victim is impersonated

example: SMS inject


demo time

DEMONSTRATION

SMS injection


return of the IMSI detach

IMSI detach DoS discovered by Sylvain Munaut in 2010 [2]

- ⇒ results in discontinued delivery of MT services (call, sms, ...)
- ⇒ network assumes subscriber went offline
- detach message is unauthenticated
- however, this is limited to a geographical area (served by a specific VLR)
- user can not receive calls

[2] http://security.osmocom.org/trac/ticket/2


imsi detach in femtocell ecosystem

- proximity constraint not existent in femtocell network
- devices reside in various geographical areas
- but all subscribers meet in one back-end system ⇒ and they are all handled by one femtocell VLR (at least for SFR) ☺

we can send IMSI detach payloads via L3 msg in GAN
⇒ we can detach any femtocell subscriber, no proximity needed!
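
One possible operator-side check for the unauthenticated detach described above, as an added example (not from the talk or from any GANC product): parse the TS 24.008 IMSI DETACH INDICATION and forward it only if it names the subscriber bound to the GAN connection it arrived on. The session state, the function names and the sample messages are hypothetical and constructed for illustration.

```python
MM_PD = 0x05                   # TS 24.008 protocol discriminator: mobility management
IMSI_DETACH_INDICATION = 0x01  # MM message type (low 6 bits of octet 2)


def decode_mobile_identity(ie):
    """Decode a TS 24.008 Mobile Identity value into (type, value)."""
    if not ie:
        raise ValueError("empty mobile identity")
    id_type = ie[0] & 0x07
    if id_type == 4:                       # TMSI: 0xF4 followed by 4 octets
        if len(ie) != 5:
            raise ValueError("bad TMSI length")
        return "TMSI", ie[1:].hex()
    if id_type != 1:
        raise ValueError("unsupported identity type %d" % id_type)
    digits = [ie[0] >> 4]                  # IMSI: BCD, first digit in octet 1
    for octet in ie[1:]:
        digits += [octet & 0x0F, octet >> 4]
    if not ie[0] & 0x08:                   # even digit count: drop the 0xF filler
        digits.pop()
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal digit in IMSI")
    return "IMSI", "".join(str(d) for d in digits)


def detach_identity(l3):
    """Identity named in an IMSI DETACH INDICATION, or None for other messages."""
    if len(l3) < 2 or l3[0] & 0x0F != MM_PD or l3[1] & 0x3F != IMSI_DETACH_INDICATION:
        return None
    # octet 3 is MS classmark 1, octet 4 is the identity length
    if len(l3) < 4 or len(l3) < 4 + l3[3]:
        raise ValueError("truncated detach message")
    return decode_mobile_identity(l3[4:4 + l3[3]])


def check_uplink(bound, l3):
    """bound: identities authenticated on this connection, e.g.
    {"IMSI": "...", "TMSI": "..."} (hypothetical GANC session state)."""
    try:
        ident = detach_identity(l3)
    except ValueError as exc:
        return "drop", "malformed: %s" % exc
    if ident is None:
        return "forward", "not a detach"
    kind, value = ident
    if bound.get(kind) == value:
        return "forward", "detach for bound subscriber"
    return "drop", "detach names %s %s, not the bound subscriber" % (kind, value)


# Constructed session and messages (test PLMN 001/01, not real subscribers)
SESSION = {"IMSI": "001010123456789", "TMSI": "c0ffee01"}
SAMPLES = {
    "own_imsi": bytes.fromhex("050157080910101032547698"),
    "other_imsi": bytes.fromhex("050157080910109078563412"),
    "own_tmsi": bytes.fromhex("05015705f4c0ffee01"),
    "truncated": bytes.fromhex("050157080910"),
    "other_mm": bytes.fromhex("0508"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, check_uplink(SESSION, msg))
```

Dropped messages are also worth logging: a connection that names other subscribers in detach messages is a useful detection signal in its own right.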


demo time

DEMONSTRATION

IMSI detach


attacking other femtocells

attack surface limited:
- network protocols: NTP, DNS spoofing (not tested)
- services: webserver, TR-069 provisioning (feasible)

- both HTTP. TR-069 is additionally powered by SOAP and XML
- lots of potential parsing fail
- all services run as root


femtocell remote root (CVE-2011-2900)

- we went for the web service (wsal)
- based on shttpd [3] / mongoose [4] / yassl embedded webserver
- we found a stack-based buffer overflow in the processing of HTTP PUT requests
- direct communication between femtocells is not filtered by SFR
- exploit allows us to root any femtocell within the network
- http://www.sec.t-labs.tu-berlin.de/~nico/wsal_root.py
- fixed in V2.0.24.1 firmware

[3] http://docs.huihoo.com/shttpd/
[4] http://code.google.com/p/mongoose/


demo time

DEMONSTRATION

remote root


collecting subscribers

- other femtocells are accessible within the network
- website is also accessible
- leaks phone number and IMSI of registered subscriber
- wink IMSI detach ⇒ detach whole network


locating subscribers

- location verification performed by OAM
- femtocell scan for neighbour cells


global control

- web-site/database is not read-only
- OAMP, image and GAN server can also be set
- or using root exploit
- traffic can be redirected to our femtocell (either settings or iptables)

⇒ any femtocell can be flashed
⇒ any femtocell subscriber communication can be intercepted, modified and impersonated


meeting the usual suspects

HNS servers run typical Open Source software, not especially secured, e.g.:

- MySQL, SSH, NFS, Apache (with directory indexing), ... available
- FTP used to submit performance measurement reports, including femtocell identity and activity
- all devices share the same FTP account
- vsftpd users are system users, SSH is open :D


advanced access

- SeGW is required to access the network
- authentication is performed via the SIM (removable)
- how about configuring an IPsec client with this SIM?

⇒ no hardware and software limitation
⇒ no femtocell required anymore
⇒ femtocells don't act as a great wall to protect the operator network anymore :D


stairways to heaven

- attacks on operator network
- signaling attacks (not blocked)
- free HLR queries
- leveraging access to:
  - other Access Networks
  - Core Network

...


other femtocell research

- THC vodafone http://wiki.thc.org/vodafone, rooted in 2009, unfortunately bug fixed since 2 years
- Samsung femtocell http://code.google.com/p/samsung-femtocell/
- clearly shows that this is no single operator problem and might cause some pain
- femtocell architecture is defective by design, security wise


thanks (in no particular order)

- Jean-Pierre Seifert
- Collin Mulliner
- Benjamin Michéle
- Dieter Spaar
- K2


the end

thank you for your attention

questions?


contact us

- Nico Golde <[email protected]> @iamnion
- Kévin Redon <[email protected]>
- Ravi Borgaonkar <[email protected]> @raviborgaonkar
- or just [email protected]

all material from this talk (including tools) will be available one week after the HITB KL at: http://tinyurl.com/sectfemtocellhacks


extended coverage

- femtocells have a small coverage (by definition, 25-50m)
- signal range can be increased using amplifier and external antenna
