Telecommunication Security

Introduction
Bhargava Shastry
Prof. Jean-Pierre Seifert
Security in Telecommunications
TU Berlin
SoSe 2015
SecT (TU Berlin)
Telecommunication Security
SoSe 2015
1/8
General Information (1/2)
Area: BKS – Hauptstudium Vertiefer
Belongs to the Module system of SECT and INET
Time: Thursdays, 12:00 – 14:00
Room: TEL Auditorium 1, 20th floor
Language: English
Web site: http://fgsect.de
General Information (2/2)
Exam: For those that need it
Oral or written test after semester end → Depends on no. of participants
Prerequisites:
Some knowledge of smartphone security
Some knowledge of cellular phones/networks
Little bit of undergrad math for crypto
Contact persons
Main contact → Bhargava Shastry (Smartphone security)
Shinjo Park (Telecommunication security)
What is the course about?
Smartphone OS and software security (50%)
Overview of Smartphone security landscape
OS Security
Policy enforcement
Who is who? → Provenance problem
Integrity problem
Static and Dynamic Analyses
Case Studies: Android, iOS (if time permits!)
Telecommunication security (50%)
Overview of cellular network
Femtocell security
SIM card security
Known cellular network attacks
Course style
Research + Practice minded course
Before class: Read research papers
In class: Lecture on topic + Implications on real-world issues
Disclaimer
This course is going to talk of real-world attacks on telecom
infrastructure
This, in no way, encourages you to try them out!
This class is not an excuse for hacking!
Reading
Mostly research papers
At the end of each class, paper for next week will be announced
Today: General introduction to Smartphone and telecom security
Books
Computer Security: Art and Science, Matt Bishop, Addison-Wesley Professional 2002
GSM - Architecture, Protocols and Services, Jorg Eberspacher, Christian Bettstetter, and Christian Hartmann, Wiley & Sons 2009
Self-Assessment
(Figure: two axes, Interests / Expectations and Prior Knowledge, each running from low to high)
Security in Telecommunications
Prof. Dr. Jean-Pierre Seifert
[email protected]
http://www.sec.t-labs.tu-berlin.de/
• More hardware
  • Modem, GPS, NFC etc.
  • Modem connected to security critical infrastructure
• Usage and form factor different
• Resource constraints
  • Battery, CPU, Memory
• More at stake?
  • Things that cost money e.g., calls/sms/data
  • Personal information e.g., contacts/location/credentials
(1/2) Threat Model
Who is the adversary?
Who do you trust?
Source: http://www.pocketables.com
(2/2) Threat Model
What do you seek to protect?
Control access to [objects]:
• User data e.g., credentials, contacts etc.
• Devices e.g., modem, GPS, NFC etc.
Case Study: Android
Android OS
Applications
Middleware
Kernel
Credit: source.android.com
Design Principles
• Third-party applications are untrusted
• Each app is sandboxed in an OS process
• Access to devices/data mediated by OS
Credit: source.android.com
Android Security
• Applications as security principals
  • Separate process -> UID, GID [Linux]
  • Separate storage -> Discretionary access [Linux]
  • Permissions -> Install-time [Android]
• Code signing as a means for identification only
• Compromise of Process A (App 1) is localized
• No permission = No access to APIs/data
Implementation
(Figure: Apps A, B and C call into the Android Reference Monitor (Contacts, SMS, NFC, Camera) and the Linux API (Files, NFC, Camera); the Android permission checks sit in the reference monitor)
Corner Cases
• Native code execution
  • Linux reference monitor didn’t exist (for a long time)
  • SELinux policies enforced >= 4.3
• Permission enforcement delegation
  • Who checks if an app has permission to do something, e.g., send an SMS?
  • Pre-loaded apps can -> Remember, we don’t trust apps!
• What you see != What you get
  • Remote code execution
Exploid Walk-through
• Exploid is the name of an old Android exploit
• Actors involved
  • Android app with the native payload
  • udevd (user device daemon) [For hot plugging devices]
Credit: https://intrepidusgroup.com
No permission SMS App
• Summary
  • Vendor phones come with insecure pre-loaded apps
  • That expose security critical services
  • And don’t check the caller’s permissions
Systematic detection of capability leaks in stock Android smartphones, Grace M. et al., NDSS 2012
Device Fragmentation
• OpenSignal is an app that provides signal localization info
• Collects device data and compiles a report
  • 2012 and 2013 for Android and iPhone
Let’s have a look at their reports
Source: http://opensignal.com/reports/fragmentation-2013/
Summary
• Gaps in security policy enforcement
• Absence of code signing and runtime checks
• Native code is still a problem
• Device fragmentation complicates software updates
Case Study: iOS
• Closed ecosystem
  • Hardware + Software
iOS Security
• iOS security has been a notch ahead of Android
  • Early ASLR, NX adoption
  • Code review and signing mandatory
  • Stripped down OS [Reduced TCB!]
For a detailed study, check out “iOS Security Internals”, RSA Conf. 2012, or “iOS Hacker’s Handbook”
iOS Jailbreaks
(Figure: stages of a jailbreak chain as shown: buffer overflow, exploit memory corruption, ROP, bypass code signing, persist changes, exploit kernel vulnerability, id=root)
Credit: D. Dai Zovi and C. Miller, iOS Security Internals
Questions?
Bhargava Shastry
References:
1. Systematic detection of capability leaks in stock Android smartphones, Grace M. et al., NDSS 2012
2. D. Dai Zovi and C. Miller, iOS Security Internals, RSA Conf. 2012
3. Execute This! Analyzing unsafe and malicious dynamic code loading in Android applications, Poeplau S. et al., NDSS 2014
Telecommunication Security
iOS Security Primer
Bhargava Shastry
Prof. Jean-Pierre Seifert
Security in Telecommunications
TU Berlin
SoSe 2015
Announcements
Slides will be up on the course website by end of today
Paper/topic for next class will also be put up
http://fgsect.de
Overview
Unveiled January 2007 → 8 years old
Proprietary aka closed-source OS → iOS
In numbers:
Roughly one in four smartphones is an iPhone
Between 50-60 % of all tablets are iPads
Software Running on Apple Smartphones
iOS
XNU kernel
Middleware → System libraries, and Services
Applications
Bootloader
Firmware = Boot ROM containing Apple Root CA Public Key plus
Boot Process
On Power ON
Code from Boot ROM executed by Application processor
Boot ROM == Trust Anchor
Root public key checks signature on primary bootloader
Primary bootloader checks signature on secondary bootloader
... and so on...
This forms a Chain of Trust
Reduced Attack Surface
“Code that processes attacker-supplied input” - Charlie Miller
Minimize code exposed to attacker
Cases in point: Java, Flash, stripped-down PDF reader etc.
No “shell”
Privilege Separation
Unix security principals → Users, groups etc.
Apps → User == mobile
System Services → User == root
WiFi Driver → User == wireless
... and so on...
Code Signing
Binaries + libraries must be signed by a trusted authority
Pages in memory must also be signed by a trusted authority
But, doesn’t Data Execution Prevention (DEP) do exactly this?
Question: Is Code Signing Stronger than DEP/NX?
Return Oriented Programming (ROP)
Re-use “trusted” code snippets to create a gadget
Gadget is the malicious payload
Uses return statements in existing code effectively
Question: Does code signing prevent ROP?
Address Space Layout Randomization (ASLR)
ROP needs to know address of code segments
Solution: Randomize address space of systems code
Sandboxing (1/2)
Sandboxing means restricting an entity within a confine
Normally, you can only do as much as the sandbox policy permits
What does a Sandboxing policy for iOS apps look like?
  (deny default)
  ...
  (allow file-read-data
      (literal "/dev/pf")
      (literal "/dev/random")
      (literal "/private/etc/master.passwd"))
Code Courtesy: iOS Hacker’s Handbook
Sandboxing (2/2)
Sandboxing is implemented in user-space and kernel-space components
TrustedBSD extension is the kernel-space implementation
Platform apps (e.g., Safari) and App store apps (e.g., Angry Birds)
have different Sandboxing profiles.
Summary
iOS security features
Secure boot process
Code signing
ASLR
App Sandboxing
Understanding iOS Attacks (1/5)
iOS security features
Secure boot process → Jailbreaking
redsn0w exploits a vulnerability in the Boot ROM. Recall the Boot ROM being the trust anchor?
Understanding iOS Attacks (2/5)
iOS security features
Secure boot process
Code signing → Just-In-Time compilation
  /* XNU vm_map: a mapping may not be writable and executable at once
     unless it was explicitly requested as a JIT region */
  if (cur_protection & VM_PROT_WRITE) {
      if ((cur_protection & VM_PROT_EXECUTE) && !(flags & VM_FLAGS_MAP_JIT)) {
          printf("EMBEDDED: %s curprot cannot be write+execute. turning off execute\n",
                 __PRETTY_FUNCTION__);
          cur_protection &= ~VM_PROT_EXECUTE;
      }
  }
Code Courtesy: iOS Hacker’s Handbook
Understanding iOS Attacks (3/5)
iOS Security features
Secure boot process
Code signing
ASLR → ??
Understanding iOS Attacks (4/5)
iOS Security features
Secure boot process
Code signing
ASLR
App Sandboxing → A week-old CVE!
Understanding iOS Attacks (5/5)
Baseband attacks. Why attack baseband?
iPhones with a locked SIM!
Remote vs. Local attacks
Image Courtesy : iOS Hacker’s Handbook
Attack Techniques
Return Oriented Programming
Fuzzing
Question: What impact does the programming language have on systems software security?
Summary
Pay attention to corner cases
Attacks inevitable
Defense-in-depth is necessary
Discussion: What would you do differently about iOS security?
Acknowledgements
Generously borrowed content from iOS Hacker’s Handbook
Telecommunication Security
BlackBerry Security Primer
Bhargava Shastry
Prof. Jean-Pierre Seifert
Security in Telecommunications
TU Berlin
SoSe 2015
Announcements
Slides are online!
How many don’t have access to ISIS?
Let’s Talk About BlackBerries
How many of them? Should we care?
The Guardian [Article]
Introduction
BlackBerry as a phone
BlackBerry as a service
This lecture: BlackBerry as a phone
Some History
Not much known in the open → Proprietary OS
Used to be Java based
BlackBerry 10 onwards, based on QNX RTOS (Microkernel)
BH 2013 Talk
Let’s hear from someone who has “pwned” a BlackBerry phone
BH13 - BlackBerryOS 10 from a security perspective: [Video]
Dissecting Android Malware: Characterization and Evolution
Problems to solve
Requirement 1: Sufficient Malware Data Set
Anti-virus communities and researchers are hampered by the lack of a malware data set.
Requires a sufficient Android malware dataset.
Requirement 2: Current Malware Detection Rate
How good is top anti-virus software against the latest Android malware?
Evaluating the effectiveness of current anti-virus software
Related work
• Felt et al. “A survey of mobile malware in the wild”
  – Survey 46 malware samples on iOS, Android and Symbian
  – Choice of breadth over depth
  – No mention of advanced trojans in the wild
Related work
What was missing?
• In-depth look at Android malware
  – A technical analysis of advanced attacks
• Large pool of malware
  – Perhaps A/V companies missed stuff? E.g. malware in third-party markets
• Evolution of malware and evaluation of defense
Contribution
• Large malware dataset presented
  – 1260 different samples in all
  – 49 different families each with many variants
  – More info: http://www.malgenomeproject.org/
Malware dataset
How was it collected?
Malware dataset
Q. How was it collected?
A. Crawl app stores!
Search for android marketplace crawler
Contribution
• Large malware dataset presented
• Analysis of malware samples
  – Provenance, Design, Harm
(Figure: Installation, Activation, Characterisation)
Malware: Provenance
• Official Android market
• Alternate android markets ‡
  – Eoemarket
  – Gfan
‡ http://thedroidguy.com/2012/04/androidmarket-share-doubles-in-china-even-symbianis-ahead-of-ios/
Malware: Provenance
(Figure: number of new malware families discovered per month of the year, split into third-party store only and official store only)
Malware: Installation
How to lure users into installing malware you have written?
OR
How do bad things happen to good people?
Repackaging
(Figure: an app developer (good guy) publishes an app, e.g. Monkey Bowl, to the official Android market; the Repackage Meister (bad guy) repackages it into a third-party market; the end-user who installs it gets info stolen, the phone hijacked, or is defrauded)
Repackaging
86% of malware samples repackage!
Repackaging
(Figure: original app + payload = repackaged app)
Update attack
(Figure: FinanceAccount.apk, Google SSearch; payload: DroidKungFu)
Source: https://www.mylookout.com/mobilethreat-report
Update attack
(Figure: original benign app; encrypted blog entry on blog.sina.com.cn; payload: AnserverBot)
Drive-by download
• “Benign” game with a malvertisement
(Figure: in-app ad pop-up)
Source: https://www.mylookout.com/mobilethreat-report
Malware: Activation
When do bad things happen?
• Standard Android event notifications
– Phone boots up
• BOOT_COMPLETED (83.3%)
– SMS is received
• SMS_RECEIVED
– Host app is started
• ACTION_MAIN
Malware: Purpose
What do they do?
Source: http://www.textspyware.com/android/android-spyware-software/
Malware: Purpose
• Harvesting user information (51.1%)
  Example: SndApp
• What is sent?
  – Device ID
  – Phone number/operator
  – User’s email addresses
http://www.fortiguard.com/av/VID3148366
Malware: Purpose
• SMS to premium numbers (45.3%)
  Example: FakeRegSMS.B
http://www.f-secure.com/weblog/archives/00002305.html
Malware: Design
• Social engineering
• Phones as bots controlled from a C&C server (93%)
• Privilege escalation (36.7%)
  – Exploit security flaws in kernel code
Malware: Permission use
(Figure: frequency of the top 20 permissions, malware vs. benign apps)
Malware: Permission use
• Summary
  – Avg. no. of permissions per app
    • Malware: 11 | Benign apps: 4
  – Avg. no. of top 20 permissions per app
    • Malware: 9 | Benign apps: 3
Contribution
• Large malware dataset presented
• Analysis of malware samples
• Evolution of malware
  – Advanced techniques to beat defense
• How good is defense?
Malware: Evolution
How are malware writers trying to evade detection?
• Encryption
  – Payload and internal data
• Running without install
  – DexClassLoader, Reflection
• Thwart reverse engineering
  – Class name obfuscation
Malware: Detection Rate
(Figure: bar chart of detection rates for AVG, Lookout, Norton and Trend Micro; values shown: 79.6%, 76.7%, 54.7%, 20.2%)
A few malware samples went undetected!
Malware: Detection
Q. Any clue why some samples were NOT detected by any?
A. They most likely employ signature-based detection!
Takeaways
Malware
• Mostly in third-party markets/forums (~90%)
• Requests more permissions on average
• Is evolving and anti-virus software needs to catch up
Future Work
How does one reduce the impact of malware?
Google’s “Bouncer”
Future work
Well, Google has a kill switch at least...
...But, what about third-party markets?
Making xkcd slightly worse: www.xkcdsw.com
Telecommunication Security
Introduction to Mobile Network
Shinjo Park
Prof. Jean-Pierre Seifert
Security in Telecommunications
TU Berlin
SoSe 2015
Shinjo (sect)
Telecommunication Security
SoSe 2015
1 / 12
Previous Lecture Summary
Security of various smartphone platforms
Security policy, implementation
Known exploits so far
iOS, BlackBerry, Firefox OS, Android
So, what will happen when we go online via mobile network?
(Figure: smartphone architecture. Application Processor: Apps, Middleware, Kernel/RIL, Camera, Wi-Fi, GNSS, Display, Sensors. Baseband Processor: Baseband Software Stack, RF TX/RX. SIM Card.)
Cellular Networks
Made up of many components and defined by thousands of pages of standards (this is where the alphabet soup comes from)
Feel free to stop me if you do not understand
Non-security concerns, sometimes linked to security:
Maximizing number of active subscribers
Minimizing handset power consumption
Interconnectivity with other networks
Low latency call-setup and in-call
Efficient radio spectrum usage
Mobility and roaming
Accurate accounting
and many more · · ·
Cellular Network Insecurity
Classical cellular network vulnerabilities: weak crypto in GSM, eavesdropping, jamming, identity cloning, . . .
Transition from voice-only → voice and data → data-only opened interfaces resulted in:
Vulnerabilities with SMS [Enck, Mulliner, et al.]
Exploiting setup/teardown mechanisms [Traynor, et al., 2007]
CSFB voice calls on LTE [Tu, et al., 2013/2014]
...
We will spend some time during the class looking at the design problems
Network Provider’s Point of View
(Word cloud: Security? Malicious packets? Subsidy = Lock, VoIP?, No Tethering, Infra cost, ...)
End User’s Point of View
(Word cloud: Should I trust? Price? Am I tracked? How is my information used? Always Connected, Voice, Privacy, ...)
Baseband
We will skip the overall smartphone OS part, as it was covered previously
Integrated into the SoC (System on Chip) or a discrete chip
Qualcomm Snapdragon (SoC integrated)
Qualcomm Snapdragon LTE modem (aka Gobi, discrete chip)
Samsung Exynos Modem (usually discrete, integrated models exist)
Intel XMM series (formerly Infineon, usually discrete)
HiSilicon (Huawei subsidiary) Balong
Mediatek, and others
Separate firmware and execution environments
Baseband OS
Responsible for cellular capability: registration, authentication, mobility, in-call voice, ...
Based mostly on an RTOS, sometimes including a custom DSP (especially Qualcomm with their Hexagon DSP)
Communicates with the application processor using various IPC (inter-process communication) mechanisms:
AT commands
Shared memory
Custom protocol, e.g. QMI
Baseband Exploit
Baseband OS is more closed than the mobile OS, but exploits are possible
iPhone with Infineon (now Intel) baseband
Earlier iPhones were often country-locked and lacked features
Various exploits to jailbreak or unlock: mostly overflows
Apple reacted with firmware updates and a migration to Qualcomm basebands
Further reading: https://www.theiphonewiki.com/wiki/Category:Baseband_Exploits
Catchy video: http://commons.wikimedia.org/w/index.php?title=File%3AIPhone_Baseband_Erasing.webm
Anecdotal reports on Qualcomm baseband modification
Further reading: http://yifan.lu/tag/hexagon/
Other cases will be covered in a later lecture
SIM Card
Mandatory in 3GPP standards, optional in CDMA
Device in your phone with “computing capability” and secure storage
Subscriber’s data, sometimes linked to a physical person
Authentication algorithm runs here!
Text-based applications using the SIM Application Toolkit
Mobile payment in some regions
Communicates with the baseband using a dedicated interface
Interaction with the AP is limited by the operating system and API
Airside
Control and data plane protocols
Are they securely designed?
If encryption is employed, is it used correctly?
Can Mallory eavesdrop on my mobile communication?
Physical security of mobile network equipment
Physical access control on cell tower sites
Femtocells: carrier-grade device at home!
Summary and Following Lectures
Data Plane Security
Control Plane Security
Baseband Security
SIM Security
Femtocell Security
Reading list for next lecture:
Gaining Control of Cellular Traffic Accounting by Spurious TCP
Retransmission, Younghwan Go et. al., NDSS 2014
Telecommunication Security
Mobile Data Plane Security
Shinjo Park
Prof. Jean-Pierre Seifert
Security in Telecommunications
TU Berlin
SoSe 2015
Mobile Network Architecture
Centralized: outgoing voice/data traffic is aggregated at one point
Multiple entities: functionalities are distributed
Mixture of protocols: each entity talks in various IP and non-IP protocols
Operational concepts: idle capacity is not “idle”, it is additional capacity for the worst case
Legacy: GSM-only mobile phones are still released!
Dismantling an older generation network is not easy
Some M2M devices are still GSM-only
GSM Network Structure
(Figure, from http://commons.wikimedia.org/wiki/File:Gsm_structures.svg, edited: MT/TE with SIM, BTS, BSC, MSC server, CS-MGW, GMSC, PSTN, SGSN, GGSN, Internet)
UMTS Network Structure
(Figure, from http://commons.wikimedia.org/wiki/File:UMTS_structures.svg, edited: MT/TE with USIM, Node B, RNC, MSC server, CS-MGW, GMSC, PSTN, SGSN, GGSN, Internet)
LTE Network Structure
(Figure, based on the above two images: MT/TE with USIM, eNodeB, MME, SGW, PGW, Internet)
Radio Access Network
Segment between the mobile phone, the cell tower and the core network
BTS (Base Transceiver Station) on GSM
Node B on WCDMA, eNodeB (Evolved Node B) on LTE
Multiple access on the air interface
TDMA (Time Division) on GSM
CDMA (Code Division) on WCDMA, CDMA2000
OFDMA (Orthogonal Frequency Division) on LTE
Radio spectrum for mobile networks is licensed by the government
Spectrum auctions in many countries
Projekt 2016 of the German Bundesnetzagentur: almost all 900/1800 MHz spectrum is in auction
Core Network
Where mobility management, data exchange, ... happen
Base station control and mobility management
BSC (Base Station Controller) on GSM
RNC (Radio Network Controller) on 3G
LTE: roles are split into MME (Mobility Management Entity) and S-GW
Circuit switched (CS) network for voice
Early mobile networks up to GSM only supported the CS network
3G contains both CS and PS networks from the beginning
LTE dropped the CS network:
Fall back to 2G/3G network for voice (CSFB, Circuit Switched Fallback)
Newer packet-based voice calls (VoLTE, Voice over LTE)
Core Network
Packet switched (PS) network for data
GPRS is addition on GSM, to support PS data services
3G contains both CS and PS network from the beginning
LTE is designed as data-only network: towards All-IP
Your data passes through these before the Internet:
SGSN (Serving GPRS Support Node)/S-GW (Serving Gateway)
Routing packet data into the mobile network
GGSN (Gateway GPRS Support Node)/P-GW (PDN Gateway)
Interconnecting core network and the Internet
SGSN and GGSN are mapped m:n
Core Network Protocols
Each entity speaks multiple protocols
We will not cover all of them - too many!
Data plane protocols
Transmission of mobile data
GTP (GPRS Tunneling Protocol): IP packet inside the core network, with versions for both control and data plane
SIP/RTP (Session Initiation Protocol, Realtime Transport Protocol): voice call control and data
Control plane protocols
Transmission of signaling, mobility, and other non-data messages
The SS7 (Signaling System No. 7) family of protocols
Radio access protocols: RANAP, S1AP, X2AP, ...
Logically separate, physically interwoven
Summary
Mobile networks are evolving for higher speed and lower latency
Two types of networks: circuit switched and packet switched
Two types of planes: control and data
Mobile Data Traffic
2012 3G mobile data statistics from South Korea [4]:
HTTP takes about 75% of total data by volume, 78% by number of flows
HTTPS takes 3% by volume, 10% by number of flows
Within HTTP, video, images, and apps take about 74% by volume
Malware, botnets, ... also use the data plane
Concerns
How is it accounted?
Are we on a secure/legitimate connection?
Can we access the control plane from the data plane?
[4] S. Woo, et al., Comparison of Caching Strategies in Modern Cellular Backhaul Networks, MobiSys 2013
Mobile Accounting System Architecture [5]
Charging Data Record (CDR)
Billing information (e.g., user identity, session elements, etc.)
Records traffic volume at the IP packet level
Question: Should we account for TCP retransmissions?
For: they still consume radio resources
Against: not visible to the user
(Figure: UE → RAN (NodeB and RNC on 3G UMTS; eNodeB on 4G LTE) → CN (SGSN and GGSN; MME, S-GW and P-GW; CGF) → Internet server)
[5] Materials borrowed from original slides: Y. Go, et al., Gaining Control of Cellular Traffic Accounting by Spurious TCP Retransmission, NDSS 2014
Experiment Setup
Test setup (figure): client running wget → Mobile ISP → server sending via raw socket
Test process
Client: download a file via wget
Server: retransmit packets via raw socket
Compare captured volume with charged volume provided by ISP
Retransmission Accounting Policy by Operator
Operator (Country)                      | Policy
China Telecom, China Mobile (CN)        | Blind
O2 (DE)                                 | Blind
Movistar (ES)                           | Blind
T-Mobile (UK)                           | Blind
AT&T, Sprint, T-Mobile, Verizon (US)    | Blind
SK Telecom, KT, LG U+ (KR)              | Selective
Blind accounting: usage-inflation attack
Selective accounting: free-riding attack
Usage Inflation Attack: Retransmit after FIN
Ignore client’s FIN/RST to prevent TCP teardown
Utilize full bandwidth to overcharge the usage
(Figure: a malicious server on the Internet keeps resending Packet 3 through the cellular core network to the victim client after its FIN; the repeated copies are charged, i.e. overcharging)
Free-riding Attack
Tunnel payload in a packet masquerading as a retransmission
ISPs with a selective accounting policy inspect the TCP header only
(Figure: malicious UE ↔ core network ↔ tunneling proxy on the Internet ↔ destination server; packets carry a fake header plus Pkt 1 / Pkt 3 payload, giving free Internet)
Optimizing Free-riding Attack
Packet encryption: evade tunnel header detection
Packet compression: increase transfer speed
Free-riding Attack Demo
Mitigation
Accurate accounting of TCP retransmission
Full packet inspection: higher system load, privacy issues
Proposed random sampling showed lower system load than full inspection, along with high accuracy
Policy problems: what if you are the operator?
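The accounting policies from the operator table and the mitigation above, worked through on constructed packet traces. This is an added example, not code from the lecture or from Go et al.: a blind policy, a header-only selective policy, and the payload-aware inspection the mitigation calls for, each applied to a usage-inflation trace and a free-riding trace.

```python
"""Toy per-flow accounting under the retransmission policies from the slides.

Added example, not code from the lecture or from Go et al.: it compares
blind accounting, header-only selective accounting, and the payload-aware
inspection proposed as mitigation, over constructed downlink traces.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One downlink TCP segment as the accounting point sees it."""
    seq: int        # TCP sequence number from the header
    payload: bytes  # TCP payload bytes


def account(trace: List[Segment], policy: str) -> Tuple[int, int]:
    """Return (charged_bytes, flagged_segments) for a trace under a policy.

    blind   : every byte is charged, retransmission or not (open to the
              usage-inflation attack: a server that keeps resending after
              FIN inflates the bill).
    header  : a segment whose seq was already seen counts as a
              retransmission and is free; only the header is inspected
              (open to the free-riding attack: fresh payload under an old
              seq is never charged).
    payload : a repeated seq is free only when its payload is identical to
              the segment first seen with that seq; different payload is
              charged and flagged as a spurious retransmission.
    """
    if policy not in ("blind", "header", "payload"):
        raise ValueError(f"unknown policy {policy!r}")
    charged = flagged = 0
    first_seen: Dict[int, bytes] = {}
    for seg in trace:
        if policy == "blind":
            charged += len(seg.payload)
            continue
        prior = first_seen.get(seg.seq)
        if prior is None:                      # new data, always charged
            first_seen[seg.seq] = seg.payload
            charged += len(seg.payload)
        elif policy == "payload" and prior != seg.payload:
            charged += len(seg.payload)        # tunnelled data, not a retransmission
            flagged += 1
        # else: looks like (or is) a genuine retransmission, not charged
    return charged, flagged


# Constructed traces: three 1000-byte segments, then five more segments that
# reuse the sequence number of segment 3.
_BASE = [Segment(0, b"A" * 1000), Segment(1000, b"B" * 1000), Segment(2000, b"C" * 1000)]


def usage_inflation_trace() -> List[Segment]:
    """Server ignores the client's FIN and resends segment 3 five times."""
    return _BASE + [Segment(2000, b"C" * 1000) for _ in range(5)]


def free_riding_trace() -> List[Segment]:
    """Proxy ships five fresh 1000-byte chunks under the header of segment 3."""
    return _BASE + [Segment(2000, bytes([0x10 + i]) * 1000) for i in range(5)]


def compare_policies() -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Charged bytes and flagged segments per policy for both traces."""
    traces = {"usage_inflation": usage_inflation_trace(),
              "free_riding": free_riding_trace()}
    return {name: {pol: account(tr, pol) for pol in ("blind", "header", "payload")}
            for name, tr in traces.items()}


if __name__ == "__main__":
    for name, results in compare_policies().items():
        print(name, results)
```

Only the payload-aware policy charges 3000 bytes for the genuine retransmissions and 8000 bytes (with five flagged segments) for the tunnelled data; the two simpler policies each get one of the traces wrong.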
GTP-in-GTP Attack
GTP: GPRS Tunneling Protocol, used for PS messages
User plane data is encapsulated in GTP inside the core network; the mobile phone is not aware of it
SGSN/GGSN, S-GW/P-GW can understand GTP
Normally dropped by core network, Huawei USG9000 manual shows:
GTP-in-GTP Attack
SGSN/GGSN processes payload to route the packet
Attacker must be aware of IP range of GTP-speaking entities
If they are not aware of GTP-in-GTP:
Packets are routed to internal entities
If requested, responses are generated (e.g. Echo)
Internal network entities are exposed!
Easily mitigated by proper configuration
Try yourself: http://www.c0decafe.de/, Tools section
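The "proper configuration" mitigation above amounts to a filter that looks inside each G-PDU. As an added example (not code from the lecture, c0decafe.de or any vendor product), the following parses a GTPv1-U message, extracts the user IPv4 packet, and reports whether that packet is itself UDP to a GTP port; the header layout is assumed from 3GPP TS 29.281, and the sample packets are constructed inline with zero checksums.

```python
"""Detecting GTP-in-GTP at a core-network filter.

Added example, not code from the lecture or any product: it parses a
GTPv1-U G-PDU, extracts the encapsulated IPv4 user packet, and reports
whether that packet is itself addressed to a GTP port (2123 GTP-C, 2152
GTP-U), which a correctly configured GGSN/P-GW or firewall should drop.
Header layout assumed from 3GPP TS 29.281; checksums in the constructed
packets are left as zero.
"""
import ipaddress
import struct
from typing import Optional, Tuple

GTP_C_PORT = 2123
GTP_U_PORT = 2152
GTP_MSG_ECHO_REQUEST = 0x01
GTP_MSG_GPDU = 0xFF


def parse_gtpv1(data: bytes) -> Tuple[int, int, bytes]:
    """Return (message_type, teid, payload) of a GTPv1 message."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    end = 8 + length                    # length counts bytes after the 8 mandatory ones
    if end > len(data):
        raise ValueError("truncated GTP message")
    off = 8
    if flags & 0x07:                    # any of E, S, PN set: 4 optional bytes present
        if end < 12:
            raise ValueError("missing optional header")
        next_ext = data[11]
        off = 12
        while flags & 0x04 and next_ext != 0:   # walk the extension-header chain
            ext_len = data[off] * 4             # length field is in 4-octet units
            if ext_len == 0 or off + ext_len > end:
                raise ValueError("bad extension header")
            next_ext = data[off + ext_len - 1]
            off += ext_len
    return msg_type, teid, data[off:end]


def ipv4_udp_dport(pkt: bytes) -> Optional[int]:
    """UDP destination port of an IPv4/UDP packet, or None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:  # protocol 17 = UDP
        return None
    return struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]


def is_gtp_in_gtp(gtpu_datagram: bytes) -> bool:
    """True when a G-PDU's user packet is itself UDP to a GTP port."""
    msg_type, _teid, user_packet = parse_gtpv1(gtpu_datagram)
    if msg_type != GTP_MSG_GPDU:
        return False                     # signalling on the GTP-U port, not user data
    return ipv4_udp_dport(user_packet) in (GTP_C_PORT, GTP_U_PORT)


# --- constructed packet builders, for the demonstration only -----------------

def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + udp


def build_gtpv1(msg_type: int, teid: int, payload: bytes, seq: Optional[int] = None) -> bytes:
    flags, opt = 0x30, b""               # version 1, PT=1 (GTP), no optional fields
    if seq is not None:
        flags |= 0x02                    # S flag: sequence number present
        opt = struct.pack("!HBB", seq, 0, 0)
    return struct.pack("!BBHI", flags, msg_type, len(opt) + len(payload), teid) + opt + payload


def demo() -> Tuple[bool, bool]:
    """Verdicts for a normal DNS query and for a tunnelled GTP-C Echo Request."""
    dns = build_ipv4_udp("10.20.30.40", "192.0.2.53", 40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)
    normal = build_gtpv1(GTP_MSG_GPDU, 0x1234, dns)
    echo = build_gtpv1(GTP_MSG_ECHO_REQUEST, 0, b"", seq=7)
    nested = build_gtpv1(GTP_MSG_GPDU, 0x1234,
                         build_ipv4_udp("10.20.30.40", "192.0.2.10", GTP_C_PORT, GTP_C_PORT, echo),
                         seq=1)
    return is_gtp_in_gtp(normal), is_gtp_in_gtp(nested)


if __name__ == "__main__":
    print(demo())   # (False, True)
```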
Mobile Botnets
Smartphone applications have no access to the control plane
Data and control plane are normally orthogonal
Mobile botnets focus more on harvesting user data than on paralyzing the network
Virus Bulletin’s summary shows the trend [6]
Depends heavily on the smartphone OS architecture
Symbian, Windows Mobile had lax control over what could be installed
iOS has tight control on apps; malware targets jailbroken ones
Android has lax control and a wide user base, the sweet spot for malware
[6] https://www.virusbtn.com/virusbulletin/archive/2015/03/vb201503-mobile-botnets
Summary
Data accounting policy on TCP retransmission
GTP-in-GTP, where both planes meet
Mobile botnets are mostly user data harvesters
Max will give a demonstration on control plane DDoS
Telecommunication Security
Mobile Control Plane Security
Shinjo Park
Prof. Jean-Pierre Seifert
Security in Telecommunications
TU Berlin
SoSe 2015
GSM Security: Defective by Design
Security through obscurity:
Known as a thoroughly bad idea for decades
Kerckhoffs’s principle (19th century) [1]
Shannon’s maxim (20th century) [2]
Chosen as a guiding principle by the GSM authors
Partially mitigated in later generation networks
[1] Auguste Kerckhoffs, “La cryptographie militaire”, vol. IX, pp. 5–83, January 1883, pp. 161–191, February 1883
[2] C.E. Shannon, Communication theory of secrecy systems, Bell System Technical Journal 28 (1949), page 662
GSM Weakness Examples
Usage of plain IMSI over the air
COMP128 on SIM card: authentication algorithm
A5/1, A5/2: stream ciphers on the GSM air interface
No user-visible ciphering indicator
(Figure: GSM network structure, from http://commons.wikimedia.org/wiki/File:Gsm_structures.svg, edited)
IMSI Catcher
Fake base station (or other device) to collect the IMSI of users
Knowing the IMSI: eavesdropping and tracking are done transparently
GSM: no mutual authentication! OpenBTS supports open network
UMTS, LTE: mutual authentication, but the implementation is a different story
Small GSM IMSI catcher using BeagleBone Black and USRP possible [4]
[4] http://discourse.criticalengineering.org/t/howto-gsm-base-station-with-the-beaglebone-black-debian-gnu-linux-and-a-us
56
Shinjo (sect)
Telecommunication Security
SoSe 2015
4 / 21
IMSI Catcher Catcher (or Privacy Guard)
Uses a baseband-specific approach to sniff control plane messages
Checks for inconsistencies: cell ID, silent SMS, etc.
Focusing on 2G/3G control plane privacy
Darshak for Infineon baseband: https://github.com/darshakframework/darshak
SnoopSnitch for Qualcomm baseband: https://opensource.srlabs.de/projects/snoopsnitch
AIMSICD: https://github.com/SecUpwN/Android-IMSI-Catcher-Detector
UMTS/LTE Authentication Material
[Figure: derivation of the authentication vector from the shared key K, RAND, SQN and AMF (3GPP TS 33.102): f1(K, RAND, SQN, AMF) → MAC (the USIM recomputes it as XMAC), f2(K, RAND) → RES, f3 → CK, f4 → IK, f5 → AK; AUTN = (SQN ⊕ AK) || AMF || MAC]
UMTS/LTE Authentication Procedure
LTE Authentication Example
Authentication Request (Network to Phone)
Authentication Response (Phone to Network)
Communication afterwards is encrypted
AUTN Security
SQN ensures message “freshness” (replay protection)
MAC ensures message integrity (forgery protection: only the holder of K can compute it)
SQN is masked by AK (an eavesdropper cannot read or track the counter)
The UE’s original security capabilities are mirrored back in the integrity-protected Security Mode Command after AUTN has been successfully verified; this is essential to prevent an encryption downgrade during an attack.
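The AUTN checks above, as an added example that is not part of the lecture material. It models the HSS/HLR side and the USIM side of AKA and shows that a replayed (RAND, AUTN) fails the SQN freshness check and that a challenge with a forged MAC is rejected before any key material is released. Assumptions: f1..f5 are HMAC-SHA256 stand-ins (real networks use Milenage, which is AES based), and the AMF value, the SQN width and the subscriber key are made up for the example.

```python
"""UMTS/LTE AKA: what AUTN buys you (added example, not course code).

The network sends RAND || AUTN, AUTN = (SQN xor AK) || AMF || MAC.
The USIM recomputes AK = f5(K, RAND), unmasks SQN, recomputes XMAC with f1
and rejects the challenge unless XMAC == MAC and SQN is fresh.
Real f1..f5 are Milenage (AES based); here they are HMAC-SHA256 stand-ins,
an assumption that keeps the example dependency free."""
import hashlib
import hmac
import os


def _f(label: bytes, k: bytes, *parts: bytes) -> bytes:
    # Stand-in for the Milenage f-functions: keyed PRF over (label, inputs)
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def f1(k, rand, sqn, amf): return _f(b"f1", k, rand, sqn, amf)[:8]   # MAC-A (8 bytes)
def f2(k, rand):           return _f(b"f2", k, rand)[:8]             # RES / XRES
def f3(k, rand):           return _f(b"f3", k, rand)[:16]            # CK
def f4(k, rand):           return _f(b"f4", k, rand)[:16]            # IK
def f5(k, rand):           return _f(b"f5", k, rand)[:6]             # AK (6 bytes, like SQN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """HLR/HSS side: owns K and the per-subscriber SQN counter."""

    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def auth_vector(self, amf: bytes = b"\x80\x00") -> dict:
        self.sqn += 1                               # fresh counter for every vector
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        ak = f5(self.k, rand)
        mac = f1(self.k, rand, sqn, amf)
        autn = xor(sqn, ak) + amf + mac             # 6 + 2 + 8 = 16 bytes
        return {"rand": rand, "autn": autn, "xres": f2(self.k, rand),
                "ck": f3(self.k, rand), "ik": f4(self.k, rand)}


class USIM:
    """Card side: verifies AUTN before it derives or reveals anything."""

    def __init__(self, k: bytes):
        self.k, self.sqn_ms = k, 0                  # highest SQN accepted so far

    def challenge(self, rand: bytes, autn: bytes):
        """Return (RES, CK, IK) or raise ValueError (MAC or synchronisation failure)."""
        ak = f5(self.k, rand)
        sqn = xor(autn[:6], ak)                     # unmask SQN
        amf, mac = autn[6:8], autn[8:16]
        xmac = f1(self.k, rand, sqn, amf)
        if not hmac.compare_digest(xmac, mac):      # forged or modified challenge
            raise ValueError("MAC failure")
        if int.from_bytes(sqn, "big") <= self.sqn_ms:   # replayed challenge
            raise ValueError("synchronisation failure (SQN not fresh)")
        self.sqn_ms = int.from_bytes(sqn, "big")
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def run_aka(network: HomeNetwork, usim: USIM) -> bool:
    """One AKA round trip: True iff RES matches XRES and both sides share CK/IK."""
    av = network.auth_vector()
    res, ck, ik = usim.challenge(av["rand"], av["autn"])
    return hmac.compare_digest(res, av["xres"]) and ck == av["ck"] and ik == av["ik"]


def replay_is_rejected(network: HomeNetwork, usim: USIM) -> bool:
    """Replaying a captured (RAND, AUTN) fails: SQN is no longer fresh."""
    av = network.auth_vector()
    usim.challenge(av["rand"], av["autn"])          # genuine use
    try:
        usim.challenge(av["rand"], av["autn"])      # attacker replays it later
    except ValueError as e:
        return "SQN" in str(e)
    return False


def forged_autn_is_rejected(network: HomeNetwork, usim: USIM) -> bool:
    """A fake base station without K cannot produce a valid MAC."""
    av = network.auth_vector()
    bad_autn = av["autn"][:8] + os.urandom(8)       # keep SQN^AK and AMF, forge the MAC
    try:
        usim.challenge(av["rand"], bad_autn)
    except ValueError as e:
        return "MAC" in str(e)
    return False


if __name__ == "__main__":
    K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")   # constructed subscriber key
    net, card = HomeNetwork(K), USIM(K)
    print("AKA ok:", run_aka(net, card))
    print("replay rejected:", replay_is_rejected(net, card))
    print("forged AUTN rejected:", forged_autn_is_rejected(net, card))
```

The MAC check runs before the SQN check on purpose: a card that reported a synchronisation failure for an unauthenticated challenge would leak whether the masked SQN decoded to a plausible value. The GSM MitM on the next slides works around these checks rather than through them, by replaying a genuine AUTN obtained from the real network.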
UMTS MitM Attack
[Figure: man-in-the-middle setup. The IMSI catcher talks to the target phone over the Air/Um (GSM) interface; the attacking phone talks to the operator’s BTS over the Air/Uu (UMTS) interface.]
Attacking phone → operator’s BTS: Location update REQ (1)
Operator’s BTS → attacking phone: Authentication REQ (1)
Attacking phone → operator’s BTS: Authentication RESP / Authentication FAIL (1)
Credentials extraction: the attacker now holds a genuine authentication request (RAND/AUTN) for the target
UMTS jamming: the target falls back to GSM
Target phone → IMSI catcher: Location update REQ
IMSI catcher → target phone: Authentication REQ (replayed)
Target phone: request authenticity verification succeeds
Target phone → IMSI catcher: Authentication RESP
IMSI catcher → target phone: Cipher Mode CMD
All further communication is intercepted
(1): optional
UMTS MitM Attack?
Network-to-phone impersonation: OK
Phone-to-network impersonation: fails
Might happen on a normal network for long-distance calls
Enough if the further attack only requires faking the origin of an incoming call
The practical feasibility of the attack is greatly increased by the incomplete standard conformance of many basebands.
Paging
Common process on every mobile network
Notifies the mobile phone of a new service (incoming call, SMS, data)
[Figure: BTS/NodeB/eNB broadcasts a Paging Request carrying the identity (IMSI/TMSI) to the UE: visible to anyone!]
Paging in GSM Network
BTS → phone: Paging Message on the PCH (broadcast)
Phone: identity match!
Phone → BTS: Initial Channel Request (RACH)
BTS → phone: Immediate Assignment (AGCH)
Phone: tune to the allocated channel
Phone → BTS: Paging Response Message (SDCCH)
Authentication, ciphering, service delivery
Hijacking Services
Impersonation: the identity stored in the SIM is required
Hijacking services: SMS, calls
Injecting wrong information into the network
[Figure: the BTS broadcasts the Paging Request; both the phone and the attacker receive it]
Identity Harvesting
TMSI: dial and disconnect early; the victim is paged but the phone does not ring!
Paging messages are visible to everyone
Can be used in an LTE network with a CSFB voice call: stuck in 3G in some cases
IMSI: HLR query service, SS7 query service5, ...
[Figure: the attacker places phone calls to the victim and monitors the BTS’s broadcast Paging Requests to learn the identity (IMSI/TMSI)]
5 Tobias Engel, SS7: Locate. Track. Manipulate., 31C3
GSM RACH Flooding
Attack like TCP SYN flooding: drain all available resources with bogus requests
Background: GSM TDMA (Time Division Multiple Access)
How GSM TDMA Works
Resources are divided into frames and timeslots
The base station knows the downlink timing; the uplink timing (propagation delay) is unknown until the phone transmits
An uplink channel is allocated in response to a RACH burst
Sent by the UE in a fixed time window; the BTS measures the propagation delay
The BTS cannot tell whether the request is legitimate
A malicious device can also send RACH bursts:
Older devices are available second-hand
Free software GSM implementations run on software-defined radios
RACH Flood Attack Scheme
Summary
Mobile authentication scheme
MitM/DoS attacks on the control plane
Reading list for next lecture:
Reverse engineering a Qualcomm baseband, Guillaume Delugré, 28C3 (2011)
Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks, Ralf-Philipp Weinmann, WOOT 2012
Baseband exploitation in 2013: Hexagon challenges, Ralf-Philipp Weinmann, PacSec 2013
Similar content can be found at other conferences
Demo Time!
Let’s see the attack!
References
Ulrike Meyer and Susanne Wetzel: On the impact of GSM Encryption and Man-in-the-Middle Attacks on the Security of Interoperating GSM/UMTS Networks, Proceedings of the IEEE International Symposium on Personal, Indoor and Mobile Radio Communications, September 2004.
Ulrike Meyer and Susanne Wetzel: A man-in-the-middle attack on UMTS, Proceedings of the 3rd ACM workshop on Wireless security, 2004.
Telecommunication Security
Cellular Baseband Security
Shinjo Park
Prof. Jean-Pierre Seifert
Security in Telecommunications
TU Berlin
SoSe 2015
Recap: Baseband OS
Responsible for cellular capability: registration, authentication, mobility, in-call voice, ...
Based mostly on an RTOS, sometimes including a custom DSP (especially Qualcomm with their Hexagon DSP)
Communicates with the application processor using various IPC (inter-processor communication) mechanisms:
AT commands
Shared memory
Custom protocol, e.g. QMI
[Figure: application processor (apps, middleware, kernel/RIL; camera, Wi-Fi, GNSS, display, sensors) next to the baseband processor (baseband software stack, RF TX/RX, SIM card)]
Baseband Market: Time of Troubles
Lots of companies have come and gone
Qualcomm
Infineon → Intel
Analog Devices → MediaTek
Samsung, LG, Huawei, Spreadtrum, GCT, Altair, · · ·
Nokia → Renesas → Broadcom → Exit
Icera → NVIDIA → Exit
STM, Ericsson → ST-Ericsson → Exit
TI, Freescale → Exit
“Open” Mobile OS
Linux-based OSes have an image of freedom, but...
Android: proprietary components (graphics, Wi-Fi/Bluetooth firmware, Apache-licensed system modifications); see Replicant
MeeGo/Mer/Sailfish: somewhat better than Android, but the firmware problem remains
Firefox OS: hardware adaptations are not free
Nearly all baseband implementations on smartphones are not free
Let’s go back to the feature phone
Support Status of Replicant1
Nexus One: Qualcomm processor, works with the reference RIL
Others are mostly non-Qualcomm devices
1 https://en.wikipedia.org/wiki/Replicant_%28operating_system%29
Qualcomm Baseband
ARM + Hexagon/QDSP: Qualcomm’s in-house DSP
Known architecture details are based on the toolchain
Modified ELF executable for the baseband binary: lacks a section header
OS: REX, REX/OKL4, BLAST/QuRT
Code signing is enforced in various places, e.g. the bootloader
Unsecured bootloaders can be found on USB modems2
2 http://www.anandtech.com/show/4465/samsung-droid-charge-review-droid-goes-lte/2
Qualcomm 3G Modem Hacks
Option iCON 225: 28C3 talk
Older non-OKL4 chipset (MSM6280), non-secure bootloader
An overview of the Qualcomm REX operating system
GDB proxy using the Qualcomm DIAG command for peeking at memory
ZTE MF61
Unsigned code execution allowed
Consists of a baseband and a UI section
Unlocking the MiFi: the AT+ZNCK command accepts an “unlock key”
Modified the unlock command handler to accept a known value3
3 http://willsjojo.blogspot.de/2012/06/icon-225-orange-modem-unlocking.html, http://www.cnet.com/products/t-mobile-4g-mobile-hotspot-zte-mf61/
Infineon Baseband
Actively used in the 3G era, especially for non-Qualcomm phones
Everybody wants iPhones, and so do hackers
Early iPhones up to the iPhone 4 used Infineon basebands
iPhone basebands had problems until the switch to Qualcomm4
Overflow: AT+XEMN (heap), AT+stkprof (buffer)
Register overwrite: AT+XAPP, AT+FNS, AT+XLOG
JerrySIM (STK exploit), IPSF (RSA/SHA1 bug), Fakeblank
Malformed control plane messages can crash the baseband5
4 https://www.theiphonewiki.com/wiki/Baseband_Device
5 http://www.infineon.com/cms/en/about-infineon/press/press-releases/2008/INFCOM200805-068.html, http://technews.co/2014/07/03/baseband-chip-battle-apple-rumored-to-be-furthering-partnership-with-intel-chinese-chipmakers-eyeing-broadcom
Hackable Basebands
Nokia DCT3 based NFREE/Blacksphere: website changed into something else
TI Calypso basebands
TSM30
Motorola C118 and others
Openmoko FreeRunner GTA026
MediaTek MT6260: Fernvale7
No GSM baseband sources officially available, as usual.
MediaTek sources are floating around on Chinese cloud services
6 http://wiki.openmoko.org/wiki/Main_Page
7 http://www.bunniestudios.com/blog/?p=4297
TI Calypso Friends
Documentation leaked!8
Source code leaked as well!9
OsmocomBB: free baseband firmware for the TI Calypso
8 http://bb.osmocom.org/trac/wiki/Hardware/Calypso
9 http://bb.osmocom.org/trac/wiki/TSM30Layer1
MediaTek MT6260
ARM CPU, GSM modem, display, memory, battery: around $15
Nice platform to hack, but the source is under a murky license
Interesting approach to copyright
NuttX (also used in OsmocomBB) ported to the MT6260
Software-defined Radio Hardware
Open hardware capable of TX/RX (or at least open software)
Project: details
TI Calypso: Motorola C118, C123, C140 etc.
USRP: https://www.ettus.com/
UmTRX: http://umtrx.org/
BladeRF: http://www.nuand.com/
HackRF: http://greatscottgadgets.com/hackrf/
SIMtrace: http://bb.osmocom.org/trac/wiki/SIMtrace
Free Software Mobile Network Implementations
OpenBTS, OpenBSC, OsmocomBB are considered stable
OpenBTS-UMTS: missing voice features
openLTE is not so stable; srsLTE is mainly for scanning
Project: details
Airprobe: https://svn.berlin.ccc.de/projects/airprobe
OpenBTS: http://openbts.org/
OpenBSC: http://openbsc.osmocom.org/trac/
OsmocomBB: http://bb.osmocom.org/trac/
OpenBTS-UMTS: http://openbts.org/w/index.php/OpenBTS-UMTS
openLTE: http://openlte.sourceforge.net/
srsLTE: https://github.com/srsLTE/srsLTE
Airprobe
Passive sniffing of the GSM air interface.
Uses the GNU Radio stack (USRP, UmTRX etc.).
Analyze protocols with Wireshark.
Capture traffic to break A5/1 encryption.10
10 https://srlabs.de/decrypting_gsm/
OpenBTS
Um-to-SIP gateway.
Uses the GNU Radio stack (USRP, UmTRX etc.).
Uses Asterisk, FreeSWITCH etc. as the call/SMS processing backend.
Does away with the classical GSM architecture (BSC, MSC etc.).
OpenBSC
Classical GSM architecture.
Abis over IP.
Capable of interacting with proprietary MSC, BTS etc.
Can use OsmoTRX (GNURadio + USRP, UmTRX) as a BTS.
Diagnostics on Baseband
Every baseband has a diagnostic interface to monitor/debug the baseband
First-party tools: QxDM (Qualcomm)
Third-party tools: SwissQual QualiPoc, Accuver XCAL, ...
GSMTAP: mobile network payload inside a UDP/IP packet
Originally used by the Osmocom family, later adopted by other software
Can carry GSM/3G/LTE payloads
Used by a BTS or a UE to monitor the network
GSMTAP Monitoring Examples
xgoldmon: https://github.com/2b-as/xgoldmon
Works for the Infineon 3G baseband: Galaxy S2–4, Note 2
Darshak uses code from xgoldmon
Qualcomm baseband
SnoopSnitch: https://opensource.srlabs.de/projects/snoopsnitch
Not a strict “device monitor”, but uses the Qualcomm DIAG interface to monitor the control plane
Monitoring LTE is also possible: http://www.mirider.com/weblog/2013/08/index.html
OpenBTS and openLTE can store GSMTAP packets
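Putting the GSMTAP slides together with the paging and identity-harvesting slides of the control-plane lecture: an added example, not from the course or from any of the tools named above, that parses GSMTAP v2 headers, keeps only downlink CCCH/PCH blocks and decodes the Mobile Identity fields of a Paging Request Type 1, which is exactly what a passive listener reads off the air. The capture is constructed inline; the GSMTAP header layout, the UDP port and the 04.08/24.008 encodings are the documented ones.

```python
"""GSMTAP (UDP 4729) frames carrying GSM Um blocks: parse the header, pick out
downlink paging blocks and decode the identities they page (added example,
not course code)."""
import struct

GSMTAP_PORT = 4729                      # UDP port Osmocom and Wireshark use
GSMTAP_TYPE_UM = 0x01                   # GSM Um L2 frames
CH_BCCH, CH_CCCH, CH_PCH = 0x01, 0x02, 0x05   # GSMTAP Um sub_type (channel) values
MI_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}
GSMTAP_HDR = "!BBBBHbBIBBBB"            # v2 header, 16 bytes


def parse_gsmtap(frame: bytes) -> tuple:
    """Split a GSMTAP v2 PDU into (header dict, payload)."""
    (ver, hdr_len, typ, ts, arfcn, sig, snr, fn,
     sub, ant, sub_slot, _res) = struct.unpack(GSMTAP_HDR, frame[:16])
    if ver != 2:
        raise ValueError("unsupported GSMTAP version %d" % ver)
    hdr = {"type": typ, "sub_type": sub, "timeslot": ts, "signal_dbm": sig,
           "uplink": bool(arfcn & 0x4000), "arfcn": arfcn & 0x3FFF, "frame_number": fn}
    return hdr, frame[hdr_len * 4:]      # hdr_len counts 32-bit words


def decode_mobile_identity(mi: bytes) -> tuple:
    """Decode a 24.008 Mobile Identity value: (type name, identity string)."""
    typ = mi[0] & 0x07
    if typ == 4:                         # TMSI/P-TMSI: four raw bytes follow 0xF4
        return "TMSI", mi[1:5].hex()
    odd = bool(mi[0] & 0x08)             # odd/even indicator
    digits = [mi[0] >> 4]                # first digit lives in the high nibble
    for b in mi[1:]:
        digits += [b & 0x0F, b >> 4]     # low nibble first
    if not odd:
        digits.pop()                     # even count: last high nibble is 0xF filler
    return MI_TYPES.get(typ, "unknown"), "".join("%d" % d for d in digits)


def decode_paging_request_type1(block: bytes) -> list:
    """Identities in a Paging Request Type 1 (04.08 9.1.22) from a 23-byte CCCH block."""
    msg = block[1:1 + (block[0] >> 2)]   # octet 0 = L2 pseudo length, bits 8..3
    if msg[0] & 0x0F != 0x06 or msg[1] != 0x21:   # PD = RR, type = Paging Request Type 1
        raise ValueError("not a Paging Request Type 1")
    pos, ids = 3, []                     # skip page mode / channel needed octet
    n = msg[pos]                         # Mobile Identity 1 is mandatory (LV)
    ids.append(decode_mobile_identity(msg[pos + 1:pos + 1 + n]))
    pos += 1 + n
    if pos < len(msg) and msg[pos] == 0x17:       # Mobile Identity 2 is optional (TLV, IEI 0x17)
        n = msg[pos + 1]
        ids.append(decode_mobile_identity(msg[pos + 2:pos + 2 + n]))
    return ids


def harvest_identities(frames: list) -> list:
    """What a passive listener learns: (frame number, type, identity) per paged identity."""
    found = []
    for frame in frames:
        hdr, payload = parse_gsmtap(frame)
        if hdr["type"] != GSMTAP_TYPE_UM or hdr["uplink"]:
            continue
        if hdr["sub_type"] not in (CH_CCCH, CH_PCH):  # only CCCH/PCH carry paging
            continue
        try:
            for kind, ident in decode_paging_request_type1(payload):
                found.append((hdr["frame_number"], kind, ident))
        except ValueError:
            pass                         # other CCCH messages (e.g. Immediate Assignment)
    return found


def make_gsmtap_um(fn: int, sub_type: int, block: bytes, arfcn: int = 62) -> bytes:
    """Build a downlink GSMTAP v2 frame; used only to construct the sample capture."""
    return struct.pack(GSMTAP_HDR, 2, 4, GSMTAP_TYPE_UM, 0, arfcn, -80, 20,
                       fn, sub_type, 0, 0, 0) + block


# Constructed sample: one paging block for TMSI 0x12345678 and IMSI 262010123456789.
PAGING_BODY = bytes.fromhex("0621" "00" "05f412345678" "1708" "2926101032547698")
SAMPLE_PAGING = bytes([(len(PAGING_BODY) << 2) | 0x01]) + PAGING_BODY
SAMPLE_PAGING += b"\x2b" * (23 - len(SAMPLE_PAGING))      # pad to the 23-octet block
SAMPLE_CAPTURE = [
    make_gsmtap_um(1234, CH_PCH, SAMPLE_PAGING),
    make_gsmtap_um(1235, CH_BCCH, bytes.fromhex("49061b") + b"\x2b" * 20),  # SI3, ignored
]

if __name__ == "__main__":
    for fn, kind, ident in harvest_identities(SAMPLE_CAPTURE):
        print("fn=%d paged %s %s" % (fn, kind, ident))
```

Feed it real frames by binding a UDP socket to port 4729 on the host that runs OsmocomBB, xgoldmon or openLTE; every IMSI the function reports was sent in the clear, which is the slide’s “visible to anyone” point made concrete.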
Demo Time!
Monitoring LTE on Qualcomm baseband
You can see control plane messages
What Can We See?
Paging messages
Call control messages for dialing
SMS messages
And many more
The phone can always see unencrypted control plane messages: the encryption endpoint is the mobile phone itself
An attacker with root privileges can sometimes see control plane messages:
Android with a Qualcomm baseband has the /dev/diag interface
Usually accessible only by root; the Lollipop (5.0) kernel dropped the interface
Non-Qualcomm basebands have their own control message formats
Summary
Baseband exploits
Free baseband, mobile network software
Baseband monitoring tools
Telecommunication Security
SIM Security
Shinjo Park
Prof. Jean-Pierre Seifert
Security in Telecommunications
TU Berlin
SoSe 2015
Technical Description
(U)SIM often stands for both the hardware and the software
Multiple sizes of UICC cards (Universal Integrated Circuit Card)
Software inside your UICC card:
USIM (UMTS/LTE), ISIM (IMS/VoLTE), CSIM (CDMA)
Generates authentication data from a secret key (Ki and alike)
Algorithms like Milenage and COMP128 generate authentication data without directly exposing the key...
... but sometimes they can be broken
Additional functions via the USIM Application Toolkit
Card Hardware
Four physical sizes: full, mini, micro, nano
Electrically compatible; mechanical compatibility using a cutter/adapter
OS is either proprietary or Java Card:
Uses a subset of Java
Optimized byte-code format
Applets are “firewalled” from each other
Common in phones and ATM cards
Data exchange using APDUs (Application Protocol Data Unit)
What’s Inside? (1)
ICCID (Integrated Circuit Card ID) / SIM serial number
Uniquely identifies a SIM card (hardware)
Conforms to ISO/IEC 7812 (19–20 digits, Luhn check digit)
International Mobile Subscriber Identity (IMSI)
Uniquely identifies the mobile subscriber (15 digits, ITU E.212 standard)
MCC (3 digits), MNC (2 or 3 digits), MSIN (9 or 10 digits)
MSIN allocation policy is up to the operator
Authentication Key Ki
Only the network operator is supposed to know the value
(Should) never leave the smartcard
What’s Inside? (2)
Location Area Identity (LAI)
Stores the last known location area (saves time after a power cycle)
Address book and SMS messages
Higher capacity in more advanced cards
Some feature phones lack internal memory and use the SIM as the only storage
And much much more . . .
SMSC number
Service Provider Name (SPN)
Service Dialing Numbers (SDN)
See GSM/3GPP TS 11.11 for more details
SIM Card Readers
Your phone already has one!
Any kind of smartcard reader will work outside of the phone
Physical size is a problem
Read/write files (backup SMS, contacts)
Execute cryptographic functions (might help to extract Ki if a known vulnerability is present)
Frequently used for forensics1
1 See NIST “Guidelines on Cell Phone Forensics”, Special Publication 800-101
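What a reader actually does with the card, as an added example that is not course code: GSM 11.11 SELECT and READ BINARY APDUs walk MF → EF_ICCID and MF → DF_GSM → EF_IMSI, and the returned bytes are decoded (nibble-swapped BCD, ICCID Luhn check, IMSI split into MCC/MNC/MSIN as described two slides earlier). The card is a toy in-memory file system so the example runs without a reader; the ICCID, the IMSI and the MNC-length table are constructed.

```python
"""Reading EF_ICCID and EF_IMSI with GSM 11.11 APDUs (added example, not course code).
The card is a toy in-memory file system; APDU encodings and file codings are the 11.11 ones."""

CLA_GSM = 0xA0                         # GSM 11.11 class byte (a USIM/UICC uses 0x00)
INS_SELECT, INS_READ_BINARY = 0xA4, 0xB0
MF, DF_GSM, EF_ICCID, EF_IMSI = 0x3F00, 0x7F20, 0x2FE2, 0x6F07
# Constructed, partial table: MNC length depends on the MCC (2 digits in 262/450, 3 in 310)
MNC_LENGTH = {"262": 2, "310": 3, "450": 2}


def apdu_select(fid: int) -> bytes:
    """SELECT by file identifier: CLA INS P1 P2 Lc=2 FID."""
    return bytes([CLA_GSM, INS_SELECT, 0x00, 0x00, 0x02]) + fid.to_bytes(2, "big")


def apdu_read_binary(offset: int, length: int) -> bytes:
    """READ BINARY: CLA INS P1=offset high P2=offset low Le=length."""
    return bytes([CLA_GSM, INS_READ_BINARY, offset >> 8, offset & 0xFF, length])


def swap_nibbles(data: bytes) -> str:
    """BCD as stored on the SIM: low nibble is the first digit, 0xF is filler."""
    return "".join("%x%x" % (b & 0x0F, b >> 4) for b in data).upper().rstrip("F")


def decode_ef_iccid(raw: bytes) -> str:
    return swap_nibbles(raw)                                  # 10 bytes, up to 20 digits


def decode_ef_imsi(raw: bytes) -> str:
    """Byte 1 = length; then nibble-swapped digits whose first nibble is parity/type."""
    return swap_nibbles(raw[1:1 + raw[0]])[1:]


def luhn_ok(number: str) -> bool:
    """ISO/IEC 7812 check digit (Luhn), as used by ICCIDs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def split_imsi(imsi: str) -> dict:
    mcc = imsi[:3]
    n = MNC_LENGTH.get(mcc, 2)             # assumption: 2-digit MNC when the MCC is unknown
    return {"mcc": mcc, "mnc": imsi[3:3 + n], "msin": imsi[3 + n:]}


class ToySim:
    """Minimal card: a file tree, SELECT and READ BINARY, status words 9000/9404/6986/6D00."""

    def __init__(self):
        self.fs = {MF: {DF_GSM: {EF_IMSI: bytes.fromhex("08 29 26 10 10 32 54 76 98")},
                        EF_ICCID: bytes.fromhex("98 94 20 00 00 21 43 65 87 F8")}}
        self.path, self.current = [self.fs[MF]], None

    def transmit(self, apdu: bytes) -> tuple:
        cla, ins, p1, p2, p3 = apdu[:5]
        if cla != CLA_GSM:
            return b"", 0x6E00                                # class not supported
        if ins == INS_SELECT:
            fid = int.from_bytes(apdu[5:7], "big")
            if fid == MF:
                self.path, self.current = [self.fs[MF]], None
                return b"", 0x9000
            node = self.path[-1].get(fid)
            if node is None:
                return b"", 0x9404                            # file not found
            if isinstance(node, dict):                        # DF: descend
                self.path.append(node)
                self.current = None
            else:                                             # EF: becomes current
                self.current = node
            return b"", 0x9000
        if ins == INS_READ_BINARY:
            if self.current is None:
                return b"", 0x6986                            # no EF selected
            off = (p1 << 8) | p2
            return self.current[off:off + p3], 0x9000
        return b"", 0x6D00                                    # INS not supported


def read_identity(card) -> dict:
    """Walk MF -> EF_ICCID and MF -> DF_GSM -> EF_IMSI, then decode both files."""
    def select_path(*fids):
        for fid in fids:
            _, sw = card.transmit(apdu_select(fid))
            if sw != 0x9000:
                raise RuntimeError("SELECT %04X failed: SW=%04X" % (fid, sw))
    select_path(MF, EF_ICCID)
    iccid_raw, _ = card.transmit(apdu_read_binary(0, 10))
    select_path(MF, DF_GSM, EF_IMSI)
    imsi_raw, _ = card.transmit(apdu_read_binary(0, 9))
    iccid, imsi = decode_ef_iccid(iccid_raw), decode_ef_imsi(imsi_raw)
    return {"iccid": iccid, "iccid_luhn_ok": luhn_ok(iccid), "imsi": imsi, **split_imsi(imsi)}


if __name__ == "__main__":
    print(read_identity(ToySim()))
```

Against a real card, `ToySim.transmit` is replaced by the reader’s transmit call (pyscard’s `connection.transmit(list(apdu))` is the usual one) and nothing else changes; the IMSI bytes come back in exactly the coding the paging decoder of the control-plane lecture sees on the air.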
Access Restrictions
PIN 1: asked at phone startup, protects access to the network
PIN 2: protects certain network settings
3 failed attempts lock the SIM
Unlocking a locked SIM card is possible:
Personal Unblocking Key for each PIN (PUK1/PUK2)
10 failed PUK attempts permanently lock the SIM
Applet installation requires a separate set of keys
SIM Cloning
Extract the secret key from one card and transplant it into another card
Still available in Chinese online stores2
Using multiple networks on one card
No simultaneous standby and voice calls
2 http://www.aliexpress.com/item/16-in-1-Max-Slim-SIM-Cell-Phone-Magic-Super-Card-Backup-Back-Up-High-Quality/32229077370.html
SIM Cloning
Sometimes impossible due to the deprecation of COMP128v1
COMP128v3/Milenage based cards will not work3
Requires 4–8 hours of physical access to the card
Might damage the card due to the limit on the number of authentication requests
3 http://www.dx.com/p/2008-edition-6-number-in-1-multi-operator-magic-sim-with-card-cloning-software-and-usb-reader-12425
Power Analysis
Like other smartcards, vulnerable to power analysis attacks:
Require special equipment and skills
Simple Power Analysis (SPA): (visual) examination of the current (can be performed with standard digital oscilloscopes)
Differential Power Analysis (DPA): statistical analysis of the power consumption over multiple cryptographic operations4
This resulted in tamper-resistant techniques to defend against power analysis, but they are not necessarily applied to the card in your phone for cost reasons.
4 See work by Kocher et al.
Network Locking
In some countries/regions operators “subsidize” phones:
Only accept SIM cards of a particular operator/country
Based on some random secret embedded in the device firmware (OS, baseband, or both)
The operator could be “convinced” to provide the unlock code using $$ or social engineering
Both locking and unlocking might be (il)legal depending on your country’s laws:
Banning any type of lock
Locked initially, can be unlocked
Permanently locked
They can still preload tons of bloatware
Unlocking
Permanent unlock requires interaction with the baseband
Easy: network lock bits are modifiable using external programmers (often expensive)
Medium: IMEI-dependent network unlock codes are required (purchase, bruteforce, ...)
Entering wrong unlock codes repeatedly will permanently lock your phone
Hard: permanently locked, external methods required
Some operators will not unlock their iPhones
Shim cards can “piggyback” and fake the provider name
USIM Application Toolkit
Operator’s applications without “touching” the mobile phone
Apps are implemented in Java using the Java Card/STK/USAT APIs
No native GUI, text-based menus
Can access the mobile network; Over-the-Air (OTA) updates are possible
Standards
STK: GSM 11.14, 03.48
USAT: 3GPP TS 31.111, 23.048, ETSI TS 102.241
Application Capability
Setting up text menus
Receive and dial calls
Listen to and send SMS messages
Track the user’s location to the cell level
Play tone, timer, etc.
Premium services
Mobile payment services in Africa, southwest Asia
Public transport tickets in some regions
Applications without a UI are also possible
How to Write the Application
Java Card SDK, STK, USAT/UICC APIs are all open
Compiling the Java file produces a CAP (Converted APplet) file for the smartcard
You can write your own application!
// Applet skeleton around the constructor (uicc.toolkit is the USAT API of ETSI TS 102 241;
// ToolkitConstants defines the EVENT_* values used below)
import javacard.framework.Applet;
import uicc.toolkit.*;

public class HelloSTK extends Applet implements ToolkitInterface, ToolkitConstants {
    private HelloSTK () {
        // snip
        // Register with the toolkit and subscribe to the events this applet is woken up for:
        // call state changes, location changes, and call/SMS control (allow, modify or block)
        ToolkitRegistry reg = ToolkitRegistrySystem.getEntry();
        reg.setEvent(EVENT_EVENT_DOWNLOAD_CALL_CONNECTED);
        reg.setEvent(EVENT_EVENT_DOWNLOAD_CALL_DISCONNECTED);
        reg.setEvent(EVENT_EVENT_DOWNLOAD_MT_CALL);
        reg.setEvent(EVENT_CALL_CONTROL_BY_NAA);
        reg.setEvent(EVENT_EVENT_DOWNLOAD_LOCATION_STATUS);
        reg.setEvent(EVENT_MO_SHORT_MESSAGE_CONTROL_BY_NAA);
        // snip
    }
}
NSA’s GOPHERSET
SIM card data extraction using binary SMS5
5 https://leaksource.files.wordpress.com/2013/12/nsa-ant-gopherset.jpg
Uploading Application
Uploading requires a digital signature and/or encryption: different from the key used for mobile network authentication
Normally 3DES or AES; some older cards support only DES
Bladox Turbo SIM: shim card over the current card6
Applications are written against a Bladox-designed C API
Not an attractive choice for an attacker: easily spotted
SIMtester from SRLabs fuzzes SIM cards7
Some cards sign an “empty” message if the applet upload request has failed
Cracking the “response” will reveal the keys: DES downgrade
Karl Koscher et al.: uploaded an app onto a custom tailored SIM card8
Their card had authentication disabled for applet uploading (not the case for commercial cards)
6 http://bladox.com/index.php?lang=en
7 https://opensource.srlabs.de/projects/simtester/wiki
8 Karl Koscher and Eric Butler, The Secret Life of SIM Cards, DEF CON 21
Even the NSA Has Problems
So they chose to hack the SIM card vendor to get the keys
The NSA’s Gemalto hacking breached office networks9
9 http://www.gemalto.com/press/Pages/Gemalto-presents-the-findings-of-its-investigations-into-the-alleged-hacking-of-SIM-card-encryption-keys.aspx
How Are They Represented?
[Figure: SIM toolkit menus as shown on (a) iOS, (b) BlackBerry 10, (c) Android]
How Can We Access?
A SIM toolkit application can relay commands between the SIM card and the user interface
The operating system provides limited access to SIM card data via APIs:
IMSI, phone number, MCC/MNC, etc.
Raw access to the SIM card depends on the operating system:
iOS, Windows Phone: not allowed
BlackBerry 10: allowed
Android: allowed using a 3rd-party API
Hooking them will reveal the communication between the phone and the SIM
Mobile Payment Wars
Contactless payment systems are based on NFC
Mobile payment requires secret data to be stored
Who will maintain the secure element (SE)?10
OS vendor: Host Card Emulation (HCE)
Device vendor
Network operator
Credit institutions
[Figure: (a) SE on NFC module, (b) SE on SIM card, (c) SE on microSD card]
10 https://mobile.mastercard.com/Partner/MobilePayPass/SecureElements
Mobile Payment Wars
Each party wants to put the SE on what it controls
Customized Android builds included support for a SIM-based SE
Android 4.4 added support for HCE mode (Google Wallet)
Windows Phone up to 8.1: SIM-based SE
Windows 10 Mobile will include HCE mode
Apple Pay: hardware SE, NFC antenna on iPhone 6(+)/Apple Watch
Summary
What is included in a SIM card?
Access control, cloning
SIM applications, mobile payment
Reading list for next lecture:
Weaponizing Femtocells: The Effect of Rogue Devices on Mobile Telecommunication, Nico Golde et al., NDSS 2012
Demo time!
What can a malicious SIM application do?
Telecommunication Security
Femtocell Security
Shinjo Park
Prof. Jean-Pierre Seifert
Security in Telecommunications
TU Berlin
SoSe 2015
What is a Femtocell?
Miniaturized cell tower the size of a home router
Only two inputs: power and the Internet
Lower transmission power, covering a small area
3G: Home Node B (HNB), 4G: Home eNodeB (HeNB)
Why Femtocells?
Femtocells are intended to complement cell tower coverage
Cell tower coverage cannot reach every building, especially in urban areas
Higher bandwidth: fewer users share the same network infrastructure
Lower installation and maintenance cost
Lower unit costs compared to big cells
Femtocell in 3G Network
[Figure: UE = ME + UICC [USIM]. Macro path: UE –Uu– NodeB –Iub– RNC (RNS: Radio Network Subsystem) –IuCS– MSC / –IuPS– SGSN. Femtocell path: UE –Uu– HNB (user controlled) –Iuh, inside IPsec over the Internet– SeGW – HNB-GW –IuCS– MSC / –IuPS– SGSN (HNS: Home NodeB Subsystem); the HNB is managed by the HMS over TR-069.
Legend: UE: User Equipment, MS: Mobile Station, CS: Circuit Switched, PS: Packet Switched, AN: Access Network, CN: Core Network]
Femtocell in 4G Network
[Figure: UE = ME + UICC [USIM]. Macro path: UE –LTE-Uu– eNodeB –S1-MME– MME / –S1-U– S-GW, MME –S11– S-GW. Femtocell path: UE –LTE-Uu– HeNB (user controlled) –S1, inside IPsec over the Internet– SeGW – HeNB-GW –S1-MME– MME / –S1-U– S-GW (HeNS: Home eNodeB Subsystem); the HeNB is managed by the HeMS over TR-069.
Legend: UE: User Equipment, MS: Mobile Station, AN: Access Network, CN: Core Network]
3GPP’s H(e)NB Threat List
3GPP TR 33.820 categorizes threats
Rough summary:
Cracking and cloning the authentication token
Physical and logical tampering with hardware and software
Attacking the core network via the femtocell
Eavesdropping/masquerading
Can I Haz Dah Femtocells?
Depends on the operator:
Available freely on the market
Available, but can only be purchased with a subscription
Not available; new installations are performed by the network operator
Femtocell Research
Vodafone UK femtocells by THC
SFR femtocells by SecT
Verizon femtocells
Probably more unpublished research...
Terminal Access
Serial console available as pins/pads or an external port
Might be electrically incompatible with the original port: may damage your equipment!
Bootloader access: can read or write device memory without rooting it
If serial file transfer is included, you can easily modify the firmware!
Firmware Update and Recovery Process
The user, the telco or the femtocell itself can trigger the firmware upgrade/recovery procedure
New firmware is fetched and settings are updated
If the signature check is not performed or can be circumvented, an attacker can upload malicious firmware
[Figure: OAM ↔ femtocell exchange]
Femtocell → OAM: get parameter and firmware list (HTTP/HTTPS with client certificate)
OAM → Femtocell: parameter and firmware list (HTTP, or clear text over HTTPS)
Femtocell → OAM: get new firmware, if different (FTP/HTTP)
OAM → Femtocell: firmware (encrypted and signed: optional)
Femtocell as 3G/4G IMSI Catcher
3G/4G requires mutual authentication; the GSM approach will not work
A femtocell can capture and relay authentication tokens
Allowing anyone to connect: effective IMSI catcher
Eavesdropping Traffic
Phone–femtocell encryption and femtocell–core network encryption use different sets of keys: the transformation is done in the box
The core network connection is tunneled inside IPsec
Once root permission is obtained, IPsec can be broken:
strongSwan: increasing the log level will reveal the keys1
ip xfrm state, often omitted due to space constraints
Proprietary implementation: hook the socket operations
Decoding IPsec means decoding all data
1 https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
Voice Calls
3G voice: AMR-NB/WB inside an RTP stream (GAN as backhaul)
4G voice (VoLTE): more intuitive than 3G!
SIP is used to set up calls, RTP is used to carry the data
SMS and Data
3G: easily eavesdroppable if unencrypted GAN is used
4G: SMS over SGs, SMS over IMS
SMS over SGs: SMS PDUs are tunneled inside signaling messages; depends on NAS encryption
SMS over IMS: same encryption as applied to IMS voice traffic
NAS encryption is done end-to-end (between UE and MME)
Data is often unencrypted “inside” the IPsec tunnel
Never assume that the mobile data network is more secure than Wi-Fi!
Remote Attack
Diverse web interface implementations
Attacks target a specific femtocell model
TR-069: widely used, invisible protocol2
Used by the network operator to remotely control devices
Based on XML over HTTP; server vendors are limited
Patching one vulnerability involves multiple vendors: TR-069 server developer, chipset manufacturer, device maker, (network operator)
TR-069 is also widely used in femtocells
Publicly exposed remote access services
Telnet, TR-069, SSH, etc.
Shodan (https://shodan.io) is our friend
One token for all devices means security failure
Other operator-specific control interfaces
2 Too Many Cooks - Exploiting the Internet-of-TR-069-Things, Lior Oppenheim and Shahar Tal, 31C3 (2014)
How Not to Implement Remote Management
Design your own protocol
I need to call some executable file:
system() and popen() both hand the command string to the default shell (/bin/sh -c); only exec*() with an argument vector avoids the shell
Unfiltered format strings will trigger side effects
Properly filtering user input is another major topic
Never store credentials unencrypted
Some devices store the root password in NVRAM without encryption
An attacker with physical access can hijack the password
One uniform password for all products: all devices hacked
Bad example: command execution → loopback telnet access → plaintext password → all devices are affected!
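The system()-versus-argv point above, as an added example that is not from the lecture or from any femtocell firmware: the same remote-management parameter goes through a handler that pastes it into a shell command line and through one that passes it as a single argv element after an allow-list check. `echo` stands in for the real diagnostic command (ping, traceroute) so that the example runs anywhere; the host-name pattern is an assumption.

```python
"""Remote-management handler: a parameter reaches a shell (added example, not
course code). 'echo' is a stand-in for the diagnostic command a femtocell would
run (ping, traceroute, iptables); the argv handling is what matters."""
import re
import subprocess

# Allow-list: hostname or dotted IPv4 only. The first character must be alphanumeric so
# the value can never start with '-' and be parsed as an option (argument injection).
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def diag_vulnerable(host: str) -> list:
    """system()/popen() style: the parameter is pasted into a shell command line."""
    out = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def validate_host(host: str) -> str:
    """Reject anything that is not a plausible host name; no blacklist of metacharacters."""
    if not HOST_RE.match(host) or ".." in host:
        raise ValueError("invalid host parameter: %r" % host)
    return host


def diag_hardened(host: str) -> list:
    """execve() style: argv array, no shell, validated parameter."""
    out = subprocess.run(["echo", validate_host(host)], capture_output=True, text=True)
    return out.stdout.splitlines()


def injection_demo(param: str) -> dict:
    """Run both handlers on the same TR-069-style parameter value."""
    result = {"vulnerable": diag_vulnerable(param)}
    try:
        result["hardened"] = diag_hardened(param)
    except ValueError as e:
        result["hardened"] = ["rejected: %s" % e]
    return result


if __name__ == "__main__":
    print(injection_demo("192.0.2.1"))
    print(injection_demo("192.0.2.1; echo INJECTED"))   # attacker-controlled value
    print(injection_demo("$(id)"))                      # command substitution, same outcome
```

With the shell in the path, `192.0.2.1; echo INJECTED` runs two commands; with an argv array the whole string is one argument and `echo` prints it back literally, and the validator rejects it before anything runs at all. The same split applies to the C functions the slide names: replace `system()`/`popen()` by `fork()` plus `execve()` with a fixed argv.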
Femtocell Detection
Mostly based on cell ID/LAC/TAC
MyCell: preselects the nearest cell ID and notifies when the ID changes
Femto Widget: determines a femtocell by a predefined range of LACs
Femto Catcher: uses a predefined range of network IDs. Only works on Verizon CDMA.
Some femtocells use a separate MNC/network name from the cell tower
Roaming with Femtocell
Operators with femtocells will block access from outside the home country3
What if the femtocell is used outside of the home country?
3 http://www.verizonwireless.com/support/network-extender-faqs/
Roaming with Femtocell
You can save roaming charges (often excessive)!
You may violate the law of the visited location: frequency overlap
Operator checks:
Site survey: if a foreign cell is detected or no home-country cell is detected, block access to the core network
Positioning: the cell tower location could be used for emergency services, and also for detecting where the femtocell is
IP check: only allow HeMS connections from home-country IPs
How they are defeated:
Femtocells might be used where no mobile signal is detected
GPS could be spoofed, or if it is internally placed as a module, we can feed fake data
A VPN can spoof the location; beware of multiple levels of NAT
Portable Femtocell?
Implementing 3G/LTE using SDR requires more computing power due to the wider spectrum and more efficient utilization of the frequency
Why not carry a femtocell as an IMSI catcher and mobile eavesdropper?
Backhaul link: another operator’s LTE connection
Mi-Fi or single board computer: converts the wireless link to wired
Large power pack for both the femtocell and the uplink
DIY (femto)cell
Open Source Software
Open Source Hardware
Legal4
Independent
4 To some extent at least
Open source cell flavors
OpenBTS
SIP ASAP (Um-to-SIP directly)
Stability and compatibility issues
OpenBSC
Classical BTS - BSC - MSC architecture
More complex
Other: openLTE etc.
Osmocom Software
OpenBSC (osmo-nitb): BSC + MSC + HLR
OsmoBTS: BTS
OsmoTRX: L1
LCR: core, call routing
Hardware
USRP: universal5, no schematics
UmTRX: purpose-built6, open hardware
BladeRF, HackRF, Motorola C123...
5 Wanna run your own TV?
6 For Mother Russia!
Links
http://openbsc.osmocom.org/trac/
http://openbts.org/
http://umtrx.org/
Quickie
osmo-nitb -c ~/.config/osmocom/open-bsc.cfg -l ~/.config/osmocom/hlr.sqlite3 -P -m -C --debug=DRR:DPAG:DRSL:DMNCC
sudo chrt 20 osmo-trx -a addr=192.168.9.2
sudo chrt 15 osmobts-trx -c ~/.config/osmocom/osmo-bts.cfg -i 224.0.0.1 -d DRR:DPAG:DRSL:DMNCC
telnet localhost 4242
Summary
What are femtocells?
How can we break into femtocells?
What happens if a femtocell is broken?
Next week’s lecture is optional: recap of this semester
Oral exam registration: QISPOS if available
If you cannot access QISPOS, please send your schedule to [email protected]