This document discusses security assessments of 4G mobile networks. It introduces the presenters and provides an overview of 4G network architecture and potential vulnerabilities, including at the radio access network level and GPRS Tunnelling Protocol. Examples of attacks like GTP "synfloods" are mentioned. The document advocates working with mobile operators to identify and address security issues for the benefit of subscribers.
9. Why?
- We use it every day
  - Internet
  - social networks
  - to hack stuff
- IT uses it every day
  - ATM
  - IoT
  - SCADA
30. A good detour is never a wrong road (Guter Weg um ist nie krumm)
- All the old IP stuff
  - traces to 1.1.1.1 / 10.1.1.1
  - IP source routing
  - Management ports
- All the new IP stuff
  - IPv6
  - MPTCP
  - Telco-specific (GTP, SCTP M3UA, DIAMETER etc.)
http://ubm.io/11K3yLT        https://www.thc.org/thc-ipv6/
32. DNS
- In most cases it is an internal DNS server
- Sometimes it uses the company's FQDN and address space
  - Bruteforce / zone transfer and other information leakage
  - .gprs .3gppnetwork.org
- APIPA IP address reuse
  - local.COMPANY.com has an A-record pointing to 10.X.X.X
  - Attacker publishes a link to local.COMPANY.com on the same address
  - Victims from the 10.X network will send their cookies to the attacker
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
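Added example, not from the slides: a check for the DNS leak just described, which flags names under a company's public zone whose A-records point into RFC 1918 or APIPA (169.254/16) space. The records, zone name and addresses are constructed for the demonstration; a real run would feed it zone-transfer or resolver output.

```python
import ipaddress

# Internal ranges the slide talks about: RFC 1918 space (10.X.X.X, ...) and APIPA (169.254/16).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed records (FQDN, address), as a zone transfer or resolver log would yield them.
RECORDS = [
    ("www.company.example", "203.0.113.10"),
    ("local.company.example", "10.1.1.1"),
    ("dev.company.example", "169.254.12.7"),
    ("ns1.company.example", "not-an-ip"),
]

def is_internal(addr: str) -> bool:
    """True when addr parses and falls into RFC 1918 or APIPA space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def leaking_records(records, public_zone: str):
    """Records under public_zone that resolve into internal space: a web origin under
    the company's public domain that someone on the same private network can occupy,
    which is what makes the cookie leak on the slide possible."""
    suffix = "." + public_zone.lower().strip(".")
    return [(name, addr) for name, addr in records
            if name.lower().endswith(suffix) and is_internal(addr)]

if __name__ == "__main__":
    for name, addr in leaking_records(RECORDS, "company.example"):
        print(f"{name} -> {addr}: public name resolving to an internal address")
```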
34. Resume
- For telcos
  - Please scan all your Internets!
  - Your subscribers' network is not your internal network
- For auditors
  - Check all states
    - online/blocked/roaming
  - Check all subscribers
    - APNs, subscriber plans
  - Don't hack other subscribers
http://www.slideshare.net/phdays/how-to-hack-a-telecommunication-company-and-stay-alive-gordeychik/32
45. All I need is RCE Love!
- telnet/snmp?
  - Internal interface only
  - Blocked by browsers
- http/UPnP?
  - Attack via browser (CSRF)
- broadband
  - ?
53. Cute, but...
- You need to have the firmware
  - Sometimes you get lucky...
  - ...other times you don't
- Integrity control
  - At least there should be some...
59. Cute, but...
- Get firmware?
  - Yes, it's nice, but...
- Find more bugs?
  - We have enough...
- Get SMS, send USSD?
  - Can be done via CSRF/XSS...
- PWN the subscriber?
64. Details
- The dashboard installs a web server on localhost
  - Host diagnostics (ipconfig, traces...)
  - Windows "shell" script based!
  - Very "secure"!
- Interacts with the USB modem's web server
  - Doesn't care about origin (you don't even need XSS)
75. Resume
- For telcos
  - All your 3/4G modems/routers are belong to us
- For everybody
  - Please don't plug computers into your USB
  - Even if it is your harmless network printer / 4G modem
77. What is a SIM: for a hacker
- Microcontroller
  - Own OS
  - Own file system
  - Application platform and API
- Used in different phones (even after an upgrade)
- OS-independent, but can kill all security
  - Baseband access
  - OS sandbox bypass
78. What has Karsten taught us?
- Not all TARs are equally secure
- If you are lucky enough you could find something to bruteforce
- If you are even luckier you can crack some keys
- Or some TARs would accept commands without any crypto at all
https://srlabs.de/rooting-sim-cards/
79. Getting the keys
- Either using rainbow tables or by plain old DES cracking
- We've chosen the way of brute force
- Existing solutions were too slow for us
- So why not build something new?
80. Getting the keys
- So why not build something new?
- The Bitcoin mining business took another twist
- Which resulted in a number of affordable FPGAs on the market
- So...
84. The rig
- Some specs:

  Hardware                    Speed (Mcrypt/sec)   Time for DES (days)   Time for 3DES, part of key known (days)
  Intel CPU (Core i7-2600K)   475                  1755.8 (~5 years)     5267.4
  Radeon GPU (R290X)          3,000                278                   834
  Single chip (xs6slx150-2)   7,680                108.6                 325.8
  ZTEX 1.15y                  30,720               27.2                  81.6
  Our rig (8*ZTEX 1.15y)      245,760              3.4                   10.2

+ descrypt bruteforcer: https://twitter.com/GiftsUngiven/status/492243408120213505
85. Now what?
- So you either got the keys or didn't need them; what's next?
- Send random commands to any TARs that accept them
- Send commands to known TARs
86. Now what?
- Send random commands to TARs that accept them
- Many variables to guess:
  CLA INS P1 P2 P3 PROC DATA SW1 SW2
- Good manuals or intelligent fuzzing needed
- Or you'll end up with nothing, not knowing what you send and receive
87. Now what?
- Send commands to known TARs
  - Card manager (00 00 00)
  - File system (B0 00 00 - B0 FF FF)
  - ...
88. Now what?
Card manager (TAR 00 00 00)
- Holy grail
  - Install custom applets and jump off the JCVM
- Not enough technical details
  - No successful PoC publicly available
- But there are SIM cards that allow installing apps with no security at all!
  - Someone has done it for sure...
89. Now what?
File system (B0 00 00 - B0 FF FF)
- Stores interesting stuff: TMSI, Kc
- May be protected by CHV1 == PIN code
90. Now what?
- File system (TAR B0 00 00 - B0 FF FF)
  - Simple, well-documented APDU commands (SELECT, GET RESPONSE, READ BINARY, etc.)
  - Has its own access conditions (READ, UPDATE, ACTIVATE, DEACTIVATE | CHV1, CHV2, ADM)
91. Attack?
- No fun in sending APDUs through a card reader
- Let's do it over the air!
  - Wrap file system access APDUs in binary SMS
  - Can be done with osmocom, some GSM modems or an SMSC gateway
92. Attack?
- Binary SMS can be filtered
- Several vectors exist:
  - Intra-network
  - Inter-network
  - SMS gates
  - Fake BTS/FemtoCell
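Added example, not from the slides or the presenters' tooling: the filter side of "binary SMS can be filtered". It decodes the 3GPP TS 03.48 command-packet header of an OTA binary SMS, maps the TAR to the card-manager and file-system ranges listed on slides 87-90, and blocks packets that carry neither an integrity check nor ciphering (the "no crypto at all" case from slide 78). The build_packet helper, the placeholder TAR 0x123456 and the sample packets are constructed for the demonstration.

```python
import struct

def parse_command_packet(pkt: bytes) -> dict:
    """Decode the TS 03.48 command-packet header: CPL, CHL, SPI, KIc, KID,
    TAR, CNTR, PCNTR and the variable-length RC/CC/DS field."""
    cpl, chl = struct.unpack(">HB", pkt[:3])
    if len(pkt) != 2 + cpl or chl < 13:
        raise ValueError("inconsistent CPL/CHL")
    spi1 = pkt[3]                       # first SPI byte: b2b1 = RC/CC/DS mode, b3 = ciphering
    chk_len = chl - 13                  # CHL counts SPI..RC/CC/DS; 13 of those bytes are fixed
    return {
        "tar": int.from_bytes(pkt[7:10], "big"),
        "integrity": spi1 & 0x03,       # 0 none, 1 RC, 2 CC, 3 DS
        "ciphered": bool(spi1 & 0x04),
        "counter": int.from_bytes(pkt[10:15], "big"),
        "checksum": pkt[16:16 + chk_len],
        "data": pkt[16 + chk_len:],
    }

def classify_tar(tar: int) -> str:
    """Map a TAR to the two ranges named on the slides."""
    if tar == 0x000000:
        return "card-manager"
    if 0xB00000 <= tar <= 0xB0FFFF:
        return "file-system"
    return "other"

def gate_decision(pkt: bytes) -> str:
    """'block' when a packet aimed at the card manager or file system carries
    neither an integrity check nor ciphering, otherwise 'allow'."""
    hdr = parse_command_packet(pkt)
    sensitive = classify_tar(hdr["tar"]) in ("card-manager", "file-system")
    unprotected = hdr["integrity"] == 0 and not hdr["ciphered"]
    return "block" if sensitive and unprotected else "allow"

def build_packet(spi1: int, tar: int, checksum: bytes, data: bytes) -> bytes:
    """Constructed test packets only; the secured data is placeholder bytes, not an APDU."""
    header = bytes([spi1, 0x00, 0x00, 0x00]) + tar.to_bytes(3, "big") + bytes(5) + b"\x00" + checksum
    body = bytes([len(header)]) + header + data
    return len(body).to_bytes(2, "big") + body

# Constructed samples: unprotected file-system packet, CC-protected one, unprotected other TAR.
NO_CRYPTO_FS = build_packet(0x00, 0xB00000, b"", b"\x00\x00")
CC_PROTECTED_FS = build_packet(0x02, 0xB00000, bytes(8), b"\x00\x00")
NO_CRYPTO_OTHER = build_packet(0x00, 0x123456, b"", b"\x00")   # 0x123456: arbitrary placeholder TAR

if __name__ == "__main__":
    for name, pkt in [("NO_CRYPTO_FS", NO_CRYPTO_FS), ("CC_PROTECTED_FS", CC_PROTECTED_FS)]:
        print(name, classify_tar(parse_command_packet(pkt)["tar"]), gate_decision(pkt))
```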
93. Attack?
- Wait! What about access conditions?
- We still need a PIN to read the interesting stuff
  - Often the PIN is set to 0000 by the operator and is never changed
  - Otherwise it needs bruteforcing
94. Attack?
- PIN bruteforce
  - Only 3 attempts until the PIN is blocked
  - Needs a wide range of victims to get an appropriate success rate
  - Provides some obvious possibilities...
95. Attack?
- Byproduct attack: subscriber DoS
  - Try 3 wrong PINs
  - PIN is locked, PUK (CHV2) requested
  - Try 10 wrong PUKs
  - PUK is locked
  - Subscriber is locked out of the GSM network and needs to replace the SIM card
96. Attack?
- To sniff we still have to figure out the ARFCN
- There are different ways...
- Catching paging responses on the CCCH feels like the most obvious way
- Still has to be coded; go do it!
- Everything could be built on osmocom-bb...
97. Attack?
- Assuming we were lucky enough
  - We either have the OTA key or don't need one
  - We've either got the PIN or don't need one
- All we need is to read two elementary files
  - MF/DF/EF/Kc and MF/DF/EF/loci
  - Go look at SIMTracer!
98. Attack?
- Assuming we were lucky enough
  - We now have the TMSI and Kc and don't need to rely on Kraken anymore
- Collect some GSM traffic with your SDR of choice or an osmocom-bb phone
  - Decrypt it using the obtained Kc
  - Or just clone the victim for a while using the obtained TMSI & Kc
  - Looks A5/3 friendly!
- Profit!
100. So?
- Traffic decryption only takes 2 binary messages
- DoS takes 13 binary messages and can be done via an SMS gate
- There are valuable SMS packages. Catch the deal.
- There are also USSDs...
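Added example, not from the slides: a detection rule for the subscriber-lockout pattern of slide 95, which slide 100 counts as 13 binary messages (3 PIN attempts + 10 PUK attempts). It runs over constructed SMS-gate log lines; the log format, the MSISDNs, the 13-message threshold and the one-hour window are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-time> src=<gate> dst=<msisdn> class=<n>[ tar=<6 hex>]".
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) class=(\d)(?: tar=([0-9A-Fa-f]{6}))?$")

def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, cls, tar = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "cls": int(cls), "tar": int(tar, 16) if tar else None}

def targets_sim_file_system(rec) -> bool:
    """Class 2 = SIM data download; TAR B0 00 00 - B0 FF FF = file-system access."""
    return rec["cls"] == 2 and rec["tar"] is not None and 0xB00000 <= rec["tar"] <= 0xB0FFFF

def find_lockout_bursts(lines, threshold=13, window=timedelta(hours=1)):
    """Subscribers that received >= threshold file-system OTA messages inside one
    sliding window; 13 = 3 PIN attempts + 10 PUK attempts. Returns {dst: window start}."""
    per_dst = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and targets_sim_file_system(rec):
            per_dst[rec["dst"]].append(rec["ts"])
    hits = {}
    for dst, stamps in per_dst.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[dst] = stamps[start]
                break
    return hits

# Constructed sample: 13 file-system OTA messages to one subscriber within 13 minutes,
# 2 to another, and an ordinary text message (class 1, no TAR) that must not count.
SAMPLE_LOG = (
    [f"2014-05-20T10:{i:02d}:00 src=gate-A dst=79150000001 class=2 tar=B00000" for i in range(13)]
    + [f"2014-05-20T10:{i:02d}:30 src=gate-A dst=79150000002 class=2 tar=B00000" for i in range(2)]
    + ["2014-05-20T10:05:00 src=gate-A dst=79150000001 class=1"]
)

if __name__ == "__main__":
    for dst, first in find_lockout_bursts(SAMPLE_LOG).items():
        print(f"{dst}: lockout-pattern burst starting {first.isoformat()}")
```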
101. "What's a girl to do?"
- Change the PIN, maybe...
- Run SIMTester!
- Use PSTN, FTW :(
- Pigeon mail anyone?
102. Resume
- For telcos
  - Check all your SIMs
  - Train your (or your contractor's) SIM/App/Sec staff
- For everybody
  - Pray