#root via SMS
4G IP access security assessment
we are…
who we are
Sergey Gordeychik
@phdays architect
@scadasl captain
Alex Zaitsev
@arbitrarycode executor
@phdays goon
behind the scenes
Dmitry Sklyarov, Alexey Osipov (@GiftsUngiven),
Kirill Nesterov, Timur Yunusov (@a66at)
http://scadasl.org
3G/4G network
the Evil
4G access level
 Branded mobile equipment security checks
 3G/4G USB Modems
 Routers / Wireless Access Point
 Smartphones/Femtocell/Branded applications
 (U)SIM cards
 Radio/IP access network
 Radio access network
 IP access (GGSN, Routers, GRX)
 Related Infrastructure
 Additional services/VAS (TV, Games, etc)
why?
 we use it every day
 Internet
 social network
 to hack stuff
 IT use it everyday
 ATM
 IoT
 SCADA
[Figure: ERTMS/ETCS architecture diagram. Plain line and station with computer-based interlocking (to peripherals: signals, point machines, etc.), RBC, fixed Eurobalise, MMI, GSM-R radio links, ETCS onboard data.]
bullet train interlocking
http://en.wikipedia.org/wiki/European_Rail_Traffic_Management_System
radio access network
• Well researched by community
– http://security.osmocom.org/trac/
• Special thanks to
– Sylvain Munaut/Alexander Chemeris/Karsten Nohl/et. al.
http://security.osmocom.org/trac/
btw
not so quick
 EN 50159:2010
 RBC-RBC Safe Communication Interface Subset-098
 VPN over GSM
not enough?
the NET
thanks John
http://www.shodanhq.com/
By devices
the NET
GPRS Tunnelling Protocol
 Subset of protocols for GPRS communications
 SGSN <-> GGSN signaling (PDP context, QoS, etc)
 IP tunneling
 Roaming (GRX)
 Charging data exchange
 GTP-C UDP/2123
 GTP-U UDP/2152
 GTP' TCP/UDP/3386
http://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol
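The slide lists the GTP message families and their ports but not what an echo exchange looks like on the wire or how to tell a legitimate GRX peer from a host answering the open Internet. The following is an added example, not code from the talk: it encodes a GTPv1 Echo Request and decodes an Echo Response (header layout per 3GPP TS 29.060, including the Recovery IE that carries the restart counter), and classifies a flow hitting a GTP port by where the peer sits. The partner allowlist (192.0.2.0/24), the sample response and the sample addresses are constructed.

```python
"""GTPv1 echo request/response codec plus a GTP-port exposure check.

Added example, not code from the talk. Header layout follows 3GPP TS 29.060
(GTPv1): flags, message type, length, TEID, and the optional sequence-number
/ N-PDU / next-extension-header octets present when the S flag is set.
"""
import ipaddress
import struct

GTP_ECHO_REQUEST = 1
GTP_ECHO_RESPONSE = 2
IE_RECOVERY = 14                                   # TV IE carrying the restart counter
GTP_PORTS = {2123: "GTP-C", 2152: "GTP-U", 3386: "GTP'"}

# Constructed allowlist: address space of the roaming/GRX partners this
# GGSN is supposed to talk to (TEST-NET-1 here, a placeholder).
GRX_PARTNERS = [ipaddress.ip_network("192.0.2.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_echo_request(seq: int) -> bytes:
    """Echo Request: version 1, PT=1 (GTP, not GTP'), S flag set, TEID 0."""
    flags = (1 << 5) | (1 << 4) | (1 << 1)        # 0x32
    tail = struct.pack("!HBB", seq, 0, 0)         # sequence number, N-PDU number, next ext header
    return struct.pack("!BBHI", flags, GTP_ECHO_REQUEST, len(tail), 0) + tail


def parse_gtp(pkt: bytes) -> dict:
    """Decode a GTPv1 header; for an Echo Response also pull the Recovery IE."""
    if len(pkt) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not a GTPv1 message")
    body = pkt[8:8 + length]
    if len(body) != length:
        raise ValueError("length field does not match payload")
    seq = None
    if flags & 0x02:                              # S flag: 4 extra header octets
        seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    restart = None
    if msg_type == GTP_ECHO_RESPONSE and len(body) >= 2 and body[0] == IE_RECOVERY:
        restart = body[1]
    return {"type": msg_type, "teid": teid, "seq": seq, "restart_counter": restart}


def classify_gtp_peer(src_ip: str, dst_port: int) -> str:
    """Label a flow that hits a GTP port by where the peer sits.

    A peer that is neither a known GRX partner nor in RFC 1918 space means a
    GTP service is answering the open Internet, which is what the scan found.
    """
    if dst_port not in GTP_PORTS:
        return "not-gtp"
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in GRX_PARTNERS):
        return "expected-partner"
    if any(addr in net for net in RFC1918):
        return "internal"
    return "exposed-to-internet"


if __name__ == "__main__":
    req = build_echo_request(7)
    print("echo request:", req.hex())
    # Constructed Echo Response to that request, restart counter 5.
    resp = bytes.fromhex("3202000600000000000700000e05")
    print("echo response:", parse_gtp(resp))
    for ip, port in [("192.0.2.10", 2123), ("10.4.0.2", 2152), ("198.51.100.9", 2123)]:
        print(ip, GTP_PORTS[port], "->", classify_gtp_peer(ip, port))
```

The classifier is the defender's version of the scan: run it over your own flow records for UDP/2123, UDP/2152 and 3386, and anything labelled `exposed-to-internet` is a GGSN or GTP proxy that should only ever have been reachable from the GRX.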
Let’s scan all the Internets!
GPRS Tunnelling Protocol
 GTP-echo responses
 207401
 No answer for PDP context request
 199544
 U r welcome
 548
 Management ports
 DNS (.gprs .3gppnetwork.org)
Brazil 228
China 162
India 34
Colombia 14
USA 13
Japan 13
Malaysia 10
Kuwait 9
Germany 9
UAE 7
So what?
Attacks
 GGSN PWN
 GPRS attacks
 DoS
 Information leakage
 Fraud
Example: GTP “Synflood”
http://blog.ptsecurity.com/2013/09/inside-mobile-internet-security.html http://bit.ly/195ZYMR
We are good guys!
I’m inside
A good way round is never crooked
 All old IP stuff
 traces 1.1.1.1/10.1.1.1
 IP source routing
 Management ports
 All new IP stuff
 IPv6
 MPTCP
 Telco specific (GTP, SCTP M3UA, DIAMETER etc)
http://ubm.io/11K3yLT https://www.thc.org/thc-ipv6/
Here There Be Tygers
DNS
 In most cases it is an internal DNS server
 Sometimes it uses the company’s FQDN and address space
 Bruteforce/Zone Transfer and other information leakage
 .gprs .3gppnetwork.org
 APIPA IP address reuse
 local.COMPANY.com has an A-record pointing to 10.X.X.X
 Attacker publishes a link to local.COMPANY.com on the same address
 Victims from the 10.X network will transfer cookies to the attacker
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
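The cookie-leak case above rests on a public name resolving into private address space that is reused on other networks. The following is an added example, not from the talk or the linked post: a small audit over a zone dump that lists such records and, for each one, the public siblings whose `Domain=` cookies a browser would also send to it. The zone records are constructed.

```python
"""Audit a zone for public names that resolve into private (RFC 1918) space.

Added example, not from the talk. The zone records below are constructed;
in practice they come from your own zone file or an authorised export.
"""
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records as (owner name, type, value).
ZONE = [
    ("www.company.example",   "A",  "198.51.100.20"),
    ("mail.company.example",  "A",  "198.51.100.25"),
    ("local.company.example", "A",  "10.1.1.1"),
    ("dev.company.example",   "A",  "172.16.5.9"),
    ("company.example",       "MX", "mail.company.example"),
]


def resolves_private(value: str) -> bool:
    """True if the record value is an IP literal inside RFC 1918 space."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE)


def private_records(zone):
    """Public names whose A/AAAA record points into RFC 1918 space."""
    return [(name, value) for name, rtype, value in zone
            if rtype in ("A", "AAAA") and resolves_private(value)]


def parent_domain(name: str, levels: int = 2) -> str:
    return ".".join(name.split(".")[-levels:])


def cookie_exposure(zone, levels: int = 2):
    """For every private-resolving name, list the public siblings whose
    Domain=.parent cookies a browser would also send to it.

    A private address only means something inside one network; on any other
    network using the same range (a subscriber APN, a guest WLAN) whoever
    holds 10.1.1.1 receives those cookies.
    """
    public = {}
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA") and not resolves_private(value):
            public.setdefault(parent_domain(name, levels), []).append(name)
    return {name: sorted(public.get(parent_domain(name, levels), []))
            for name, _ in private_records(zone)}


if __name__ == "__main__":
    for name, siblings in cookie_exposure(ZONE).items():
        print(f"{name} resolves privately; shares cookie scope with {siblings}")
```

Records that turn up here belong in split-horizon DNS (internal view only) rather than the public zone, and the public web properties should set cookies without a `Domain=` attribute so they stay host-only.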
1990s
 Your balance is insufficient
 Connect to your favorite UDP VPN
Resume
 For telcos
 Please scan all your Internets!
 Your subscribers’ network is not your internal network
 For auditors
 Check all states
 online/blocked/roaming
 Check all subscribers
 APNs, subscriber plans
 Don’t hack other subscribers
http://www.slideshare.net/qqlan/how-to-hack-a-telecom-and-stay-alive/32
The Device
Who is mister USB-modem?
 Rebranded hardware platform
 Linux/Android/BusyBox onboard
 Multifunctional
 Storage
 CWID USB SCSI CD-ROM USB Device
 MMC Storage USB Device (MicroSD Card Reader)
 Local management
 COM-Port (UI, AT commands)
 Network
 Remote NDIS based Internet Sharing Device
 WiFi
This animal is very wicked
 Well researched
 «Unlock»
 «Firmware customization»
 «Dashboard customization»
 Some security researches
 http://threatpost.com/using-usb-modems-to-phish-and-send-malicious-sms-messages
 http://www.slideshare.net/RahulSasi2/fuzzing-usb-modems-rahusasi
 http://2014.phdays.com/program/business/37688/
 https://media.blackhat.com/eu-13/briefings/Tarakanov/bh-eu-13-from-china-with-love-tarakanov-slides.pdf
When attacked, it defends itself
 Developers’ answer
 Device «Hardening»
 Disabling of local interfaces (COM)
 Web-dashboards
Identification
 Documentation
 Google
 Box
 Google again
 Internals
How it works
New Ethernet adapter
DHCP client
DHCP server
DNS
Web dashboard
Routing/NAT
Broadband connection
Scan it
Sometimes you get lucky…
…other times you don’t
How to hack device remotely?
 telnet?
 Internal interface only
 Blocked by browsers
 http?
 Attack via browser (CSRF)
 broadband
 ?
web – trivial stuff
CSRF / Insufficient authentication / XSS
Basic impact
 Info disclosure
 Change settings
 DNS (intercept traffic)
 SMS Center (intercept SMS)
 Manipulate (Set/Get)
 SMS
 Contacts
 USSD
 WiFi networks
Advanced impact
 Self-service portal access
 XSS (SMS) to “pwn” browser
 CSRF to send “password reset” USSD
 XSS to transfer password to attacker
 “Brick”
 PIN/PUK “bruteforce”
 Wrong IP settings
DEMO
I need The Power!
“hidden” firmware upload
Cute, but…
 You need to have firmware
 Sometimes you get lucky…
 …other times you don’t
 Integrity control
 At least there should be…
dig deeper…
 Direct shell calls
 awk to calculate Content-Length
 Other trivial RCE
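The slides name direct shell calls in the dashboard (with awk computing Content-Length) as the source of trivial RCE. As an added example, not the modem's code, here is that pattern side by side with its hardened form for a constructed diagnostic endpoint: the vulnerable version concatenates the host parameter into a shell line, the hardened version validates the target and hands the process an argv with no shell in between. The endpoint, the ping/awk pipeline and the inputs are assumptions.

```python
"""Vulnerable vs hardened handling of a user-supplied host in a diagnostic
endpoint of a modem web dashboard.

Added example, not the modem firmware's code. The endpoint and parameter
are assumed; the point is the pattern the slides describe: request data
concatenated into a command line that /bin/sh parses.
"""
import ipaddress
import re
import shlex

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def vulnerable_command(host: str) -> str:
    """The RCE pattern: the parameter lands inside a shell string (piped
    through awk to size the output, as such CGI scripts often do), so any
    shell metacharacter in it is interpreted."""
    return (f"ping -c 3 {host} | "
            "awk '{ print; total += length($0) + 1 } END { print total }'")


def simple_command_count(cmd: str) -> int:
    """Number of simple commands /bin/sh would run for this line; the
    vulnerable endpoint should always produce exactly two (ping | awk)."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    separators = {";", "|", "&", "&&", "||"}
    return 1 + sum(1 for tok in lex if tok in separators)


def validate_target(host: str) -> str:
    """Accept only an IP literal or a syntactically valid hostname."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected diagnostic target: {host!r}")


def is_valid_target(host: str) -> bool:
    try:
        validate_target(host)
        return True
    except ValueError:
        return False


def hardened_argv(host: str) -> list:
    """argv for subprocess.run(argv, shell=False): no shell parses it, and
    the target is validated before it gets anywhere near a process."""
    return ["ping", "-c", "3", validate_target(host)]


if __name__ == "__main__":
    for host in ("8.8.8.8", "example.com", "8.8.8.8; id"):
        line = vulnerable_command(host)
        print(f"{host!r}: shell would run {simple_command_count(line)} command(s); "
              f"hardened path accepts: {is_valid_target(host)}")
```

The count function is a cheap unit test for such endpoints: if any input makes the shell see more than the intended number of commands, the parameter is reaching the shell unescaped. The hardened path removes the shell entirely, which is the fix that survives whatever new metacharacter trick comes next.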
Getting the shell
Finding “engineering tool”
I’ve got The Power
But is it?
Cute, but…
 Get firmware?
 Yes, it’s nice, but…
 Find more bugs?
 We have enough…
 Get SMS, send USSD?
 Can be done via CSRF/XSS…
 PWN the subscriber?
PWN - PWN
Profit!111
Sometimes you get lucky…
Details
 Dashboard installs a web server on localhost
 Host diagnostics (ipconfig, traces…)
 Windows “shell” script based!
 Very “secure”!
 Interacts with the USB modem’s web server
 Doesn’t care about origin (you don’t even need XSS)
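Both the modem's own web UI (CSRF to change DNS or the SMS centre, send USSD, and so on) and the localhost helper described just above fail for the same reason: a state-changing request is honoured no matter which page issued it. The following is an added example, not the modem's or the dashboard's code, of the admission check such a service needs: POST only, a browser-asserted origin that matches the dashboard, and a per-session CSRF token that a cross-site page cannot read. The trusted origins, header values and requests are constructed.

```python
"""Admission check for state-changing requests to a device or helper web
service that browsers on the same host or LAN can reach.

Added example, not the modem's or the dashboard's code. Origins, header
values and the session token are constructed.
"""
import hmac
import secrets
from urllib.parse import urlsplit

# Origins the dashboard is legitimately served from (assumed values).
TRUSTED_ORIGINS = {"http://192.168.1.1", "http://127.0.0.1:8080"}


def new_csrf_token() -> str:
    """Per-session secret embedded in forms and compared on submit."""
    return secrets.token_urlsafe(32)


def request_origin(headers: dict):
    """Origin header if present, else the origin part of Referer, else None."""
    if headers.get("Origin"):
        return headers["Origin"].rstrip("/")
    if headers.get("Referer"):
        u = urlsplit(headers["Referer"])
        return f"{u.scheme}://{u.netloc}"
    return None


def admit_state_change(method: str, headers: dict, form: dict, session_token: str) -> str:
    """Return 'allow' or the reason a state-changing request is refused.

    Three independent gates: the action must be a POST (an <img src> or a
    plain link cannot trigger it), the browser-asserted origin must be ours,
    and the form must carry the session's CSRF token (a cross-site page
    cannot read it, so it cannot forge the request even when the origin
    header has been stripped).
    """
    if method != "POST":
        return "deny: state change via GET"
    sfs = headers.get("Sec-Fetch-Site")
    if sfs and sfs not in ("same-origin", "none"):
        return "deny: cross-site per Sec-Fetch-Site"
    origin = request_origin(headers)
    if origin not in TRUSTED_ORIGINS:
        return "deny: untrusted or missing origin"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session_token):
        return "deny: csrf token mismatch"
    return "allow"


def demo():
    """Constructed requests against a helper that, unlike the one in the
    slides, does care about origin. Returns {case: verdict}."""
    tok = new_csrf_token()
    cases = {
        "dashboard form":   ("POST", {"Origin": "http://192.168.1.1"}, {"csrf_token": tok}),
        "attacker page":    ("POST", {"Origin": "http://attacker.example"}, {"csrf_token": "guess"}),
        "origin stripped":  ("POST", {}, {"csrf_token": "guess"}),
        "img/link trigger": ("GET", {"Referer": "http://192.168.1.1/index.html"}, {}),
    }
    return {name: admit_state_change(m, h, f, tok) for name, (m, h, f) in cases.items()}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} -> {verdict}")
```

Binding the helper to 127.0.0.1 is not a substitute for these checks: the browser on that same machine is exactly the client an attacker's page speaks through, which is the point the slide makes.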
Very specific case
It’s still in USB!
It’s still in (bad)USB!
https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf
Can I SMS keypress to your Laptop?
How to?
 android_usb
 sysfs
 in memory patch
DEMO
A few words about SIM cards
What has Karsten taught us?
 Not all TARs are equally secure
 If you are lucky enough you could find something to bruteforce
 If you are even more lucky you can crack some keys
 Or some TARs would accept commands without any crypto at all
Getting the keys
 Either using rainbow tables or by plain old DES cracking
 We've chosen DES
 Existing solutions were too slow for us
 So why not build something new?
Getting the keys
 Bitcoin mining business made another twist
 Which resulted in a number of affordable FPGAs on the market
 Here's our cruncher: (add tech specs and pics!!!)
Now what?
 So you either got the keys or didn’t need them, what’s next?
 Send random commands to TARs that accept them
 Send commands to known pre-defined TARs
Now what?
 Send random commands to TARs that accept them
 Good manuals or intelligent fuzzing needed
 Or you'll end up with nothing: not knowing what you send and receive
Now what?
 Send commands to known pre-defined TARs
 Card manager (TAR 00 00 00)
 File system (TARs B0 00 00 - B0 FF FF)
 …
Now what?
 Card manager (TAR 00 00 00)
 Holy grail
 Install & load applets and jump off the JCVM
 Not enough technical details
 No successful POC publicly available
 But someone has done it for sure…
Now what?
 File system (TARs B0 00 00 - B0 FF FF)
 Simple well documented APDU commands (SELECT, GET RESPONSE, READ BINARY, etc.)
 Plain tree structure
 Has its own access conditions (READ, UPDATE, ACTIVATE, DEACTIVATE | CHV1, CHV2, ADM)
Now what?
 File system (TARs B0 00 00 - B0 FF FF)
 Stores such things as phonebook, SMS etc.
 Protected by CHV1 (i.e. the PIN code)
 Stores much more interesting stuff: TMSI, Kc
 Protected by the same CHV1!
Attack?
 No fun in sending APDUs through a card reader
 Let's do it over the air!
 Wrap file system access APDUs in binary SMS
 Can be done with osmocom, some GSM modems or an SMSC gateway
Attack?
 Wait! What about access conditions?
 We still need a PIN to read interesting stuff
 Often PIN is set to 0000 by the operator and is never changed
 Otherwise needs bruteforcing
Attack?
 PIN bruteforce
 Only 3 attempts until PIN is blocked
 Needs a wide range of victims to get an appropriate success rate
 Provides some obvious possibilities…
Attack?
 Byproduct attack – subscriber DoS
 Try 3 wrong PINs
 PIN is locked, PUK (CHV2) requested
 Try 3 wrong PUKs
 PUK is locked
 Subscriber is locked out of GSM network - needs to replace SIM card
Attack?
 Assuming we were lucky enough
 We either have the OTA key or don’t need one
 We’ve either got the PIN or don’t need one
 All we need is to read two elementary files
 MF/DF/EF/Kc and MF/DF/EF/loci
Attack?
 Assuming we were lucky enough
 We now have TMSI and Kc and don't need to rely on Kraken anymore
 Collect some GSM traffic with your SDR of choice
 Decrypt it using the obtained Kc
 Profit!
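The SIM slides make two points that are easy to lose in bullet form: the elementary files holding Kc and the location information sit behind the same CHV1 as the phonebook, and the CHV retry counters turn a failed guess into a lock-out (three wrong PINs, then PUK exhaustion leaves the card unusable). The following is an added example, not the talk's tooling: a model of the file access conditions and retry counters after 3GPP TS 51.011. The file identifiers are the standard ones (DF_GSM 7F20 with EF_Kc 6F20, EF_LOCI 6F7E, EF_IMSI 6F07; DF_TELECOM 7F10 with EF_ADN 6F3A, EF_SMS 6F3C); contents, PIN, PUK and the PUK retry budget are constructed.

```python
"""Model of SIM elementary files, their access conditions and the CHV
retry counters (after 3GPP TS 51.011).

Added example, not the talk's tooling. File identifiers are the standard
ones; file contents, PIN, PUK and the PUK retry budget are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Chv:
    """A card holder verification value with its retry counter."""
    secret: str
    attempts_left: int
    verified: bool = False

    def verify(self, value: str) -> bool:
        if self.attempts_left == 0:          # blocked: no further attempts accepted
            return False
        if value == self.secret:
            self.verified = True
            return True
        self.attempts_left -= 1              # a wrong value burns an attempt
        return False

    @property
    def blocked(self) -> bool:
        return self.attempts_left == 0


@dataclass
class SimCard:
    chv1: Chv
    puk1: Chv
    # "DF/EF" -> (name, contents, read access condition); contents constructed
    files: dict = field(default_factory=lambda: {
        "7F10/6F3A": ("EF_ADN phonebook", b"Alice;+15550100", "CHV1"),
        "7F10/6F3C": ("EF_SMS", b"hello", "CHV1"),
        "7F20/6F07": ("EF_IMSI", bytes.fromhex("0800112233445566"), "CHV1"),
        "7F20/6F20": ("EF_Kc", bytes.fromhex("0123456789abcdef07"), "CHV1"),
        "7F20/6F7E": ("EF_LOCI", bytes.fromhex("deadbeef62f2100001ff00"), "CHV1"),
    })

    def state(self) -> str:
        if self.puk1.blocked:
            return "sim-permanently-blocked"
        if self.chv1.blocked:
            return "pin-blocked-puk-required"
        return "pin-verified" if self.chv1.verified else "pin-required"

    def verify_chv1(self, pin: str) -> bool:
        return self.chv1.verify(pin)

    def unblock_chv1(self, puk: str, new_pin: str) -> bool:
        """UNBLOCK CHV: a correct PUK installs a new PIN with a fresh counter."""
        if self.puk1.verify(puk):
            self.chv1 = Chv(new_pin, 3, verified=True)
            return True
        return False

    def read_binary(self, path: str) -> bytes:
        name, data, condition = self.files[path]
        if condition == "CHV1" and not self.chv1.verified:
            raise PermissionError(f"{name}: CHV1 not verified")
        return data


def default_pin_read(pin: str = "0000"):
    """With the operator default PIN, the CHV1 that guards the phonebook opens
    EF_Kc and EF_LOCI too. Returns {path: hex} or None if the PIN is wrong."""
    sim = SimCard(Chv("0000", 3), Chv("12345678", 10))
    if not sim.verify_chv1(pin):
        return None
    return {p: sim.read_binary(p).hex() for p in ("7F20/6F20", "7F20/6F7E", "7F10/6F3A")}


def readable_without_pin(path: str) -> bool:
    sim = SimCard(Chv("0000", 3), Chv("12345678", 10))
    try:
        sim.read_binary(path)
        return True
    except PermissionError:
        return False


def lockout_sequence(puk_attempts: int = 3):
    """Three wrong PINs, then wrong PUKs until the budget is gone: the
    subscriber DoS from the slides, as a list of card states. puk_attempts is
    constructed to match the slides; real cards commonly budget 10."""
    sim = SimCard(Chv("0000", 3), Chv("12345678", puk_attempts))
    states = [sim.state()]
    for guess in ("1111", "2222", "3333"):
        sim.verify_chv1(guess)
        states.append(sim.state())
    for _ in range(puk_attempts):
        sim.unblock_chv1("00000000", "0000")
        states.append(sim.state())
    return states


if __name__ == "__main__":
    print(default_pin_read())
    print(" -> ".join(lockout_sequence()))
```

Two things the model makes concrete for a defender: the retry counter is what makes blind PIN guessing a denial-of-service rather than a disclosure problem at scale, and a non-default PIN is the only per-subscriber control over reading EF_Kc and EF_LOCI through this path once the OTA layer has been bypassed.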
Resume
 For telcos
 All your 3/4G modems/routers are belong to us
 For everybody
 Please don’t plug computers into your USB
 Even if it is your harmless network printer / 4G modem
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

Root via sms. 4G security assessment

  • 1. #root via SMS 4G IP access security assessment
  • 3. who we are Sergey Gordeychik @phdays architect @scadasl captain Alex Zaitsev @arbitrarycode executor @phdays goon
  • 4. behind the scenes Dmitry Sklarov Alexey @GiftsUngiven Osipov Kirill Nesterov Timur @a66at Yunusov http://scadasl.org
  • 7. 4G access level  Branded mobile equipment security checks  3G/4G USB Modems  Routers / Wireless Access Point  Smartphones/Femtocell/Branded applications  (U)SIM cards  Radio/IP access network  Radio access network  IP access (GGSN, Routers, GRX)  Related Infrastructure  Additional services/VAS (TV, Games, etc)
  • 9. why?  we use it every day  Internet  social network  to hack stuff  IT use it everyday  ATM  IoT  SCADA
  • 10. Plain Line Station Computer Based Interlocking to peripherals: signals, point machines, etc. RBC Fixed Eurobalise RBC MMI Fixed Eurobalise GSM-R GSM-R Onboard ETCS Onboard Data GSM-R bullet train interlocking http://en.wikipedia.org/wiki/European_Rail_Traffic_Management_System
  • 11. Plain Line Station Computer Based Interlocking to peripherals: signals, point machines, etc. RBC Fixed Eurobalise RBC MMI Fixed Eurobalise GSM-R GSM-R Onboard ETCS Onboard Data GSM-R GSM-R
  • 12. radio access network • Well researched by community – http://security.osmocom.org/trac/ • Special thanks to – Sylvain Munaut/Alexander Chemeris/Karsten Nohl/et al. http://security.osmocom.org/trac/
  • 13. btw
  • 14. not so quick  EN 50159:2010  RBC-RBC Safe Communication Interface Subset-098  VPN over GSM
  • 21. GPRS Tunnelling Protocol  Subset of protocols for GPRS communications  SGSN <-> GGSN signaling (PDP context, QoS, etc)  IP tunneling  Roaming (GRX)  Charging data exchange  GTP-C UDP/2123  GTP-U UDP/2152  GTP' TCP/UDP/3386 http://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol
  • 22. Let’s scan all the Internets!
  • 23. GPRS Tunnelling Protocol  GTP-echo responses  207401  No answer for PDP context request  199544  U r welcome  548  Management ports  DNS (.gprs .3gppnetwork.org)
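Slides 21 to 23 describe GTP-C on UDP/2123 answering echo and PDP context requests from the public Internet. As an added example (not the authors' tooling), here is a small GTP-C header classifier a defender can run over captured datagrams to flag signaling that arrives from outside the operator's core and GRX peers; the trusted ranges and sample datagrams are constructed placeholders.

```python
import ipaddress
import struct

# GTP-C message types named on the slides (3GPP TS 29.060 for GTPv1-C,
# TS 29.274 for GTPv2-C). Both versions share UDP/2123.
GTPV1_TYPES = {1: "echo-request", 2: "echo-response",
               16: "create-pdp-context-request", 17: "create-pdp-context-response"}
GTPV2_TYPES = {1: "echo-request", 2: "echo-response", 32: "create-session-request"}

# Constructed placeholders for the operator's own core and its GRX peers;
# GTP-C from anywhere else (e.g. the public Internet) is what the deck found.
TRUSTED_GTP_PEERS = [ipaddress.ip_network("10.200.0.0/16"),
                     ipaddress.ip_network("192.0.2.0/24")]

def parse_gtp_header(payload: bytes):
    """Return (version, message name) for a GTP-C datagram, or None if malformed."""
    if len(payload) < 8:
        return None
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    version = flags >> 5
    if version == 1 and length == len(payload) - 8:   # length excludes 8-byte header
        return 1, GTPV1_TYPES.get(msg_type, f"type-{msg_type}")
    if version == 2 and length == len(payload) - 4:   # length excludes first 4 bytes
        return 2, GTPV2_TYPES.get(msg_type, f"type-{msg_type}")
    return None

def flag_untrusted_gtp(datagrams):
    """Return (source, description) for GTP-C from outside the trusted peer set."""
    alerts = []
    for src, dport, payload in datagrams:
        if dport != 2123:
            continue
        parsed = parse_gtp_header(payload)
        if parsed is None:
            continue
        if not any(ipaddress.ip_address(src) in net for net in TRUSTED_GTP_PEERS):
            alerts.append((src, f"GTPv{parsed[0]} {parsed[1]}"))
    return alerts

# Constructed sample datagrams (headers only, information elements omitted):
# GTPv1 echo request from a GRX peer and from the Internet, a GTPv1 create PDP
# context request and a GTPv2 echo request from the Internet, and non-GTP junk.
V1_ECHO = bytes([0x32, 0x01, 0x00, 0x04, 0, 0, 0, 0, 0x00, 0x01, 0x00, 0x00])
V1_CREATE = bytes([0x32, 0x10, 0x00, 0x04, 0, 0, 0, 0, 0x00, 0x02, 0x00, 0x00])
V2_ECHO = bytes([0x40, 0x01, 0x00, 0x04, 0x00, 0x00, 0x01, 0x00])
SAMPLE = [("192.0.2.10", 2123, V1_ECHO), ("203.0.113.5", 2123, V1_ECHO),
          ("203.0.113.5", 2123, V1_CREATE), ("198.51.100.7", 2123, V2_ECHO),
          ("198.51.100.7", 2123, b"not gtp")]
```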
  • 24. Brazil 228 China 162 India 34 Colombia 14 USA 13 Japan 13 Malaysia 10 Kuwait 9 Germany 9 UAE 7
  • 26. Attacks  GGSN PWN  GPRS attacks  DoS  Information leakage  Fraud
  • 28. We are good guys!
  • 30. A good way round is never crooked  All old IP stuff  traces 1.1.1.1/10.1.1.1  IP source routing  Management ports  All new IP stuff  IPv6  MPTCP  Telco specific (GTP, SCTP M3UA, DIAMETER etc) http://ubm.io/11K3yLT https://www.thc.org/thc-ipv6/
  • 31. Here There Be Tygers
  • 32. DNS  In most cases it is an internal DNS server  Sometimes it uses the company’s FQDN and address space  Bruteforce/Zone Transfer and other information leakage  .gprs .3gppnetwork.org  APIPA IP address reuse  local.COMPANY.com has an A-record pointing to 10.X.X.X  Attacker publishes a link to local.COMPANY.com on the same address  Victims from the 10.X network will transfer cookies to the attacker http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
  • 33. 1990s  Your balance is insufficient  Connect to your favorite UDP VPN
  • 34. Resume  For telcos  Please scan all your Internets!  Your subscribers’ network is not your internal network  For auditors  Check all states  online/blocked/roaming  Check all subscribers  APNs, subscriber plans  Don’t hack other subscribers http://www.slideshare.net/qqlan/how-to-hack-a-telecom-and-stay-alive/32
  • 36. Who is mister USB-modem?  Rebranded hardware platform  Linux/Android/BusyBox onboard  Multifunctional  Storage  CWID USB SCSI CD-ROM USB Device  MMC Storage USB Device (MicroSD Card Reader)  Local management  COM-Port (UI, AT commands)  Network  Remote NDIS based Internet Sharing Device  WiFi
  • 37. This animal is very wicked  Well researched  «Unlock»  «Firmware customization»  «Dashboard customization»  Some security research  http://threatpost.com/using-usb-modems-to-phish-and-send-malicious-sms-messages  http://www.slideshare.net/RahulSasi2/fuzzing-usb-modems-rahusasi  http://2014.phdays.com/program/business/37688/  https://media.blackhat.com/eu-13/briefings/Tarakanov/bh-eu-13-from-china-with-love-tarakanov-slides.pdf
  • 38. When attacked, it defends itself  Developers’ answer  Device «Hardening»  Disabling of local interfaces (COM)  Web-dashboards
  • 40. Identification  Documentation  Google  Box  Google again  Internals
  • 41. How it works New Ethernet adapter DHCP client DHCP server DNS Web dashboard Routing/NAT Broadband connection
  • 43. Sometimes you get lucky…
  • 45. How to hack device remotely?  telnet?  Internal interface only  Blocked by browsers  http?  Attack via browser (CSRF)  broadband  ?
  • 46. web – trivial stuff  CSRF  Insufficient authentication  XSS
  • 47.
  • 48. Basic impact  Info disclosure  Change settings  DNS (intercept traffic)  SMS Center (intercept SMS)  Manipulate (Set/Get)  SMS  Contacts  USSD  WiFi networks
  • 49. Advanced impact  Self-service portal access  XSS (SMS) to “pwn” browser  CSRF to send “password reset” USSD  XSS to transfer password to attacker  “Brick”  PIN/PUK “bruteforce”  Wrong IP settings
  • 50. DEMO
  • 51. I need The Power!
  • 53. Cute, but…  You need to have firmware  Sometimes you get lucky…  …other times you don’t  Integrity control  At least should be…
  • 54. dig deeper…  Direct shell calls  awk to calculate Content-Length  Other trivial RCE
  • 57. I’ve got The Power
  • 59. Cute, but…  Get firmware?  Yes, it’s nice, but…  Find more bugs?  We have enough…  Get SMS, send USSD?  Can be done via CSRF/XSS…  PWN the subscriber?
  • 60.
  • 63. Sometimes you get lucky…
  • 64. Details  Dashboard installs a webserver on localhost  Host diagnostics (ipconfig, traces…)  Windows “shell” script based!  Very “secure”!  Interacts with the USB modem webserver  Doesn’t care about origin (you don’t even need XSS)
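Slides 54 and 64 describe a local diagnostics webserver that shells out (awk for Content-Length and other direct shell calls) and serves any request regardless of origin. As an added example, not the vendor's code, here is how such a loopback helper can be hardened: it checks the browser-supplied Origin (or Referer) against the dashboard's own origin, requires a custom header so cross-origin calls hit a CORS preflight it never answers, and runs only fixed argv lists with no shell; the origin, port and tool list are constructed assumptions.

```python
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed values: the origin the dashboard page is served from, and the only
# diagnostics the helper may run, as fixed argv lists (never a shell string).
ALLOWED_ORIGINS = {"http://127.0.0.1:8080"}
DIAGNOSTICS = {"ping": ["ping", "-c", "3"], "trace": ["traceroute", "-m", "5"]}

def is_same_site_request(headers) -> bool:
    """True only when the browser vouches for the request coming from our page.

    Origin (or Referer as fallback) must match the dashboard; the custom header
    forces a CORS preflight that this server never answers, so a script on
    another site cannot drive it even without XSS.
    """
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        p = urlsplit(headers["Referer"])
        origin = f"{p.scheme}://{p.netloc}"
    return origin in ALLOWED_ORIGINS and headers.get("X-Requested-With") == "dashboard"

def build_command(tool: str, target: str):
    """Map a request to a fixed argv list; accept only a plain hostname or IP."""
    ok = target and target[0] != "-" and all(c.isalnum() or c in ".-" for c in target)
    if tool not in DIAGNOSTICS or not ok:
        return None
    return DIAGNOSTICS[tool] + [target]

class DiagnosticsHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not is_same_site_request(self.headers):
            self.send_error(403, "cross-site request refused")
            return
        body = self.rfile.read(int(self.headers.get("Content-Length", 0))).decode()
        form = parse_qs(body)
        argv = build_command(form.get("tool", [""])[0], form.get("target", [""])[0])
        if argv is None:
            self.send_error(400, "unknown tool or bad target")
            return
        out = subprocess.run(argv, capture_output=True, text=True, timeout=30).stdout
        data = out.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))  # computed in-process
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":   # bind to loopback only
    HTTPServer(("127.0.0.1", 8081), DiagnosticsHandler).serve_forever()
```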
  • 66. It’s still in USB!
  • 67. It’s still in (bad)USB! https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf
  • 68. Can I SMS keypress to your Laptop?
  • 69. How to?  android_usb  sysfs  in memory patch
  • 70. DEMO
  • 71. Few words about the SIM cards
  • 72. What has Karsten taught us?  Not all TARs are equally secure  If you are lucky enough you could find something to bruteforce  If you are even more lucky you can crack some keys  Or some TARs would accept commands without any crypto at all
  • 73. Getting the keys  Either using rainbow tables or by plain old DES cracking  We've chosen DES  Existing solutions were too slow for us  So why not to build something new?
  • 74. Getting the keys  Bitcoin mining business made another twist  Which resulted in a number of affordable FPGAs on the market  Here's our cruncher: (add tech specs and pics!!!)
  • 75. Now what?  So you either got the keys or didn’t need them, what’s next?  Send random commands to TARs that accept them  Send commands to known pre-defined TARs
  • 76. Now what?  Send random commands to TARs that accept them  Good manuals or intelligent fuzzing needed  Or you'll end up with nothing: not knowing what you send and receive
  • 77. Now what?  Send commands to known pre-defined TARs  Card manager (TAR 00 00 00)  File system (TARs B0 00 00 - B0 FF FF)  …
  • 78. Now what?  Card manager (TAR 00 00 00)  Holy grail  Install & load applets and jump off the JCVM  Not enough technical details  No successful POC publicly available  But someone has done it for sure…
  • 79. Now what?  File system (TARs B0 00 00 - B0 FF FF)  Simple, well documented APDU commands (SELECT, GET RESPONSE, READ BINARY, etc.)  Plain tree structure  Has its own access conditions (READ, UPDATE, ACTIVATE, DEACTIVATE | CHV1, CHV2, ADM)
  • 80. Now what?  File system (TARs B0 00 00 - B0 FF FF)  Stores such things as phonebook, SMS etc.  Protected by CHV1 (i.e. the PIN code)  Stores much more interesting stuff: TMSI, Kc  Protected by the same CHV1!
  • 81. Attack?  No fun in sending APDUs through card reader  Let's do it over the air!  Wrap file system access APDUs in binary SMS  Can be done with osmocom, some gsm modems or SMSC gateway
  • 82. Attack?  Wait! What about access conditions?  We still need a PIN to read interesting stuff  Often PIN is set to 0000 by operator and is never changed  Otherwise needs bruteforcing
  • 83. Attack?  PIN bruteforce  Only 3 attempts until PIN is blocked  Needs a wide range of victims to get appropriate success rate  Provides some obvious possibilities…
  • 84. Attack?  Byproduct attack – subscriber DoS  Try 3 wrong PINs  PIN is locked, PUK(CHV2) requested  Try 3 wrong PUKs  PUK is locked  Subscriber is locked out of GSM network - needs to replace SIM card
  • 85. Attack?  Assuming we were lucky enough  We either have the OTA key or don’t need one  We either have the PIN or don’t need one  All we need is to read two elementary files  MF/DF/EF/Kc and MF/DF/EF/loci
  • 86. Attack?  Assuming we were lucky enough  We now have TMSI and Kc and don’t need to rely on Kraken anymore  Collect some GSM traffic with your SDR of choice  Decrypt it using the obtained Kc  Profit!
  • 87. Resume  For telcos  All your 3/4G modems/routers are belong to us  For everybody  Please don’t plug computers into your USB  Even if it’s your harmless network printer / 4G modem