Workshop on Telecom Security
Harshit Agrawal
Himanshu Mehta
CISO Platform
Best of The World In Security, November 12-14, 2020 | 8AM - 4PM (EST) | Global Summit
/Speaker/Harshit/> whoami
USER INFORMATION
---------------------------------------------------
Harshit Agrawal
RF and Telecom Security Researcher
---------------------------------------------------
Primary Research area includes
RF Security, Telecom Security,
and IOT Security
Speaker at conferences like RSAC USA,
HITBSecConf Amsterdam, Cyberweek UAE
----------------------------------------------------
Twitter: @harshitnic
Email: harshit[dot]nic[at]gmail[dot]com
LinkedIn: https://linkedin.com/in/harshitnic
/Speaker/Himanshu/> whoami
USER INFORMATION
-----------------------------------------------------
Himanshu Mehta
Senior Security Researcher, Xen1thLabs (Digital14 LLC)
-----------------------------------------------------
Primary Research area includes Telecom, RF,
IoT, Network, Web & Mobile Applications Security
------------------------------------------------------
Twitter: @nullvoid0x
Email: himanshu.mehta21@gmail.com
LinkedIn: https://www.linkedin.com/in/himanshumehta21/
Topics to be discussed
● Why we need security?
● GSM Architecture
Break (5mins)
● Encryption Algorithm
● User Equipment
Break (5mins)
● Radio Access Network
● Smartphone Tracking
● IMSI catcher
● Security Threats
● Conclusion
Q&A
Introduction
By Alan Coleman
Why do we need security in mobile networks?
Functions to Target
● All major cellular networks support
– Voice calls
– Voice mail (VM)
– Short Message Service (SMS)
– Location-based Services (LBS)
– IP Connectivity
● Most also support
– Binary configuration messages
– Multimedia messages (MMS)
– Faxing
You Only Have One Voice —Don’t Let Hackers Steal It
descript.com
1G Network
2G Network (figure): user side: Terminal Equipment, SIM Card; network side: BSC/BTS, MSC/VLR, HLR/AUC
GSM Architecture
Global System for Mobile Communication (GSM)
● Digital cellular network
● GSM offers a number of services including voice communications, Short Message Service (SMS), fax, voice mail, and other supplemental services such as call forwarding and caller ID.
● Several bands are currently in use in GSM; 450 MHz, 850 MHz, 900 MHz, 1800 MHz, and 1900 MHz are the most common ones.
● Makes use of FDMA and TDMA
Mobile Station (MS)
– Mobile Equipment (ME)
● Physical mobile device
● Identifiers
○ IMEI – International Mobile Equipment Identity
– Subscriber Identity Module (SIM)
● Smart Card containing keys, identifiers and algorithms
● Identifiers
○ Ki – Subscriber Authentication Key
○ IMSI – International Mobile Subscriber Identity
○ TMSI – Temporary Mobile Subscriber Identity
○ MSISDN – Mobile Station International Service Digital Network
○ PIN – Personal Identity Number protecting a SIM
○ LAI – Location Area Identity
Base Transceiver Station (BTS)
Base Transceiver Station (BTS): It handles speech encoding, encryption, multiplexing (TDMA), and modulation/demodulation of the radio signals.
Image source: wikipedia
Base Station Controller (BSC)
Base Station Controller (BSC): The BSC controls multiple BTSs. It handles allocation of radio channels, frequency administration, power and signal measurements from the MS, and handovers from one BTS to another.
Image credit: Jörg Eberspächer, Hans-Jörg Vögel
GSM Interface
Image credit: Jörg Eberspächer, Hans-Jörg Vögel
Mobile Subscriber ISDN (MSISDN)
The MSISDN is the subscriber's phone number. It is the number that another person would dial in order to reach the subscriber. The MSISDN is composed of three parts:
● Country Code (CC)
● National Destination Code (NDC)
● Subscriber Number (SN)
MSISDN layout: CC | NDC | SN
International Mobile Equipment Identity (IMEI)
Uniquely identifies the Mobile Equipment and is burned into the phone by the manufacturer.
The IMEI is composed of three parts:
● Type Allocation Code (TAC) - 8 digits
● Serial Number (SNR) - 6 digits
● Spare (SP) - 1 digit
IMEI layout: TAC (8 digits) | SNR (6 digits) | Spare (1 digit)
International Mobile Subscriber Identity (IMSI)
The IMSI uniquely identifies the subscriber in the network.
It is burned into the SIM card when the subscriber registers with the PLMN service provider.
● Mobile Country Code (MCC)
● Mobile Network Code (MNC)
● Mobile Subscriber Identification Number (MSIN)
IMSI layout: MCC (3 digits) | MNC (2 or 3 digits) | MSIN (max 10 digits); the whole IMSI is not to exceed 15 digits
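As an added example (not from the slides), a small Python parser for the IMEI and IMSI layouts above. It assumes the IMEI's spare digit is a Luhn check digit over the first 14 digits, and it takes the MNC length from the caller, since whether the MNC is 2 or 3 digits depends on the MCC's numbering plan; the sample values in the demo are illustrative, not real subscribers or devices.

```python
"""Parsers for the identifier layouts on these slides:
IMEI = TAC (8) | SNR (6) | check (1)          -> 15 digits
IMSI = MCC (3) | MNC (2 or 3) | MSIN (<= 10)  -> at most 15 digits
Assumption: the IMEI "spare" digit is a Luhn check digit over the first 14 digits.
The MNC length is supplied by the caller (it depends on the MCC's numbering plan).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IMEI:
    tac: str        # Type Allocation Code, 8 digits
    snr: str        # Serial Number, 6 digits
    check: str      # spare / check digit as printed on the device
    check_ok: bool  # True when the check digit matches the Luhn computation


@dataclass(frozen=True)
class IMSI:
    mcc: str   # Mobile Country Code, 3 digits
    mnc: str   # Mobile Network Code, 2 or 3 digits
    msin: str  # Mobile Subscriber Identification Number, up to 10 digits


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string. Counting from the right, every second
    digit of the payload is doubled (the check digit itself occupies position 1)."""
    if not payload.isdigit():
        raise ValueError("Luhn payload must be digits only")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def parse_imei(imei: str) -> IMEI:
    """Split a 15-digit IMEI into TAC / SNR / check and verify the Luhn digit."""
    digits = imei.replace("-", "").replace(" ", "")
    if len(digits) != 15 or not digits.isdigit():
        raise ValueError("IMEI must be 15 digits")
    tac, snr, check = digits[:8], digits[8:14], digits[14]
    return IMEI(tac, snr, check, check == luhn_check_digit(digits[:14]))


def parse_imsi(imsi: str, mnc_len: int) -> IMSI:
    """Split an IMSI into MCC / MNC / MSIN, enforcing the slide's length limits."""
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3 digits")
    if not imsi.isdigit() or len(imsi) > 15 or len(imsi) <= 3 + mnc_len:
        raise ValueError("IMSI must be digits only, at most 15, with a non-empty MSIN")
    mcc, mnc, msin = imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]
    if len(msin) > 10:
        raise ValueError("MSIN must not exceed 10 digits")
    return IMSI(mcc, mnc, msin)


def redact_imsi(imsi: IMSI) -> str:
    """Keep the operator part (MCC+MNC) and mask the subscriber part: the form in
    which captured identities should be stored when they have to be logged."""
    return imsi.mcc + imsi.mnc + "*" * len(imsi.msin)


if __name__ == "__main__":
    # Illustrative values: a textbook IMEI and a made-up IMSI (MCC 310, 3-digit MNC).
    print(parse_imei("49-015420-323751-8"))
    print(redact_imsi(parse_imsi("310150123456789", mnc_len=3)))
```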
TMSI - Temporary Mobile Subscriber Identity
● Goals
○ The TMSI is used instead of the IMSI as a temporary subscriber identifier
○ The TMSI prevents an eavesdropper from identifying the subscriber
● Usage
○ A TMSI is assigned when the IMSI is transmitted to the AuC at the first switch-on of the phone
○ Every time a location update (new MSC) occurs, the network assigns a new TMSI
○ The TMSI is used by the MS to report to the network or during call initialization
○ The network uses the TMSI to communicate with the MS
○ On MS switch-off the TMSI is stored on the SIM card to be reused next time
– The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI
Case study: GSMA Device check
GSM database and addresses summary
Image credit: Jörg Eberspächer, Hans-Jörg Vögel
Multiple Access
Image credit: Jörg Eberspächer, Hans-Jörg Vögel
Absolute Radio Frequency Channel Number (ARFCN)
● Describes a pair of frequencies (one uplink and one downlink, each with a bandwidth of 200 kHz)
● The following table summarizes the frequency ranges, offsets, and ARFCNs for several popular bands.
Image credit: Faruk Hadziomerveric, SSST Fall 2009
Calculating Uplink/Downlink Frequencies (MHz)
GSM 900
Up = 890.0 + (ARFCN * 0.2)
Down = Up + 45.0
EGSM900
Up = 890.0 + (ARFCN * 0.2)
Down = Up + 45.0
DCS1800
Up = 1710.0 + ((ARFCN - 511) * 0.2)
Down = Up + 95.0
PCS1900
Up = 1850.0 + ((ARFCN - 512) * 0.2)
Down = Up + 80.0
Time location update
Image credit: Fabian van den Broek
Identity Management
Figure: the MS moves from LAI1 (where it holds TMSI1) to LAI2 (where it is assigned TMSI2)
● IMSI is the long-term identity stored on the SIM card
● TMSI is a short-term identity reallocated periodically; according to the standard, at least at each change of location
● The new TMSI should not be linkable with the old one
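To make the rules above checkable from the network side, here is an added Python audit (not from the slides) that walks a trace of location updates for one subscriber and flags an LAI change without a fresh TMSI, an IMSI sent in the clear although a TMSI existed, and a new TMSI numerically adjacent to the old one. The trace is constructed, and the adjacency threshold used for "linkable" is a heuristic assumed by this example.

```python
"""Audit a subscriber's location-update history against the identity-management
rules on this slide: the TMSI must be reallocated at least at each change of
location (LAI), the new TMSI should not be linkable to the old one, and the IMSI
should only be sent when no TMSI is available yet.
The adjacency heuristic for "linkable" is an assumption of this example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LocationUpdate:
    lai: str                    # Location Area Identity where the update was performed
    identity_sent: str          # "TMSI" or "IMSI": identity in the Location Updating Request
    tmsi_before: Optional[str]  # TMSI held before (None on first switch-on), 8 hex digits
    tmsi_after: str             # TMSI held afterwards (unchanged if none was reallocated)


# Heuristic: TMSIs handed out as a running counter are trivially linkable.
LINKABLE_DISTANCE = 16

IMSI_IN_CLEAR = "IMSI_IN_CLEAR"
TMSI_NOT_REALLOCATED = "TMSI_NOT_REALLOCATED_ON_LAI_CHANGE"
TMSI_LINKABLE = "TMSI_LINKABLE_TO_PREVIOUS"


def audit_identity_management(trace: List[LocationUpdate]) -> List[Tuple[int, str]]:
    """Return (index, finding) pairs for every update that violates a rule."""
    findings: List[Tuple[int, str]] = []
    prev: Optional[LocationUpdate] = None
    for i, upd in enumerate(trace):
        # Rule: the long-term IMSI is only acceptable when no TMSI exists yet.
        if upd.identity_sent == "IMSI" and upd.tmsi_before is not None:
            findings.append((i, IMSI_IN_CLEAR))
        # Rule: a change of LAI must come with a fresh TMSI.
        if prev is not None and upd.lai != prev.lai and upd.tmsi_after == upd.tmsi_before:
            findings.append((i, TMSI_NOT_REALLOCATED))
        # Heuristic: a reallocated TMSI that sits next to the old value is linkable.
        if (upd.tmsi_before is not None and upd.tmsi_after != upd.tmsi_before
                and abs(int(upd.tmsi_after, 16) - int(upd.tmsi_before, 16)) < LINKABLE_DISTANCE):
            findings.append((i, TMSI_LINKABLE))
        prev = upd
    return findings


# Constructed trace for one subscriber (not real network data).
SAMPLE_TRACE = [
    LocationUpdate("LAI1", "IMSI", None, "1A2B3C4D"),        # first switch-on: IMSI is expected
    LocationUpdate("LAI1", "TMSI", "1A2B3C4D", "1A2B3C4D"),  # periodic update, same LAI: fine
    LocationUpdate("LAI2", "TMSI", "1A2B3C4D", "1A2B3C4D"),  # moved to LAI2, TMSI kept: violation
    LocationUpdate("LAI2", "TMSI", "1A2B3C4D", "1A2B3C4E"),  # reallocated, but old+1: linkable
    LocationUpdate("LAI2", "IMSI", "1A2B3C4E", "7F00AA11"),  # IMSI sent although a TMSI existed
]

if __name__ == "__main__":
    for idx, finding in audit_identity_management(SAMPLE_TRACE):
        print(f"update #{idx}: {finding}")
```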
Location Update
Roaming location update
Image credit: Fabian van den Broek
Handoff in Mobile connections
Image source: Tutorialspoint
Types of Handoff
Image source: Tutorialspoint
UMTS Network architecture
Image credit: Björn Gustaf Landfeldt
LTE Network architecture
Image credit: Tutorialspoint
2G, 3G, 4G Simple Network Architecture
Source: 3g4g.co.uk
2G Calling 3G UE
Source: GL communications
2G Calling 4G UE
Source: GL communications
Telecom Protocol Stack Layers
Image Credits: Nutaq.com
Encryption Algorithms
A3 - MS Authentication Algorithm
Goal: generation of the SRES response to the MSC's random challenge RAND
Image credit: Ankit Pandey
A8 - Voice Privacy Key Generation Algorithm
Goal: generation of the session key (Kc) from the secret key Ki and the challenge (RAND)
The A8 specification was never made public
A3 and A8 - logical implementation
COMP128 is used for both A3 and A8 in most GSM networks.
- COMP128 is a keyed hash function
A5 - Encryption Algorithm
A5/1 Stream Cipher algorithm
Image credit: Ray Felch
Image credit: Hayder Hendi
Image source: Tech Junkie
SS7 Network Overview (three slides)
Image credit: Tobias Engel
SS7 Attack Impact
Signaling Channels
Broadcast Channels (BCH)
- Transmitted by the BTS to the MS
- Carry the system parameters needed to identify the network and to synchronize time and frequency with the network
- Broadcast Control Channel (BCCH)
- Frequency Correction Channel (FCCH)
- Synchronisation Channel (SCH)
- Cell Broadcast Channel (CBCH)
Common Control Channels (CCCH)
- Used for signaling between the BTS and the MS
- To request and grant access to the network
- Paging Channel (PCH)
- Random Access Channel (RACH)
- Access Grant Channel (AGCH)
Standalone Dedicated Control Channels (SDCCH)
- Used for call setup
- The Associated Control Channels (ACCH) are used for signalling associated with calls and call setup
- Associated Control Channel (ACCH)
- Fast Associated Control Channel (FACCH)
- Slow Associated Control Channel (SACCH)
Capture excerpt (figure): Location Updating Request (TMSI not established yet); Authentication Request; TMSI / A5/1 algorithm supported
From Speech to Signal
Image credit: Fabian van den Broek
UE (Network+SIM CARD)
http://www.mobilecellphonerepairing.com/
SIM card security
What is a SIM Card?
● A portable memory chip
● Protected by:
○ A PIN (Personal Identification Number)
○ A PUK (Personal Unblocking Code)
● Also includes other parameters of the user, such as its IMSI
● Allows the cell phone to operate on the network
UICC & SIM
Source: 3g4g.co.uk
Simjacker (AdaptiveMobile Security)
Radio Access Network
What Is RF?
Radio during WW1 and WW2
1941 Swedish HF portable: one guy carries the radio, the other guy carries the battery.
Cavalry horse wearing a field radio. Operating an AAC (Anti-Aircraft) telephone headset to communicate with an observation balloon.
Image source: wikipedia
Inside the Radio Wave Spectrum
Figure (3 kHz to 5 GHz): AM Radio, Broadcast TV, Garage Door Openers, Auctioned Spectrum, Cell Phones, Global Positioning System, Wireless Medical Telemetry, GSM Network, Satellite Radio, Weather Radar, Cable TV, Satellite Transmissions, Highway Toll Tags, 5 GHz WiFi Network, Security Alarms
2.4 GHz band: used by more than 300 consumer devices, including microwave ovens, cordless phones and wireless networks (WiFi and Bluetooth)
Most of the white area of this band is reserved for military, federal government and industry use
How is Radio Spectrum used and managed?
Signals Overview
● Data is transmitted via radio signals in wireless networks
● Radio signal: an electromagnetic wave
○ generated by a transmitter in dependence on the data to be transferred (modulation),
○ emitted by the antenna of the transmitter,
○ caught by the antenna of the receiver, and
○ sampled by the receiver to recover the data bits (de-modulation)
● Carrier frequency/carrier: radio signal of a constant frequency generated by the receiver for modulation
● The carrier frequency can be described by a sine wave (defined by three parameters)
● Each parameter can be used for the modulation of data
○ Amplitude Shift Keying
○ Frequency Shift Keying
○ Phase Shift Keying
Time domain and Frequency domain
Image source: wikipedia
Characteristics of mobile radio channel
Importance of frequency selection
Intercepting traffic using software defined radio
Image source: ITU 2020
Image source: wikipedia
GSMTAP
● Useful to debug the radio interface.
● GSMTAP encapsulates RF information and transmits it in a UDP-encapsulated packet.
● This allows us to see the Um interface traffic from a BTS or MS, on both downlink and uplink.
● Extremely useful capability when analysing GSM.
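As an added example (not from the slides, nor from gr-gsm or Osmocom), here is a Python decoder for the GSMTAP v2 header that tools like gr-gsm send over UDP, combined with the ARFCN-to-frequency formulas from the earlier slide so a captured burst can be mapped to its carrier; the datagram is constructed inline. The header layout is the one in Osmocom's gsmtap.h; the only thing beyond the slides is the E-GSM extension range (ARFCN 975-1023), which this example handles with Up = 890.0 + ((ARFCN - 1024) * 0.2).

```python
"""Decode a GSMTAP (v2) datagram as gr-gsm / Osmocom emit on UDP port 4729 and
map its ARFCN to the Um frequencies using the formulas from the ARFCN slide.
Header layout follows Osmocom's gsmtap.h (16 bytes, network byte order).
Assumption beyond the slides: E-GSM ARFCN 975-1023 uses Up = 890.0 + ((ARFCN - 1024) * 0.2)."""
import struct
from dataclasses import dataclass

GSMTAP_UDP_PORT = 4729
GSMTAP_VERSION = 2
GSMTAP_TYPE_UM = 0x01
ARFCN_F_PCS = 0x8000      # ARFCN belongs to PCS1900 rather than DCS1800
ARFCN_F_UPLINK = 0x4000   # burst was captured on the uplink
ARFCN_MASK = 0x3FFF
SUB_TYPES = {1: "BCCH", 2: "CCCH", 3: "RACH", 4: "AGCH", 5: "PCH",
             6: "SDCCH", 7: "SDCCH/4", 8: "SDCCH/8", 9: "TCH/F", 10: "TCH/H"}

# version, hdr_len (in 32-bit words), type, timeslot, arfcn, signal dBm, SNR dB,
# frame number, sub_type, antenna, sub_slot, reserved
_HDR = struct.Struct("!BBBBHbbIBBBB")


@dataclass(frozen=True)
class GsmtapFrame:
    timeslot: int
    arfcn: int
    uplink: bool
    pcs: bool
    signal_dbm: int
    snr_db: int
    frame_number: int
    sub_type: str
    payload: bytes


def parse_gsmtap(datagram: bytes) -> GsmtapFrame:
    """Validate and decode the GSMTAP header; the payload is the raw L2 frame."""
    if len(datagram) < _HDR.size:
        raise ValueError("datagram shorter than a GSMTAP header")
    (version, hdr_len, gtype, ts, arfcn_raw, sig, snr,
     fn, sub, _ant, _subslot, _res) = _HDR.unpack_from(datagram)
    if version != GSMTAP_VERSION or gtype != GSMTAP_TYPE_UM:
        raise ValueError("not a GSMTAP v2 Um frame")
    hdr_bytes = hdr_len * 4
    if hdr_bytes < _HDR.size or len(datagram) < hdr_bytes:
        raise ValueError("bad GSMTAP header length")
    # bit 0x80 of sub_type is the ACCH flag; strip it before the lookup
    return GsmtapFrame(ts, arfcn_raw & ARFCN_MASK, bool(arfcn_raw & ARFCN_F_UPLINK),
                       bool(arfcn_raw & ARFCN_F_PCS), sig, snr, fn,
                       SUB_TYPES.get(sub & 0x7F, f"unknown({sub})"), datagram[hdr_bytes:])


def uplink_mhz(arfcn: int, pcs: bool = False) -> float:
    """Uplink carrier for an ARFCN; DCS1800 and PCS1900 overlap, so the PCS flag decides."""
    if pcs:
        if not 512 <= arfcn <= 810:
            raise ValueError("PCS1900 ARFCN out of range")
        return round(1850.0 + (arfcn - 512) * 0.2, 1)
    if 0 <= arfcn <= 124:                       # GSM900 / E-GSM900 (slide formula)
        return round(890.0 + arfcn * 0.2, 1)
    if 975 <= arfcn <= 1023:                    # E-GSM extension (assumption, see docstring)
        return round(890.0 + (arfcn - 1024) * 0.2, 1)
    if 512 <= arfcn <= 885:                     # DCS1800 (slide formula)
        return round(1710.0 + (arfcn - 511) * 0.2, 1)
    raise ValueError("ARFCN not in a band covered here")


def downlink_mhz(arfcn: int, pcs: bool = False) -> float:
    """Downlink = uplink + duplex spacing (45 MHz for 900, 95 for DCS, 80 for PCS)."""
    up = uplink_mhz(arfcn, pcs)
    spacing = 80.0 if pcs else (95.0 if up >= 1710.0 else 45.0)
    return round(up + spacing, 1)


def frequency_mhz(frame: GsmtapFrame) -> float:
    """Carrier on which this captured burst was actually transmitted."""
    if frame.uplink:
        return uplink_mhz(frame.arfcn, frame.pcs)
    return downlink_mhz(frame.arfcn, frame.pcs)


def build_gsmtap(arfcn: int, uplink: bool, pcs: bool, sub_type: int,
                 frame_number: int, payload: bytes, timeslot: int = 0) -> bytes:
    """Constructed datagram for demonstration (what a sniffer would send to 127.0.0.1:4729)."""
    raw = arfcn | (ARFCN_F_UPLINK if uplink else 0) | (ARFCN_F_PCS if pcs else 0)
    return _HDR.pack(GSMTAP_VERSION, 4, GSMTAP_TYPE_UM, timeslot, raw, -60, 10,
                     frame_number, sub_type, 0, 0, 0) + payload


if __name__ == "__main__":
    # 23-byte BCCH block filled with the GSM padding pattern 0x2B, on ARFCN 52 downlink.
    frame = parse_gsmtap(build_gsmtap(52, False, False, 1, 123456, b"\x2b" * 23))
    print(frame.sub_type, frame.arfcn, frequency_mhz(frame), "MHz")
```

ARFCN 52 downlink resolves to 945.4 MHz, the same carrier the grgsm_livemon command later in the deck tunes to.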
...but first some words about dB and dBm
Smartphone tracking
Smartphone Surveillance and tracking techniques
● Mobile Signal Tracking
○ Cell Tower
○ IMSI Catcher
● Wi-Fi and Bluetooth Tracking
● Infecting Phones with Spyware/Malware
● Forensic Analysis of Seized Phones
● Location Information Leaks from Apps and Websites
● GPS and Network Time Protocol
GPS Spoofing
Prepare the Test Environment:
Download the GPS-SDR-SIM software and compile it:
sudo git clone https://github.com/osqzss/gps-sdr-sim.git
Get the current satellite positions from NASA:
#!/bin/sh
day=$(date +%j)
year=$(date +%Y)
yr=$(date +%y)
wget "ftp://cddis.gsfc.nasa.gov/gnss/data/daily/$year/brdc/brdc${day}0.${yr}n.Z"
uncompress "brdc${day}0.${yr}n.Z"
echo "brdc${day}0.${yr}n"
Generate the signal file with the static position (coordinates) you want to send:
./gps-sdr-sim -b 8 -e YOUR_BRDC_FILE_HERE -l 40.812800,-60.005900,100
Send the signal:
sudo hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0
Locating Mobile Phones
Trilateration (by measuring the distance) and triangulation (by measuring the angle) to known reference points
Image source: Cooper Quintin
Triangulation
Source:Mark Godsey
TDOA/ TOA/ AOA / E-OTD
Image credit: Omar Ahmad Al-Bayari and
http://etutorials.org/
IMSI Catching
IMSI CATCHER
In 1996, the German company Rohde & Schwarz launched the first IMSI catcher, the GA090, in Munich.
The initial design of the IMSI catcher was to identify the cellphone's geographic location by instructing the cellphone to transmit its IMSI.
● IMSI: International Mobile Subscriber Identity
● MCC: Mobile Country Code
● MNC: Mobile Network Code
● MSIN: Mobile Subscriber Identity
● LAC: Location Area Code
● CellId: unique number identifying the cell (BTS) within the LAC
What kind of data does an IMSI catcher capture?
Image source: Electronic Frontier Foundation
GSM sniffing with gr-gsm
Prepare the Test Environment:
Install the compilation dependencies:
sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy
Compile "gr-gsm":
git clone https://github.com/ptrkrysik/gr-gsm.git
cd gr-gsm
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
Compile "kalibrate" (choose the version based on your hardware):
git clone https://github.com/scateu/kalibrate-hackrf.git   # HackRF version
git clone https://github.com/steve-m/kalibrate-rtl.git     # RTL-SDR version
cd kalibrate-hackrf
./bootstrap
./configure
make
sudo make install
Scan for base stations with kal:
kal -s GSM900 -g 40   # scan the GSM900 band
grgsm_livemon -f 945.4e6
GNU Radio
GNU Radio is a framework that enables users to design, simulate, and deploy highly capable real-world radio systems.
IMSI CATCHER
Two Operating Modes are known:
● Identification Mode
● Camping Mode
StingRay II, a cellular site simulator used for surveillance purposes, manufactured by Harris Corporation of Melbourne, Fla. Photo: U.S. Patent and Trademark Office via AP
MITM on 3G networks exploiting SS7 vulnerability
White-Stingray: Evaluating IMSI Catchers Detection Applications (Ravishankar Borgaonkar, Altaf Shaik)
App1: SnoopSnitch
App2: Cell Spy Catcher
App3: GSM Spy Finder
App4: Darshak
App5: AIMSICD
Security Threats
GSM networks are victim and source of attacks on user privacy
Common types of Attack:
Image source: ENISA 2018
Threat: SIM Cloning
Exploit: weaknesses in COMP128/COMP128-1, used by key generation (A8) and authentication (A3), allow retrieval of the long-term key Ki
Requirements: physical access to the original SIM card, a card reader/writer, a blank SIM card, cracking software
Effects: identity theft, theft of available credit/allowance, DoS
Mitigations: cloning can be detected; a SIM using COMP128-2/3 cannot be cloned this way
Threat: Session key retrieval (cracking tool available)
Exploit: weaknesses in A5/1
Requirements:
● 64 bits of known plaintext (e.g. control messages); uses a brute-force-like attack based on rainbow tables (implemented in the Kraken tool)
● a way of locating the target user (e.g. silent SMS/silent call locating attack)
● a device to sniff traffic on the dedicated channel (modified Motorola phone)
Effects: breach of phone call/SMS message confidentiality
Mitigations: use a stronger encryption algorithm
Threat: User de-registration DoS attack
Exploit: lack of authentication of signalling messages
Requirements: MS-like device programmed to send IMSI detach messages to the network
Effects: user unreachable for mobile-terminated services
Threat: Paging response DoS attack
Exploit: lack of authentication of signalling messages
Requirements: MS-like device programmed to send paging response messages to the network, answering the paging request faster than the victim phone
Effects: incoming call dropped; incoming call hijacked if the attack is performed in an unencrypted network
Mitigations: use of encryption, indication of no encryption on the MS
Threat: User tracking
Exploit: silent phone call/SMS, TMSI not updated often
Requirements: MS-like device programmed to sniff signalling messages over dedicated channels
Effects: breach of user privacy
Mitigations: frequent change of TMSI
Threat: 2G downgrade attack
Exploit: lack of authentication of the serving network
Requirements: fake BS
Effects: the fake BS forces a downgrade to 2G
Mitigations: set the network connection to 3G only in the MS settings
Threat: Redirection attack
Exploit: lack of authentication of the serving network
Requirements: fake BS and an MS connected to a real BS
Effects: redirection of the communication to a chosen network, perhaps one charging a higher rate or using weaker encryption
Conclusion
Security mitigations have improved with each evolving telecom generation, but no matter what, security researchers and attackers will always find their way.
Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers.
Learning: Navigating 3GPP documents
● 22 series: Service aspects
● 23 series: Technical realization
○ TS 23.203: Policy and Charging Control Architecture
○ TS 23.401: GPRS enhancements for E-UTRAN access
○ TS 23.501: System Architecture for the 5G System
● 24 series: Signaling protocols - user to network
○ TS 24.301: NAS protocol for EPS (MM, SM procedures)
● 29 series: Signaling protocols - intra-fixed-network
○ TS 29.171-173: Location Services
● 33 series: Security
● 36 series: LTE radio aspects
○ TS 36.300: E-UTRAN - Overall description; Stage 2
○ TS 36.331: Radio Resource Control (RRC); protocol specification
● 38 series: 5G radio aspects
http://www.3gpp.org/specifications/specification-numbering
There’s never enough time...
Harshit Agrawal
harshit.nic@gmail.com
@harshitnic
Himanshu Mehta
himanshu.mehta21@gmail.com
@nullvoid0x

Weitere ähnliche Inhalte

Was ist angesagt?

TCP Over Wireless
TCP Over WirelessTCP Over Wireless
TCP Over Wireless
Farooq Khan
 

Was ist angesagt? (20)

DHCP & DNS
DHCP & DNSDHCP & DNS
DHCP & DNS
 
Unicasting , Broadcasting And Multicasting New
Unicasting , Broadcasting And Multicasting NewUnicasting , Broadcasting And Multicasting New
Unicasting , Broadcasting And Multicasting New
 
snmp
snmpsnmp
snmp
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
 
Subnetting
SubnettingSubnetting
Subnetting
 
Dhcp ppt
Dhcp pptDhcp ppt
Dhcp ppt
 
Security in distributed systems
Security in distributed systems Security in distributed systems
Security in distributed systems
 
Telnet presentation
Telnet presentationTelnet presentation
Telnet presentation
 
Traditional Firewall vs. Next Generation Firewall
Traditional Firewall vs. Next Generation FirewallTraditional Firewall vs. Next Generation Firewall
Traditional Firewall vs. Next Generation Firewall
 
Unicast multicast & broadcast
Unicast multicast & broadcastUnicast multicast & broadcast
Unicast multicast & broadcast
 
Subnetting
SubnettingSubnetting
Subnetting
 
DHCP
DHCPDHCP
DHCP
 
Next generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefitsNext generation firewall(ngfw)feature and benefits
Next generation firewall(ngfw)feature and benefits
 
TFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer ProtocolTFTP - Trivial File Transfer Protocol
TFTP - Trivial File Transfer Protocol
 
Metasploit
MetasploitMetasploit
Metasploit
 
IP addressing and Subnetting PPT
IP addressing and Subnetting PPTIP addressing and Subnetting PPT
IP addressing and Subnetting PPT
 
TCP Over Wireless
TCP Over WirelessTCP Over Wireless
TCP Over Wireless
 
Snmp
SnmpSnmp
Snmp
 
Networking in linux
Networking in linuxNetworking in linux
Networking in linux
 
Wireless Hacking
Wireless HackingWireless Hacking
Wireless Hacking
 

Ähnlich wie Telecom Security

GSM security solution by FINETUNE Technologies
GSM security solution by FINETUNE TechnologiesGSM security solution by FINETUNE Technologies
GSM security solution by FINETUNE Technologies
Engr.MEESHU SHARKER
 
Total GSM Concept
Total GSM ConceptTotal GSM Concept
Total GSM Concept
Tempus Telcosys
 
bsnl presentation on gsm
bsnl presentation on  gsm bsnl presentation on  gsm
bsnl presentation on gsm
Kapil Masatker
 

Ähnlich wie Telecom Security (20)

GSM
GSMGSM
GSM
 
Switching systems lecture7
Switching  systems lecture7Switching  systems lecture7
Switching systems lecture7
 
GSM security solution by FINETUNE Technologies
GSM security solution by FINETUNE TechnologiesGSM security solution by FINETUNE Technologies
GSM security solution by FINETUNE Technologies
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
 
GSM Fundamentals
GSM FundamentalsGSM Fundamentals
GSM Fundamentals
 
Rk 3 gsm network
Rk 3 gsm networkRk 3 gsm network
Rk 3 gsm network
 
Rk 3 gsm network @guddu
Rk 3 gsm network @gudduRk 3 gsm network @guddu
Rk 3 gsm network @guddu
 
S ECURITY I SSUES A ND C HALLENGES I N M OBILE C OMPUTING A ND M - C ...
S ECURITY  I SSUES  A ND  C HALLENGES  I N  M OBILE  C OMPUTING  A ND  M - C ...S ECURITY  I SSUES  A ND  C HALLENGES  I N  M OBILE  C OMPUTING  A ND  M - C ...
S ECURITY I SSUES A ND C HALLENGES I N M OBILE C OMPUTING A ND M - C ...
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)
 
Total GSM Concept
Total GSM ConceptTotal GSM Concept
Total GSM Concept
 
Operation and mainetainence of switch ppt
Operation and mainetainence of switch pptOperation and mainetainence of switch ppt
Operation and mainetainence of switch ppt
 
Basic of teleom gsm
Basic of teleom gsmBasic of teleom gsm
Basic of teleom gsm
 
GSM SECURITY AND ENCRYPTION BY SAIKIRAN PANJALA
GSM SECURITY AND ENCRYPTION BY SAIKIRAN PANJALAGSM SECURITY AND ENCRYPTION BY SAIKIRAN PANJALA
GSM SECURITY AND ENCRYPTION BY SAIKIRAN PANJALA
 
Gsm Network
Gsm NetworkGsm Network
Gsm Network
 
GSM Architecture.ppt
 GSM Architecture.ppt GSM Architecture.ppt
GSM Architecture.ppt
 
GSM
GSMGSM
GSM
 
bsnl presentation on gsm
bsnl presentation on  gsm bsnl presentation on  gsm
bsnl presentation on gsm
 
Introduction to SIM and USIM
Introduction to SIM and USIMIntroduction to SIM and USIM
Introduction to SIM and USIM
 
GSM Network Architecture
GSM Network ArchitectureGSM Network Architecture
GSM Network Architecture
 
Securing Wireless Cellular Systems
Securing Wireless Cellular SystemsSecuring Wireless Cellular Systems
Securing Wireless Cellular Systems
 

Mehr von Priyanka Aash

Mehr von Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Kürzlich hochgeladen

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Kürzlich hochgeladen (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Telecom Security

  • 1. Workshop on Telecom Security Harshit Agrawal Himanshu Mehta CISO Platform Best of The World In SecurityNovember 12-14,2020 | 8AM -4PM (EST) | Global Summit
  • 2. /Speaker/Harshit/> whoami USER INFORMATION --------------------------------------------------- Harshit Agrawal RF and Telecom Security Researcher --------------------------------------------------- Primary Research area includes RF Security, Telecom Security, and IOT Security Speaker at conferences like RSAC USA, HITBSecConf Amsterdam, Cyberweek UAE ---------------------------------------------------- Twitter: @harshitnic Email: harshit[dot]nic[at]gmail[dot]com LinkedIn: https://linkedin.com/in/harshitnic
  • 3. /Speaker/Himanshu/> whoami USER INFORMATION ----------------------------------------------------- Himanshu Mehta Senior Security Researcher, Xen1thLabs (Digital14 LLC) ----------------------------------------------------- Primary Research area includes Telecom, RF, IoT, Network, Web & Mobile Applications Security ------------------------------------------------------ Twitter: @nullvoid0x Email: himanshu.mehta21@gmail.com LinkedIn: https://www.linkedin.com/in/himanshumehta21/
  • 4. Topics to be discussed ● Why we need security? ● GSM Architecture Break (5mins) ● Encryption Algorithm ● User Equipment Break (5mins) ● Radio Access Network ● Smartphone Tracking ● IMSI catcher ● Security Threats ● Conclusion Q&A
  • 7. Why we need security in mobile network?
  • 8. Functions to Target ● All major cellular networks support – Voice calls – Voice mail (VM) – Short Message Service (SMS) – Location-based Services (LBS) – IP Connectivity ● Most also support – Binary configuration messages – Multimedia messages (MMS) – Faxing
  • 9. You Only Have One Voice —Don’t Let Hackers Steal It descript.com
  • 11. 2G Network – Network Side: MSC/VLR, BSC/BTS, HLR/AuC – User Side: SIM Card, Terminal Equipment
  • 13. Global System for Mobile Communication (GSM) ● Digital cellular network ● GSM offers a number of services including voice communications, Short Message Service (SMS), fax, voice mail, and other supplemental services such as call forwarding and caller ID. ● Currently there are several bands in use in GSM; 450 MHz, 850 MHz, 900 MHz, 1800 MHz, and 1900 MHz are the most common ones. ● Makes use of FDMA and TDMA
  • 14. Mobile Station (MS) – Mobile Equipment (ME) ● Physical mobile device ● Identifiers ○ IMEI – International Mobile Equipment Identity – Subscriber Identity Module (SIM) ● Smart card containing keys, identifiers and algorithms ● Identifiers ○ Ki – Subscriber Authentication Key ○ IMSI – International Mobile Subscriber Identity ○ TMSI – Temporary Mobile Subscriber Identity ○ MSISDN – Mobile Station International Subscriber Directory Number ○ PIN – Personal Identity Number protecting a SIM ○ LAI – Location Area Identity
  • 15. Base Transceiver Station (BTS): handles speech encoding, encryption, multiplexing (TDMA), and modulation/demodulation of the radio signals. Image source: wikipedia
  • 16. Base Station Controller (BSC): the BSC controls multiple BTSs. It handles allocation of radio channels, frequency administration, power and signal measurements from the MS, and handovers from one BTS to another.
  • 17. Image credit: Jörg Eberspächer, Hans-Jörg Vögel
  • 18. GSM Interface Image credit: Jörg Eberspächer, Hans-Jörg Vögel
  • 19. Mobile Subscriber ISDN (MSISDN) The MSISDN is the subscriber's phone number. It is the number that another person would dial in order to reach the subscriber. The MSISDN is composed of three parts: ● Country Code (CC) ● National Destination Code (NDC) ● Subscriber Number (SN) Layout: MSISDN = CC | NDC | SN
  • 20. International Mobile Equipment Identity (IMEI) Uniquely identifies the Mobile Equipment and is burned into the phone by the manufacturer. The IMEI is composed of three parts: ● Type Allocation Code (TAC) – 8 digits ● Serial Number (SNR) – 6 digits ● Spare (SP) – 1 digit Layout: IMEI = TAC (8 digits) | SNR (6 digits) | Spare (1 digit)
  • 21. International Mobile Subscriber Identity (IMSI) The IMSI uniquely identifies the subscriber in the network. It is burned into the SIM card when the subscriber registers with the PLMN service provider. ● Mobile Country Code (MCC) ● Mobile Network Code (MNC) ● Mobile Subscriber Identification Number (MSIN) Layout: IMSI = MCC (3 digits) | MNC (2 or 3 digits) | MSIN (max 10 digits), not to exceed 15 digits in total
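The three identifier layouts on slides 19-21 are easy to get wrong in tooling (which digits are the MNC, where the MSIN starts), so here is an added example, not code from the workshop, that parses and validates them. The sample values are constructed; the Luhn check over TAC+SNR for the 15th IMEI digit comes from 3GPP TS 23.003 rather than from the slides (which label that digit "Spare"), and the short set of MCCs with 3-digit MNCs is an assumption standing in for the full operator table.

```python
"""Structural parsing of the MSISDN, IMEI and IMSI fields described on slides 19-21.

All sample values below are constructed for this example. Assumptions that go
beyond the slides are marked in comments.
"""
from __future__ import annotations

from dataclasses import dataclass


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit over a digit string.

    The slide labels the 15th IMEI digit 'Spare'; in 3GPP TS 23.003 it is the
    Luhn check digit over TAC+SNR, which is what this helper computes.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:        # the rightmost payload digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


@dataclass(frozen=True)
class IMEI:
    tac: str    # Type Allocation Code, 8 digits
    snr: str    # Serial Number, 6 digits
    spare: str  # 1 digit (the Luhn check digit)


def parse_imei(imei: str) -> IMEI:
    if len(imei) != 15 or not imei.isdigit():
        raise ValueError("IMEI must be exactly 15 digits")
    parsed = IMEI(imei[:8], imei[8:14], imei[14])
    if int(parsed.spare) != luhn_check_digit(imei[:14]):
        raise ValueError("IMEI check digit does not match TAC+SNR")
    return parsed


@dataclass(frozen=True)
class IMSI:
    mcc: str   # Mobile Country Code, 3 digits
    mnc: str   # Mobile Network Code, 2 or 3 digits
    msin: str  # Mobile Subscriber Identification Number, at most 10 digits


# Assumption for this example: MCCs whose operators use 3-digit MNCs
# (the North American MCC range 310-316). Production code would use the
# full MCC/MNC table instead of this short set.
THREE_DIGIT_MNC_MCCS = {"310", "311", "312", "313", "314", "315", "316"}


def parse_imsi(imsi: str) -> IMSI:
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    mnc, msin = imsi[3:3 + mnc_len], imsi[3 + mnc_len:]
    if len(msin) > 10:
        raise ValueError("MSIN must not exceed 10 digits")
    return IMSI(mcc, mnc, msin)


@dataclass(frozen=True)
class MSISDN:
    cc: str   # Country Code
    ndc: str  # National Destination Code
    sn: str   # Subscriber Number


def parse_msisdn(number: str, cc_len: int, ndc_len: int) -> MSISDN:
    """CC and NDC lengths differ per country, so the caller passes them in."""
    digits = number.lstrip("+")
    if not digits.isdigit() or len(digits) <= cc_len + ndc_len:
        raise ValueError("MSISDN has no subscriber number part")
    return MSISDN(digits[:cc_len],
                  digits[cc_len:cc_len + ndc_len],
                  digits[cc_len + ndc_len:])


if __name__ == "__main__":
    print(parse_imei("490154203237518"))   # constructed sample
    print(parse_imsi("001010123456789"))   # MCC 001 / MNC 01 is the 3GPP test PLMN
    print(parse_msisdn("+919876543210", cc_len=2, ndc_len=3))
```

The IMEI check digit is worth validating before trusting any IMEI a device reports: a value that fails Luhn is either mistyped or fabricated.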
  • 22. TMSI – Temporary Mobile Subscriber Identity ● Goals ○ The TMSI is used instead of the IMSI as a temporary subscriber identifier ○ The TMSI prevents an eavesdropper from identifying the subscriber ● Usage ○ The TMSI is assigned when the IMSI is transmitted to the AuC at the first phone switch-on ○ Every time a location update (new MSC) occurs, the network assigns a new TMSI ○ The TMSI is used by the MS to report to the network or during call initialisation ○ The network uses the TMSI to communicate with the MS ○ On MS switch-off the TMSI is stored on the SIM card to be reused next time – The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI
  • 23. Case study: GSMA Device check
  • 24. GSM database and addresses summary Image credit: Jörg Eberspächer, Hans-Jörg Vögel
  • 25. Multiple Access Image credit: Jörg Eberspächer, Hans-Jörg Vögel
  • 26. Absolute radio frequency channel number (ARFCN) ● Describes a pair of frequencies (one uplink and one downlink with bandwidth of 200kHz) ● The following table summarizes the frequency ranges, offsets, and ARFCNs for several popular bands. Image credit: Faruk Hadziomerveric, SSST Fall 2009
  • 27. Calculating Uplink/Downlink Frequencies
    GSM 900:  Up = 890.0 + (ARFCN * 0.2);  Down = Up + 45.0
    EGSM900:  Up = 890.0 + (ARFCN * 0.2);  Down = Up + 45.0
    DCS1800:  Up = 1710.0 + ((ARFCN - 511) * 0.2);  Down = Up + 95.0
    PCS1900:  Up = 1850.0 + ((ARFCN - 512) * 0.2);  Down = Up + 80.0
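The formulas on slides 26-27 as working code, added here as an example that is not part of the workshop material. It goes slightly beyond the slide: it adds the E-GSM extension range (ARFCN 975-1023, below 890 MHz) and the inverse mapping from a downlink frequency back to an ARFCN, both taken from 3GPP TS 45.005. One caveat from the same spec: the PCS1900 uplink base is 1850.2 MHz (i.e. 1850.2 + 0.2 × (ARFCN − 512)), whereas the slide writes 1850.0; the code uses the spec value. Channel bounds and duplex spacings are the standard ones.

```python
"""ARFCN <-> carrier frequency for the bands on the slide (3GPP TS 45.005).

Frequencies are computed in integer kHz and converted to MHz only on output,
so results land exactly on the 200 kHz raster without float drift.
"""
from __future__ import annotations

# band: (uplink base kHz, ARFCN at that base, duplex spacing kHz, lowest ARFCN, highest ARFCN)
BANDS = {
    "GSM900":  (890_000,   0,   45_000, 1,   124),
    "EGSM900": (890_000,   0,   45_000, 0,   124),   # 975..1023 extension handled below
    "DCS1800": (1_710_200, 512, 95_000, 512, 885),   # equals the slide's 1710.0 + (n-511)*0.2
    # TS 45.005 gives 1850.2 + 0.2*(n-512); the slide's 1850.0 base is 0.2 MHz low
    "PCS1900": (1_850_200, 512, 80_000, 512, 810),
}


def arfcn_to_freq(band: str, arfcn: int) -> tuple[float, float]:
    """Return (uplink MHz, downlink MHz) for an ARFCN in the given band."""
    base, offset, duplex, lo, hi = BANDS[band]
    if band == "EGSM900" and 975 <= arfcn <= 1023:
        # E-GSM extension: ARFCNs 975..1023 sit below 890 MHz (880.2..889.8)
        up_khz = base + 200 * (arfcn - 1024)
    elif lo <= arfcn <= hi:
        up_khz = base + 200 * (arfcn - offset)
    else:
        raise ValueError(f"ARFCN {arfcn} is not valid in {band}")
    return up_khz / 1000, (up_khz + duplex) / 1000


def downlink_to_arfcn(band: str, downlink_mhz: float) -> int:
    """Inverse mapping: the ARFCN whose downlink carrier is at downlink_mhz.

    Handy when a scanner reports a BTS in MHz (as on the gr-gsm slides) and you
    want the channel number, or to check that a reported frequency is on the raster.
    """
    base, offset, duplex, lo, hi = BANDS[band]
    up_khz = round(downlink_mhz * 1000) - duplex
    delta = up_khz - base
    if delta % 200:
        raise ValueError(f"{downlink_mhz} MHz is not on the 200 kHz raster of {band}")
    arfcn = offset + delta // 200
    if band == "EGSM900" and arfcn < 0:
        arfcn += 1024                      # back into the 975..1023 extension numbering
    valid = lo <= arfcn <= hi or (band == "EGSM900" and 975 <= arfcn <= 1023)
    if not valid:
        raise ValueError(f"{downlink_mhz} MHz is outside {band}")
    return arfcn


if __name__ == "__main__":
    for band, n in (("GSM900", 52), ("EGSM900", 975), ("DCS1800", 700), ("PCS1900", 512)):
        up, down = arfcn_to_freq(band, n)
        print(f"{band:8s} ARFCN {n:4d}: up {up:.1f} MHz, down {down:.1f} MHz")
    print("945.4 MHz downlink is GSM900 ARFCN", downlink_to_arfcn("GSM900", 945.4))
```

The 945.4 MHz figure used with grgsm_livemon later in the deck is the downlink of GSM900 ARFCN 52; the inverse function makes that kind of cross-check a one-liner.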
  • 28. Time location update Image credit: Fabian van den Broek
  • 29. Identity Management LAI1 LAI2 LAI1, TMSI1 ● The IMSI is the long-term identity stored on the SIM card ● The TMSI is a short-term identity reallocated periodically, according to the standard at least at each change of location ● A new TMSI should not be linkable with the old one
  • 30. Identity Management ● The IMSI is the long-term identity stored on the SIM card ● The TMSI is a short-term identity reallocated periodically, according to the standard at least at each change of location ● A new TMSI should not be linkable with the old one LAI1 LAI2 LAI2, TMSI2 Location Update
  • 31. Roaming location update Image credit: Fabian van den Broek
  • 32. Handoff in Mobile connections Image source: Tutorialspoint
  • 33. Types of Handoff Image source: Tutorialspoint
  • 34. UMTS Network architecture Image credit: Björn Gustaf Landfeldt
  • 35. LTE Network architecture Image credit: Tutorialspoint
  • 37. 2G Calling 3G UE Source: GL communications
  • 38. 2G Calling 4G UE Source: GL communications
  • 39. Telecom Protocol Stack Layers Image Credits: Nutaq.com
  • 41. A3 -MS Authentication Algorithm Goal: Generation of SRES response to MSC’s random challenge RAND Image credit: Ankit Pandey
  • 42. A8 -Voice privacy key generation Algorithm Goal: generation of session key (Kc) from the secret key Ki and the challenge (RAND) A8 Specification was never made public
  • 43. A3 and A8 -logical implementation COMP128 is used for both A3 and A8 in most GSM networks. - COMP128 is a keyed hash function
  • 45. A5/1 Stream Cipher algorithm Image credit: Ray Felch
  • 48. SS7 Network Overview Image credit: Tobias Engel
  • 49. SS7 Network Overview Image credit: Tobias Engel
  • 50. SS7 Network Overview Image credit: Tobias Engel
  • 52. Signaling Channels
    Broadcast Channels (BCH) – transmitted by the BTS to the MS; carry the system parameters needed to identify the network and to synchronise time and frequency with it: Broadcast Control Channel (BCCH), Frequency Correction Channel (FCCH), Synchronisation Channel (SCH), Cell Broadcast Channel (CBCH)
    Common Control Channels (CCCH) – used for signalling between the BTS and the MS, to request and grant access to the network: Paging Channel (PCH), Random Access Channel (RACH), Access Grant Channel (AGCH)
    Standalone Dedicated Control Channels (SDCCH) – used for call setup; the Associated Control Channels (ACCH) carry the signalling associated with calls and call setup: Associated Control Channel (ACCH), Fast Associated Control Channel (FACCH), Slow Associated Control Channel (SACCH)
  • 53. Location Updating Request (TMSI not established yet)
  • 55. TMSI / A5/1 Algorithm Supported
  • 56. From Speech to Signal Image credit: Fabian van den Broek
  • 59. SIM card security What is a SIM card? ● A portable memory chip ● Protected by: ○ a PIN (Personal Identification Number) ○ a PUK (Personal Unblocking Code) ● Also includes other parameters of the user, such as its IMSI ● Allows the cell phone to operate on the network.
  • 60. Uicc & Sim Source: 3g4g.co.uk
  • 64. Radio during WW1 and WW2 1941 Swedish HF portable... one guy carries the radio, the other guy carries the battery. Cavalry horse wearing a field radio. Operating an AAC (Anti-Aircraft) telephone headset to communicate with an observation balloon. Image source: wikipedia
  • 65. Inside the Radio Wave Spectrum 3 KHz 1 GHz 3 GHz 4 GHz 5 GHz 2 GHz AM Radio 2.4 GHz band Used by more than 300 consumer devices, including microwave ovens, cordless phones and wireless networks (WiFi and Bluetooth) Broadcast TV Garage Door Openers Door Openers Auctioned Spectrum Cell Phones Global Positioning System Wireless Medical Telemetry GSM Network Satellite Radio Weather Radar Cable TV Satellite Transmissions Highway Toll Tags 5 GHz WiFi Network Security Alarms Most of the white area of this band is reserved for military, federal government and industry use
  • 67. Signals Overview ● Data is transmitted via radio signals in wireless networks ● Radio signal: an electromagnetic wave ○ generated by a transmitter in dependence on the data to be transferred (modulation), ○ emitted by the antenna of the transmitter, ○ caught by the antenna of the receiver, and ○ sampled by the receiver to recover the data bits (demodulation) ● Carrier frequency/carrier: radio signal of a constant frequency generated by the receiver for modulation ● The carrier can be described by a sine wave (defined by three parameters) ● Each parameter can be used for the modulation of data ○ Amplitude Shift Keying ○ Frequency Shift Keying ○ Phase Shift Keying
  • 68. Time domain and Frequency domain Image source: wikipedia
  • 69. Characteristics of mobile radio channel
  • 72. Intercepting traffic using software defined radio Image source: ITU 2020
  • 73.
  • 75. GSMTAP ● Useful to debug the radio interface. ● GSMTAP encapsulates RF information and transmits it in a UDP encapsulated packet. ● This allows us to see the Um interface traffic from a BTS or MS of downlink and uplink. ● Extremely useful capability when analysing GSM.
  • 76. ...but at first some words about: dB and dBm
  • 78. Smartphone Surveillance and tracking techniques ● Mobile Signal Tracking ○ Cell Tower ○ IMSI Catcher ● Wi-Fi and Bluetooth Tracking ● Infecting Phones with Spyware/Malware ● Forensic Analysis of Seized Phones ● Location Information Leaks from Apps and Websites ● GPS and Network Time Protocol
  • 79. GPS Spoofing Prepare the Test Environment: Download the GPS-SIM-SDR Software and Compile it: Get the current satellite positions from NASA: Generate the signal file with the static position (coordinates) you want to send: Send the signal: #!/bin/sh day=$(date +%j) year=$(date +%Y) yr=$(date +%y) wget "ftp://cddis.gsfc.nasa.gov/gnss/data/daily/$year""/brdc/brdc""$day""0.$yr""n.Z" uncompress "brdc""$day""0.$yr""n.Z" echo "brdc""$day""0.$yr""n.Z" ./gps-sdr-sim -b 8 -e YOUR_BRDC_FILE_HERE -l 40.812800,-60.005900,100 Sudo git clone https://github.com/osqzss/gps-sdr-sim.git sudo hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0
  • 80.
  • 81.
  • 82. Locating Mobile Phones Trilateration (by measuring the distance), Triangulation (by measuring angle) to known reference points Image source: Cooper Quintin
  • 84. TDOA/ TOA/ AOA / E-OTD Image credit: Omar Ahmad Al-Bayari and http://etutorials.org/
  • 86. IMSI CATCHER In 1996, the German company Rohde & Schwarz launched the first IMSI catcher, the GA090, in Munich. The initial design of the IMSI catcher was to identify the cellphone's geographic location by instructing the cellphone to transmit its IMSI ● IMSI: International Mobile Subscriber Identity ● MCC: Mobile Country Code ● MNC: Mobile Network Code ● MSIN: Mobile Subscriber Identification Number ● LAC: Location Area Code ● CellId: unique number identifying a cell (BTS) within a LAC
  • 87. What kind of data does an IMSI catcher capture? Image source: Electronic Frontier Foundation
  • 88. GSM sniffing with gr-gsm
    Prepare the test environment: install the compilation dependencies:
      sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy
    Compile "gr-gsm":
      git clone https://github.com/ptrkrysik/gr-gsm.git
      cd gr-gsm
      mkdir build
      cd build
      cmake ..
      make
      sudo make install
      sudo ldconfig
    Compile "kalibrate" (choose the version based on your hardware):
      git clone https://github.com/scateu/kalibrate-hackrf.git (for HackRF version)
      git clone https://github.com/steve-m/kalibrate-rtl.git (for RTL version)
      cd kalibrate-hackrf
      ./bootstrap
      ./configure
      make
      sudo make install
    Scan for base stations with kal:
      kal -s GSM900 -g 40 //Scan GSM900 band
      grgsm_livemon -f 945.4e6
  • 89. GNU radio GNU Radio is a framework that enables users to design, simulate, and deploy highly capable real-world radio systems.
  • 90.
  • 91.
  • 92. IMSI CATCHER Two Operating Modes are known: ● Identification Mode ● Camping Mode StingRay II, a cellular site simulator used for surveillance purposes manufactured by Harris Corporation, of Melbourne, Fla.Photo: U.S. Patent and Trademark Office via AP
  • 93. MITM on 3G networks exploiting an SS7 vulnerability
  • 94. White-Stingray: Evaluating IMSI Catchers Detection Applications (Ravishankar Borgaonkar, Altaf Shaik) App1: Snoopwitch App2: Cell Spy Catcher App3: GSM Spy Finder App4: Darshak App5: AIMSICD
  • 96. GSM networks are victim and source of attacks on user privacy
  • 97. Common types of Attack: Image source: ENISA 2018
  • 98. Threat: SIM Cloning Exploit: weaknesses in COMP128/COMP128-1, used for key generation (A8) and authentication (A3), allow retrieval of the long-term key Ki Requirements: physical access to the original SIM card, a card reader/writer, a blank SIM card, cracking software Effects: identity theft, theft of available credit/allowance, DoS Mitigations: cloning can be detected; SIMs using COMP128-2/3 cannot be cloned
  • 99. Threat: Session key retrieval (cracking tool available) Exploit: weaknesses in A5/1 Requirements: ● 64 bits of known plaintext, e.g. control messages; uses a brute-force-like attack based on rainbow tables (implemented in the Kraken tool) ● a way of locating the target user (e.g. silent SMS/silent call locating attack) ● a device to sniff traffic on the dedicated channel (modified Motorola phone) Effects: breach of phone call/SMS message confidentiality Mitigations: use a stronger encryption algorithm
  • 100. Threat: User De-registration DoS attack Exploit: lack of authentication of signalling messages Requirements: an MS-like device programmed to send IMSI detach messages to the network Effects: user unreachable for mobile-terminated services
  • 101. Threat: Paging response DoS attack Exploit: lack of authentication of signalling messages Requirements: an MS-like device programmed to send paging response messages to the network, answering the paging request faster than the victim phone Effects: incoming call dropped; incoming call hijacked if the attack is performed in an unencrypted network Mitigations: use of encryption, indication of no encryption on the MS
  • 102. Threat: User tracking Exploit: silent phone call/SMS, TMSI not updated often Requirements: an MS-like device programmed to sniff signalling messages over dedicated channels Effects: breach of user privacy Mitigations: frequent change of TMSI
  • 103. Threat: 2G downgrade attack Exploit: lack of authentication of the serving network Requirements: fake BS Effects: the fake BS forces a downgrade to 2G Mitigations: set the network mode to 3G only in the MS settings
  • 104. Threat: Redirection attack Exploit: lack of authentication of the serving network Requirements: a fake BS and an MS connected to a real BS Effects: redirection of the communication to a chosen network, perhaps one charging a higher rate or using weaker encryption
  • 105. Conclusion Security mitigations improved with evolving telecom generations, but no matter what, security researchers and attackers will always find their way. Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers.
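The IMSI-catcher slides (86, 92, 94) and the threat slides 101-104 between them list the observable symptoms of a fake base station: the phone is asked for its IMSI, ciphering is switched off (A5/0), the connection is pushed down to 2G, the TMSI is not reallocated on a location update, and the serving cell is not one the operator runs. The following is an added example, not code from the workshop or from any of the detection apps named on slide 94, that turns those symptoms into a small detector over cell observations. The observation record format, the cell inventory and both sample sequences are constructed for the example; a real detector would populate the records from baseband or diagnostic logs.

```python
"""Heuristic fake-base-station (IMSI catcher) indicators over cell observations.

The indicators are the ones these slides name: identity (IMSI) requests,
no encryption (A5/0), a forced 2G downgrade, a TMSI that is not reallocated
on location update, and a cell that is not in the operator's inventory.
The observation format and the sample data are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CellObs:
    ts: int                  # seconds since monitoring started
    rat: str                 # radio access technology the phone camped on: "2G", "3G" or "4G"
    mcc: str
    mnc: str
    lac: int                 # Location Area Code
    cell_id: int
    cipher: str              # 2G cipher negotiated: "A5/0" (none), "A5/1", "A5/3"; "" if not 2G
    tmsi: Optional[str]      # TMSI the phone holds afterwards; None = IMSI went over the air
    identity_request: bool   # the network explicitly asked the phone for its IMSI


# Constructed inventory of the home operator's cells in the monitored area.
KNOWN_CELLS = {
    ("001", "01", 1, 1001),
    ("001", "01", 1, 1002),
    ("001", "01", 2, 2001),
}


def analyse(observations: list[CellObs], known_cells=KNOWN_CELLS) -> list[tuple[int, str]]:
    """Return (timestamp, indicator) pairs; an empty list means nothing looked off."""
    findings: list[tuple[int, str]] = []
    prev: Optional[CellObs] = None
    for o in observations:
        if (o.mcc, o.mnc, o.lac, o.cell_id) not in known_cells:
            findings.append((o.ts, "cell not in operator inventory"))
        if o.rat == "2G" and o.cipher == "A5/0":
            findings.append((o.ts, "no encryption on dedicated channel (A5/0)"))
        if o.identity_request or o.tmsi is None:
            findings.append((o.ts, "IMSI sent over the air"))
        if prev is not None:
            if prev.rat in ("3G", "4G") and o.rat == "2G":
                findings.append((o.ts, "downgrade to 2G"))
            if o.lac != prev.lac and o.tmsi is not None and o.tmsi == prev.tmsi:
                findings.append((o.ts, "TMSI not reallocated on location update"))
        prev = o
    return findings


def looks_like_catcher(observations: list[CellObs], min_distinct: int = 2) -> bool:
    """Flag only when several different indicators co-occur: any single one
    (a 2G-only area, a new cell after a network upgrade) has benign explanations."""
    return len({kind for _, kind in analyse(observations)}) >= min_distinct


# Constructed sample: a normal stretch on the home 2G network ...
NORMAL = [
    CellObs(0,   "2G", "001", "01", 1, 1001, "A5/1", "T1", False),
    CellObs(60,  "2G", "001", "01", 1, 1002, "A5/1", "T1", False),  # same LAC, TMSI kept
    CellObs(120, "2G", "001", "01", 2, 2001, "A5/1", "T2", False),  # new LAC, new TMSI
]

# ... and a sequence matching the threat slides: pulled from 4G onto an unknown
# 2G cell with no ciphering, asked for the IMSI, TMSI kept across a LAC change.
SUSPECT = [
    CellObs(0,   "4G", "001", "01", 1, 1001, "",     "T1", False),
    CellObs(30,  "2G", "001", "01", 9, 9999, "A5/0", None, True),
    CellObs(90,  "2G", "001", "01", 9, 9999, "A5/0", "T3", False),
    CellObs(150, "2G", "001", "01", 8, 8888, "A5/0", "T3", False),
]


if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, "->", "suspicious" if looks_like_catcher(seq) else "clean")
        for ts, kind in analyse(seq):
            print(f"  t={ts:3d}s {kind}")
```

The threshold on distinct indicator kinds is the important design choice: each symptom alone is common on legitimate networks (rural 2G-only coverage, a freshly commissioned cell, an operator that never reallocates TMSIs), so a detector that alerts on any single one produces mostly noise; requiring several to coincide is what the slides' own mitigation advice (encryption indication, frequent TMSI change, 3G-only mode) points at.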
  • 106. Learning: Navigating 3GPP documents ● 22 series: Service aspects ● 23 series: Technical realization ○ TS 23.203: Policy and Charging Control Architecture ○ TS 23.401: GPRS enhancements for E-UTRAN access ○ TS 23.501: System Architecture for the 5G System ● 24 series: Signalling protocols – user to network ○ TS 24.301: NAS protocol for EPS (MM, SM procedures) ● 29 series: Signalling protocols – intra-fixed-network ○ TS 29.171-173: Location Services ● 33 series: Security ● 36 series: LTE radio aspects ○ TS 36.300: E-UTRAN – Overall description; Stage 2 ○ TS 36.331: Radio Resource Control (RRC); protocol specification ● 38 series: 5G radio aspects http://www.3gpp.org/specifications/specification-numbering
  • 107. There’s never enough time... Harshit Agrawal harshit.nic@gmail.com @harshitnic Himanshu Mehta himanshu.mehta21@gmail.com @nullvoid0x