This workshop aims to give an intermediate-level understanding of the risks associated with cellular mobile communication networks and of the security issues in the radio access network. We begin with a brief history of telecom, then cover the fundamentals of mobile networks and radio signals, the security architecture of GSM/UMTS/LTE, methods for detecting attacks on cellular networks, and known security vulnerabilities, with practical examples and case studies where possible.
1. Workshop on Telecom Security
Harshit Agrawal
Himanshu Mehta
CISO Platform
Best of The World In Security | November 12-14, 2020 | 8AM - 4PM (EST) | Global Summit
2. /Speaker/Harshit/> whoami
USER INFORMATION
---------------------------------------------------
Harshit Agrawal
RF and Telecom Security Researcher
---------------------------------------------------
Primary research areas include RF Security, Telecom Security, and IoT Security
Speaker at conferences like RSAC USA,
HITBSecConf Amsterdam, Cyberweek UAE
----------------------------------------------------
Twitter: @harshitnic
Email: harshit[dot]nic[at]gmail[dot]com
LinkedIn: https://linkedin.com/in/harshitnic
3. /Speaker/Himanshu/> whoami
USER INFORMATION
-----------------------------------------------------
Himanshu Mehta
Senior Security Researcher, Xen1thLabs (Digital14 LLC)
-----------------------------------------------------
Primary Research area includes Telecom, RF,
IoT, Network, Web & Mobile Applications Security
------------------------------------------------------
Twitter: @nullvoid0x
Email: himanshu.mehta21@gmail.com
LinkedIn: https://www.linkedin.com/in/himanshumehta21/
4. Topics to be discussed
● Why we need security?
● GSM Architecture
Break (5mins)
● Encryption Algorithm
● User Equipment
Break (5mins)
● Radio Access Network
● Smartphone Tracking
● IMSI catcher
● Security Threats
● Conclusion
Q&A
8. Functions to Target
● All major cellular networks support
– Voice calls
– Voice mail (VM)
– Short Message Service (SMS)
– Location-based Services (LBS)
– IP Connectivity
● Most also support
– Binary configuration messages
– Multimedia messages (MMS)
– Faxing
9. You Only Have One Voice —Don’t Let Hackers Steal It
Source: descript.com
13. Global System for Mobile Communication (GSM)
● Digital Cellular Network
● GSM offers a number of services
including voice communications, Short
Message Service (SMS), fax, voice mail,
and other supplemental services such
as call forwarding and caller ID.
● Several frequency bands are in use for GSM; 450 MHz, 850 MHz, 900 MHz, 1800 MHz and 1900 MHz are the most common ones
● Makes use of FDMA and TDMA
14. Mobile Station (MS)
– Mobile Equipment (ME)
● Physical mobile device
● Identifiers
○ IMEI – International Mobile Equipment Identity
– Subscriber Identity Module (SIM)
● Smart Card containing keys, identifiers and algorithms
● Identifiers
○ Ki – Subscriber Authentication Key
○ IMSI – International Mobile Subscriber Identity
○ TMSI – Temporary Mobile Subscriber Identity
○ MSISDN – Mobile Station International Subscriber Directory Number (the subscriber's phone number)
○ PIN – Personal Identification Number protecting the SIM
○ LAI – location area identity
15. Base Transceiver Station (BTS)
Base Transceiver Station (BTS): handles speech encoding, encryption, TDMA multiplexing, and modulation/demodulation of the radio signals.
Image source: wikipedia
16. Base Station Controller (BSC)
Base Station Controller (BSC): controls multiple BTSs. It handles allocation of radio channels, frequency administration, power and signal measurements from the MS, and handovers from one BTS to another.
19. Mobile Subscriber ISDN (MSISDN)
The MSISDN is the subscriber's phone number: the number another person dials in order to reach the subscriber. The MSISDN is composed of three parts:
● Country Code (CC)
● National Destination Code (NDC)
● Subscriber Number (SN)
MSISDN = CC | NDC | SN
20. International Mobile Equipment Identity (IMEI)
Uniquely identifies the Mobile Equipment; assigned by the manufacturer and stored in the phone.
The IMEI is composed of three parts:
● Type Allocation Code (TAC) - 8 digits
● Serial Number (SNR) - 6 digits
● Check Digit / Spare (CD/SD) - 1 digit: a Luhn check digit computed over the 14 digits of TAC+SNR (the IMEISV variant replaces it with a 2-digit software version number)
IMEI = TAC (8 digits) | SNR (6 digits) | CD (1 digit)
21. International Mobile Subscriber Identity (IMSI)
The IMSI uniquely identifies the subscriber in the network.
It is written to the SIM card when the subscriber is registered with the PLMN service provider.
● Mobile Country Code (MCC) - 3 digits
● Mobile Network Code (MNC) - 2 or 3 digits
● Mobile Subscriber Identification Number (MSIN) - max 10 digits
IMSI = MCC | MNC | MSIN, not to exceed 15 digits in total
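As an added worked example (not from the workshop slides), the Python below splits an IMEI into TAC/SNR/check digit and verifies the Luhn check digit, and splits an IMSI into MCC/MNC/MSIN. The MNC-length lookup is a small constructed table rather than the full PLMN list, and the identifiers in the usage section are constructed values, not real devices or subscribers.

```python
# Added example: decoding the GSM identifiers shown on the IMEI and IMSI slides.

def luhn_check_digit(body: str) -> int:
    """Luhn check digit for a digit string; the IMEI check digit is computed over
    the 14-digit TAC+SNR body (3GPP TS 23.003)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit, starting from the rightmost
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split an IMEI into TAC (8 digits), SNR (6 digits) and the check digit."""
    imei = imei.replace("-", "").replace(" ", "")
    if not (imei.isdigit() and len(imei) in (14, 15)):
        raise ValueError("IMEI must be 14 digits (no check digit) or 15 digits")
    body, cd = imei[:14], imei[14:]
    expected = luhn_check_digit(body)
    return {
        "tac": body[:8],
        "snr": body[8:14],
        "check_digit": int(cd) if cd else None,
        "expected_check_digit": expected,
        # None when the check digit is absent, otherwise whether it is consistent
        "check_digit_ok": (int(cd) == expected) if cd else None,
    }


# MNC length depends on the MCC: 2 digits in most countries, 3 in e.g. North America.
# Constructed lookup for this example; a real tool uses the full ITU-T/3GPP PLMN table.
MNC_LENGTH = {"310": 3, "311": 3, "312": 3, "262": 2, "404": 2, "204": 2, "234": 2}


def parse_imsi(imsi: str, mnc_len=None) -> dict:
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN (<= 10 digits)."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("IMSI is 6 to 15 decimal digits")
    mcc = imsi[:3]
    n = mnc_len or MNC_LENGTH.get(mcc, 2)
    msin = imsi[3 + n:]
    if len(msin) > 10:
        raise ValueError("MSIN cannot exceed 10 digits")
    return {"mcc": mcc, "mnc": imsi[3:3 + n], "msin": msin}


if __name__ == "__main__":
    # Constructed sample values (not real devices or subscribers)
    print(parse_imei("490154203237518"))   # check digit 8 is consistent with the Luhn sum
    print(parse_imei("49015420323751"))    # 14 digits: the check digit to append is 8
    print(parse_imsi("310260123456789"))   # MCC 310, MNC 260, MSIN 123456789
    print(parse_imsi("262011234567890"))   # MCC 262, MNC 01, MSIN 1234567890
```

The same split is what an IMSI catcher does with a captured IMSI: the MCC/MNC tell it the home operator before the MSIN is even looked at, which is why the TMSI exists.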
22. TMSI - Temporary Mobile Subscriber Identity
● Goals
○ The TMSI is used instead of the IMSI as a temporary subscriber identifier
○ The TMSI prevents an eavesdropper on the radio path from identifying the subscriber
● Usage
○ A TMSI is assigned after the MS has identified itself to the network with its IMSI (e.g. at first switch-on, when the network holds no TMSI for it yet)
○ Every time a location update occurs (e.g. a new MSC/VLR area) the network assigns a new TMSI
○ The TMSI is used by the MS to identify itself to the network, e.g. during call initialization
○ The network uses the TMSI to page and communicate with the MS
○ On MS switch-off the TMSI is stored on the SIM card to be reused at the next switch-on
– The Visitor Location Register (VLR) performs assignment, administration and update of the TMSI
26. Absolute radio frequency channel number (ARFCN)
● Describes a pair of frequencies (one
uplink and one downlink with bandwidth
of 200kHz)
● The following table summarizes the
frequency ranges, offsets, and ARFCNs
for several popular bands.
Image credit: Faruk Hadziomerveric, SSST Fall 2009
27. Calculating Uplink/Downlink Frequencies (MHz, per 3GPP TS 45.005)
GSM 900 (ARFCN 1-124)
Up = 890.0 + (ARFCN * 0.2)
Down = Up + 45.0
E-GSM 900 (ARFCN 0-124 as for GSM 900; extension band ARFCN 975-1023)
Up = 890.0 + ((ARFCN - 1024) * 0.2)
Down = Up + 45.0
DCS 1800 (ARFCN 512-885)
Up = 1710.0 + ((ARFCN - 511) * 0.2)
Down = Up + 95.0
PCS 1900 (ARFCN 512-810; the same ARFCN numbers as DCS 1800, so the band must be known)
Up = 1850.0 + ((ARFCN - 511) * 0.2)
Down = Up + 80.0
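Added example, not code from the slides: the ARFCN formulas above in Python, extended to the E-GSM extension band and to GSM 850 and GSM 450 (band constants follow 3GPP TS 45.005), plus the inverse lookup a practitioner needs when kal reports a downlink carrier or when grgsm_livemon is tuned to one, such as the 945.4 MHz used later in this workshop.

```python
# Added example: ARFCN <-> carrier frequency, following the formulas on the slide.
# Band table from 3GPP TS 45.005: (band, first ARFCN, last ARFCN,
# uplink frequency at the first ARFCN in kHz, uplink->downlink duplex spacing in kHz).
# The slide's bands are GSM900/E-GSM/DCS1800/PCS1900; GSM850 and GSM450 are added.
BANDS = [
    ("GSM900",  1,   124,  890_200,   45_000),
    ("EGSM900", 0,   124,  890_000,   45_000),  # shares GSM900 numbering for 0-124
    ("EGSM900", 975, 1023, 880_200,   45_000),  # extension band: 890 + 0.2*(n-1024)
    ("GSM850",  128, 251,  824_200,   45_000),
    ("GSM450",  259, 293,  450_600,   10_000),
    ("DCS1800", 512, 885,  1_710_200, 95_000),
    ("PCS1900", 512, 810,  1_850_200, 80_000),  # same ARFCN range as DCS1800
]


def arfcn_to_freq(arfcn: int, band: str = None):
    """Return (band, uplink_MHz, downlink_MHz). DCS1800 and PCS1900 reuse ARFCN
    512-810 for different carriers, so those need an explicit band."""
    matches = [b for b in BANDS if b[1] <= arfcn <= b[2] and (band is None or b[0] == band)]
    if not matches:
        raise ValueError(f"ARFCN {arfcn} is not in {band or 'any known band'}")
    uplinks = {b[3] + 200 * (arfcn - b[1]) for b in matches}
    if len(uplinks) > 1:
        names = sorted({b[0] for b in matches})
        raise ValueError(f"ARFCN {arfcn} is ambiguous between {names}; pass band=")
    name, first, _last, base, duplex = matches[0]
    up_khz = base + 200 * (arfcn - first)
    return name, up_khz / 1000, (up_khz + duplex) / 1000


def downlink_to_arfcn(downlink_mhz: float):
    """Inverse lookup for a downlink carrier such as one reported by kal or tuned
    with grgsm_livemon -f: returns every (band, ARFCN) that maps onto it."""
    dl_khz = round(downlink_mhz * 1000)
    hits = []
    for name, first, last, base, duplex in BANDS:
        offset = dl_khz - duplex - base          # distance from the band's first uplink carrier
        if offset % 200 == 0 and first <= first + offset // 200 <= last:
            hits.append((name, first + offset // 200))
    return hits


if __name__ == "__main__":
    print(arfcn_to_freq(52))              # ('GSM900', 900.4, 945.4): grgsm_livemon -f 945.4e6
    print(arfcn_to_freq(975))             # ('EGSM900', 880.2, 925.2)
    print(arfcn_to_freq(512, "PCS1900"))  # ('PCS1900', 1850.2, 1930.2)
    print(downlink_to_arfcn(945.4))       # [('GSM900', 52), ('EGSM900', 52)]
```

Frequencies are kept in integer kHz until the final division so that ARFCN arithmetic never accumulates floating-point error; the 0.2 MHz channel raster and the duplex spacings are exact in kHz.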
29. Identity Management
● IMSI is the long-term identity stored on the SIM card
● TMSI is a short-term identity reallocated periodically, according to the standard at least at each change of location
● A new TMSI should not be linkable with the old one
(Diagram: the MS in location area LAI1 holds TMSI1.)
30. Identity Management
(Diagram, continued: the MS moves into LAI2, performs a Location Update and is assigned TMSI2; the bullet points are the same as on the previous slide.)
41. A3 - MS Authentication Algorithm
Goal: generation of the SRES response to the MSC's random challenge RAND, using the subscriber key Ki
Image credit: Ankit Pandey
42. A8 - Voice privacy key generation Algorithm
Goal: generation of the session key (Kc) from the secret key Ki and the challenge (RAND)
The A8 specification was never officially published; A3/A8 are operator-specific and are implemented on the SIM and in the AuC
43. A3 and A8 - logical implementation
COMP128 is used for both A3 and A8 in most GSM networks.
- COMP128 is a keyed hash function; its original version (COMP128-1) was reverse-engineered in 1998 and is the weakness behind SIM cloning
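Added example, not code from the slides or from any operator: the challenge-response exchange between the AuC/MSC and the SIM as described above, with HMAC-SHA256 standing in for COMP128 (an assumption, since the real A3/A8 are operator-specific and not on the page; only the message flow and the 32-bit SRES / 64-bit Kc sizes follow GSM). The AuC, SIM and authenticate names and the sample Ki are constructed for the example. The point to notice is that the SIM answers whatever RAND it is given: GSM authenticates the subscriber but never the network, which is what the fake base station threats later in the workshop rely on.

```python
# Added example: the GSM challenge-response as run by the AuC/MSC and the SIM.
# HMAC-SHA256 stands in for COMP128 (assumption: the real A3/A8 are operator-
# specific and not on the page); only the message flow and output sizes follow GSM.
import hashlib
import hmac
import secrets


def a3_a8(ki: bytes, rand: bytes, comp128v1_kc: bool = False):
    """SIM-side A3/A8 stand-in: 128-bit Ki and 128-bit RAND in, 32-bit SRES and
    64-bit Kc out (the sizes GSM uses). With comp128v1_kc the 10 least significant
    bits of Kc are cleared, as COMP128-1 did, leaving an effective 54-bit key."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are 128 bits each")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres, kc = digest[:4], bytearray(digest[4:12])
    if comp128v1_kc:
        kc[7] = 0
        kc[6] &= 0xFC
    return sres, bytes(kc)


class AuC:
    """Authentication Centre: holds Ki per IMSI and issues (RAND, SRES, Kc) triplets."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str, ki: bytes):
        self._ki[imsi] = ki

    def triplet(self, imsi: str):
        rand = secrets.token_bytes(16)
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc


class SIM:
    """Subscriber side: answers RAND with SRES and keeps Kc for the A5 cipher."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def authentication_response(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)
        return sres


def authenticate(auc: AuC, sim: SIM) -> bool:
    """MSC/VLR procedure: AUTHENTICATION REQUEST carries RAND to the MS,
    AUTHENTICATION RESPONSE returns SRES, and the network compares it with the
    SRES from the triplet. Nothing here lets the SIM check who sent RAND:
    GSM authenticates the subscriber only, never the network."""
    rand, expected_sres, _kc = auc.triplet(sim.imsi)
    sres = sim.authentication_response(rand)
    return hmac.compare_digest(sres, expected_sres)


if __name__ == "__main__":
    # Constructed subscriber data (not a real IMSI or key)
    ki = bytes.fromhex("0123456789abcdef0123456789abcdef")
    auc = AuC()
    auc.provision("262011234567890", ki)
    genuine = SIM("262011234567890", ki)
    cloned_wrong_key = SIM("262011234567890", bytes(16))
    print(authenticate(auc, genuine))           # True
    print(authenticate(auc, cloned_wrong_key))  # False: SRES mismatch, network rejects
    print(genuine.kc.hex())                     # session key now shared with the BTS
```

A clone that has recovered the real Ki (the SIM cloning threat later on) passes this check exactly like the genuine card, because the network has nothing but Ki to distinguish them.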
52. Signaling Channels
Broadcast Channels (BCH)
- Transmitted by the BTS to the MS; carry the system parameters needed to identify the network and to synchronize time and frequency with it
- Broadcast Control Channel (BCCH), Frequency Correction Channel (FCCH), Synchronisation Channel (SCH), Cell Broadcast Channel (CBCH)
Common Control Channels (CCCH)
- Used for signalling between the BTS and the MS to request and grant access to the network
- Paging Channel (PCH), Random Access Channel (RACH), Access Grant Channel (AGCH)
Standalone Dedicated Control Channels (SDCCH)
- Used for call setup; the associated control channels (ACCH) carry the signalling associated with calls and call setup
- Associated Control Channel (ACCH): Fast Associated Control Channel (FACCH), Slow Associated Control Channel (SACCH)
59. SIM card security
What is a SIM card?
● A removable smart card with its own processor and protected memory
● Protected by:
○ a PIN (Personal Identification Number)
○ a PUK (Personal Unblocking Code), needed once the PIN has been entered wrongly too many times
● Also holds other subscriber parameters such as its IMSI and the secret key Ki, which never leaves the card
● Allows the cell phone to operate on the network.
64. Radio during WW1 and WW2
(Photos: a 1941 Swedish HF portable, one soldier carrying the radio and the other the battery; a cavalry horse wearing a field radio; a soldier operating an AAC (anti-aircraft) telephone headset to communicate with an observation balloon.)
Image source: wikipedia
65. Inside the Radio Wave Spectrum
(Figure: the radio spectrum from 3 kHz to 5 GHz with example allocations marked: AM radio; broadcast TV; garage door openers; auctioned spectrum; cell phones; GSM network; Global Positioning System; wireless medical telemetry; satellite radio; weather radar; cable TV; satellite transmissions; highway toll tags; security alarms; the 2.4 GHz band, used by more than 300 consumer devices including microwave ovens, cordless phones and wireless networks (WiFi and Bluetooth); and 5 GHz WiFi networks. Most of the white area of the band is reserved for military, federal government and industry use.)
67. Signals Overview
● In wireless networks data is transmitted via radio signals
● A radio signal is an electromagnetic wave that is
○ generated by a transmitter in dependence on the data to be transferred (modulation),
○ emitted by the antenna of the transmitter,
○ caught by the antenna of the receiver, and
○ sampled by the receiver to recover the data bits (demodulation)
● Carrier frequency/carrier: a radio signal of constant frequency generated by the transmitter, onto which the data is modulated
● The carrier can be described by a sine wave, defined by three parameters (amplitude, frequency and phase)
● Each parameter can be used for the modulation of data
○ Amplitude Shift Keying (ASK)
○ Frequency Shift Keying (FSK)
○ Phase Shift Keying (PSK)
75. GSMTAP
● Useful to debug the radio interface.
● GSMTAP encapsulates each Um frame together with its RF metadata (ARFCN, timeslot, frame number, signal level) in a UDP packet (port 4729 by convention).
● This allows us to see the Um interface traffic of a BTS or MS, downlink and uplink, for example in Wireshark, which has a GSMTAP dissector.
● Extremely useful capability when analysing GSM.
78. Smartphone Surveillance and tracking techniques
● Mobile Signal Tracking
○ Cell Tower
○ IMSI Catcher
● Wi-Fi and Bluetooth Tracking
● Infecting Phones with Spyware/Malware
● Forensic Analysis of Seized Phones
● Location Information Leaks from Apps and Websites
● GPS and Network Time Protocol
79. GPS Spoofing
Prepare the test environment:
Download the gps-sdr-sim software and compile it (build command as in the project's README):
git clone https://github.com/osqzss/gps-sdr-sim.git
cd gps-sdr-sim
gcc gpssim.c -lm -O3 -o gps-sdr-sim
Get the current satellite positions (broadcast ephemeris) from NASA, generate the signal file with the static position (coordinates) you want to send, and transmit it with the HackRF:
#!/bin/sh
day=$(date +%j)
year=$(date +%Y)
yr=$(date +%y)
brdc="brdc${day}0.${yr}n"
wget "ftp://cddis.gsfc.nasa.gov/gnss/data/daily/${year}/brdc/${brdc}.Z"
uncompress "${brdc}.Z"
echo "Using ephemeris file ${brdc}"
# -b 8: 8-bit I/Q samples (HackRF), -e: ephemeris file, -l: lat,lon,height of the spoofed fix
./gps-sdr-sim -b 8 -e "${brdc}" -l 40.812800,-60.005900,100
# transmit the generated gpssim.bin on GPS L1 (1575.42 MHz) at 2.6 MS/s, TX amplifier on, TX VGA gain 0
sudo hackrf_transfer -t gpssim.bin -f 1575420000 -s 2600000 -a 1 -x 0
82. Locating Mobile Phones
Trilateration (by measuring the distance), Triangulation (by measuring angle)
to known reference points
Image source: Cooper Quintin
86. IMSI CATCHER
In 1996, the German company Rohde & Schwarz launched the first IMSI catcher, the GA090, in Munich.
The initial design of the IMSI catcher was to identify a cellphone's geographic location by instructing the cellphone to transmit its IMSI (an Identity Request, which an unauthenticated 2G network can send at any time).
● IMSI: International Mobile Subscriber Identity
● MCC: Mobile Country Code
● MNC: Mobile Network Code
● MSIN: Mobile Subscriber Identification Number
● LAC: Location Area Code
● Cell ID: unique number identifying a cell (BTS) within the LAC
87. What kind of data does an IMSI catcher capture?
Image source: Electronic Frontier Foundation
88. GSM sniffing with gr-gsm
Prepare the test environment:
Install the compilation dependencies:
sudo apt-get install git cmake libboost-all-dev libcppunit-dev swig doxygen liblog4cpp5-dev python-scipy
Compile "gr-gsm":
git clone https://github.com/ptrkrysik/gr-gsm.git
cd gr-gsm
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
cd ../..
Compile "kalibrate" (choose the version based on your hardware):
git clone https://github.com/scateu/kalibrate-hackrf.git   # HackRF version
git clone https://github.com/steve-m/kalibrate-rtl.git       # RTL-SDR version
cd kalibrate-hackrf
./bootstrap
./configure
make
sudo make install
Scan for base stations with kal, then tune grgsm_livemon to one of the downlink frequencies it reports:
kal -s GSM900 -g 40        # scan the GSM900 band with gain 40
grgsm_livemon -f 945.4e6   # e.g. the downlink of ARFCN 52
89. GNU radio
GNU Radio is a framework that enables users to design, simulate, and deploy highly capable real-world
radio systems.
92. IMSI CATCHER
Two Operating Modes are known:
● Identification Mode
● Camping Mode
StingRay II, a cellular site simulator used for surveillance purposes, manufactured by Harris Corporation of Melbourne, Fla. Photo: U.S. Patent and Trademark Office via AP
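Added example, not from the slides or from gr-gsm: a decoder for the GSMTAP stream that grgsm_livemon produces (slide 75), taken down to the GSM 04.08 message type, with a counter for the signalling that an IMSI catcher in identification mode generates: explicit IDENTITY REQUESTs for the IMSI or IMEI, and CIPHERING MODE COMMANDs that leave the link unencrypted or pick A5/2. Header layout and constants follow libosmocore's gsmtap.h; the packets in SAMPLE are constructed, not a capture, and the BCCH/CCCH (Bbis-framed) messages are only classified by channel, not decoded.

```python
# Added example: decode GSMTAP datagrams (as grgsm_livemon sends them to UDP port
# 4729) down to the GSM 04.08 layer-3 message type and count the signalling an
# IMSI catcher in identification mode produces. Header layout and constants from
# libosmocore's gsmtap.h; SAMPLE below is constructed test data, not a capture.
import struct
from collections import Counter

GSMTAP_TYPE_UM = 0x01
ARFCN_F_PCS, ARFCN_F_UPLINK, ARFCN_MASK = 0x8000, 0x4000, 0x3FFF
CHANNEL_ACCH = 0x80   # ORed into sub_type for FACCH/SACCH
CHANNELS = {0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH", 0x04: "AGCH", 0x05: "PCH",
            0x06: "SDCCH", 0x07: "SDCCH/4", 0x08: "SDCCH/8", 0x09: "TCH/F", 0x0A: "TCH/H"}
DEDICATED = {0x06, 0x07, 0x08, 0x09, 0x0A}
# 16-byte GSMTAP v2 header: version, hdr_len (32-bit words), type, timeslot,
# arfcn+flags, signal dBm, SNR dB, frame number, sub_type, antenna, sub_slot, reserved
GSMTAP_HDR = struct.Struct("!BBBBHbbIBBBB")
MM_MSG = {0x02: "LOCATION UPDATING ACCEPT", 0x04: "LOCATION UPDATING REJECT",
          0x08: "LOCATION UPDATING REQUEST", 0x12: "AUTHENTICATION REQUEST",
          0x14: "AUTHENTICATION RESPONSE", 0x18: "IDENTITY REQUEST",
          0x19: "IDENTITY RESPONSE", 0x1A: "TMSI REALLOCATION COMMAND"}
RR_MSG = {0x0D: "CHANNEL RELEASE", 0x32: "CIPHERING MODE COMPLETE", 0x35: "CIPHERING MODE COMMAND"}
IDENTITY_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def parse_gsmtap(pkt: bytes) -> dict:
    """Split one GSMTAP datagram into header fields and the Um frame it carries."""
    ver, hdr_len, typ, ts, arfcn_raw, sig, snr, fn, sub, _ant, _slot, _res = GSMTAP_HDR.unpack_from(pkt)
    if typ != GSMTAP_TYPE_UM:
        raise ValueError(f"not a Um packet (GSMTAP type 0x{typ:02x})")
    chan = CHANNELS.get(sub & 0x7F, f"0x{sub:02x}") + ("+ACCH" if sub & CHANNEL_ACCH else "")
    return {"version": ver, "timeslot": ts, "arfcn": arfcn_raw & ARFCN_MASK,
            "uplink": bool(arfcn_raw & ARFCN_F_UPLINK), "pcs": bool(arfcn_raw & ARFCN_F_PCS),
            "signal_dbm": sig, "snr_db": snr, "frame_number": fn, "channel": chan,
            "dedicated": (sub & 0x7F) in DEDICATED, "frame": pkt[hdr_len * 4:]}


def lapdm_info(frame: bytes) -> bytes:
    """L3 payload of a LAPDm B-format frame (address, control, length indicator,
    info, 0x2B fill), the framing used on dedicated channels."""
    return frame[3:3 + (frame[2] >> 2)] if len(frame) >= 3 else b""


def classify_l3(l3: bytes):
    """PD and message type of a GSM 04.08 L3 message plus the catcher-relevant fields."""
    if len(l3) < 2:
        return None
    pd, mt = l3[0] & 0x0F, l3[1] & 0x3F   # bit 7 of the type octet is N(SD) on uplink
    if pd == 0x05:
        info = {"pd": "MM", "msg": MM_MSG.get(mt, f"MM 0x{mt:02x}")}
        if mt == 0x18 and len(l3) >= 3:
            info["identity_type"] = IDENTITY_TYPES.get(l3[2] & 0x07, "unknown")
    elif pd == 0x06:
        info = {"pd": "RR", "msg": RR_MSG.get(mt, f"RR 0x{mt:02x}")}
        if mt == 0x35 and len(l3) >= 3:   # cipher mode setting: bit 1 = SC, bits 2-4 = algorithm
            sc = l3[2] & 0x01
            info["ciphering"] = bool(sc)
            info["algorithm"] = f"A5/{((l3[2] >> 1) & 0x07) + 1}" if sc else None
    else:
        info = {"pd": f"0x{pd:x}", "msg": f"0x{mt:02x}"}
    return info


def audit(datagrams):
    """Count identification-mode indicators: IMSI/IMEI requests, unencrypted or A5/2 cipher commands."""
    findings, events = Counter(), []
    for pkt in datagrams:
        hdr = parse_gsmtap(pkt)
        if not hdr["dedicated"]:
            continue   # BCCH/CCCH use LAPDm Bbis framing, not decoded here
        info = classify_l3(lapdm_info(hdr["frame"]))
        if info is None:
            continue
        events.append((hdr["arfcn"], "UL" if hdr["uplink"] else "DL", hdr["channel"], info))
        if info["msg"] == "IDENTITY REQUEST" and info.get("identity_type") in ("IMSI", "IMEI", "IMEISV"):
            findings["identity_request_" + info["identity_type"].lower()] += 1
        if info["msg"] == "CIPHERING MODE COMMAND":
            if not info["ciphering"]:
                findings["cipher_mode_no_encryption"] += 1
            elif info["algorithm"] == "A5/2":
                findings["cipher_mode_a5_2"] += 1
    return findings, events


def build_um_packet(arfcn, uplink, sub_type, l3, fn=0):
    """Constructed GSMTAP v2 datagram carrying one LAPDm B-format frame (test data)."""
    hdr = GSMTAP_HDR.pack(2, 4, GSMTAP_TYPE_UM, 0, arfcn | (ARFCN_F_UPLINK if uplink else 0),
                          -60, 20, fn, sub_type, 0, 0, 0)
    addr = 0x01 | (0x00 if uplink else 0x02)   # SAPI 0, C/R=1 on BS->MS commands, EA=1
    return hdr + (bytes([addr, 0x00, (len(l3) << 2) | 0x01]) + l3).ljust(23, b"\x2B")


SAMPLE = [   # constructed exchange on ARFCN 52, SDCCH/8
    build_um_packet(52, True, 0x08, b"\x05\x08", 1000),       # UL LOCATION UPDATING REQUEST
    build_um_packet(52, False, 0x08, b"\x05\x18\x01", 1001),  # DL IDENTITY REQUEST for the IMSI
    build_um_packet(52, False, 0x08, b"\x06\x35\x00", 1002),  # DL CIPHERING MODE COMMAND, SC=0
    build_um_packet(52, False, 0x08, b"\x06\x35\x01", 1003),  # DL CIPHERING MODE COMMAND, A5/1
    GSMTAP_HDR.pack(2, 4, GSMTAP_TYPE_UM, 0, 52, -60, 20, 1004, 0x05, 0, 0, 0) + bytes(23),  # PCH
]

if __name__ == "__main__":
    found, _seen = audit(SAMPLE)
    print(dict(found))   # {'identity_request_imsi': 1, 'cipher_mode_no_encryption': 1}
```

To run this against live traffic, read datagrams from UDP port 4729 with a socket and feed them to audit(). One IDENTITY REQUEST for the IMSI on a fresh connection is normal network behaviour (the VLR has no TMSI for the phone yet), so what separates a catcher from a real cell is the rate per ARFCN over time, and the combination with no ciphering, rather than any single event.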
93. MITM on 3G networks exploiting SS7 vulnerability
98. Threat: SIM Cloning
Exploit: weaknesses in COMP128-1 (the original COMP128), used for key generation (A8) and authentication (A3), allow retrieval of the long-term key Ki from chosen RAND challenges
Requirements: physical access to the original SIM card, a card reader/writer, a blank SIM card, cracking software
Effects: identity theft, theft of available credit/allowance, DoS
Mitigations: cloning can be detected (the same IMSI active in two places); SIMs using COMP128-2/3 cannot be cloned this way
99. Threat: Session key retrieval (cracking tool available)
Exploit: weaknesses in A5/1
Requirements:
● 64 bits of known plaintext (e.g. predictable control messages); a brute-force-like attack based on rainbow tables (implemented in the Kraken tool) then recovers the session key Kc
● a way of locating the target user (e.g. silent SMS / silent call locating attack)
● a device to sniff traffic on the dedicated channel (e.g. a modified Motorola phone)
Effects: breach of phone call/SMS message confidentiality
Mitigations: use a stronger encryption algorithm (A5/3)
100. Threat: User de-registration DoS attack
Exploit: lack of authentication of signalling messages
Requirements: MS-like device programmed to send IMSI detach messages to the network
Effects: user unreachable for mobile terminated services
101. Threat: Paging response DoS attack
Exploit: lack of authentication of signalling messages
Requirements: an MS-like device programmed to send paging response messages to the network, answering the paging request faster than the victim phone
Effects: incoming call dropped; incoming call hijacked if the attack is performed on an unencrypted network
Mitigations: use of encryption; indication on the MS when no encryption is in use
102. Threat: User tracking
Exploit: silent phone call/SMS, TMSI not updated often
Requirements: MS-like device programmed to sniff signalling messages over dedicated channels
Effects: breach of user privacy
Mitigations: frequent change of TMSI
103. Threat: 2G downgrade attack
Exploit: lack of authentication of the serving network in GSM (UMTS and LTE authenticate the network, so the attacker first has to push the phone back to 2G)
Requirements: fake BS
Effects: the fake BS forces a downgrade to 2G, where the attacks above apply
Mitigations: set the network mode to 3G only (or LTE only) in the MS settings, where the phone allows it
104. Threat: Redirection attack
Exploit: lack of authentication of serving network
Requirements: Fake BS and a MS connected to a real BS
Effects: redirection of the communication to a chosen network perhaps one charging a higher rate
or using weaker encryption
105. Conclusion
Security mitigations have improved with each telecom generation, but no matter what, security researchers and attackers will always find a way.
Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers.
106. Learning: Navigating 3GPP document
● 22 series: Service aspects
● 23 series: Technical realization
○ TS 23.203: Policy and Charging Control Architecture
○ TS 23.401: GPRS enhancements for E-UTRAN access
○ TS 23.501: Systems Architecture for the 5G System
● 24 series: Signaling protocols –user to network
○ TS 24.301 NAS protocol for EPS (MM, SM procedures)
● 29 series: Signaling protocols-intra-fixed-network
○ TS 29.171-173: Location Services
● 33 series: Security
● 36 series: LTE radio aspects
○ TS 36.300: E-UTRAN –Overall description; Stage 2
○ TS 36.331: Radio Resource Control (RRC); protocol specification
● 38 series: 5G radio aspects
http://www.3gpp.org/specifications/specification-numbering