1Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
Attacking 3G
Jose [email protected]
David [email protected]
@layakk
www.layakk.com
RootedCON in Valencia
Introduction
Attacks known to work against 2G, based on a rogue base station:
– IMSI Catching
– Geolocation of mobile devices
– Denial of Service
– Eavesdropping
There are devices on the market that offer part of that functionality for 3G.
Some “renowned” researchers claim that those attacks cannot be performed in 3G.
In this talk we tell you that most of the above can be done…
… and we tell you how.
– Selective downgrade to 2G (a further attack covered in this talk)
Note: The theoretical information presented in the following slides is actually a summary of information already public, though not widely publicized.
THEORETICAL BACKGROUND
How is that possible?
Signaling messages are integrity protected in 3G, thanks to the security mode command and the structure of the protocol.
The cryptography behind the integrity protection hasn’t been broken yet (at least publicly).
All signaling messages?
Security mode set-up procedure (MS – SRNC – VLR/SGSN)
1. RRC connection setup (MS ↔ SRNC)
2. Initial level-3 message (Id)
3. User identification
4. Authentication and key agreement
5. Selection of integrity and ciphering algorithms
6. Security Mode Command (UIAs, IK, UEAs, CK, etc.)
7. Begin ciphering and integrity protection
Establishment of a radio channel (RRC protocol), UE – SRNC
1. RRC CONNECTION REQUEST (Establishment Cause, Initial UE Identity, …), UE → SRNC
2. RRC CONNECTION SETUP (Frequency info, secondary CCPCH, …), SRNC → UE
3. RRC CONNECTION SETUP COMPLETE (RRC transaction identifier, UE radio access capability, …), UE → SRNC
Rejection of a request to set up a radio channel (RRC), UE – SRNC
1. RRC CONNECTION REQUEST (Establishment Cause, Initial UE Identity, …), UE → SRNC
2. RRC CONNECTION REJECT (Rejection Cause, Redirection info, …), SRNC → UE
   Redirection info: Frequency info or Inter-RAT info
RRC signaling messages NOT integrity protected
– HANDOVER TO UTRAN COMPLETE
– PAGING TYPE 1
– PUSCH CAPACITY REQUEST
– PHYSICAL SHARED CHANNEL ALLOCATION
– SYSTEM INFORMATION
– SYSTEM INFORMATION CHANGE INDICATION
– TRANSPORT FORMAT COMBINATION CONTROL (TM DCCH only)
– RRC CONNECTION REQUEST
– RRC CONNECTION SETUP
– RRC CONNECTION SETUP COMPLETE
– RRC CONNECTION REJECT
– RRC CONNECTION RELEASE (CCCH only)
Highlighted on the slide: RRC CONNECTION REQUEST, RRC CONNECTION SETUP, RRC CONNECTION SETUP COMPLETE, RRC CONNECTION REJECT
MM (DL) messages allowed before the security mode command
– AUTHENTICATION REQUEST
– AUTHENTICATION REJECT
– IDENTITY REQUEST
– LOCATION UPDATING REJECT
– LOCATION UPDATING ACCEPT (at periodic location update with no change of location area or temporary identity)
– CM SERVICE ACCEPT, if the following two conditions apply: no other MM connection is established; and the CM SERVICE ACCEPT is the response to a CM SERVICE REQUEST with CM SERVICE TYPE IE set to ‘emergency call establishment’
– CM SERVICE REJECT
– ABORT
Highlighted on the slide: IDENTITY REQUEST, LOCATION UPDATING REJECT
Attack infrastructure: 3G base station (node B)
HW
– Radio receiver & transmitter with 5 MHz bandwidth
– Sampling rate >= 3.84 Msps
– Clock with proper rate and precision
SW
– 3G modem (SW based, in order to control the baseband)
– Emulation of certain parts of the protocols
Let us assume (for now) that all these elements exist.
ATTACKS
– IMSI / IMEI Catching
– Geolocation of mobile devices
– Denial of Service
– Selective downgrade to 2G
IMSI / IMEI Catching (UE – SRNC)
1. RRC connection setup
2. Location Update Request
3. Identity Request (IMSI / IMEI / TMSI)
4. Identity Response
5. Location Update Reject
Geolocation of mobile devices
All data needed for geolocation is available on signaling channels.
Once an RRC connection with a device is established, the rest is identical to 2G.
Is it necessary to complete the registration of the device in the network?
Geolocation of mobile devices (UE – SRNC)
1. RRC CONNECTION REQUEST (Establishment Cause, Initial UE Identity, …)
2. RRC CONNECTION SETUP (Frequency info, secondary CCPCH, …)
3. RRC CONNECTION SETUP COMPLETE (RRC transaction identifier, UE radio access capability, …)
This radio channel can be kept open long enough to carry out all needed measurements, before the device finally desists in its attempt to register with the fake cell.
Denial of Service
Since the “Location Update Reject” message may be sent before ciphering and integrity protection are established, the DoS attack based on LU Reject Cause Codes is totally possible in 3G.
Selective downgrade to 2G
A selective downgrade to 2G may be carried out in at least two different ways:
– If the TMSI of the target device is known (it may be obtained via some other technique), the connection establishment attempts may be redirected to a 2G cell using Inter-RAT info.
– Knowing any ID of the target device, a cell could be configured with the LAC of the real cells (if there are 2 LACs in the environment, 2 fake base stations could be used), and this cell could reject the registration attempts with “Location Area not allowed”.
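The two allow-lists from the theoretical background (RRC messages that are never integrity protected, and MM downlink messages the UE may act on before the Security Mode Command) are exactly what a baseband-side monitor can check, and they cover all four attack sequences above. The following Python is an added example, not code from Layakk or from the talk: it replays constructed message traces for the IMSI-catching, downgrade and DoS sequences, tracks whether the Security Mode Command has been seen, and raises the events a defender would want logged. Message names are the ones on the slides; the `Msg`/`Event` types, the information-element keys (`identity_type`, `cause`, `redirection`, `new_tmsi`), the severities and the trace contents are assumptions of this example.

```python
"""Pre-security-mode message monitor (added example, not code from the talk).

Until the Security Mode Command is processed, RRC and MM downlink messages
reach the UE without integrity protection, and only a short allow-list of
MM messages may be acted upon.  This monitor replays a message trace,
tracks that security state and raises events for the unprotected messages
the slides rely on (identity requests, LU rejects, inter-RAT redirection)
and for messages that are not allowed before security is activated.
"""
from dataclasses import dataclass, field

# MM downlink messages allowed before the Security Mode Command (as listed on
# the slide; CM SERVICE ACCEPT only under its two conditions, not modelled here).
MM_ALLOWED_BEFORE_SMC = {
    "AUTHENTICATION REQUEST", "AUTHENTICATION REJECT", "IDENTITY REQUEST",
    "LOCATION UPDATING REJECT", "LOCATION UPDATING ACCEPT",
    "CM SERVICE ACCEPT", "CM SERVICE REJECT", "ABORT",
}
# RRC connection set-up messages, which are never integrity protected.
RRC_UNPROTECTED = {
    "RRC CONNECTION REQUEST", "RRC CONNECTION SETUP",
    "RRC CONNECTION SETUP COMPLETE", "RRC CONNECTION REJECT",
}


@dataclass
class Msg:
    layer: str                 # "RRC" or "MM"
    name: str                  # message name as on the slides
    direction: str             # "DL" (network -> UE) or "UL" (UE -> network)
    ies: dict = field(default_factory=dict)   # information elements of interest (assumed keys)


@dataclass
class Event:
    severity: str              # "info", "notable" (legitimate but worth logging) or "violation"
    msg: str
    detail: str


def monitor(trace):
    """Walk a downlink/uplink trace; return the events raised, in order."""
    events = []
    integrity_active = False
    for m in trace:
        if m.layer == "RRC" and m.name == "SECURITY MODE COMMAND" and m.direction == "DL":
            integrity_active = True
            events.append(Event("info", m.name, "integrity protection now active"))
            continue
        if m.direction != "DL" or integrity_active:
            continue                      # uplink, or already protected: nothing to flag
        # Everything below reached the UE WITHOUT integrity protection.
        if m.layer == "RRC":
            redirect = m.ies.get("redirection", {})
            if m.name == "RRC CONNECTION REJECT" and "inter_rat" in redirect:
                events.append(Event("notable", m.name,
                                    f"unprotected redirection to {redirect['inter_rat']}"))
            elif m.name not in RRC_UNPROTECTED:
                events.append(Event("violation", m.name,
                                    "RRC message requires integrity protection; discard"))
        elif m.layer == "MM":
            if m.name not in MM_ALLOWED_BEFORE_SMC:
                events.append(Event("violation", m.name,
                                    "not allowed before security mode command; discard"))
            elif m.name == "IDENTITY REQUEST" and m.ies.get("identity_type") in ("IMSI", "IMEI"):
                events.append(Event("notable", m.name,
                                    f"unprotected request for {m.ies['identity_type']}"))
            elif m.name == "LOCATION UPDATING REJECT":
                events.append(Event("notable", m.name,
                                    f"unprotected reject, cause: {m.ies.get('cause')}"))
            elif m.name == "LOCATION UPDATING ACCEPT" and "new_tmsi" in m.ies:
                # Allowed unprotected only for a periodic update with no change of
                # location area or temporary identity; a new TMSI breaks that condition.
                events.append(Event("violation", m.name,
                                    "unprotected accept assigning a new TMSI; discard"))
    return events


# Constructed traces (not captures).  Shared RRC set-up prefix from the slides.
_SETUP = [Msg("RRC", "RRC CONNECTION REQUEST", "UL"),
          Msg("RRC", "RRC CONNECTION SETUP", "DL"),
          Msg("RRC", "RRC CONNECTION SETUP COMPLETE", "UL"),
          Msg("MM", "LOCATION UPDATING REQUEST", "UL")]

IMSI_CATCH_TRACE = _SETUP + [          # slide "IMSI / IMEI Catching", steps 3-5
    Msg("MM", "IDENTITY REQUEST", "DL", {"identity_type": "IMSI"}),
    Msg("MM", "IDENTITY RESPONSE", "UL"),
    Msg("MM", "LOCATION UPDATING REJECT", "DL", {"cause": "Location Area not allowed"}),
]
DOWNGRADE_TRACE = [                    # slide "Selective downgrade to 2G", first method
    Msg("RRC", "RRC CONNECTION REQUEST", "UL"),
    Msg("RRC", "RRC CONNECTION REJECT", "DL", {"redirection": {"inter_rat": "GSM"}}),
]
SPOOF_TRACE = _SETUP + [               # forged accept before any security: must be discarded
    Msg("MM", "LOCATION UPDATING ACCEPT", "DL", {"new_tmsi": "TMSI-PLACEHOLDER"}),
]
LEGIT_TRACE = _SETUP + [               # normal attach: security first, identities afterwards
    Msg("MM", "AUTHENTICATION REQUEST", "DL"),
    Msg("MM", "AUTHENTICATION RESPONSE", "UL"),
    Msg("RRC", "SECURITY MODE COMMAND", "DL"),
    Msg("RRC", "SECURITY MODE COMPLETE", "UL"),
    Msg("MM", "IDENTITY REQUEST", "DL", {"identity_type": "IMEI"}),
    Msg("MM", "LOCATION UPDATING ACCEPT", "DL", {"new_tmsi": "TMSI-PLACEHOLDER"}),
]

if __name__ == "__main__":
    for label, trace in [("imsi-catch", IMSI_CATCH_TRACE), ("downgrade", DOWNGRADE_TRACE),
                         ("spoofed-accept", SPOOF_TRACE), ("legitimate", LEGIT_TRACE)]:
        for e in monitor(trace):
            print(f"{label:15s} {e.severity:10s} {e.msg}: {e.detail}")
```

A single unprotected IDENTITY REQUEST or LOCATION UPDATING REJECT is legitimate behaviour (the specification allows it, which is the whole point of the slides), so those are only "notable"; a practical detector correlates them over time and per cell before raising an alarm. A message outside the allow-list arriving before the Security Mode Command is a hard violation that the UE must discard, and that discard is what keeps an unprotected cell from assigning a TMSI or accepting a registration.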
DEVELOPMENT OF A SOFTWARE-BASED 3G MODEM
To receive a downlink signal
HW (SAMPLING stage)
UmTRX (GigE / UHD): https://code.google.com/p/umtrx/
A 2G signal in the IQ plane (figure, SAMPLING stage)
A 3G signal in the IQ plane (figure, SAMPLING stage)
Downlink reception
The sampling rate must be a multiple of the modulation symbol rate. In UMTS the symbol rate is 3.84 Msps (1 symbol = 1 chip).
Resampling: 13 Msps → 3.84 Msps
Receiver stages, in the order the slides build them up:
1. SAMPLING
2. RESAMPLING
3. PSCH IDENTIFICATION
4. TIMESLOT SYNCHRONIZATION
5. SSC GROUP IDENTIFICATION
6. FRAME SYNCHRONIZATION
7. SCRAMBLING CODE IDENTIFICATION
Downlink reception (II) (figure)
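The receiver stages above are names only. The following Python is an added example (not Layakk's modem) that shows the "PSCH identification / timeslot synchronization" step on a constructed chip-rate stream, together with the exact rational factor for the 13 Msps → 3.84 Msps resampling step: every 2560-chip slot begins with the 256-chip primary synchronisation code (PSC), so correlating against the PSC and folding the result modulo the slot length reveals the slot boundary. The PSC chip values follow the generalised hierarchical Golay construction in 3GPP TS 25.213 (the slides do not quote it); the stream, its noise level and the slot offset are constructed inputs, and `make_slot_stream`, `slot_sync` and `resample_ratio` are names chosen here.

```python
"""P-SCH timeslot synchronisation (added example, not code from the talk).

Demonstrates the "PSCH identification / timeslot synchronisation" stage on
a constructed 3.84 Mcps chip stream: the 256-chip primary synchronisation
code (PSC) opens every 2560-chip slot, so a PSC correlator folded modulo the
slot length peaks at the slot boundary.  PSC chips follow the generalised
hierarchical Golay construction of 3GPP TS 25.213.
"""
import random
from fractions import Fraction

CHIP_RATE_MCPS = Fraction("3.84")   # UMTS chip rate; on the SCH 1 symbol = 1 chip
CHIPS_PER_SLOT = 2560
PSC_LEN = 256


def resample_ratio(fs_in_msps):
    """Exact rational factor to bring a capture at fs_in Msps down to chip rate.
    13 Msps -> 3.84 Msps is 96/325: interpolate by 96, decimate by 325."""
    return CHIP_RATE_MCPS / Fraction(fs_in_msps)


def primary_sync_code():
    """256-chip PSC: 16-chip sequence a, repeated 16 times and modulated by a
    Golay complementary pattern, with identical real and imaginary parts."""
    a = [1, 1, 1, 1, 1, 1, -1, -1, 1, -1, 1, -1, 1, -1, -1, 1]
    pattern = [1, 1, 1, -1, -1, 1, -1, -1, 1, 1, 1, -1, 1, -1, 1, 1]
    return [complex(s * x, s * x) for s in pattern for x in a]


def make_slot_stream(n_slots, offset, noise_sigma, seed=7):
    """Constructed chip-rate stream (not a real capture): each slot is the PSC
    followed by random QPSK chips, shifted so the first PSC starts at `offset`
    (0 <= offset < 2560), with Gaussian noise of `noise_sigma` per I/Q component."""
    rng = random.Random(seed)
    data = [complex(rng.choice((-1, 1)), rng.choice((-1, 1)))
            for _ in range(CHIPS_PER_SLOT - PSC_LEN)]
    slot = primary_sync_code() + data
    full = slot * (n_slots + 2)
    start = CHIPS_PER_SLOT - offset
    stream = full[start:start + n_slots * CHIPS_PER_SLOT + PSC_LEN]
    return [z + complex(rng.gauss(0, noise_sigma), rng.gauss(0, noise_sigma))
            for z in stream]


def slot_sync(samples):
    """Correlate against the PSC at every chip position and fold the magnitudes
    modulo the slot length (non-coherent combining across slots).  Returns
    (slot_boundary_offset, peak_metric, second_best_metric) so the caller can
    judge the margin before trusting the estimate."""
    psc_conj = [z.conjugate() for z in primary_sync_code()]
    acc = [0.0] * CHIPS_PER_SLOT
    for i in range(len(samples) - PSC_LEN + 1):
        c = sum(samples[i + k] * psc_conj[k] for k in range(PSC_LEN))
        acc[i % CHIPS_PER_SLOT] += abs(c)
    ranked = sorted(range(CHIPS_PER_SLOT), key=acc.__getitem__, reverse=True)
    return ranked[0], acc[ranked[0]], acc[ranked[1]]


if __name__ == "__main__":
    print("13 Msps -> chip rate factor:", resample_ratio(13))
    stream = make_slot_stream(n_slots=2, offset=1234, noise_sigma=0.5)
    boundary, peak, runner_up = slot_sync(stream)
    print(f"slot boundary at chip {boundary}, peak {peak:.0f} vs next best {runner_up:.0f}")
```

The fold modulo 2560 chips is what turns a one-shot correlation into a slot-boundary estimate that improves with every additional slot; the gap between the best and second-best bin is the number to watch before moving on to the S-SCH stages (SSC group identification and frame synchronisation). The pure-Python inner loop takes about a second on a few thousand samples; a real receiver does the same correlation with an FFT-based or vectorised implementation.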
DEMO
Master Information Block
90850023aa1909143219218438c0b48000aa
10010000 10000101 00000000 00100011 10101010 00011001 00001001 00010100 00110010 00011001 00100001 10000100 00111000 11000000 10110100 10000000 00000000 10101010
MCC 214 (Spain), MNC 01 (Vodafone)
Attack infrastructure: 3G base station (node B)
HW
– Radio receiver & transmitter with 5 MHz bandwidth
– Sampling rate >= 3.84 Msps
– Clock with proper rate and precision
SW
– 3G modem (SW based, in order to control the baseband)
– Emulation of certain parts of the protocols
Introduction
Attacks known to work against 3G, based on a rogue base station:
– IMSI Catching
– Geolocation of mobile devices
– Denial of Service
– Eavesdropping
There are devices on the market that offer part of that functionality for 3G.
Some “renowned” researchers claim that those attacks can be performed in 3G.
In this talk we tell you that most of the above can be done…
… and we tell you how.
– Selective downgrade to 2G
TO PROBE FURTHER…
QUESTIONS