base jumping - github pages...base jumping attacking the gsm baseband and base station...
TRANSCRIPT
Base Jumping
Attacking the GSM baseband and base station
Tuesday, 20 July 2010
Overview
❖GSM❖Base Station❖Base Band❖Conclusion
2
Tuesday, 20 July 2010
GSM: The Protocol
3
Tuesday, 20 July 2010
Documents
4
❖Dozens of docs❖Thousands of pages❖Important one (defines L3)
❖GSM 04 08
Tuesday, 20 July 2010
5
Tuesday, 20 July 2010
6
Tuesday, 20 July 2010
7
Logical Channels
Broadcast Channels (BCH) Broadcast Control Channel (BCCH) Frequency Correction Channel (FCCH) Synchronization Channel (SCH) Cell Broadcast Channel (CBCH)
Tuesday, 20 July 2010
Logical Channels, cont.❖ Common Control Channels (CCCH) Paging Channel (PCH) Random Access Channel (RACH) Access Grant Channel (AGCH)
8
Tuesday, 20 July 2010
Logical Channels, cont.
Standalone Dedicated Control Channel (SDCCH) Associated Control Channel (ACCH) Fast Associated Control Channel (FACCH) Slow Associated Control Channel (SACCH)
9
Tuesday, 20 July 2010
GSM Channels
10
❖Opening a channel is slow❖Can take seconds
❖Specific channels for specific uses
Tuesday, 20 July 2010
Opening a channel
11
Tuesday, 20 July 2010
12
Tuesday, 20 July 2010
12
RACH
Tuesday, 20 July 2010
12
RACH
AGCH
Tuesday, 20 July 2010
12
RACH
AGCH
LCH
Tuesday, 20 July 2010
13
Tuesday, 20 July 2010
13
PCH
Tuesday, 20 July 2010
13
RACH
PCH
Tuesday, 20 July 2010
13
RACH
PCH
AGCH
Tuesday, 20 July 2010
13
RACH
PCH
AGCH
LCH
Tuesday, 20 July 2010
14
MS
BTS
BTSBSCMSC
ARFCN
Tuesday, 20 July 2010
15
Base Transceiver StationBTS
Base StationController
BSC
Mobile StationController
MSC
Mobile StationMS
Base Station Sub-SystemBSS
Tuesday, 20 July 2010
16
MSBSSMSCHLR
VLR
Tuesday, 20 July 2010
Mobile Identifiers
17
Tuesday, 20 July 2010
18
Tuesday, 20 July 2010
18
IMSI
Tuesday, 20 July 2010
18
IMSI
IMEI
Tuesday, 20 July 2010
GSM Attacks
19
Tuesday, 20 July 2010
20
Tuesday, 20 July 2010
RACHell
21
❖Request channel allocation❖Flood the BSS with requests❖First announced by Dieter Spaar at DeepSec
❖Prevent everyone from using that cell
Tuesday, 20 July 2010
22
RACHell
Tuesday, 20 July 2010
22
RACHell
Tuesday, 20 July 2010
22
RACHell
Tuesday, 20 July 2010
22
RACHell
Tuesday, 20 July 2010
22
RACHell
Tuesday, 20 July 2010
22
RACHell
Tuesday, 20 July 2010
22
?
RACHell
Tuesday, 20 July 2010
23
Tuesday, 20 July 2010
23
Our Target
Tuesday, 20 July 2010
Demo - RACHell
24
Tuesday, 20 July 2010
IMSI Flood
❖Send IMSI ATTACH messages❖pre-authentication❖Overload the HLR/VLR infrastructure❖Prevent everyone using the network
25
Tuesday, 20 July 2010
26
IMSI Flood
Tuesday, 20 July 2010
26
IMSI Flood
Tuesday, 20 July 2010
26
IMSI Flood
Tuesday, 20 July 2010
26
IMSI Flood
Tuesday, 20 July 2010
26
IMSI Flood
Tuesday, 20 July 2010
26
IMSI Flood
Tuesday, 20 July 2010
26
IMSI Flood
Tuesday, 20 July 2010
How hard to get an IMSI?
27
Tuesday, 20 July 2010
IMSI DETACH
❖Send multiple Location Update Requests including a spoofed IMSI❖Unauthenticated
❖Prevent SIM from receiving calls and SMS
❖Discovered by Sylvain Munaut
28
Tuesday, 20 July 2010
29
IMSI DETACH
Tuesday, 20 July 2010
29
IMSI DETACH
Tuesday, 20 July 2010
29
IMSI DETACH
Tuesday, 20 July 2010
29
IMSI DETACH
Tuesday, 20 July 2010
29
IMSI DETACH
Tuesday, 20 July 2010
29
IMSI DETACH
Tuesday, 20 July 2010
29
IMSI DETACH
Tuesday, 20 July 2010
Baseband Fuzzing
30
Tuesday, 20 July 2010
31
=+
How to make a smartphone
Tuesday, 20 July 2010
32
Two separate computers
Tuesday, 20 July 2010
32
Two separate computers
Tuesday, 20 July 2010
33
Baseband
❖Controls the radio❖Separate CPU and code base❖RTOS❖Written in C❖Typically legacy code base (decades)
Tuesday, 20 July 2010
Coseinc GSM FuzzFarm❖OpenBTS based fuzzer delivery engine
❖Targetting❖ iPhone❖HTC (Android)❖Palm Pre❖Blackberry❖Nokia
34
Tuesday, 20 July 2010
35
Tuesday, 20 July 2010
Conclusion
36
Tuesday, 20 July 2010
GSM Trouble
37
❖GSM is no longer a walled garden❖GSM spec has security problems❖Expect many more issues as OSS reduces costs for entry
Tuesday, 20 July 2010
Future work
❖More GSM stack fuzzing❖Next gen protocol stacks
38
Tuesday, 20 July 2010
39
Thanks to
Harald Walte, Osmocom-bb & OpenBTS
Tuesday, 20 July 2010
Questions?
40
Tuesday, 20 July 2010