A practical attack against GPRS/EDGE/UMTS/HSPA
Transcript of A practical attack against GPRS/EDGE/UMTS/HSPA
![Page 1: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/1.jpg)
www.taddong.com
A practical attack against
GPRS/EDGE/UMTS/HSPA
mobile data communications
David Perez
Jose Pico
![Page 2: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/2.jpg)
Introduction
• It has been proved that GSM is vulnerable
to multiple attacks (rogue base station,
cryptographic, SMS, OTA, etc.)
• Rogue Base Station attacks have been
demonstrated before against GSM, e.g.:
– PRACTICAL CELLPHONE SPYING. Chris
Paget. DEF CON 18 (July 2010)
http://www.defcon.org/html/defcon-18/dc-18-
speakers.html
![Page 3: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/3.jpg)
Introduction
• Is it possible to extend these attacks to
GPRS/EDGE, i.e., to mobile data
transmissions?
• If YES, what is the impact of such attack?
![Page 4: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/4.jpg)
Introduction
• In this presentations we will show that
GPRS/EDGE is also vulnerable to rogue
base station attacks, just like GSM
• We will describe:
– The vulnerabilities that make this attack possible
– The tools that can be used to perform the attack
– How to perform the attack
– How to extend this attack to UMTS
– What an attacker can gain from it
Objectives
![Page 5: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/5.jpg)
GPRS/EDGE ARQUITECTURE
![Page 6: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/6.jpg)
The vulnerabilities
• Lack of mutual authentication
• GEA0 support
• UMTSGPRS/EDGE fallback
Just like GSM
![Page 7: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/7.jpg)
The threats
• How many people, organizations, or, in general, entities, might be interested in eavesdropping and/or manipulating the mobile data communications of other entities, like competitors, nation enemies, etc?
• And how many of those potential attacking entities could dedicate a budget of $10,000 to this purpose?
![Page 8: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/8.jpg)
The tools
![Page 9: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/9.jpg)
The tools
We run all our tests
inside a faraday
cage, to avoid
emissions into the
public air interface
(Um)
A real attacker won’t need this, but...
![Page 10: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/10.jpg)
The tools
•Commercial BTS
•GSM/GPRS/EDGE capable
•Manufactured by ip.acccess
(www.ipaccess.com)
• IP-over-Ethernet Abis
interface
ip.access nanoBTS
![Page 11: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/11.jpg)
The tools
• GNU/Linux OS
• Uplink to the Internet
• Small netbook is enough
PC
![Page 12: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/12.jpg)
The tools
• Awesome work from Harald Welte, Dieter
Spaar, Andreas Evesberg and Holger
Freyther
• http://openbsc.osmocom.org/trac/
OpenBSC
“[OpenBSC] is a project aiming to create a Free Software,
GPL-licensed Abis (plus BSC/MSC/HLR) implementation for
experimentation and research purpose. What this means:
OpenBSC is a GSM network in a box software, implementing
the minimal necessary parts to build a small, self-contained
GSM network.”
![Page 13: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/13.jpg)
The tools
• Included in OpenBSC
• http://openbsc.osmocom.org/trac/wiki/osmo-sgsn
OsmoSGSN
“OsmoSGSN (also spelled osmo-sgsn when referring to the
program name) is a Free Software implementation of the GPRS
Serving GPRS Support Node (SGSN). As such it implements
the GPRS Mobility Management (GMM) and SM (Session
Management). The SGSN connects via the Gb-Interface to the
BSS (e.g. the ip.access nanoBTS), and it connects via the GTP
protocol to a Gateway GPRS Support Node (GGSN) like
OpenGGSN”
![Page 14: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/14.jpg)
The tools
• Started by: Jens Jakobsen
• Currently maintained by: Harald Welte
• http://sourceforge.net/projects/ggsn/
OpenGGSN
“OpenGGSN is a Gateway GPRS Support Node (GGSN). It is
used by mobile operators as the interface between the Internet
and the rest of the mobile network infrastructure.”
![Page 15: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/15.jpg)
The tools
• Capable of jamming the frequency
bands assigned to UMTS/HSPA in a
particular location, while leaving the
GSM/GPRS/EDGE bands undisturbed
Cell-phone jammer
“A mobile phone jammer is an instrument
used to prevent cellular phones from from
receiving signals from base stations.
When used, the jammer effectively
disables cellular phones.”
[Source: Wikipedia]
Please note: even owning a jammer is illegal in some countries
![Page 16: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/16.jpg)
The attack: initial setup
![Page 17: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/17.jpg)
The attack: step 1
1 Cell characterization
![Page 18: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/18.jpg)
The attack: step 2
2 Attacker starts emitting
![Page 19: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/19.jpg)
The attack: step 3
3 Victim camps to rogue cell
![Page 20: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/20.jpg)
The attack: step 4
Attacker gets full
MitM control of
victim’s data
communications
4
![Page 21: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/21.jpg)
The attack in action
iPhone falls in the rogue base station trap
![Page 22: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/22.jpg)
What happened?
![Page 23: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/23.jpg)
Extending the attack to UMTS
How can we extend this attack to UMTS
devices?
![Page 24: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/24.jpg)
Extending the attack to UMTS:
Simply add step 0
0 Jam UMTS band
![Page 25: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/25.jpg)
The impact
Let us see what an attacker could gain
from the attack...
![Page 26: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/26.jpg)
Leveraging the attack: example 1
Attacker sniffs a google search from an iPhone
![Page 27: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/27.jpg)
What happened?
![Page 28: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/28.jpg)
Leveraging the attack: example 2
Phising attack against an iPad (http version)
![Page 29: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/29.jpg)
What happened?
![Page 30: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/30.jpg)
Leveraging the attack: example 3
Phising attack against an iPad (https version)
![Page 31: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/31.jpg)
What happened?
![Page 32: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/32.jpg)
Leveraging the attack: example 4
Attacker takes over a Windows PC via GPRS/EDGE
![Page 33: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/33.jpg)
What happened?
remote desktop
user / password
![Page 34: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/34.jpg)
Leveraging the attack: example 5
Attacking a 3G Router in order to control the IP traffic of
all devices behind it
![Page 35: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/35.jpg)
What happened?
![Page 36: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/36.jpg)
Leveraging the attack: example 6
Attacking other GPRS/EDGE devices
![Page 37: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/37.jpg)
What happened?
FTP
![Page 38: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/38.jpg)
Defending ourselves
So, what can we do to protect our mobile
data communications?
![Page 39: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/39.jpg)
Countermeasures
• Configure our mobile devices to only
accept 3G service, rejecting GPRS/EDGE
• Encrypt our data communications at
higher layers (https, ssh, IPsec, etc.)
• Install and configure firewall software in
our mobile devices
![Page 40: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/40.jpg)
Summing up (I)
A rogue base station attack against
GPRS/EDGE devices is totally feasible,
just as it is against GSM devices
![Page 41: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/41.jpg)
Summing up (II)
This kind of attack gives an attacker a
privileged position to launch IP-based attacks
against a GPRS/EDGE device...
...or even to attack the GPRS/EDGE stack itself
![Page 42: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/42.jpg)
Summing up (III)
The attack can be extended to UMTS by
simply using a jammer
Effective against any 3G device configured to
fall back to GPRS/EDGE when UMTS is not
available
![Page 43: A practical attack against GPRS/EDGE/UMTS/HSPA](https://reader031.fdocuments.us/reader031/viewer/2022012502/617bc2e8d330f816cc4e2197/html5/thumbnails/43.jpg)
Conclusion
We must protect our GPRS/EDGE
mobile data communications:
• Know the vulnerabilities
• Evaluate the risks
• Take appropriate countermeasures