Femtocells : Inexpensive devices to test UMTS securityFemtocells : Inexpensive devices to test UMTS...

.

.. ..

.

.

Femtocells : Inexpensive devices to testUMTS security

Kévin Redon, Ravishankar Borgaonkar

Technische Universität Berlin, SecTkredon/[email protected]

Hackito Ergo Sum 2011, 8 April 2011

✆ mobile telecommunication ⚛ femtocells ☠ owning it ⚔ analyzing 3G securitysingularity big bang cyberspace

telephony

telegraph invented in the early 1800sidea of a "speaking telegraph" emerges in 1844patent for "voice through a telegraphic circuit" filedin 1876application : speaking instantaneously over longdistances

R. Borgaonkar, K. Redon HNB.secured?(UMTS) 2 / 37


0G/1G

need for business people to be reachable at anytime, anywhere0G - 1950 : not so handy. proprietary attempts1G - 1980 : similar to 2G, but with analog voice(like in PSTN)



2G : Global System for Mobile Communications (GSM)

mobile standard developed in France in 1991(Groupe Spécial Mobile)very popular, unexpected by the telcosnow used world wide



2G : GSM now broken

infrastructure elements now available to the publicIMSI catching possible (no network authentication)sniffing possible (A5/1 encryption algorithm broken)MitM possible (A5/2 encryption algorithm broken)



2G+ : data over mobile

2G : "Internet" access with WAP2.5G : GPRS. Packet Switching capability2.75G : EDGE. Faster, but still too slow



3G : Universal Mobile Telecommunications System (UMTS)

appeared in 2002voice and data communicationthe phone becomes a network devicerequired and supported by smartphones



3G+ : usable Internet

3.5G : HSDPA, faster download3.75G : HSUPA, faster upload3.9G : LTE/WiMAX attempts


✆ mobile telecommunication ⚛ femtocells ☠ owning it ⚔ analyzing 3G securityUMTS architecture Home Node B (HNB) HNB Subsystem (HNS)

UMTS architecture (complex)



UMTS architecture (simplified)



cells



technology

What is a femtocell :it's an access point (sometimes called FAP)it connects the mobile phone to the 3G/UMTSnetworkcompatible with every UMTS capable mobile phonesmall cell, with a coverage of less than 20mlow power deviceeasy to install, you only have provide power andInternet accesstechnical name : Home Node B (HNB)



user advantages

advantages provided to the users :can be installed at home to provide coverage (if notavailable)provides high bandwidth (not shared with thepublic)can provide location based services (kids arrived athome)

but nothing Wifi can not provide for free, except youdon't have to configure the phone.



operator advantages

advantages for the operator :extended coverage, near to the userstraffic offloads from their public infrastructurecheap hardware, that the user even has to buyno installation costno maintenance costnew revenue possibilitiesIP connectivity

conclusion : femtocells are a great opportunity for theoperators.



HNB in UMTS network



HNB Subsystem


✆ mobile telecommunication ⚛ femtocells ☠ owning it ⚔ analyzing 3G securityordering location verification blind dating recovery to failure customizing

requirements

How to get a femtocell :choose a country from the 12 which deploy themget an address and IP from this country, becauseusage in only allowed within the countryselect an operator from the 18 which offer themget a mobile phone subscription from this operator,required to get the femtocell servicegently ask for a femtocellget it for free, one time payment, or monthly feeenjoy ☺


✆ mobile telecommunication ⚛ femtocells ☠ owning it ⚔ analyzing 3G securityordering location verification blind dating recovery to failure customizingpurpose

operators have to verify where the femtocell is, forseveral reasons:

prevent you to avoid roaming costs in foreigncountriesUMTS uses the 2.1 GHz freq. band, a licensedspectrum band. The operators own the radiolicenses for the femtocell only for their countrylocation of the users is required for lawfulinterception



techniques

How to find were the femtocell is located :IP : geoIP, even knowing the ISP is enoughGNSS : Global Navigation Satellite System (oftenGPS)macrocell : cells periodically send country, network,and location information (MCC, MNC, LAC)



attacks



final solution



under the hood



first approach

sniffing :only DHCP and NTP, then everything goes overIPsecprobing ports (nmap) :only port 80 is open (linux has been detected, butthe source code is not available)web interface available :protected access, no documentation, even thecustomer service was unawareserial port :found on PCB, but login prompt is disabled

First impression : the device is secure. ☹But the first impression is not the last impression. ☺



recovery mode and purpose

remember :keep femtocells cheapno maintenance costno local support

if something does not work right, do a factory reset.for that, the recovery procedure has been created.

this is a critical point



process overview



flaws and exploits



reconfigure

the parameter list contains some interesting values :the login prompt or the serial port can be enabled(the root password is the same then in the recoveryimage, stored in md5)it includes the public key used to verify thesignaturesit's possible to clone femtocells (except the SIM)

[General]pcbid=P04S...imei=357539...mac=00:1B:67:...hwflag=2serial=P04S...

[BootSigning]pubkey=EE:17:C5:F2:...



reflashthe firmware list contains all needed informations :

the URLs, encryption keys and signatures are inthereyou can use the previously obtained images, andmodify themyou can provide the modified imagesnow it's possible to install anything


✆ mobile telecommunication ⚛ femtocells ☠ owning it ⚔ analyzing 3G securityauthentication & encryption en garde the end

testing 3G security features

femtocells can be used to check various classmarkssupported by mobiles



authentication tuples

information in the authentication tuples (RAND, XRES,IK, CK, AUTN) :

collect RAND and AUTNcheck randomness of RANDU. Meyer and S. Wetzel, A man-in-the-middle attackon UMTS, in Proceeding of The ACM Workshop onWireless Security (WiSe 2004), October 2004



encryption

calls are encrypted ...... up to the antennathen communication is clear textlike everything else is telecommunication network



phone capabilities

encryption over-the-air can even be turned offhelps to identify which phone indicating it (just afew)



the beginning of a story



episode 1

femtocells is an effective technology in terms ofoffloading the traffic and of new business casesbut ... the operators need to start thinking aboutsecurityfollow the specifications closely, secure the deviceand networkssome serious threats (ongoing work) :

test core networkbuild a MitMtest 3G phones



episode 2

4G (LTE Advanced) is comingall IP infrastructurevery closely connected elementsthe network needs to be compatible with oldtechnologyHeNB (evolved) are also on the way ☺



thanks

Thanks to :Nico Golde, TU BerlinCollin Mulliner, TU BerlinProf. Jean-Pierre Seifert, TU BerlinBenjamin Michéle, TU Berlin



questions

Merci

Questions ?


Femtocells : Inexpensive devices to test UMTS securityFemtocells : Inexpensive devices to test UMTS...

Documents

Transcript of Femtocells : Inexpensive devices to test UMTS securityFemtocells : Inexpensive devices to test UMTS...