7/28/2019 4MMSR-2011-2012-Student Seminar-A Practical Attack Against GPRS EDGE UMTS HSPA Mobile Data Communications - David Perez, Jose Pico - Black-Hat DC 2011
A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications
Matiaz Ouine : [email protected]
Benoît Raymond : [email protected]
ENSIMAG - 4MMSR : Network Security - Student Seminar, 20/03/2012, slide 1 / 17
Keywords : GPRS, EDGE, UMTS, BTS, MS, authentication, encryption
Original talk : David Perez - [email protected], Jose Pico - [email protected]
Black Hat DC 2011 (Jan. 18-19)
Summary
- Background / Vocabulary
- Presentation of the talk
- Description of the GSM Architecture
- Vulnerabilities
- Attack implementation
- Possibilities offered by the attack
- Countermeasures
- Limitations
- Conclusion
- References
Paper's authors
David Perez and Jose Pico
Co-founders and senior security analysts at Taddong
Skills :
- Network
- Web applications
- Mobile communications
- VoIP
- Etc.
Last paper : "New attack scenarios with rogue base stations", RootedCON 2012 (3/03/2012)
Background - Vocabulary
Background of the talk : protocol stack (figure : Access Layer in UMTS ; Non-Access Layer in UMTS, the main subject of the talk)
Vocabulary :
- GPRS = 2G, EDGE = 2.5G
- UMTS = 3G, HSPA = 3.5G (= 3G+)
- MS = Mobile Station (ex : phone, tablet computer, computer with 3G modem, ...)
- IMEI = unique identification number of one phone
- IMSI = unique identification number of one SIM card
- USIM key (Ki) = key shared between the SIM and the mobile phone company
Presentation of the talk
A practical attack against GPRS/EDGE/UMTS/HSPA (2G/3G) mobile data communications
- Budget < $10,000
- Exploitation of three vulnerabilities of 2G/3G
Description of the GSM Architecture (1/2)
(Figure : GSM architecture. Legend : Voice (ex : SMS/MMS/Voice Call) ; Data (ex : HTTP, DNS, VoIP, P2P, ...))
Description of the GSM Architecture (2/2)
- Circuit switched
- 2 communication channels : up and down
- GSM medium access : TDMA
Vulnerabilities
1. Lack of mutual authentication in GPRS/EDGE
   - Unidirectional authentication : the MS (Mobile Station) authenticates to the BTS, but the BTS never authenticates to the MS
2. Encryption algorithm
   - Negotiation of the encryption algorithm : the MS indicates its supported encryption algorithms (ex : GEA-0, GEA-1, ...) and the BTS chooses one of them
   - Algorithm GEA-0 (= no encryption)
3. Fall back to GPRS/EDGE
   - UMTS/HSPA uses mutual authentication
   - The MS goes back to the GSM/GPRS/EDGE network when the UMTS/HSPA network is not available
Attack implementation (1/3) : experimental setup
- OpenBSC implements the BSC, MSC and HLR
- OsmoSGSN implements the SGSN
- OpenGGSN implements the GGSN
Attack implementation (2/3) : description of each step
- Position of the attacker : be close enough to the target
- Listen to the radio spectrum : search for a neighbouring frequency of the real BTS frequencies
- Configure the rogue BTS to emit at the chosen frequency
- Take the identity of the real BTS
- Set up the BTS to accept the connection of the target, identified by its IMSI / IMEI
- Working uplink to the Internet : configure OsmoSGSN, OpenGGSN and the routing tables
- Power up the BTS
- Read / modify / redirect the IP packets sent and received by the victim
Attack implementation (3/3) : extension to 3G
- Create interference in the UMTS frequency bands : use a jammer
- UMTS spectrum allocation in France : 900 MHz and 2100 MHz
- Exploit the 3rd vulnerability (fall back to GPRS/EDGE)
Possibilities offered by the attack
Possibilities : sniffing traffic, redirecting traffic, compromising the LAN, ...
Full man in the middle !
Security properties that are violated on the transmitted data :
- Confidentiality : the attacker can read the transmitted data
- Integrity : the attacker can modify the transmitted data
- Authenticity : messages are not from the assumed sender (man in the middle)
- Freshness : the attacker can replay old transmitted data
Security properties that are violated on the user identity :
- Privacy : the attacker can learn the victim's private identity data
Security properties that are violated on the communication system :
- Availability : the attacker cannot serve all users
- Traceability : the mobile phone company will not be able to list your actions
Countermeasures (1/2)
- Use a protocol from an upper layer to ensure endpoint authentication and encryption (ex : SSL, IPsec, ...)
- Use only UMTS/HSPA : do not accept fall back to 2G
  - iPhone : jailbreak
  - Android / Windows Mobile / Symbian : parameters (only WCDMA)
(Figure : protocol stack with the Access Layer compromised ; the upper layers must ensure authentication and encryption)
Countermeasures (2/2)
UMTS authentication : mutual authentication
- Is the AUTN number the one of the assumed HLR/BTS ? YES => Step 3, NO => STOP
- Step 3 : XRES = RES ? YES => Authentication OK, NO => STOP
UMTS encryption
- Data : UMTS Encryption Algorithm 1 (UEA1), based on KASUMI
- Symmetric encryption
- Word : 64 bits
- Key (= Ki = USIM key) : 128 bits
UMTS integrity : MAC (Message Authentication Code)
- Birthday paradox attack : 2^33 packets needed => not realistic in UMTS
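As an added illustration (not code from the talk, nor from OpenBSC/OsmoSGSN), the toy model below contrasts the one-way GPRS authentication of the "Vulnerabilities" slide with the AUTN / XRES = RES flow of this slide: a network that does not hold Ki still gets a GPRS attach and picks GEA-0, but fails the UMTS AUTN check. HMAC-SHA256 stands in for A3/A8 and the Milenage f1/f2 functions, and the Ki and rogue key values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def f(ki: bytes, tag: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the SIM/USIM functions (A3/A8, Milenage f1/f2)."""
    return hmac.new(ki, tag + data, hashlib.sha256).digest()[:8]


KI_REAL = b"constructed-victim-Ki"           # known only to the USIM and the home HLR
SUPPORTED_GEA = ["GEA-0", "GEA-1", "GEA-2"]  # what the MS advertises at attach


# ---- GPRS/EDGE: only the MS proves its identity, the network picks the cipher ----
def gprs_attach(network_ki: Optional[bytes]) -> Tuple[bool, Optional[str]]:
    """Return (attached, cipher). A rogue network (network_ki=None) holds no Ki,
    but nothing obliges it to verify SRES, and it alone chooses the algorithm."""
    rand = os.urandom(16)
    sres = f(KI_REAL, b"A3", rand)                       # MS answers the challenge
    if network_ki is not None and f(network_ki, b"A3", rand) != sres:
        return False, None                                # real network rejects the MS
    cipher = "GEA-1" if network_ki is not None else "GEA-0"  # rogue selects GEA-0
    return cipher in SUPPORTED_GEA, cipher                # MS has no say: accepted


# ---- UMTS AKA: the MS checks AUTN before it answers ----
def umts_challenge(network_ki: bytes, sqn: int) -> Tuple[bytes, bytes, bytes]:
    """HLR side: RAND, AUTN = SQN || MAC (simplified, AK and AMF omitted), XRES."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = f(network_ki, b"f1", sqn_b + rand)   # f1: proof that the network knows Ki
    xres = f(network_ki, b"f2", rand)          # f2: answer expected from the MS
    return rand, sqn_b + mac, xres


def umts_ms_respond(rand: bytes, autn: bytes, last_sqn: int = 0) -> Optional[bytes]:
    """MS side of the slide flowchart: is AUTN from the assumed HLR, and is it
    fresh? Return RES, or None for STOP."""
    sqn_b, mac = autn[:6], autn[6:]
    if not hmac.compare_digest(f(KI_REAL, b"f1", sqn_b + rand), mac):
        return None                            # MAC wrong: rogue network => STOP
    if int.from_bytes(sqn_b, "big") <= last_sqn:
        return None                            # replayed challenge => STOP
    return f(KI_REAL, b"f2", rand)


def umts_attach(network_ki: Optional[bytes], sqn: int = 1) -> bool:
    """Step 3: XRES = RES? A rogue network has no Ki and must use a guessed key."""
    key = network_ki if network_ki is not None else b"constructed-rogue-guess"
    rand, autn, xres = umts_challenge(key, sqn)
    res = umts_ms_respond(rand, autn)
    return res is not None and hmac.compare_digest(res, xres)


if __name__ == "__main__":
    print("GPRS, real network :", gprs_attach(KI_REAL))   # (True, 'GEA-1')
    print("GPRS, rogue network:", gprs_attach(None))      # (True, 'GEA-0')
    print("UMTS, real network :", umts_attach(KI_REAL))   # True
    print("UMTS, rogue network:", umts_attach(None))      # False
```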
Limitations
- Be close enough to the target
- Have a budget of $10,000
- Know the target in advance (IMEI and/or IMSI)
- SMS/MMS/Voice call impossible. Why ? The attacker is not connected to the RTCP (public switched telephone) network
  Hypothesis : use VoIP to get around this problem (forward SMS/MMS/Voice call)
Conclusion
- GPRS/EDGE architecture is insecure : only client authentication, negotiation of encryption
- Be afraid of GPRS/EDGE data connections
- UMTS is not impacted by this attack, because of mutual authentication
References
- GSM architecture : http://www.afutt.org/Qostic/qostic5/MOB-CN-DFF-AFUTT-030025-Club_QoS_GPRS_12_03.ppt
- UMTS frequency bands : https://en.wikipedia.org/wiki/UMTS_frequency_bands
- Security in UMTS, encryption in UMTS : http://sebastien.mougel.free.fr/download/securite_UMTS.ppt
- Authentication and encryption in UMTS : http://freesecure.info/doc/securite-UMTS.pdf and http://www.tcs.hut.fi/Publications/knyberg/eccomas.pdf
- Paper of the talk : http://www.taddong.com/docs/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf
- Book (Spanish) : Hacking y seguridad en comunicaciones móviles GSM/GPRS/UMTS/LTE, José Picó García and David Pérez Conde
Questions ?!?!
Attack with the VoIP hypothesis (figure : device A, device B)
- Case 1 : A calls B, the attacker forwards the call into a VoIP call => attack OK
  (Data : HTTP ; SMS/MMS/Voice call : forwarded over VoIP)
- Case 2 : B calls A, the RTCP (public switched telephone network) can't find A ; B hits the voice mail of A => attack KO
Questions ?!?!
GSM cells
- One cell has 1 frequency
- Neighbour cells have different frequencies
(Figure : cell A and a GSM neighbour cell of A)