Upload File

a practical attack against gprs/edge/umts/hspa · pdf filea practical attack against...

  • Home
  • Documents
  • A practical attack against GPRS/EDGE/UMTS/HSPA · PDF fileA practical attack against GPRS/EDGE/UMTS ... A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications
Download A practical attack against GPRS/EDGE/UMTS/HSPA · PDF fileA practical attack against GPRS/EDGE/UMTS ... A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications

If you can't read please download the document

Upload: dangxuyen

Post on 06-Feb-2018

246 views

Category:

Documents


2 download

Report

TRANSCRIPT

  • A practical attack against

    GPRS/EDGE/UMTS/HSPA mobile data

    communications

    Matiaz Ouine : [email protected]

    Benot Raymond : [email protected]

    ENSIMAG - 4MMSR : Network Security - Student Seminar 1 / 17 20/03/2012

    Keywords : GPRS, EDGE, UMTS, BTS, MS, authentication, encryption

    David Perez - [email protected]

    Jose Pico - [email protected]

    Black Hat DC 2011 (Jan. 18-19)

  • Summary

    Background Vocabulary

    Presentation of the talk

    Description of the GSM Architecture

    Vulnerabilities

    Attack implementation

    Possibilities offered by the attack

    Countermeasures

    Limitations

    Conclusion

    References

    ENSIMAG - 4MMSR : Network Security - Student Seminar 2 / 17 20/03/2012

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications Black Hat DC 2011 (Jan. 18-19)

    David Perez - [email protected] Jose Pico - [email protected]

  • Papers authors

    David Perez and Jose Pico

    Co-Founders and Senior Security analysts at Taddong

    Skills

    Network

    Web applications

    Mobile communications

    VoIP

    Etc.

    Last paper

    New attack scenarios with rogue base stations at RootedCON

    2012 (3/03/2012)

    20/03/2012 ENSIMAG - 4MMSR : Network Security - Student Seminar 3 / 17

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications Black Hat DC 2011 (Jan. 18-19)

    David Perez - [email protected] Jose Pico - [email protected]

  • Background - Vocabulary

    Background of the talk

    Protocol stack

    Vocabulary

    GPRS = 2G EDGE = 2,5G

    UMTS = 3G HSPA = 3,5G (= 3G+)

    MS = Mobile Station (ex: phone, tablet computer, computer with 3G

    modem, )

    IMEI = unique identification number for 1 phone

    IMSI = unique identification number for 1 SIM card

    USIM key (Ki) = shared key between the SIM and the mobile phone

    company

    20/03/2012 ENSIMAG - 4MMSR : Network Security - Student Seminar 4 / 17

    Access Layer in UMTS

    Non Access Layer in UMTS

    (Main subject of the talk)

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications Black Hat DC 2011 (Jan. 18-19)

    David Perez - [email protected] Jose Pico - [email protected]

  • Presentation of the talk

    A practical attack against

    GPRS/EDGE/UMTS/HSPA (2G/3G)

    mobile data communications

    Budget < $10,000

    Exploitation of three vulnerabilities of 2G/3G

    ENSIMAG - 4MMSR : Network Security - Student Seminar 5 / 17 20/03/2012

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications Black Hat DC 2011 (Jan. 18-19)

    David Perez - [email protected] Jose Pico - [email protected]

  • Description of the GSM Architecture (1/2)

    ENSIMAG - 4MMSR : Network Security - Student Seminar 6 / 17 20/03/2012

    : Voice (ex : SMS/MMS/Voice Call)

    : Data (ex : HTTP,DNS,VoIP,P2P,)

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications Black Hat DC 2011 (Jan. 18-19)

    David Perez - [email protected] Jose Pico - [email protected]

  • Description of the GSM Architecture (2/2)

    Circuit switched

    2 communications channels

    Up and Down

    GSM medium access

    TDMA

    20/03/2012 ENSIMAG - 4MMSR : Network Security - Student Seminar 7 / 17

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications Black Hat DC 2011 (Jan. 18-19)

    David Perez - [email protected] Jose Pico - [email protected]

  • Vulnerabilities

    Lack of mutual authentication in GPRS/EDGE

    Unidirectional authentication

    MS (Mobile Station) authenticates to the BTS

    Encryption algorithm

    Negotiation of encryption algorithm

    MS indicates its supported encryption algorithms (ex : GEA-0, GEA-1,)

    BTS chooses one of those algorithms

    Algorithm GEA-0 (= no encryption)

    Fall back to GPRS/EDGE

    UMTS/HSPA uses mutual authentication

    Back to GSM/GPRS/EDGE network when UMTS/HSPA network is not available

    ENSIMAG - 4MMSR : Network Security - Student Seminar 8 / 17 20/03/2012

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications Black Hat DC 2011 (Jan. 18-19)

    David Perez - [email protected] Jose Pico - [email protected]

  • Attack implementation (1/3)

    Experimental setup

    ENSIMAG - 4MMSR : Network Security - Student Seminar 9 / 17 20/03/2012

    - OpenBSC implements

    the BSC, MSC and HLR

    - OsmoSGSN implements

    SGSN

    - OpenGGSN implements

    the GGSN

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications Black Hat DC 2011 (Jan. 18-19)

    David Perez - [email protected] Jose Pico - [email protected]

  • Attack implementation (2/3) Description of each step

    Position of the attacker

    Be close enough to the target

    Listen radio spectrum

    Search a neighbour frequency of the real BTS frequencies

    Configure to emit at the chosen frequency

    Take the identity of the real BTS

    Set up BTS to accept connection of the target

    Identified by his IMSI / IMEI

    Working uplink to the Internet

    Configure OsmoSGSN, OpenGGSN, routing tables

    Power up BTS

    Read / Modify / Redirect IP paquet send and received by the victim

    ENSIMAG - 4MMSR : Network Security - Student Seminar 10 / 17 20/03/2012

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications Black Hat DC 2011 (Jan. 18-19)

    David Perez - [email protected] Jose Pico - [email protected]

  • Attack implementation (3/3)

    Extension to 3G

    Create interference in the UMTS frequency

    bands

    Use a jammer

    UMTS spectrum allocation in France (900 MHz and 2100

    MHz)

    Exploit the 3rd vulnerability

    ENSIMAG - 4MMSR : Network Security - Student Seminar 11 / 17 20/03/2012

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications Black Hat DC 2011 (Jan. 18-19)

    David Perez - [email protected] Jose Pico - [email protected]

  • Possibilities offered by the attack Possibilities

    Sniff traffic, redirecting traffic, compromising LAN,

    Full man in the middle !

    Security properties that are violated on the transmitted data

    Confidentiality : attacker can read transmitted data

    Integrity : attacker can modify transmitted data

    Authenticity : message not from the assumed sender (man in the middle)

    Freshness : attacker can replay old transmitted data

    Security properties that are violated on the user identity

    Privacy


HFC GPRS UMTS

GGSN Support in GPRS/UMTS Wireless Data Services€¦ · GGSN Support in GPRS/UMTS Wireless Data Services TheCiscosystemsprovideswirelesscarrierswithaflexiblesolutionthatfunctionsasaGatewayGPRS

GSM, GPRS and UMTS Overview

Etsi Ts 123 060 Gprs Umts

Overview gsm,gprs& umts

GSM GPRS UMTS LTE TETRA Service Provision

GPRS/UMTS/LTE Router

QoS Issues in GPRS/UMTS Networks

GPRS/UMTS/LTE Router - welotec.com Huawei ME909 2G standard GSM, GPRS 3G standard UMTS, HSDPA, HSUPA, ... Frequency UMTS 850/900/1800/1900/2100 MHz ... GPRS/UMTS/LTE Router 9

(GPRS, EDGE, UMTS, LTE and…)

MobiHealth - Innovative GPRS / UMTS services for healthcare

Bafaneionut- Gsm Gprs Umts

M!DGE– GPRS/UMTS/HSPA+/LTE router

A practical attack against GPRS/EDGE/UMTS/HSPA - Black Hat

HFC, GPRS, UMTS

GSM, GPRS and UMTS: easy handbook

Optimising 3G Migration - itu. · PDF fileLeverage on GSM/GPRS/E-GPRS as substitution to UMTS ... optimization " Mixing UMTS and GSM module is not enough : ... # GSM/GPRS/EDGE + UMTS:

Global Data Transmitter Single Prime GPRS/UMTS

Smart Cellular Modem For GPRS/EDGE/UMTS/HSPA+ · PDF fileSmart Cellular Modem For GPRS/EDGE/UMTS/HSPA+ Networks User Guide Document Name: User Guide ... Standards: GSM/GPRS/EDGE/UMTS/HSDPA/HSPA+

Overview of GSM_ GPRS and UMTS

TK700-Series – Industrial GPRS- and UMTS-Router - … – Industrial GPRS- and UMTS-Router The industrial 2G GPRS- and 3G UMTS routers offered ... 900 / 1800 / 1900 MHz Quad Band

Mobility Management - From GPRS to UMTS

A practical attack against GPRS/EDGE/UMTS/HSPA

A practical attack against GPRS/EDGE/UMTS/HSPA mobile data

Overview of GSM, GPRS, and UMTS - Binyahyabinyahya.com/books/Overview of GSM, GPRS, and UMTS - CISCO.pdf · Overview of GSM, GPRS, and UMTS ... BTS communicates to the BSC over the

GGSN Support in GPRS/UMTS Wireless Data · PDF fileGGSN in the GPRS/UMTS Data Network ... PacketCore(EPC) ... GGSN Support in GPRS/UMTS Wireless Data Services

Gsm Gprs Umts

Mobility Management From GPRS to UMTS

A practical attack against GPRS/EDGE/UMTS/HSPA mobile …

A practical attack against GPRS/EDGE/UMTS/HSPA mobile data ... · Summary Background – Vocabulary Presentation of the talk Description of the GSM Architecture Vulnerabilities Attack

Gprs Attack

Gprs-umts Mob Management

Gsm 3g Gprs Umts Lte Schematics

Gsm gprs-umts

REDES GSM, GPRS, EDGE E UMTS