hacking femtocells
TRANSCRIPT
Page 1
Hacking Femtocells
Ravishankar Borgaonkar
Kevin Redon
Technical University of Berlin Security in Telecommunication
a femtostep to the holy grail
Page 2
Ravishankar B. & Kévin Redon Hacking Femtocells t2'10 infosec
Introduction
● Ravishankar Borgaonkar – PhD student at TU Berlin
− Area: M2M Security, Mobile Networking Security
● Kevin Redon – Master student at TU Berlin
− Area: Network Security
● Special thanks to:
− Collin Mulliner, TU Berlin
− Prof. Jean-Pierre Seifert, TU Berlin
− Benjamin Michéle, TU Berlin
− Monty Python
Page 3
Contents
Introduction to Femtocell
Security of the Femtocell devices
Location verification methods
Beating the location verification methods
Hacking into the device
Demo
Page 4
Femtocell Technology
● low-power wireless base station
● supports any 3G mobile device
● provides 3G coverage in places where macrocells cannot
● offloads traffic from the macrocell layer and improves macrocell capacity
● IP connection (over the customer's broadband) to the core network
● higher data rates, with a power-saving option for the mobile devices
Page 5
Femtocell Future
Page 6
How and where?
● currently available in 9 countries (soon in other places)
● easy to buy
● you need to provide the right address when provisioning, since the operator locks the device to a particular location
● if you change the address it will not work (so the operators say)
● costs < 100 euro + normal phone subscription
● no roaming is allowed on the femtocells
Small base station?
Page 7
| Country   | Operator          | Vendor              |
|-----------|-------------------|---------------------|
| USA       | AT&T, Verizon     | ip.access, Samsung  |
| Japan     | KDDI, NTT Docomo  | Airvana, Mitsubishi |
| Portugal  | Optimus           | Huawei              |
| France    | SFR               | Ubiquisys           |
| Singapore | Singtel, Starhub  | Huawei              |
| Japan     | Softbank          | Ubiquisys           |
| Spain     | Telefonica        | Huawei              |
| UK        | Vodafone          | Alcatel-Lucent      |
| Greece    | Vodafone          | Huawei              |
Page 8
Difference: Femtocell and NodeB
Page 9
Femtocell Architecture
● femtocell device, aka HNB (Home NodeB)
● Security Gateway (SeGW)
● Operation, Administration & Management server (OAM)
● User Equipment (UE)
Page 10
Femtocell Security
● only registered SIMs are allowed
● 3G AKA procedure
● secure phone calls (over-the-air)
● IPsec tunnel over broadband
● remotely controlled HNB
● location verification
Page 11
Femtocell Security Requirements
● the femtocell should be locked to a specific geographical location, to avoid misuse (roaming is good) and to respect the radio licence
● the booting process of the femtocell should be secured by cryptographic means (e.g. no root access)
● the device should not reveal any secret information such as the IMSI or stored keys (e.g. key pairs, IPsec keys)
● …
● Security of H(e)NB, TR 33.820
Page 12
Location Locking Methods
● geoIP
● macrocells
● GNSS
● UE reports
Page 13
On the Device
Page 14
Breaking locks – IP address
● use a VPN (Virtual Private Network)
● you only need to appear to be at home :-)
Page 15
Breaking locks – GNSS (GPS)
● tools you need: a GPS jammer or a GPS spoofer
● or simply go indoors (weak GPS signal)
● not all devices have GPS
Page 16
Breaking locks – macrocells
● tools you need: a GSM jammer, a fake BTS, or an elevator
● LAC and MCC can be faked with a fake BTS
● or block the signal (jamming, Faraday cage)
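How an operator-side location check behaves against the three bypasses above (VPN against geoIP, no fix against GNSS, fake BTS or jamming against the macrocell report), as an added example that is not from the talk or any operator: the report layout, the geoIP table, the tolerances and all of the data are constructed assumptions, and UE reports are not modelled.

```python
"""Operator-side location verification for a femtocell (HNB), as an added example.

Models three of the location-lock inputs named on the slides (geoIP of the
broadband address, a GNSS fix, the neighbouring-macrocell report) and shows
why each is beatable on its own: a VPN makes the public IP look like home,
no GPS fix indoors (or a jammer) removes the GNSS evidence, and a fake BTS
(or jamming) controls which macrocells the HNB reports. Report layout,
geoIP table and tolerances are assumptions; all data is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed geoIP table: address prefix -> country code (assumption).
GEOIP = {"203.0.113.": "DE", "198.51.100.": "ES"}


def geoip_country(ip: str) -> Optional[str]:
    for prefix, cc in GEOIP.items():
        if ip.startswith(prefix):
            return cc
    return None


@dataclass(frozen=True)
class Neighbour:              # one macrocell the HNB hears
    mcc: str
    mnc: str
    lac: int
    cell_id: int


@dataclass
class HNBReport:              # what the HNB sends to the operator (assumed layout)
    public_ip: str
    gnss_fix: Optional[tuple]  # (lat, lon), or None when there is no fix
    neighbours: list = field(default_factory=list)


@dataclass
class Provisioned:            # what the operator stored at provisioning time
    country: str
    lat: float
    lon: float
    mcc: str
    mnc: str
    lac: int
    expected_cells: frozenset  # cell IDs known to be receivable at that address


def check_geoip(r: HNBReport, p: Provisioned) -> bool:
    return geoip_country(r.public_ip) == p.country


def check_gnss(r: HNBReport, p: Provisioned, tol: float = 0.02) -> Optional[bool]:
    """True/False on a fix; None when the HNB has no fix (indoors, jammed)."""
    if r.gnss_fix is None:
        return None
    lat, lon = r.gnss_fix
    return abs(lat - p.lat) <= tol and abs(lon - p.lon) <= tol


def check_macro_lac(r: HNBReport, p: Provisioned) -> bool:
    """Weak: MCC/LAC only, and all() over an empty report passes (fails open)."""
    return all(n.mcc == p.mcc and n.lac == p.lac for n in r.neighbours)


def check_macro_cells(r: HNBReport, p: Provisioned) -> bool:
    """Stricter: some heard cell must be one the operator expects there (fails closed)."""
    return any(n.mcc == p.mcc and n.mnc == p.mnc and n.lac == p.lac
               and n.cell_id in p.expected_cells for n in r.neighbours)


def verify_lenient(r: HNBReport, p: Provisioned) -> bool:
    """Missing evidence counts as 'no objection'; each single bypass exploits this."""
    gnss = check_gnss(r, p)
    return check_geoip(r, p) and (gnss is None or gnss) and check_macro_lac(r, p)


def verify_strict(r: HNBReport, p: Provisioned) -> bool:
    """geoIP must match AND (matching fix OR a known cell); no evidence = reject."""
    return check_geoip(r, p) and (check_gnss(r, p) is True or check_macro_cells(r, p))


# Constructed provisioning record and HNB reports.
HOME = Provisioned("DE", 52.512, 13.327, "262", "01", 4711, frozenset({10021, 10022}))
at_home = HNBReport("203.0.113.7", (52.5121, 13.3272), [Neighbour("262", "01", 4711, 10021)])
# Carried abroad: VPN exit at home, indoors (no fix), fake BTS copying only MCC/LAC.
abroad_vpn = HNBReport("203.0.113.7", None, [Neighbour("262", "01", 4711, 99999)])
# Carried abroad: VPN exit at home, GSM jammer or Faraday cage, no macrocells heard.
abroad_jammed = HNBReport("203.0.113.7", None, [])

if __name__ == "__main__":
    for name, rep in (("at_home", at_home), ("abroad_vpn", abroad_vpn), ("abroad_jammed", abroad_jammed)):
        print(f"{name:14} lenient={verify_lenient(rep, HOME)} strict={verify_strict(rep, HOME)}")
```

The strict variant only raises the cost: a fake BTS can broadcast a copied cell ID just as easily as a copied LAC once the attacker has recorded it at the real address, and the lenient policy is what the "elevator" and "Faraday cage" bullets rely on, because a report with no neighbours is treated as consistent with any location.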
Page 17
Result
what could go wrong? lawful interception
Page 18
device security analysis
Page 19
Rooting the device
different approaches to owning an access point:
● scan the network
● find a serial port
● sniff the communication
Page 20
● no open ports apart from HTTP
● serial port found, but no login prompt
● all communication is over IPsec
Secured device
Page 21
Recovery procedure
● image download over HTTP
● using hashes in the URL
● images are encrypted and signed
● one small HTTPS request
● some HTTPS notifications
1. a small loader fetches a recovery file system
2. the recovery image downloads and flashes all other images
Page 22
Recovery to failure
0. the recovery file system is also available unencrypted: you cannot modify it (it is signed), but you can at least analyse it (cf. TiVo)
1. no mutual authentication over HTTPS
2. the given public key is not signed
3. all images can now be decrypted and analysed
Page 23
You're mine: pwnd
● set up a fake recovery server
  services: DHCP, DNS, NTP, and HTTP[S]
● re-activate the login prompt
● flash modified images
● threat 6 of 29:
"Booting H(e)NB with fraudulent software ('re-flashing'). Impact: up to disastrous. Possibility to use any software can mean any violation of the security"
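Why "the given public key is not signed" (Recovery to failure, point 2) is what turns the unauthenticated recovery server into a re-flash (the pwnd slide), as an added example that is not the vendor's loader code: the manifest layout is an assumption, the signature scheme is textbook RSA with tiny primes standing in for the real one (a toy, not secure), and the image-encryption layer is not modelled.

```python
"""Firmware-recovery trust chain for a femtocell loader, as an added example.

Two loader policies over the same (assumed) manifest format:
  * vulnerable: trusts whatever verification key the recovery server sends,
    so a fake recovery server reached via rogue DHCP/DNS (the server itself
    is not authenticated) can ship its own key plus images signed with it;
  * hardened: only accepts an image-signing key that carries a signature from
    a root key burned into the loader, so the fake server's key is rejected.
Toy RSA with tiny primes stands in for the vendor's real scheme; all keys,
images and the manifest layout are constructed assumptions.
"""
import hashlib


def rsa_keypair(p: int, q: int, e: int = 7):
    """Toy RSA keygen; p and q are tiny constructed primes, NOT a secure key."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # needs gcd(e, phi) == 1
    return (n, e), (n, d)


def _digest(data: bytes, n: int) -> int:
    # Reduce the hash into Z_n so the toy modulus can sign it.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def encode_pub(pub) -> bytes:
    return f"{pub[0]}:{pub[1]}".encode()


# Constructed keys: vendor root (baked into the loader), vendor image-signing key, attacker key.
ROOT_PUB, ROOT_PRIV = rsa_keypair(61, 53)
VENDOR_PUB, VENDOR_PRIV = rsa_keypair(101, 103)
ATTACKER_PUB, ATTACKER_PRIV = rsa_keypair(89, 97)


def build_manifest(image: bytes, signing_pub, signing_priv, key_cert=None) -> dict:
    """What the recovery server returns: image, the key to verify it with, the
    image signature, and optionally a root signature over that key."""
    return {"image": image, "pubkey": signing_pub,
            "sig": sign(signing_priv, image), "pubkey_sig": key_cert}


def loader_vulnerable(manifest: dict) -> bool:
    """Verifies the image with the key the server handed over: any server wins."""
    return verify(manifest["pubkey"], manifest["image"], manifest["sig"])


def loader_hardened(manifest: dict, root_pub=ROOT_PUB) -> bool:
    """Accepts the server's key only if the burned-in root key vouches for it."""
    pub, key_cert = manifest["pubkey"], manifest["pubkey_sig"]
    if key_cert is None or not verify(root_pub, encode_pub(pub), key_cert):
        return False
    return verify(pub, manifest["image"], manifest["sig"])


# Genuine manifest: vendor key certified by the root, image signed by the vendor key.
GENUINE = build_manifest(b"recovery-rootfs v1", VENDOR_PUB, VENDOR_PRIV,
                         key_cert=sign(ROOT_PRIV, encode_pub(VENDOR_PUB)))
# Rogue manifest from the fake recovery server: attacker key, self-certified.
ROGUE = build_manifest(b"recovery-rootfs with login prompt re-enabled", ATTACKER_PUB, ATTACKER_PRIV,
                       key_cert=sign(ATTACKER_PRIV, encode_pub(ATTACKER_PUB)))

if __name__ == "__main__":
    for name, m in (("genuine", GENUINE), ("rogue", ROGUE)):
        print(f"{name}: vulnerable={loader_vulnerable(m)} hardened={loader_hardened(m)}")
```

Anchoring the signing key in the loader closes the re-flash path even when DHCP, DNS and the HTTPS server are all attacker-controlled; what it does not do is authenticate the server, so an unauthenticated channel can still replay an older genuinely signed image or expose anything the download was meant to keep confidential.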
Page 24
Doors to heaven
a small eye drop behind the SeGW
Page 25
Analysis of the Research
● effective technology in terms of offloading traffic and of new business cases
● provides higher data rates to the user … but …
● the device's security can become the breach
● some serious threats:
− could open the gates to telecom infrastructure elements (like the HLR)
− a very cheap IMSI catcher
− might be used as a MitM device during calls
Page 26
References
● 3GPP, "Security of Home Node B (HNB) / Home evolved Node B (HeNB)", TS 33.320, V9.1.0, April 2010. http://www.3gpp.org
● 3GPP Technical Specification Group Service and System Aspects, "Security of H(e)NB", TR 33.820, V8.3.0, December 2009
● 3GPP TR 33.820 Release 8: 3rd Generation Partnership Project; Technical Specification Group Service and System Aspects; Security of H(e)NB
● The nanoBTS: small GSM base stations. http://www.ipaccess.com/picocells/nanoBTS picocells.php
Page 27
Demo
Page 28
Questions?
Thank you