As IT and security professionals, most of us are intimately familiar with data networks, their architecture, protocols, and the types of threats posed to them. However, relatively few of us are familiar with the structure and inner workings of the mobile telephone system and the threats that lie there. As more and more of our online life and work moves off of landline ISPs and onto the cellular network, it is important to understand the real risks posed by this shift and just what criminals and nation-states are capable of. This presentation gives an introduction to the GSM/UMTS/LTE mobile telephone system, how it works, and an overview of various real-world and theoretical attacks against it, from the “stingray” devices used by law enforcement to rogue base stations demoed at hacker conferences to traffic sniffing you can do yourself with a $30 European TV tuner dongle.

Mobile Telephony for Information Security Practitioners
*OUTLINE*
Dan Helton
Information Security Consultant, Humana Inc.
2014

Brief History of Mobile Telephony
• “G” as in “Generations”
  – 1G
  – 2G – GSM
  – 3G – UMTS
  – 4G – LTE
• Two competing families
  – GSM
  – CDMA
• Focus in this presentation is on the GSM family (most common globally)

Handset Anatomy
• Device
  – IMEI
  – Baseband and app processors
  – Etc.
• SIM Card
  – IMSI
  – Ki
  – JavaCard
  – …

Mobile Telephone Network (2G GSM)
• Insert diagram here

Mobile Telephone Network (3G UMTS)
• Insert diagram here

Mobile Telephone Network (4G LTE)
• Insert diagram here

GSM Protocols
• Protocol Stack
• Handshake
• Cryptography (A5 family, KASUMI, SNOW, etc.)

Where Smartphones Are No Different From Laptops (Note: this section is brief)
• Malware
• OS Vulnerabilities
• Wi-Fi and Bluetooth attacks
• Physical access to the device
• Phishing/SMSishing

Where Mobile Devices Are Different
• IMSI Catchers AKA Rogue Base Stations
  – What governments and LEOs use (aka “Stingray”)
  – What hackers can build (GNU Radio, Osmocom, USRP, etc. etc. etc.)
  – What you can do with $30 and some free software

SDR Dongle Demo

Nasty Things You Can Do With IMSI Catchers
• Sniffing and cracking traffic passively
• MitM attacks
  – Spoofing voice service
  – Spoofing data service
  – Dropping crypto
• DoS/DDoS attacks against the cellular network
• Extending into 3G and 4G networks
  – Hacking home femtocells (aka network extenders)

Conclusion
• Realistic threats
• Unrealistic threats
• What we can (and can’t) do about it
• Being smart and safe on mobile networks

References and Links
• Kristin Paget
• Thegrugq
• Michael Ossmann & Great Scott Gadgets
• Link to $30 SDR dongle on Amazon
• Copious references to past DEFCON and Black Hat presentations

Dan Helton is an information security consultant at Humana and a signal officer in the Indiana Army National Guard, and has previously worked as an information security consultant for Accenture and as an information assurance contractor for the US Navy. Dan is a member of Humana’s Enterprise Information Protection department and specializes in mobile application security testing and identity & access management. After joining Humana, Dan was asked by his manager to write a quick whitepaper on the threat of rogue base stations. With very little experience in mobile telephony, Dan set about extensively researching the subject, eventually building this presentation, and hopes to share his knowledge with you. Dan holds a Bachelor’s in Informatics from Indiana University and the CISSP, SSCP, and CEH certifications.
If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.
Copyright 2020, IronGeek