Scribd Logo
Carica

Benvenuto in Scribd!

  • D2T1 - The Grugq - Attacking GSM Basestations

    Caricato da

    Hlias Alafogiannis
    120 visualizzazioni77 pagine
    Attacking the GSM baseband and base station Overview GSM: The Protocol Documents Dozens of docs Thousands of pages Important one (defines L3) GSM Logical Channels (BCH) Broadcast Control Channel (BCCH) Frequency Correction Channel (FCCH) Synchronization Channel (SCH) Cell Broadcast Channel (CBCH) Logical channel (CCCH) Paging Channel (PCH) Random Access Channel (AGCH) GSM Channels Opening Can a channel is slow take

    Descrizione originale:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formati disponibili

    PDF, TXT o leggi online da Scribd

    Hai trovato utile questo documento?

    Questo contenuto è inappropriato?

    Segnala questo documento
    Attacking the GSM baseband and base station Overview GSM: The Protocol Documents Dozens of docs Thousands of pages Important one (defines L3) GSM Logical Channels (BCH) Broadcast Control Channel (BCCH) Frequency Correction Channel (FCCH) Synchronization Channel (SCH) Cell Broadcast Channel (CBCH) Logical channel (CCCH) Paging Channel (PCH) Random Access Channel (AGCH) GSM Channels Opening Can a channel is slow take

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    120 visualizzazioni77 pagine

    D2T1 - The Grugq - Attacking GSM Basestations

    Caricato da

    Hlias Alafogiannis
    Attacking the GSM baseband and base station Overview GSM: The Protocol Documents Dozens of docs Thousands of pages Important one (defines L3) GSM Logical Channels (BCH) Broadcast Control Channel (BCCH) Frequency Correction Channel (FCCH) Synchronization Channel (SCH) Cell Broadcast Channel (CBCH) Logical channel (CCCH) Paging Channel (PCH) Random Access Channel (AGCH) GSM Channels Opening Can a channel is slow take

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Scarica in formato PDF, TXT o leggi online su Scribd
    Segnala contenuti inappropriati
    di 77

    Base Jumping

    Attacking the GSM baseband and base station grugq@coseinc.com

    Thursday, 14 October 2010

    Overview
    GSM Base

    Station Base Band Conclusion

    2 Thursday, 14 October 2010

    GSM: The Protocol

    3 Thursday, 14 October 2010

    Documents
    Dozens

    of docs Thousands of pages Important one (denes L3)


    GSM

    04 08

    4 Thursday, 14 October 2010

    5 Thursday, 14 October 2010

    6 Thursday, 14 October 2010

    Logical Channels
    Broadcast Channels (BCH) Broadcast Control Channel (BCCH) Frequency Correction Channel (FCCH) Synchronization Channel (SCH) Cell Broadcast Channel (CBCH)

    7 Thursday, 14 October 2010

    Logical Channels, cont.


    Common Control Channels (CCCH) Paging Channel (PCH) Random Access Channel (RACH) Access Grant Channel (AGCH)

    8 Thursday, 14 October 2010

    Logical Channels, cont.


    Standalone Dedicated Control Channel (SDCCH) Associated Control Channel (ACCH) Fast Associated Control Channel (FACCH) Slow Associated Control Channel (SACCH)

    9 Thursday, 14 October 2010

    GSM Channels
    Opening
    Can

    a channel is slow

    take seconds

    Specic

    channels for specic uses

    10 Thursday, 14 October 2010

    Opening a channel

    11 Thursday, 14 October 2010

    12 Thursday, 14 October 2010

    RACH

    12 Thursday, 14 October 2010

    RACH

    AGCH

    12 Thursday, 14 October 2010

    RACH

    AGCH

    LCH

    12 Thursday, 14 October 2010

    13 Thursday, 14 October 2010

    PCH

    13 Thursday, 14 October 2010

    PCH

    RACH

    13 Thursday, 14 October 2010

    PCH

    RACH

    AGCH

    13 Thursday, 14 October 2010

    PCH

    RACH

    AGCH

    LCH

    13 Thursday, 14 October 2010

    ARFCN

    MSC BSC BTS BTS

    MS

    14 Thursday, 14 October 2010

    Mobile Station MS Mobile Station Controller MSC Base Station Controller BSC Base Transceiver Station BTS

    Base Station Sub-System BSS


    15 Thursday, 14 October 2010

    VLR

    HLR

    MSC BSS

    MS

    16 Thursday, 14 October 2010

    Mobile Identiers

    17 Thursday, 14 October 2010

    18 Thursday, 14 October 2010

    IMSI

    18 Thursday, 14 October 2010

    IMSI

    IMEI

    18 Thursday, 14 October 2010

    IMSI

    IMEI

    18 Thursday, 14 October 2010

    IMSI

    IMEI

    18 Thursday, 14 October 2010

    IMSI

    IMEI

    18 Thursday, 14 October 2010

    IMSI

    IMEI

    18 Thursday, 14 October 2010

    IMSI

    IMEI

    18 Thursday, 14 October 2010

    GSM Attacks

    19 Thursday, 14 October 2010

    20 Thursday, 14 October 2010

    RACHell
    Request

    channel allocation Flood the BSS with requests First announced by Dieter Spaar at DeepSec Prevent everyone from using that cell

    21 Thursday, 14 October 2010

    RACHell

    22 Thursday, 14 October 2010

    RACHell

    22 Thursday, 14 October 2010

    RACHell

    22 Thursday, 14 October 2010

    RACHell

    22 Thursday, 14 October 2010

    RACHell

    22 Thursday, 14 October 2010

    RACHell

    22 Thursday, 14 October 2010

    RACHell

    ?
    22 Thursday, 14 October 2010

    23 Thursday, 14 October 2010

    Our Target

    23 Thursday, 14 October 2010

    Demo - RACHell

    24 Thursday, 14 October 2010

    IMSI Flood
    Send

    IMSI ATTACH messages pre-authentication Overload the HLR/VLR infrastructure Prevent everyone using the network

    25 Thursday, 14 October 2010

    IMSI Flood

    26 Thursday, 14 October 2010

    IMSI Flood

    26 Thursday, 14 October 2010

    IMSI Flood

    26 Thursday, 14 October 2010

    IMSI Flood

    26 Thursday, 14 October 2010

    IMSI Flood

    26 Thursday, 14 October 2010

    IMSI Flood

    26 Thursday, 14 October 2010

    IMSI Flood

    26 Thursday, 14 October 2010

    IMSI DETACH
    Send

    multiple Location Update Requests including a spoofed IMSI


    Unauthenticated

    Prevent

    SIM from receiving calls and

    SMS Discovered by Sylvain Munaut

    27 Thursday, 14 October 2010

    IMSI DETACH

    28 Thursday, 14 October 2010

    IMSI DETACH

    28 Thursday, 14 October 2010

    IMSI DETACH

    28 Thursday, 14 October 2010

    IMSI DETACH

    28 Thursday, 14 October 2010

    IMSI DETACH

    28 Thursday, 14 October 2010

    IMSI DETACH

    28 Thursday, 14 October 2010

    IMSI DETACH

    28 Thursday, 14 October 2010

    How hard to get an IMSI?

    29 Thursday, 14 October 2010

    Baseband Fuzzing

    30 Thursday, 14 October 2010

    How to make a smartphone

    31 Thursday, 14 October 2010

    Two separate computers

    32 Thursday, 14 October 2010

    Two separate computers

    32 Thursday, 14 October 2010

    Baseband
    Controls

    the radio Separate CPU and code base RTOS Written in C Typically legacy code base (decades)

    33 Thursday, 14 October 2010

    GSM Frame Delivery


    OpenBTS

    + XML-RPC

    lch_open(char

    * IMSI) lch_send(int fd, char *buf, size_t len) lch_recv(int fd, char *buf, size_t len) lch_close(int fd)

    34 Thursday, 14 October 2010

    GSM Fuzzing Framework


    USRP

    + OpenBTS for delivery GSM900 band BugMine case generation & mutation No Instrumentation
    Very

    bad visibility on bugs

    35 Thursday, 14 October 2010

    Coseinc GSM FuzzFarm


    Targetting
    iPhone HTC

    (Android) Palm Pre Blackberry Nokia

    36 Thursday, 14 October 2010

    37 Thursday, 14 October 2010

    38 Thursday, 14 October 2010

    Conclusion

    39 Thursday, 14 October 2010

    GSM Trouble
    GSM

    is no longer a walled garden GSM spec has security problems Expect many more issues as OSS reduces costs for entry

    40 Thursday, 14 October 2010

    Future work
    More

    GSM stack fuzzing Next gen protocol stacks

    41 Thursday, 14 October 2010

    Thanks to
    Harald Welte, Osmocom-bb & OpenBTS

    42 Thursday, 14 October 2010

    Questions?

    43 Thursday, 14 October 2010

    Potrebbero piacerti anche