gsm fuzzing

30
GSM/3G security Implementing GSM protocols Security analysis Summary GSM Protocol Fuzzing and other GSM related fun Harald Welte gnumonks.org gpl-violations.org OpenBSC airprobe.org hmw-consulting.de 0sec conference, October 2009, Berne/Switzerland Harald Welte GSM Protocol Fuzzing

Upload: celestin2010

Post on 06-Apr-2015

145 views

Category:

Documents


2 download

TRANSCRIPT

Page 1: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

GSM Protocol Fuzzingand other GSM related fun

Harald Welte

gnumonks.orggpl-violations.org

OpenBSCairprobe.org

hmw-consulting.de

0sec conference, October 2009, Berne/Switzerland

Harald Welte GSM Protocol Fuzzing

Page 2: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

Outline1 GSM/3G security

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

2 Implementing GSM protocolsGetting startedTimelineOpenBSC

3 Security analysisTheoryThe BasebandObservationsGSM Protocol Fuzzing

4 SummaryWhat we’ve learnedWhere we go from hereWhere we go from hereFurther Reading

Harald Welte GSM Protocol Fuzzing

Page 3: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

About the speaker

Using + playing with Linux since 1994Kernel / bootloader / driver / firmware development since1999IT security specialist, focus on network protocol securityBoard-level Electrical EngineeringAlways looking for interesting protocols (RFID, DECT,GSM)

Harald Welte GSM Protocol Fuzzing

Page 4: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

GSM/3G protocol security

ObservationBoth GSM/3G and TCP/IP protocol specs are publiclyavailableThe Internet protocol stack (Ethernet/Wifi/TCP/IP) receiveslots of scrutinyGSM networks are as widely deployed as the InternetYet, GSM/3G protocols receive no such scrutiny!

There are reasons for that:GSM industry is extremely closed (and closed-minded)Only about 4 closed-source protocol stack implementationsGSM chipset makers never release any hardwaredocumentation

Harald Welte GSM Protocol Fuzzing

Page 5: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

The closed GSM industryHandset manufacturing side

Only very few companies build GSM/3.5G baseband chipstoday

Those companies buy the operating system kernel and theprotocol stack from third parties

Only very few handset makers are large enough tobecome a customer

Even they only get limited access to hardwaredocumentationEven they never really get access to the firmware source

Harald Welte GSM Protocol Fuzzing

Page 6: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

The closed GSM industryNetwork manufacturing side

Only very few companies build GSM network equipmentBasically only Ericsson, Nokia-Siemens, Alcatel-Lucent andHuaweiException: Small equipment manufacturers for picocell /nanocell / femtocells / measurement devices and lawenforcement equipment

Only operators buy equipment from themSince the quantities are low, the prices are extremely high

e.g. for a BTS, easily 10-40k EUR

Harald Welte GSM Protocol Fuzzing

Page 7: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

The closed GSM industryOperator side

Operators are mainly banks todayTypical operator outsources

BillingNetwork planning / deployment / servicing

Operator just knows the closed equipment as shipped bymanufacturerVery few people at an operator have knowledge of theprotocol beyond what’s needed for operations andmaintenance

Harald Welte GSM Protocol Fuzzing

Page 8: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

The closed GSM industrySecurity implications

The security implications of the closed GSM industry are:Almost no people who have detailed technical knowledgeoutside the protocol stack or GSM network equipmentmanufacturersNo independent research on protocol-level security

If there’s security research at all, then only theoretical (likethe A5/2 and A5/1 cryptanalysis)Or on application level (e.g. mobile malware)

No open source protocol implementationswhich are key for making more people learn about theprotocolswhich enable quick prototyping/testing by modifying existingcode

Harald Welte GSM Protocol Fuzzing

Page 9: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

Security analysis of GSMHow would you get started?

If you were to start with GSM protocol level security analysis,where and how would you start?

On the handset side?Difficult since GSM firmware and protocol stacks are closedand proprietaryEven if you want to write your own protocol stack, the layer1 hardware and signal processing is closed andundocumented, tooKnown attempts

The TSM30 project as part of the THC GSM projectmados, an alternative OS for Nokia DTC3 phones

none of those projects successful so far

Harald Welte GSM Protocol Fuzzing

Page 10: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

Security analysis of GSMHow would you get started?

If you were to start with GSM protocol level security analysis,where and how would you start?

On the network side?Difficult since equipment is not easily available andnormally extremely expensiveHowever, network is very modular and has manystandardized/documented interfacesThus, if equipment is available, much easier/faster progress

Harald Welte GSM Protocol Fuzzing

Page 11: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

Security analysis of GSMThe bootstrapping process

Read GSM specs day and night (> 1000 PDF documents)Gradually grow knowledge about the protocolsObtain actual GSM network equipment (BTS)Try to get actual protocol traces as examplesStart a complete protocol stack implementation fromscratchFinally, go and play with GSM protocol security

Harald Welte GSM Protocol Fuzzing

Page 12: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

The GSM network

Harald Welte GSM Protocol Fuzzing

Page 13: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

GSM network components

The BSS (Base Station Subsystem)MS (Mobile Station): Your phoneBTS (Base Transceiver Station): The cell towerBSC (Base Station Controller): Controlling up to hundredsof BTS

The NSS (Network Sub System)MSC (Mobile Switching Center): The central switchHLR (Home Location Register): Database of subscribersAUC (Authentication Center): Database of authenticationkeysVLR (Visitor Location Register): For roaming usersEIR (Equipment Identity Register): To block stolen phones

Harald Welte GSM Protocol Fuzzing

Page 14: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

GSM network interfaces

Um: Interface between MS and BTSthe only interface that is specified over radio

A-bis: Interface between BTS and BSCA: Interface between BSC and MSCB: Interface between MSC and other MSC

GSM networks are a prime example of an asymmetricdistributed network, very different from the end-to-endtransparent IP network.

Harald Welte GSM Protocol Fuzzing

Page 15: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

GSM network protocolsOn the Um interface

Layer 1: Radio Layer, TS 04.04Layer 2: LAPDm, TS 04.06Layer 3: Radio Resource, Mobility Management, CallControl: TS 04.08Layer 4+: for USSD, SMS, LCS, ...

Harald Welte GSM Protocol Fuzzing

Page 16: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

The closed GSM industrySecurity implicationsThe GSM networkThe GSM protocols

GSM network protocolsOn the A-bis interface

Layer 1: Typically E1 line, TS 08.54Layer 2: A variant of ISDN LAPD with fixed TEI’s, TS 08.56Layer 3: OML (Organization and Maintenance Layer, TS12.21)Layer 3: RSL (Radio Signalling Link, TS 08.58)Layer 4+: transparent messages that are sent to the MSvia Um

Harald Welte GSM Protocol Fuzzing

Page 17: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

Getting startedTimelineOpenBSC

Implementing GSM protocolsHow I got started!

In September 2008, we were first able to make the BTSactive and see it on a phone

This is GSM900 BTS with 2 TRX at 2W output power (each)A 48kg monster with attached antenna200W power consumption, passive coolingE1 physical interface

I didn’t have much time at the time (day job at Openmoko)Started to read up on GSM specs whenever I couldBought a HFC-E1 based PCI E1 controller, has mISDNkernel supportFound somebody in the GSM industry who providedprotocol traces

Harald Welte GSM Protocol Fuzzing

Page 18: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

Getting startedTimelineOpenBSC

Implementing GSM protocolsTimeline

In November 2008, I started the development of OpenBSCIn December 2008, we did a first demo at 25C3In January 2009, we had full voice call supportIn June 2009, I started with actual security related stuffIn August 2009, we had the first field test with 2BTS and >860 phones

Harald Welte GSM Protocol Fuzzing

Page 19: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

Getting startedTimelineOpenBSC

Security analysis of GSMOpenBSC

What is OpenBSCA GSM network in a box softwareImplements minimal subset of BSC, MSC, HLR, SMSCIs Free and Open Source Software licensed under GNUGPLSupports Siemens BS-11 BTS (E1) and ip.accessnanoBTS (IP based)Has classic 2G signalling, voice and SMS supportImplements various GSM protocols like

A-bis RSL (TS 08.58) and OML (TS 12.21)TS 04.08 Radio Resource, Mobility Management, CallControlTS 04.11 Short Message Service

Harald Welte GSM Protocol Fuzzing

Page 20: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

TheoryThe BasebandObservationsGSM Protocol Fuzzing

Known GSM security problemsScientific papers, etc

No mutual authentication between phone and networkleads to rogue network attacksleads to man-in-the-middle attacksis what enables IMSI-catchers

Weak encryption algorithmsEncryption is optional, user does never know when it’sactive or notDoS of the RACH by means of channel request floodingRRLP (Radio Resource Location Protocol)

the network can obtain GPS fix or even raw GSM data fromthe phonecombine that with the network not needing to authenticateitself

Harald Welte GSM Protocol Fuzzing

Page 21: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

TheoryThe BasebandObservationsGSM Protocol Fuzzing

Known GSM security problemsThe Baseband side

GSM protocol stack always runs in a so-called basebandprocessor (BP)What is the baseband processor

Typically ARM7 (2G/2.5G phones) or ARM9 (3G/3.5Gphones)

Runs some RTOS (often Nucleus, sometimes L4)No memory protection between tasks

Some kind of DSP, model depends on vendorRuns the digital signal processing for the RF Layer 1Has hardware peripherals for A5 encryption

The software stack on the baseband processoris written in C and assemblylacks any modern security features (stack protection,non-executable pages, address space randomization, ..)

Harald Welte GSM Protocol Fuzzing

Page 22: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

TheoryThe BasebandObservationsGSM Protocol Fuzzing

Interesting observationsLearned from implementing the stack

While developing OpenBSC, we observed a number ofinteresting

Many phones use their TMSI from the old network whenthey roam to a new networkVarious phones crash when confronted with incorrectmessages. We didn’t even start to intentionally sendincorrect messages (!)There are tons of obscure options on the GSM spec whichno real network uses. Potential attack vector by usingrarely tested code paths.

Harald Welte GSM Protocol Fuzzing

Page 23: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

TheoryThe BasebandObservationsGSM Protocol Fuzzing

GSM Protocol FuzzingTheoretical basis

How to do GSM protocol fuzzingFrom the handset to the network

Basically impossible due to closeness of basebandHowever, some incomplete projects working on it

From the network sideEasy in case of rogue network attacksFuzzing target is the GSM stack in the baseband processor

As an A-bis man in the middleNeeds access to an A-bis interface of an actual networkVery attractive, since no encryption and ability to fuzz bothnetwork and handset

Harald Welte GSM Protocol Fuzzing

Page 24: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

TheoryThe BasebandObservationsGSM Protocol Fuzzing

A-bis injectionfor A-bis over IP

How to do inject messages into A-bis over IP?Problem

A-bis/IP uses one TCP connection for OML and RSLmessagesOML initialization is essential for BTS to becomeoperationalTCP makes insertion of additional messages relatively hard

Solution: Build an A-bis injection proxyTransparently pass OML and RSL packets between BTSand BSCAdd additional stateless UDP sockets for injectingmessages, one socket each for

injecting OML/RSL to the networkinjecting OML/RSL to the BTS

Harald Welte GSM Protocol Fuzzing

Page 25: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

TheoryThe BasebandObservationsGSM Protocol Fuzzing

A-bis Injection ProxyPrinciple of operation

Proxy needs to be brought between BTS and BSCLuckily, A-bis/IP SSL support not always usedThus, physical access to the Ethernet link sufficientConfigure system with two interfaces

BSC-facing interface has IP of BTSBTS-facing interface has IP of BSC / default gw

BTS will make TCP connection to proxyproxy will make independent TCP connection to BSC

Harald Welte GSM Protocol Fuzzing

Page 26: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

TheoryThe BasebandObservationsGSM Protocol Fuzzing

scapy GSM supportThe actual fuzzing

How to actually craft the packets for the fuzzingGSM has many, many protocolsWriting custom code will be a hardcoded special case foreach of themSolution: Use scapy and implement the GSM protocols asscapy "layers"

IPA protocol headerRSL protocol layerRLL data indication / data requestGSM 04.08 RR / MM / CC messages

Harald Welte GSM Protocol Fuzzing

Page 27: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

What we’ve learnedWhere we go from hereWhere we go from hereFurther Reading

SummaryWhat we’ve learned

The GSM industry is making security analysis very difficultIt is well-known that the security level of the GSM stacks isvery lowWe now have multiple solutions for sending arbitraryprotocol data

From a rogue network to phones (OpenBSC, OpenBTS)From an a-bis proxy to the network or the phones

There is ongoing work for a phone-based tool to fuzz thenetwork

Harald Welte GSM Protocol Fuzzing

Page 28: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

What we’ve learnedWhere we go from hereWhere we go from hereFurther Reading

TODOWhere we go from here

The tools for fuzzing mobile phone protocol stacks areavailableIt is up to the security community to make use of thosetools (!)Don’t you too think that TCP/IP security is boringJoin the GSM protocol security research projectsBoldly go where no man has gone before

Harald Welte GSM Protocol Fuzzing

Page 29: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

What we’ve learnedWhere we go from hereWhere we go from hereFurther Reading

Future plans

Packet data (GPRS/EDGE) support in OpenBSCGPRS is used extensively on modern smartphonesEnables us to play with those phones without a heavilyfiltered operator network

UMTS(3G) support in OpenBSCAccess to MS side layer 1Playing with SIM Toolkit from the operator sidePlaying with MMSMore exploration of RRLP

Harald Welte GSM Protocol Fuzzing

Page 30: Gsm Fuzzing

GSM/3G securityImplementing GSM protocols

Security analysisSummary

What we’ve learnedWhere we go from hereWhere we go from hereFurther Reading

Further Reading

http://openbsc.gnumonks.org/http://airprobe.org/http://openbts.sourceforge.net/

Harald Welte GSM Protocol Fuzzing