Page 1: Weaponizing Femtocells: The Effect of Rogue Devices on Mobile Telecommunication

Kévin Redon, Nico Golde, Ravishankar Borgaonkar

Technische Universität Berlin, Security in Telecommunications
[email protected]

Troopers 2012, Heidelberg, 20th March 2012


Page 2: messy UMTS architecture

✆ mobile telecommunication ⚔ end-user attacks ☠ network attacks

SecT / TU-Berlin 2 / 30

Page 3: here be dragons

- telecommunication networks are separate and closed networks, not as the Internet is
- everything is based on trust and mutual agreement
- there is no evil attacker to defend against
- a critical infrastructure, with millions of users, left unprotected …


Page 4: femtocells: offloading technology

- technical name in 3G: Home Node B (HNB)
- traffic offload from public operator infrastructure
- improve 3G coverage, particularly indoor
- cheap hardware compared to expensive 3G equipment
- the user provides power, Internet connection, maintenance, and still pays for the communication


Page 5: small cells


Page 6: Home Node B Subsystem (HNS)


Page 7: SFR femtocell

- 39 femtocell offers over 24 countries
- target sold by SFR (2nd biggest operator in France)
- cost: mobile phone subscription
- hardware: ARM9 + FPGA for signal processing
- OS: embedded Linux kernel + proprietary services
- built by external vendors (in our case Ubiquisys), configured by operator


Page 8: recovery procedure

- femtocells provide a recovery procedure similar to a factory reset
- new firmware is flashed, and settings are cleared
- used to "repair" the device without any manual intervention


Page 9: recovery to fail

recovery procedure flaws:
- firmware server is not authenticated
- public key is in parameter and firmware list, which is not signed
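As an added example (not the authors' code or the vendor's update client), the following Go model contrasts the flawed design described on this slide, where the verification key travels inside the unsigned list served by an unauthenticated server, with a design that pins the vendor key in the device. The manifest layout, key names and firmware images are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Manifest models the "parameter and firmware list" fetched during recovery:
// image hash, signature, and (flawed design) the key to verify it with.
type Manifest struct {
	ImageSHA256 [32]byte
	ListKey     ed25519.PublicKey // trusted only by the flawed design
	Signature   []byte
}

// verifyFlawed trusts the key carried inside the unsigned list: whoever serves
// the list (the server is unauthenticated) can serve a matching key and signature.
func verifyFlawed(m Manifest, image []byte) bool {
	h := sha256.Sum256(image)
	return h == m.ImageSHA256 && ed25519.Verify(m.ListKey, h[:], m.Signature)
}

// verifyPinned accepts only manifests signed by a vendor key baked into the
// device at manufacture; the key inside the list is ignored.
func verifyPinned(pinned ed25519.PublicKey, m Manifest, image []byte) bool {
	h := sha256.Sum256(image)
	return h == m.ImageSHA256 && ed25519.Verify(pinned, h[:], m.Signature)
}

// sign builds a manifest for image with the given key pair.
func sign(pub ed25519.PublicKey, priv ed25519.PrivateKey, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{ImageSHA256: h, ListKey: pub, Signature: ed25519.Sign(priv, h[:])}
}

// Scenario runs a recovery against a rogue firmware server (constructed images,
// fresh keys) and reports: flawed design on rogue image, pinned design on rogue
// image, pinned design on the genuine image.
func Scenario() (flawedRogue, pinnedRogue, pinnedGenuine bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // pinned in the device
	roguePub, roguePriv, _ := ed25519.GenerateKey(nil)   // attacker's own key
	genuine := []byte("constructed genuine firmware image")
	rogue := []byte("constructed rogue firmware image")
	gm, rm := sign(vendorPub, vendorPriv, genuine), sign(roguePub, roguePriv, rogue)
	return verifyFlawed(rm, rogue), verifyPinned(vendorPub, rm, rogue), verifyPinned(vendorPub, gm, genuine)
}

func main() { fmt.Println(Scenario()) }
```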


Page 10: intercepting traffic

- proprietary IPsec client + kernel module (xpressVPN)
  ⇒ LD_PRELOAD the ipsec user-space program to hijack sendto() and extract keys, so as to decrypt ESP packets
- voice data encapsulated in unencrypted RTP stream (AMR codec, stream format)
  ⇒ extract RTP stream (rtpbreak), extract AMR and dump to WAV (opencore-based)


Page 11: getting the fish into the octopus' tentacles

How to build a 3G IMSI-Catcher:
- cell configuration is kindly provided as a feature of femtocells
- some comfort provided ⇒ hidden web interface
- we can catch any phone user of any operator into using our box
- roaming subscribers are allowed by SFR

⇒ the femtocell is turned into a full 3G IMSI-Catcher


Page 12: mutual authentication in the femtocell ecosystem

classical approach in GSM: IMSI-Catcher
- fake operator BTS (MCC/MNC)
- acts as MitM between operator and victim
- phone usually can't detect
- used to track and intercept communication

UMTS standard requires mutual authentication
- mutual authentication is done with the home operator, not with the actual cell
- the femtocell forwards the authentication tokens
- mutual authentication is performed even with a rogue device


Page 13: femtocell operator communication: the GAN protocol

- device is communicating with operator via GAN protocol (UMA)
- TCP/IP mapped radio signaling
- encapsulates radio Layer 3 messages (MM/CC) in GAN protocol
- one TCP connection per subscriber
- radio signaling maps to GAN messages, which are sent over this connection
- GAN usage is transparent for the phone


Page 14: but what about over-the-air encryption?

- only the phone ⇔ femtocell OTA traffic is encrypted
  ⇒ encryption/decryption happens on the box
- femtocell acts as a combination of RNC and Node-B: receives cipher key and integrity key from the operator for OTA encryption
- reversing tells us: message is SECURITY MODE COMMAND (unspecified RANAP derivate), which includes the keys


Page 15: SECURITY MODE COMMAND

derived from RANAP, but spec unknown
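An added Go model of the UMTS AKA exchange described on pages 12, 14 and 15 (not code from the talk): HMAC-SHA256 stands in for the MILENAGE functions, and the label strings, key material and Vector type are assumptions. It shows why a relaying cell passes mutual authentication without ever holding K, and that the cell is then handed the same CK the phone derived, which is why OTA ciphering terminates on the box.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// f stands in for the MILENAGE derivations; only K (USIM + home AuC) can compute it.
func f(k []byte, label string, r []byte) []byte {
	m := hmac.New(sha256.New, k)
	m.Write(append([]byte(label), r...))
	return m.Sum(nil)[:16]
}

// Vector is what the home operator hands to whichever node serves the subscriber.
type Vector struct{ RAND, XRES, AUTN, CK, IK []byte }

// NewVector is the AuC side; the serving cell never sees K itself.
func NewVector(k []byte) Vector {
	r := make([]byte, 16)
	rand.Read(r)
	return Vector{r, f(k, "res", r), f(k, "mac", r), f(k, "ck", r), f(k, "ik", r)}
}

// usimRespond verifies AUTN with K (authenticating the home network, not the cell).
func usimRespond(k, rnd, autn []byte) (res, ck []byte, ok bool) {
	if !hmac.Equal(autn, f(k, "mac", rnd)) {
		return nil, nil, false
	}
	return f(k, "res", rnd), f(k, "ck", rnd), true
}

// Exchange runs the challenge through a relaying cell such as a femtocell: it forwards
// RAND/AUTN, checks RES == XRES, and is then handed CK/IK (SECURITY MODE COMMAND).
func Exchange(usimK []byte, v Vector) (accepted, cellHoldsPhoneCK bool) {
	res, phoneCK, ok := usimRespond(usimK, v.RAND, v.AUTN)
	if !ok || !bytes.Equal(res, v.XRES) {
		return false, false
	}
	return true, bytes.Equal(v.CK, phoneCK)
}

func main() {
	k := []byte("constructed long-term key K") // shared by USIM and AuC only
	fmt.Println(Exchange(k, NewVector(k)))              // relay with an operator vector
	fmt.Println(Exchange(k, NewVector([]byte("fake")))) // relay with no operator behind it
}
```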


Page 16: GAN proxy/client

- proxies all GAN connections/messages
- reconfigure femtocell to connect to our proxy instead of the real GANC
- proxy distinguishes between GAN message types
- attack client controls GAN proxy over extended GAN protocol


Page 17: more mitm pls? sms...

- SMS message filtered by GAN proxy
- modified by client
- transferred to real GANC


Page 18: how about impersonating subscribers?

- let's use services for free, billed to a victim
- client requires subscriber information
- proxy additionally caches subscriber info (TMSI/IMSI) for each MS-GANC connection
- phone needed for authentication
- applies to any traffic (SMS, voice, data)
- victim is impersonated

example: SMS inject


Page 19: collecting subscriber information

- other femtocells are accessible within the network
- website is also accessible
- leaks phone number and IMSI of registered subscriber


Page 20: locating subscribers

- location verification performed by OAM
- femtocell scans for neighbour cells


Page 21: global control

- web-site/database is not read-only
- OAMP, image and GAN server can also be set
- or using root exploit
- traffic can be redirected to our femtocell (either settings or iptables)

⇒ any femtocell subscriber communication can be intercepted, modified and impersonated


Page 22: return of the IMSI detach

IMSI detach DoS discovered by Sylvain Munaut in 2010 [1]
⇒ results in discontinued delivery of MT services (call, SMS, ...)
⇒ network assumes subscriber went offline
- detach message is unauthenticated
- however, this is limited to a geographical area (served by a specific VLR)
- user can not receive calls

[1] http://security.osmocom.org/trac/ticket/2

Page 23: IMSI detach in femtocell ecosystem

- proximity constraint not existent in femtocell network
- devices reside in various geographical areas
- but all subscribers meet in one back-end system ⇒ and they are all handled by one femtocell VLR (at least for SFR) ☺
- we can send IMSI detach payloads via L3 msg in GAN

⇒ we can detach any femtocell subscriber, no proximity needed!
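An added Go detection sketch for the GANC side (not from the talk or any operator's systems): since the femtocell back-end has no proximity constraint, the closest substitute is the attach history of each femtocell connection. It parses constructed log lines and flags an IMSI DETACH arriving over a femtocell through which that subscriber never attached; the log format, field names and message type names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one L3 mobility-management message seen at the GANC, with the HNB connection that carried it.
type Event struct{ HNB, IMSI, Msg string }

// ParseLog reads constructed lines of the form "hnb=<id> imsi=<imsi> msg=<type>".
func ParseLog(text string) []Event {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		var e Event
		dst := map[string]*string{"hnb": &e.HNB, "imsi": &e.IMSI, "msg": &e.Msg}
		for _, kv := range strings.Fields(line) {
			if p := strings.SplitN(kv, "=", 2); len(p) == 2 && dst[p[0]] != nil {
				*dst[p[0]] = p[1]
			}
		}
		out = append(out, e)
	}
	return out
}

// SuspiciousDetaches flags each IMSI DETACH carried by an HNB through which the
// subscriber never attached (the HNB's attach history stands in for proximity).
func SuspiciousDetaches(events []Event) (alerts []string) {
	seen := map[string]bool{} // "imsi|hnb" pairs that attached through that HNB
	for _, e := range events {
		switch key := e.IMSI + "|" + e.HNB; e.Msg {
		case "ATTACH", "LOCATION_UPDATE":
			seen[key] = true
		case "IMSI_DETACH":
			if !seen[key] {
				alerts = append(alerts, fmt.Sprintf("IMSI %s detached via %s without prior attach", e.IMSI, e.HNB))
			}
		}
	}
	return
}

// SampleLog is constructed: hnb-A detaches a subscriber that only attached via hnb-B.
const SampleLog = `hnb=hnb-A imsi=208100000000001 msg=ATTACH
hnb=hnb-B imsi=208100000000002 msg=ATTACH
hnb=hnb-A imsi=208100000000001 msg=IMSI_DETACH
hnb=hnb-A imsi=208100000000002 msg=IMSI_DETACH`

func main() { fmt.Println(SuspiciousDetaches(ParseLog(SampleLog))) }
```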


Page 24: attacking other femtocells

attack surface limited:
- network protocols: NTP, DNS spoofing (not tested)
- services: webserver, TR-069 provisioning (feasible)

- both HTTP. TR-069 is additionally powered by SOAP and XML
- lots of potential parsing fail
- all services run as root


Page 25: femtocell remote root (CVE-2011-2900, not 7870-8559-1831-2856-1651)

- we went for the web service (wsal) based on shttpd/mongoose/yassl embedded webserver
- we found a stack-based buffer overflow in the processing of HTTP PUT requests
- direct communication between femtocells is not filtered by SFR
- exploit allows us to root any femtocell within the network

⇒ any femtocell can be flashed
⇒ perfect botnet


Page 26: advanced access

- SeGW is required to access the network
- authentication is performed via the SIM (removable)
- how about configuring an IPsec client with this SIM?

⇒ no hardware and software limitation
⇒ no femtocell required anymore
⇒ femtocells don't act as a great wall to protect the operator network anymore :D
⇒ it also works with normal phone SIMs


Page 27: meeting the usual suspects

HNS servers run typical Open Source software, not especially secured, e.g.:
- MySQL, SSH, NFS, Apache (with directory indexing), ... available
- FTP used to submit performance measurement reports, including femtocell identity and activity
- all devices share the same FTP account
- vsftpd users are system users, SSH is open :D


Page 28: stairways to heaven

attacks on operator network
- signaling attacks (not blocked)
- free HLR queries
- leveraging access to:
  - other Access Networks
  - Core Network
  - ...


Page 29: the end

thank you for your attention

questions?


Page 30: contact us

Nico Golde <[email protected]> @iamnion
Kévin Redon <[email protected]>
Ravi Borgaonkar <[email protected]> @raviborgaonkar
or just [email protected]
