All posts by pedro

IMSICatching attacks on 3G networks (part 1)

In June of this year I announced the participation of CellAnalysis in the project of Sysmocom Accelerate 3g5 program to detect the 3G IMSICatching attacks. This article describes the first steps studying the 3G attacks within the Osmocom infrastructure and the basic principles of detection that are being implemented in CellAnalysis 3G.

Lab infrastructure:


Following the steps in the Getting_Started_with_3G tutorial,  we setup the 3G network but we will modify the MSC node source code. We don’t need to add any subscriber in the HLR/AuC database, since we are not going to deliver a 3G service to our victims. The negotiation procedure of the mobile to register in our 3G network will always be rejected, in order to be able to downgrade to 2G, in the same way as we saw in 4G (4G / LTE IMSI Catchers). In this first article we will use the “Location Update Reject” attack, with the different causes of rejection forcing the mobile to register in the 2G network (the downgrade attack).

Implementation:
3G

    1. femtocell nano3G (Sysmocom)

 

    1. Osmocom 3G network,  running on Ubuntu 14 (intel core i5 4200U 1,6GHz, 8Gb RAM)

 

2G

    BladeRF x40
    YateBTS, 2G network running on Ubuntu 16 (intel atom 1.6GHz, 8GB RAM)

Once configured the 3G network following the Getting Started tutorial, it’s better to verify that the cell 3G is transmitting correctly in the UARFCN 9800 (default channel):
To implement our custom reject cause, we must modify the source code of the MSC to overwrite the registration reject cause in the “Location Update Request” response. Usually the reject cause should be “(2) IMSI unknown in HLR” since we have not provisioned any subscriber in our HLR or “(3) Illegal MS” if we only add the victim’s IMSI in the HLR Sqlite db but not the auth values. It’s needed to manipulate the source code of the MSC so that it always returns the cause value of our interest, according to whether we want to do a D.o.S or a 2G downgrade attack:

    · Disable the USIM entirely until power-off or USIM removal.
    · Attach requests disable the USIM for packets domain until power-off or USIM removal.
    · Periodic Location Update requests will trigger the UE to attempt GERAN instead.

Once we choose and implement our attack, switch-on the victim mobile (S2) and activate Tobias Engel xgoldmon to detect the attack. Check the following image, how the response to the registration request (the Location Update Reject) is correctly sent to our victim with our reject cause choosen (this example is #14, “Service option temporarily out of order“):

After the LocUp Reject, the victim mobile connects to the 2G network (YateBTS). See bellow how after the RRC message “Location Update Reject“, the mobile starts to use LAPDm and begins the authentication in the 2G network:

But, before switching to 2G network, the registration procedure has asked the victim mobile to identify, by requesting the IMSI. This is the 3G IMSICatching attack, see the “Identity Response” message (IMSI has been removed in the image):

Detection:

CellAnalysis 3G uses active monitoring solutions (in this article xgoldmon), instead of the passive ones as SDR boards used in the 2G fake stations detection, to monitor 3G attacks.

Advantages using active monitoring;

  • ciphering algorithms (UEA) usage
  • authentication parameters and rates

But on the other hand, there is a big disadvantage:

  • one SIM card and device per operator in order to scan all the 3G fake stations

Of course a regulation compliance check is being carried out to determine wether the 3G radio parameters are used accordingly to each country frequency distribution regulation, as in the 2G detection.

CellAnalysis running on GPD Pocket

It all began when I read Simone’s article (@evilsocket) on the Pocket GPD,  I thought it would be a perfect device to pentest radio frecuency, Wifi, BT … and also in which to be able to camouflage CellAnalysis.

My preferred setup is to be used with a rtlsdr dongle and a 2G modem, so I will focus on this hardware.

I received the Windows 10 GPD version (as at the time of writing is the only one available) so first thing to do, is be free:

  • Update the BIOS which can support Ubuntu OS first:

https://mega.nz/#!MN52EChD!n_pgjceHp9hXC-EO51qtUkDncpVXoY_lc1Da0LtgsgM

  • And download the image of Ubuntu 17 already prepared by “nexus511” of his web:

mirror1

mirror2

After writing the image (use “dd” command, you don’t need any GUI or Windows software) to a USB disk, it was installed without any problem in the GPD (screen rotation, partition encrypted, …). Already in Ubuntu, the first thing was to update the apt packages (apt-get update) to install all the dependencies:

-The base software for a RF workstation; HW drivers for rtlsdr,  GNURadio, libosmocore, kalibrate-rtl and GR-GSM. A good reading  recommended is available on the GR-GSM wiki:

https://github.com/ptrkrysik/gr-gsm/wiki/Installation-on-RaspberryPi-3

Although in my case I didn’t install the GNURadio and GR-OsmoSDR packages using apt, I prefer to download from the github;

https://github.com/gnuradio/gnuradio
git: //git.osmocom.org/gr-osmosdr

– Now we only need to install:

Airprobe: https://github.com/pcabreracamara/airprobe
Arfcncalc: http://www.runningserver.com/?page=runningserver.content.download.arfcncalc
Cellanalysis: http://fakebts.com/download/

– Following these steps, you will get the GPD Pocket running with RTLSDR and a 2G modem with cellanalysis, easy to hide and to carry 🙂

CellAnalysis at DefCon DemoLabs

This year I was lucky enough to go for the first time to the DefCon, which was held from July 27th to 30th at the Caesars Hotel in Las Vegas.

In the event, were held the DemoLabs, in which I had the great honor to participate demonstrating and showing the capabilities of CellAnalysis

It was a surprise to see the little use and how the spectrum was distributed in the USA:

In the DemoLab I showed how CellAnalysis can be installed in a RaspberryPi3, using two devices: a 2G modem as a primary device and a RTLSDR dongle as a secondary device: the primary will only scan for 2G cells continuously, while the secondary will scan the broadcast traffic for each detected cell.  This setup will allow very small detection times and can be packed in many ways:

US (Seattle and Milwaukee) Stingray-Detecting Device

Researchers at the University of Washington uses a sensor box, including a GPS module, a GSM cellular modem, a Raspberry Pi, a cellular hotspot, and an Android phone running SnoopSnitch, to collect 2G cells information and detect IMSI catchers, as you can read in the wired.com article.

They identified and mapped out 1,400 cell towers in Seattle, and 700 in Milwaukee, finding anomalies in the Seattle area.

More information can be found in the project web page and their  white-paper.

CellAnalysis 3G and Osmocom 3.5G

For a few years now I’ve focused on improving the unpublished version of CellAnalysis (currently 0.1.10), using it in security audits and trying to know the best way to protect the algorithms of the code in order to publish in the future the full version.

I recently decided to give a new direction to CellAnalysis to be able also to detect the fake 3G cells used to force the victims to use fake 2G stations (downgrade attacks). As initial tool I’m thinking in Xgoldmon, which will allow us to analyze the signaling of a mobile in an active way (we need a SIM card inside), although the goal that I have marked in the long term is to write a GNURadio tool that will allow to monitor broadcast traffic in 3G passively, without the need of a SIM card , using the standard SDR (BladeRF) boards.

On the other hand, I had the great luck to participate in the project to contribute to Osmocom 3G5 to cover the following objectives:

(Short term) Study how to implement in the Osmocom 3G network the following attacks:

3G IMSI Catching attacks, using RRC Connection Request/Reject (Initial UE identity – IMSI)

2G downgrade attacks, based on “Loc.Up.Req” reject codes and “RRC Connection Reject”

(Short term) Use Xgoldmon software adapting CellAnalysis algorithms in order to detect the two previous attacks.

(Long term) Write GNURadio scripts/blocks to decode 3G broadcast traffic, adapting CellAnalysis to detect previous attacks with SDR boards.

I would like to give special thanks to @sysmocom, Osmocom community and the “Accelerate 3g5 program” for their contributions  to this project.

4G/LTE IMSI Catchers

Two papers in a short period of time describe how to implement easy IMSI Catchers in 4G, using OpenLTE, srsLTE or gr-LTE:

– “Easy 4G/LTE IMSI Catchers for Non-Programmers“, Stig F. Mjølsnes and Ruxandra F. Olimid (Norwegian University of Science and Technology, Trondheim)

– “Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems“, Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi and Jean-Pierre Seifert

Although these 4G stations aren’t functional, also can be use to downgrade our mobile to a 2G or 3G fake station using “TAU Reject” code “LTE services not allowed”.

CellAnalysis at BlackHat Arsenal


For the 30th and 31st of March, Black Hat Asia was held in Singapore, where I taught together with Simón Roses the course “Attacking 2G/3G mobile networks, smartphones and apps” and was able to present the Arsenal “CellAnalysis“.

After reviewing some news about fake stations, such as the last one in China to distribute bank malware and other recent attacks, we verify the operation of the application with the different software defined radio boards and compatible phones, analyzing advantages and disadvantages of each one of them to detect the most common attacks. We also presented results of exercises performed in audits in Madrid and Barcelona, analyzing the large amount of information that can be extracted from the files generated by the tool, such as behavior patterns or temporary identities entropy of each 2G/GSM station, in order to detect abnormal behaviors.

In the following days I will update CellAnalysis download link with Singapore version. A real experience been able to share the project in Singapore.