All posts by pedro

CellAnalysis-LTE ready to go!!

We know how hard it is to find time for everything: too many projects and too little time for hacking. So we are offering a briefcase with everything ready to run CellAnalysis-LTE: a complete installation mounted in a case, so that you only have to insert your SIM card and connect the battery to start using it.

The set is composed of three major elements:

  • Raspberry Pi 3 model B, transparent plastic case and heatsinks.
  • Power bank to power the equipment (capacity: 12,000 mAh, output: 5 V / 3 A).
  • Quectel EC20 modem (4G, 3G, 2G and GNSS) on a Sysmocom miniPCIe WWAN modem USB break-out board.

The small details are taken care of, so you do not have to worry about anything: the connectors needed to attach the antennas are fitted on the outside of the case, and we have selected the antennas best suited to this use:

  • SMA omnidirectional 4G/3G/2G antenna, and SMA active GPS antenna with 5 m cable and 28 dB gain.

Finally, we verify by hand that the installation is correct, and we deliver with your briefcase its documentation, including the credentials of the configured users and the Wi-Fi network it connects to.

As for the software, the equipment ships with Raspbian, the free version of CellAnalysis-LTE and, of course, everything needed for it to run. To thank you for your contribution to the project, we also include a script that generates an HTML map from your output files, so that you can see in a web browser the cells your modem has connected to, as well as any alarms that were raised.

Connecting to the RPi3

With your briefcase you will receive a document with the credentials of the users that were created, and the default Wi-Fi network the equipment connects to. The Raspberry Pi 3 uses its internal Wi-Fi interface to join that network. Change those default passwords on first login: they are delivered in the documentation that travels with the case.

If you prefer not to connect to the device over Wi-Fi, you can also remove the SD card from the Raspberry Pi 3, insert it in a reader and mount the file system to make your changes. ATTENTION: do this with the Pi powered off, unmount cleanly before removing the card, and be sure of every change you make, because a mistake here can leave the file system unbootable. For that reason we recommend the Wi-Fi method for editing files on the equipment in the case.

If you tell us which operator's SIM card you will use in the briefcase modem, we will set for you the only variable you would otherwise have to adjust on arrival: the operator's APN connection string. In that case, when you receive the briefcase you only have to connect the battery to start collecting data.

Heatmaps

As a thank you for your contribution to our project, next to the CellAnalysis-LTE scripts you will find an HTML map generator (maps based on OpenStreetMap). Run it by hand to visualise the cells your briefcase connected to during a trip, together with any alarms that were raised.

Availability and price

We are preparing the first 10 units, and from today you can order your briefcase with a special launch offer. We estimate this first batch will be ready in about two weeks; we will keep you informed. Once all the material has arrived and you have confirmed your order, we assemble the items in your briefcase, check that it works correctly, and send it by registered post to your delivery address.

The price of each briefcase is €850.00 (21% VAT not included). During this month of December you can take advantage of the launch promotion and get your briefcase for €750.00 (21% VAT not included).

Shipping costs are calculated once we have received your order, and you can check them before finally accepting the purchase.

Payment is by PayPal only.

If you want to reserve one of the first 10 cases, write to pedro.cabrera at fakebts.com with your contact details so that we can process your order.

IMSICatching attacks on 4G networks (part 2)

Some time ago I wrote about IMSI-catching attacks on 3G, and in an earlier article about the published studies on these attacks against 4G networks. I have finally found the time to write about these attacks on 4G and, of course, about their detection.

When looking for SDR solutions to build our own 4G network we currently have three options for the lab: OpenLTE, OpenAirInterface and srsLTE. In this case I built the lab with a USRP B200 and srsLTE.

The EPC (srsepc) runs a modified version of the code so that UEs end up sending their "Attach" request identified by IMSI: a UE that attaches with a temporary identity (GUTI) is asked for its IMSI with an Identity Request, which the standard lets it answer before any authentication has taken place, as the lab capture shows.

Once we have the victim's IMSI, just as we saw in the previous article about these attacks on 3G, we could go on modifying the SDR-based 4G network code to deny the 4G service entirely, forcing the phone to look for another cell on the 3G or 2G frequencies. Or we can do nothing more and simply keep collecting IMSIs from new victims, the typical fast and effective IMSI-catching attack.

Detection:

How can we detect these intrusions? I keep using the active approach rather than the passive sniffing used for 2G. With 4G modems, capturing the signaling lets us analyse all of these situations and, at the same time, monitor the security parameters of our mobile operator (identity requests, reject causes, the ciphering and integrity algorithms selected), but it requires a valid SIM card in the modem, so the probe only sees the network that SIM camps on. xgoldmon or SCAT (Signaling Collection and Analysis Tool) are also valid candidates.

CellAnalysis 3G & 4G will be released soon, so stay tuned.

YateBTS rogue station running at RSA Conference 2018

It doesn't look like an IMSI-catching attack; it looks much more like a misconfiguration: someone playing with YateBTS on a laptop with a BladeRF plugged in, who forgot to disable (or edit out in the source) the welcome SMS, so that everyone who walked near this YateBTS station at the RSA Conference received a welcome SMS like the one shown above.

@s7ephen's tweet about this message:

David Burgess (who started the OpenBTS project years ago with Harvind Samra) wrote his own note on the YateBTS web page about this strange rogue tower:

The ‘rogue GSM tower’ episode and Cambridge Analytica: why ethics matters to technology

This RSA edition will probably be remembered for the attendee data leak (article on theregister.co.uk), but this GSM station broadcasting welcome SMS messages is also quite interesting.

Pedro

DHS acknowledges unauthorized foreign Stingray use in Washington D.C.

Hi all,

Once again, Washington D.C. But this is believed to be the first time the U.S. government has publicly acknowledged such devices in Washington, according to The Associated Press.

I look forward to visiting Washington D.C. with my CellAnalysis laptop or, better still, deploying probes around the city to trace these mysterious devices.

The story has been covered by several news sites:

[npr] Feds Say They’ve Detected Apparent Rogue Spy Devices In D.C.

[foxnews] Homeland Security finds suspected phone surveillance devices in Washington

[scmagazine] DHS acknowledges unauthorized foreign Stingray use in Washington D.C.

[cnet] Homeland Security has detected phone spying devices in DC

Stay tuned for more fake station news and CellAnalysis new versions.

Pedro

Canada: Toronto police admit they use Stingray

Image source: https://www.thestar.com/content/dam/thestar/news/gta/2018/03/05/two-years-after-they-said-they-didnt-toronto-police-admit-they-use-stingray-cellphone-snooping-device/ci_stingray_police.jpg.size.custom.crop.579×650.jpg

Quote from the article: “After denying use of the controversial technology, documents obtained by the Star show that the Toronto Police Service has used the cellphone data-capturing device known as an IMSI catcher, or Stingray, in five separate investigations.”

This new article from thestar.com reveals new use cases by the Toronto Police.

Read the full article here.

IMSICatching attacks on 3G networks (part 1)

In June of this year I announced CellAnalysis' participation in the Sysmocom Accelerate 3g5 program to detect 3G IMSI-catching attacks. This article describes the first steps: studying the 3G attacks on the Osmocom infrastructure and the basic detection principles being implemented in CellAnalysis 3G.

Lab infrastructure:

Following the steps in the Getting_Started_with_3G tutorial we set up the 3G network, but we will modify the MSC source code. We do not need to add any subscriber to the HLR/AuC database, since we are not going to deliver a 3G service to our victims: the phone's attempt to register in our 3G network will always be rejected, so that it downgrades to 2G, in the same way as we saw in 4G (4G / LTE IMSI Catchers). In this first article we use the "Location Updating Reject" attack, with the different reject causes that force the phone to register in the 2G network (the downgrade attack).

Implementation:

3G

  • femtocell nano3G (Sysmocom)
  • Osmocom 3G network, running on Ubuntu 14 (Intel Core i5 4200U 1.6 GHz, 8 GB RAM)

2G

  • BladeRF x40
  • YateBTS, 2G network running on Ubuntu 16 (Intel Atom 1.6 GHz, 8 GB RAM)

Once the 3G network is configured following the Getting Started tutorial, it is worth verifying that the 3G cell is transmitting correctly on UARFCN 9800 (the default channel, i.e. a 1960 MHz downlink in UMTS Band II).

To implement our custom reject cause we must modify the MSC source code to overwrite the reject cause in the response to the "Location Updating Request". Normally the reject cause would be #2 "IMSI unknown in HLR", since we have provisioned no subscriber in our HLR, or #3 "Illegal MS" if we add only the victim's IMSI to the HLR SQLite database but not its authentication values. The MSC source has to be changed so that it always returns the cause value we are interested in, depending on whether we want a DoS or a 2G downgrade attack; 3GPP TS 24.008 defines what the phone does on each cause:

  • Some causes disable the USIM entirely until power-off or USIM removal.
  • On attach requests, some causes disable the USIM for the packet domain until power-off or USIM removal.
  • Other causes make the periodic location update trigger the UE to attempt GERAN instead.

Once we have chosen and implemented our attack, we switch on the victim phone (S2) and start Tobias Engel's xgoldmon to observe the attack. The following capture shows how the response to the registration request (the Location Updating Reject) is correctly sent to our victim with the reject cause we chose (in this example "Service option temporarily out of order", cause #34):

After the Location Updating Reject, the victim phone connects to the 2G network (YateBTS). Below you can see how, right after the "Location Updating Reject", the phone starts using LAPDm and begins authentication in the 2G network:

But before moving to the 2G network, the registration procedure had already asked the victim phone to identify itself with an Identity Request for the IMSI, which the phone answers in clear before any authentication. This is the 3G IMSI-catching attack; see the "Identity Response" message (the IMSI has been removed from the image):

Detection:

CellAnalysis 3G monitors 3G attacks with active solutions (in this article xgoldmon), rather than the passive ones, SDR boards, used to detect 2G fake stations.

Advantages of active monitoring:

  • visibility of the ciphering algorithm (UEA) in use
  • visibility of the authentication parameters and how often authentication is performed

But there is a big disadvantage:

  • the probe only sees the network its SIM is registered on, so one SIM card and one device per operator are needed to scan for all the 3G fake stations
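The checks that this active monitoring makes possible, over the 4G exchange from part 2 (Attach Request, Identity Request for the IMSI, Attach Reject) and the 3G exchange above (Location Updating Request, Identity Request, Location Updating Reject), as an added Python example that is not CellAnalysis, xgoldmon or SCAT code. It assumes the probe already delivers plain NAS PDUs with their direction; the message-type values and field offsets are those of 3GPP TS 24.301 and TS 24.008, the reject-cause descriptions are condensed from those specifications, and the three captures are constructed:

```python
"""Checks over captured NAS signaling: LTE EMM (4G, part 2) and UMTS MM (3G, part 1).

Added example, not CellAnalysis, xgoldmon or SCAT code. Input is what an active probe
hands over: plain NAS PDUs (RRC transport stripped) with their direction. Only the
message types the checks need are decoded; offsets follow 3GPP TS 24.301 (EMM) and
TS 24.008 (MM). All captures below are constructed, using the test PLMN 001/01.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PD_MM, PD_EMM, ID_IMSI = 0x05, 0x07, 1         # protocol discriminators; IMSI identity type
REJECTS = {"Attach Reject", "TAU Reject", "Location Updating Reject"}
EMM = {0x52: "auth", 0x55: "idreq", 0x56: "idresp", 0x5D: "smc",   # message type -> role
       0x44: "Attach Reject", 0x4B: "TAU Reject"}
MM = {0x12: "auth", 0x18: "idreq", 0x19: "idresp", 0x04: "Location Updating Reject"}
# Reject causes whose effect on the phone is what a catcher wants (TS 24.301 5.5.1.2.5, TS 24.008 4.4.4.7)
EMM_CAUSES = {3: "Illegal UE: USIM invalid until power-off or removal",
              7: "EPS services not allowed: USIM invalid for EPS, CS traffic moves to 2G/3G",
              15: "No suitable cells in tracking area: UE searches another TA or RAT"}
MM_CAUSES = {2: "IMSI unknown in HLR: USIM invalid for CS until power-off or removal",
             3: "Illegal MS: USIM invalid for CS and PS until power-off or removal",
             34: "Service option temporarily out of order: abnormal case, MS retries then reselects"}


@dataclass
class Alarm:
    severity: str   # "notice" or "alarm"
    rule: str
    detail: str


def parse_nas(pdu: bytes) -> Optional[Tuple[dict, str, bytes]]:
    """Return (message table, role, octets after the message type), or None if not of interest."""
    if (pdu[0] & 0x0F) == PD_EMM:
        sht = pdu[0] >> 4                        # security header type
        if sht == 0x0C:                          # Service Request: no plain message inside
            return None
        if sht:                                  # protected: skip header, 4-octet MAC and sequence number
            pdu = pdu[6:]
        table = EMM
    elif (pdu[0] & 0x0F) == PD_MM:
        table = MM
    else:
        return None
    if len(pdu) < 3:
        return None
    role = table.get(pdu[1] & 0x3F if table is MM else pdu[1])   # MM uplink keeps N(SD) in bits 7-8
    return (table, role, pdu[2:]) if role else None


def decode_mobile_identity(mi: bytes) -> Tuple[int, str]:
    """Mobile Identity IE (TS 24.008 10.5.1.4): type in bits 1-3, odd/even flag in bit 4, BCD digits."""
    digits = [str(mi[0] >> 4)]
    for b in mi[1:]:
        digits += [str(b & 0x0F), str(b >> 4)]
    if not (mi[0] >> 3) & 1:                     # even digit count: last nibble is 0xF filler
        digits.pop()
    return mi[0] & 0x07, "".join(digits)


def analyse(capture: List[Tuple[str, bytes]]) -> List[Alarm]:
    """capture: ("DL"|"UL", nas_pdu) pairs in on-air order for one registration attempt."""
    alarms, authenticated, imsi = [], False, None
    for direction, raw in capture:
        parsed = parse_nas(raw)
        if parsed is None:
            continue
        table, role, body = parsed
        if role == "auth" and direction == "DL":
            authenticated = True
        elif role == "idreq" and direction == "DL" and (body[0] & 0x0F) == ID_IMSI:
            if not authenticated:                # normal on a first attach, so only a notice by itself
                alarms.append(Alarm("notice", "IMSI_REQUESTED", "IMSI requested before authentication"))
        elif role == "idresp" and direction == "UL":
            id_type, digits = decode_mobile_identity(body[1:1 + body[0]])
            imsi = digits if id_type == ID_IMSI else imsi
        elif role == "smc" and direction == "DL":
            eea, eia = (body[0] >> 4) & 0x07, body[0] & 0x07   # selected NAS algorithms, bits 7-5 / 3-1
            if eea == 0 or eia == 0:
                alarms.append(Alarm("alarm", "NULL_SECURITY", f"Security Mode Command selects EEA{eea}/EIA{eia}"))
        elif role in REJECTS and direction == "DL":
            causes = EMM_CAUSES if table is EMM else MM_CAUSES
            if body[0] in causes:
                alarms.append(Alarm("alarm", "REJECT_DOWNGRADE", f"{role} #{body[0]}: {causes[body[0]]}"))
            if imsi and not authenticated:       # the catcher signature: IMSI harvested, then thrown out
                alarms.append(Alarm("alarm", "IMSI_CATCH", f"IMSI {imsi[:5]}... disclosed, then {role}"))
    return alarms


IMSI_RESP = bytes.fromhex("08 09 10 10 10 32 54 76 98")           # length + Mobile Identity IE, IMSI 001010123456789
LTE_CATCHER = [("UL", bytes.fromhex("07 41 71")), ("DL", bytes.fromhex("07 55 01")),   # Attach Req, Identity Req (IMSI)
               ("UL", bytes.fromhex("07 56") + IMSI_RESP), ("DL", bytes.fromhex("07 44 07"))]  # Identity Resp, Attach Reject #7
LTE_GENUINE = [("UL", bytes.fromhex("07 41 71")), ("DL", bytes.fromhex("07 52 00")),   # Attach Req, Authentication Req
               ("DL", bytes.fromhex("37 00000000 00 07 5D 22")),   # protected Security Mode Command: EEA2/EIA2
               ("DL", bytes.fromhex("27 00000000 01 07 55 03"))]   # protected Identity Request: IMEISV, not IMSI
UMTS_CATCHER = [("UL", bytes.fromhex("05 08 00")), ("DL", bytes.fromhex("05 18 01")),  # LU Req, Identity Req (IMSI)
                ("UL", bytes.fromhex("05 19") + IMSI_RESP), ("DL", bytes.fromhex("05 04 22"))]  # Identity Resp, LU Reject #34

if __name__ == "__main__":
    for name, cap in [("LTE catcher", LTE_CATCHER), ("LTE genuine", LTE_GENUINE), ("UMTS catcher", UMTS_CATCHER)]:
        print(name, [(a.severity, a.rule, a.detail) for a in analyse(cap)])
```

The IMSI request on its own is only a notice, because a genuine network has to ask for it on a first attach; what raises the alarm is the IMSI being disclosed and the phone then being rejected with no authentication in between, or a reject cause that pushes it off the network. EEA0 is flagged because an operator that negotiates it is worth knowing about, even though the standard allows it.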

Of course, a regulatory compliance check is also carried out to determine whether the 3G radio parameters conform to each country's frequency allocation, as in the 2G detection.
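The compliance check needs to turn the channel number a cell broadcasts into a frequency and a band before it can be compared with the country's allocation. An added Python example, not arfcncalc or CellAnalysis code: the GSM and UMTS channel formulas are those of 3GPP TS 45.005 and TS 25.101, the UMTS band list is limited to Bands I, II and VIII, and the ALLOWED table of which bands a regulator assigned is a constructed illustration, not a real allocation. The awkward case it handles is ARFCN 512 to 810, which is DCS-1800 in one region and PCS-1900 in another, so the country decides how it is read:

```python
"""ARFCN / UARFCN to carrier frequency and band, with a per-country allocation check.

Added example, not arfcncalc or CellAnalysis code. The channel formulas are the ones
in 3GPP TS 45.005 (GSM) and TS 25.101 (UMTS FDD: downlink = FDL_Offset + 0.2 MHz x UARFCN).
The ALLOWED table is a constructed illustration of a regulator's assignments, not any
country's real one.
"""
from typing import Optional, Tuple

# (band, first ARFCN, last ARFCN, uplink MHz at first ARFCN, duplex spacing MHz)
GSM_BANDS = [
    ("GSM-850", 128, 251, 824.2, 45.0),
    ("GSM-900", 0, 124, 890.0, 45.0),
    ("E-GSM-900", 975, 1023, 880.2, 45.0),
    ("DCS-1800", 512, 885, 1710.2, 95.0),
    ("PCS-1900", 512, 810, 1850.2, 80.0),     # same ARFCN numbers as DCS-1800: the region decides
]
# (band, first downlink UARFCN, last, FDL_Offset MHz, duplex spacing MHz)
UMTS_BANDS = [
    ("UMTS Band I (2100)", 10562, 10838, 0.0, 190.0),
    ("UMTS Band II (1900)", 9662, 9938, 0.0, 80.0),
    ("UMTS Band VIII (900)", 2937, 3088, 340.0, 45.0),
]
# Constructed: which bands each regulator has assigned to mobile operators.
ALLOWED = {
    "ES": {"GSM-900", "E-GSM-900", "DCS-1800", "UMTS Band I (2100)", "UMTS Band VIII (900)"},
    "US": {"GSM-850", "PCS-1900", "UMTS Band II (1900)"},
}


def gsm_arfcn_to_freq(arfcn: int, pcs: bool = False) -> Optional[Tuple[str, float, float]]:
    """(band, uplink MHz, downlink MHz) for a GSM ARFCN; pcs picks PCS-1900 over DCS-1800 for 512-810."""
    for band, first, last, ul_base, duplex in GSM_BANDS:
        if band == ("DCS-1800" if pcs else "PCS-1900"):
            continue
        if first <= arfcn <= last:
            ul = round(ul_base + 0.2 * (arfcn - first), 1)
            return band, ul, round(ul + duplex, 1)
    return None


def uarfcn_to_freq(uarfcn: int) -> Optional[Tuple[str, float, float]]:
    """(band, uplink MHz, downlink MHz) for a UMTS FDD downlink UARFCN."""
    for band, first, last, offset, duplex in UMTS_BANDS:
        if first <= uarfcn <= last:
            dl = round(offset + 0.2 * uarfcn, 1)
            return band, round(dl - duplex, 1), dl
    return None


def check_cell(country: str, rat: str, channel: int) -> Tuple[str, Optional[float], bool]:
    """(band, downlink MHz, allowed?) for a cell seen on `channel` in `country`.

    A cell on a band the regulator never assigned is flagged by the frequency check
    alone, independently of anything in the cell's own signaling.
    """
    allowed = ALLOWED[country]
    if rat == "GSM":   # resolve the DCS/PCS overlap from what the country actually uses
        hit = gsm_arfcn_to_freq(channel, pcs="PCS-1900" in allowed and "DCS-1800" not in allowed)
    elif rat == "UMTS":
        hit = uarfcn_to_freq(channel)
    else:
        raise ValueError(f"unknown RAT {rat}")
    if hit is None:
        return "unknown", None, False
    band, _ul, dl = hit
    return band, dl, band in allowed


if __name__ == "__main__":
    for country, rat, ch in [("ES", "GSM", 600), ("US", "GSM", 600), ("ES", "GSM", 160),
                             ("US", "UMTS", 9800), ("ES", "UMTS", 9800), ("ES", "GSM", 2000)]:
        print(country, rat, ch, "->", check_cell(country, rat, ch))
```

ARFCN 600 resolves to DCS-1800 (1822.8 MHz downlink) for a Spanish probe and to PCS-1900 (1947.8 MHz) for a US one; a GSM-850 cell (ARFCN 160) or a UMTS Band II cell (UARFCN 9800, the lab's channel) seen in Spain fails the check, because no operator there is assigned those bands.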

CellAnalysis running on GPD Pocket

It all began when I read Simone's (@evilsocket) article on the GPD Pocket. I thought it would be the perfect device for pentesting radio frequency, Wi-Fi, BT... and also one in which CellAnalysis could be camouflaged.

My preferred setup is an RTL-SDR dongle plus a 2G modem, so I will focus on this hardware.

I received the Windows 10 GPD version (at the time of writing the only one available), so the first thing to do is to free it:

  • First, update the BIOS to a version that can boot Ubuntu:

https://mega.nz/#!MN52EChD!n_pgjceHp9hXC-EO51qtUkDncpVXoY_lc1Da0LtgsgM

  • Then download the Ubuntu 17 image already prepared by "nexus511" from his site:

mirror1

mirror2

After writing the image to a USB disk (use the dd command; no GUI or Windows software is needed), it installed on the GPD without any problem (screen rotation, encrypted partition, ...). Once in Ubuntu, the first thing was to refresh the apt package lists (apt-get update) to install all the dependencies:

- The base software for an RF workstation: the RTL-SDR drivers, GNU Radio, libosmocore, kalibrate-rtl and gr-gsm. A recommended read is the gr-gsm wiki:

https://github.com/ptrkrysik/gr-gsm/wiki/Installation-on-RaspberryPi-3

In my case I did not install the GNU Radio and gr-osmosdr packages with apt; I prefer to build them from git:

https://github.com/gnuradio/gnuradio
git://git.osmocom.org/gr-osmosdr

– Now we only need to install:

Airprobe: https://github.com/pcabreracamara/airprobe
Arfcncalc: http://www.runningserver.com/?page=runningserver.content.download.arfcncalc
Cellanalysis: http://fakebts.com/download/

- Following these steps you get a GPD Pocket running CellAnalysis with an RTL-SDR and a 2G modem, easy to hide and to carry 🙂

CellAnalysis at DefCon DemoLabs

This year I was lucky enough to attend DefCon for the first time, held from July 27th to 30th at Caesars in Las Vegas.

At the event, the DemoLabs were held, in which I had the great honour of participating, demonstrating the capabilities of CellAnalysis.

It was a surprise to see how little use there was and how the spectrum was distributed in the USA.

In the DemoLab I showed how CellAnalysis can be installed on a Raspberry Pi 3 using two devices: a 2G modem as the primary device and an RTL-SDR dongle as the secondary. The primary only scans for 2G cells continuously, while the secondary decodes the broadcast traffic of each detected cell. This setup gives very short detection times and can be packaged in many ways.

US (Seattle and Milwaukee) Stingray-Detecting Device

Researchers at the University of Washington use a sensor box, including a GPS module, a GSM cellular modem, a Raspberry Pi, a cellular hotspot and an Android phone running SnoopSnitch, to collect 2G cell information and detect IMSI catchers, as you can read in the wired.com article.

They identified and mapped 1,400 cell towers in Seattle and 700 in Milwaukee, finding anomalies in the Seattle area.

More information can be found on the project web page and in their white paper.

CellAnalysis 3G and Osmocom 3.5G

For a few years now I have focused on improving the unpublished version of CellAnalysis (currently 0.1.10), using it in security audits and looking for the best way to protect the algorithms in the code, in order to publish the full version in the future.

I recently decided to give CellAnalysis a new direction: to also detect the fake 3G cells used to force victims onto fake 2G stations (downgrade attacks). As the initial tool I am thinking of xgoldmon, which lets us analyse a phone's signaling actively (a SIM card is needed inside), although my long-term goal is to write a GNU Radio tool that monitors 3G broadcast traffic passively, without a SIM card, using standard SDR boards (BladeRF).

On the other hand, I was lucky enough to join the Osmocom 3G5 project, with the following objectives:

(Short term) Study how to implement the following attacks in the Osmocom 3G network:

  • 3G IMSI catching, using RRC Connection Request/Reject (Initial UE identity: IMSI)
  • 2G downgrade attacks, based on "Location Updating Request" reject causes and "RRC Connection Reject"

(Short term) Use the xgoldmon software, adapting the CellAnalysis algorithms, to detect the two previous attacks.

(Long term) Write GNU Radio scripts/blocks to decode 3G broadcast traffic, adapting CellAnalysis to detect the previous attacks with SDR boards.

I would like to give special thanks to @sysmocom, the Osmocom community and the Accelerate 3g5 program for their contributions to this project.