For a few years now I’ve focused on improving the unpublished version of CellAnalysis (currently 0.1.10), using it in security audits and trying to know the best way to protect the algorithms of the code in order to publish in the future the full version.
I recently decided to give a new direction to CellAnalysis to be able also to detect the fake 3G cells used to force the victims to use fake 2G stations (downgrade attacks). As initial tool I’m thinking in Xgoldmon, which will allow us to analyze the signaling of a mobile in an active way (we need a SIM card inside), although the goal that I have marked in the long term is to write a GNURadio tool that will allow to monitor broadcast traffic in 3G passively, without the need of a SIM card , using the standard SDR (BladeRF) boards.
On the other hand, I had the great luck to participate in the project to contribute to Osmocom 3G5 to cover the following objectives:
(Short term) Study how to implement in the Osmocom 3G network the following attacks:
For the 30th and 31st of March, Black Hat Asia was held in Singapore, where I taught together with Simón Roses the course “Attacking 2G/3G mobile networks, smartphones and apps” and was able to present the Arsenal “CellAnalysis“.
After reviewing some news about fake stations, such as the last one in China to distribute bank malware and other recent attacks, we verify the operation of the application with the different software defined radio boards and compatible phones, analyzing advantages and disadvantages of each one of them to detect the most common attacks. We also presented results of exercises performed in audits in Madrid and Barcelona, analyzing the large amount of information that can be extracted from the files generated by the tool, such as behavior patterns or temporary identities entropy of each 2G/GSM station, in order to detect abnormal behaviors.
In the following days I will update CellAnalysis download link with Singapore version. A real experience been able to share the project in Singapore.
Is far from the intention of this project focusing on creating attacks or disclosure of the methods to achieve, but it is clear that when you want to detect attacks, You should study them to understand and get ahead or warn them.
By way of introduction I have prepared this short article for those who want to know what a false station (also called BTS or Fake IMSI Catcher). In the DefCon security event 18, Chris Paget we illustrated in his talk entitled “PRACTICAL CELLPHONE SPYING”, how to steal the identity of subscribers to a GSM network by creating a false cell using a USRP as hardware for transmitting and receiving terminals to a Linux computer and OpenBTS and Asterisk to set the cell and allow calls to victims.
This is the video of the talk:
A year later (2011) our compatriots Jose Perez David Stang and exposed at Blackhat DC security conference 2011 how to apply the same attack but networks GPRS / EDGE, afectanto even UMTS / HSPA: