Category Archives: 4G

CellAnalysis-LTE ready to go!!

Update 2022: Quectel EC20 has been discontinued by the manufacturer, so it is no longer available.

We know how hard it is to find time for everything: too many projects and too little time for hacking. For that reason we are offering a briefcase with everything needed to run CellAnalysis-LTE, a complete installation mounted in a case, so that you only have to insert your SIM card and connect the battery to start using it.

The set is composed of three major elements:

  • Raspberry Pi 3 Model B with transparent plastic case and heatsinks.
  • Power bank to power the equipment (capacity: 12,000 mAh; output: 5 V / 3 A).
  • Quectel EC20 modem (4G, 3G, 2G and GNSS) mounted on a Sysmocom miniPCIe WWAN modem USB break-out board.

The small details are taken care of so that you do not have to worry about anything: the necessary connectors are installed in the case so that the antennas can be connected on the outside, and we have selected the most suitable antennas for this use:

  • SMA omnidirectional 4G/3G/2G antenna, and an SMA active GPS antenna with a 5 m cable and 28 dB gain.

Finally, we verify manually that the installation is correct and deliver the documentation of your briefcase together with the credentials of the users created on the system and the Wi-Fi network it connects to.

As for software, the equipment is delivered with Raspbian, the free version of CellAnalysis-LTE and everything needed for it to run correctly. As a thank-you for your contribution to the project, we also include on the device a script that generates an HTML map from your output files, so you can view in a web browser the cells your modem has connected to and any alarms that were raised:

Connecting to the RPi3

Together with the briefcase you will receive a document with the credentials of the users created on the system, as well as the default Wi-Fi network the equipment will connect to. The Raspberry Pi 3 uses its internal Wi-Fi interface to connect to the configured network.

If you prefer not to connect to the device over Wi-Fi, you can also remove the SD card from the Raspberry Pi 3, insert it in a card reader and mount its file system to make the necessary changes. ATTENTION: be aware at all times of the changes you are making, because a mistake can seriously damage the file system; shut the Pi down cleanly before removing the card, and unmount the card before pulling it from the reader. For this reason we recommend the Wi-Fi method for editing files on the equipment in the case.

If you tell us the operator of the SIM card you will use in the briefcase modem, we will set the only variable you would otherwise need to adjust on receipt: the operator's APN connection string. In that case, when you receive the briefcase you only have to connect the battery to start analyzing.

Heatmaps

As a thank-you for your contribution to our project, next to the CellAnalysis-LTE scripts you will find an HTML map generator (maps based on OpenStreetMap). Running this generator manually lets you visualize the cells your briefcase connected to during your journey and any alarms that were raised:

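To show what such a generator does, here is an added example (not the CellAnalysis-LTE script shipped with the briefcase) that turns cell-log records into a standalone Leaflet page using OpenStreetMap tiles, coloring alarmed cells red. The CSV layout, the sample rows and the field names are assumptions made for the example; the real output format is not described on this page. The one detail worth copying is that text taken from the log is escaped before it is embedded in the page, since a cell name or alarm string ends up inside a script tag and inside a popup rendered as HTML.

```python
"""Generate a standalone Leaflet/OpenStreetMap HTML map from cell-log records.

Added example, not the CellAnalysis-LTE generator itself. The CSV layout below
is hypothetical: the real output format is not described on this page."""
import csv
import html
import io
import json

# Constructed sample input in the hypothetical layout (not real captures).
SAMPLE_LOG = """timestamp,mcc,mnc,tac,cell_id,pci,rsrp_dbm,lat,lon,alarm
2019-05-02T10:01:12,214,01,1201,34567,101,-88,40.4170,-3.7030,
2019-05-02T10:03:40,214,01,1201,34568,102,-91,40.4185,-3.7050,
2019-05-02T10:05:03,214,01,9999,77001,250,-55,40.4192,-3.7064,unknown TAC with unusually strong signal
"""

TEMPLATE = """<!DOCTYPE html><html><head><meta charset="utf-8"><title>CellAnalysis-LTE track</title>
<link rel="stylesheet" href="https://unpkg.com/leaflet@1.9.4/dist/leaflet.css">
<script src="https://unpkg.com/leaflet@1.9.4/dist/leaflet.js"></script>
<style>html,body,#map{height:100%;margin:0}</style></head><body><div id="map"></div>
<script>
var records = __DATA__;
var map = L.map('map').setView([__LAT__, __LON__], 14);
L.tileLayer('https://tile.openstreetmap.org/{z}/{x}/{y}.png',
            {attribution: '&copy; OpenStreetMap contributors'}).addTo(map);
records.forEach(function (r) {
  L.circleMarker([r.lat, r.lon], {radius: 8, color: r.alarm ? 'red' : 'blue'})
   .addTo(map).bindPopup(r.popup);
});
</script></body></html>
"""


def parse_records(text):
    """Parse CSV log text into dicts; an empty alarm column means no alarm."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        alarm = (row["alarm"] or "").strip() or None
        cell = f'{row["mcc"]}-{row["mnc"]}-TAC {row["tac"]}-CI {row["cell_id"]}'
        # The popup is rendered as HTML by Leaflet, so escape everything taken from the log.
        popup = (f'{html.escape(row["timestamp"])}<br>{html.escape(cell)}'
                 f'<br>PCI {int(row["pci"])}, RSRP {int(row["rsrp_dbm"])} dBm')
        if alarm:
            popup += f'<br><b>ALARM:</b> {html.escape(alarm)}'
        records.append({"lat": float(row["lat"]), "lon": float(row["lon"]),
                        "cell": cell, "alarm": alarm, "popup": popup})
    return records


def records_json(records):
    """JSON for embedding inside <script>: escape '<' so log text cannot close the tag."""
    return json.dumps(records).replace("<", "\\u003c")


def build_map_html(records):
    """Return the complete HTML page, centred on the mean position of the track."""
    if not records:
        raise ValueError("no records to plot")
    lat = sum(r["lat"] for r in records) / len(records)
    lon = sum(r["lon"] for r in records) / len(records)
    return (TEMPLATE.replace("__DATA__", records_json(records))
                    .replace("__LAT__", f"{lat:.6f}")
                    .replace("__LON__", f"{lon:.6f}"))


def write_map(path, text=SAMPLE_LOG):
    """Write the map for the given CSV text and return the number of records plotted."""
    records = parse_records(text)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(build_map_html(records))
    return len(records)


if __name__ == "__main__":
    print(write_map("cells.html"), "records written to cells.html")
```

Run it and open cells.html in a browser; the page loads Leaflet and the tiles from the network, but the data itself is embedded, so the file can be copied off the Pi and viewed anywhere.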

IMSICatching attacks on 4G networks (part 2)

Some time ago I wrote about IMSI-catching attacks on 3G networks and, in an earlier article, about the published studies on these attacks in 4G networks. I have finally found enough time to write about these attacks in 4G and, of course, about their detection.


When looking for SDR solutions to build our own 4G network, we currently have three options for the laboratory: OpenLTE, OpenAirInterface and srsLTE. In this case I built the laboratory with a USRP B200 and srsLTE:

The EPC (srsepc) runs a modified version of the code so that client devices identify themselves with their IMSI during the Attach procedure, as can be seen in the following image. This relies on standard behaviour rather than on a bug: before NAS security is activated, the network may answer an Attach Request that carries a GUTI with an Identity Request for the IMSI, and the UE sends its IMSI in clear in the Identity Response (3GPP TS 24.301):

Once we have obtained the victim's IMSI we could, as we saw in the previous article on these attacks in 3G, keep modifying the code of the SDR-based 4G network to degrade 4G service completely, forcing the phone to look for another cell on 3G or 2G frequencies. Or we could simply do nothing else and keep collecting IMSIs from new victims: a typical fast and effective IMSI-catching attack.

Detection:

How can we detect these intrusions? I continue to use the active approach rather than passive 2G sniffing. Using 4G modems and capturing the signaling, we can analyze all these situations and, at the same time, monitor our mobile operator's security parameters; this, however, requires a valid SIM card in the modem. Xgoldmon or SCAT (Signaling Collection and Analysis Tool) are also valid candidates for capturing that signaling.
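The exchange described above, as an added example that is not srsLTE, srsepc or CellAnalysis code: encoding the plain EMM Identity Request a rogue MME sends, encoding and decoding the Identity Response in which the UE returns its IMSI in clear (Mobile Identity IE coding per 3GPP TS 24.008, EMM message types per TS 24.301), and the detector rule a modem-based tool would apply to a captured downlink NAS trace. The test IMSI 001010123456789 (test PLMN 001/01) and the trace bytes are constructed; real modem captures are delivered by tools such as SCAT in their own container formats, which this example does not parse.

```python
"""Encode and decode the plain EMM IDENTITY REQUEST / IDENTITY RESPONSE exchange
that an LTE IMSI catcher uses, and flag it in a downlink NAS trace.

Added example, not srsLTE/srsepc or CellAnalysis code. Byte layouts follow
3GPP TS 24.301 (EMM) and TS 24.008 (Mobile Identity / Identity type IEs)."""

EMM_PLAIN = 0x07            # security header type 0 (plain) + protocol discriminator 7 (EMM)
IDENTITY_REQUEST = 0x55
IDENTITY_RESPONSE = 0x56
IDTYPE_IMSI, IDTYPE_IMEI, IDTYPE_IMEISV, IDTYPE_TMSI = 1, 2, 3, 4


def encode_identity_request(identity_type=IDTYPE_IMSI):
    """What the rogue MME sends: plain EMM header, message type, Identity type 2 half octet."""
    return bytes([EMM_PLAIN, IDENTITY_REQUEST, identity_type & 0x0F])


def encode_mobile_identity_imsi(imsi):
    """Mobile Identity IE value: digit 1 | odd/even bit | type of identity (001 = IMSI),
    then the remaining digits packed two per octet, low nibble first, 0xF filler if even."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    digits = [int(d) for d in imsi]
    odd = len(digits) % 2
    out = bytearray([(digits[0] << 4) | (odd << 3) | IDTYPE_IMSI])
    rest = digits[1:] + ([] if odd else [0xF])
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((hi << 4) | lo)
    return bytes(out)


def decode_mobile_identity(value):
    """Inverse of the above; returns (type_of_identity, digit string)."""
    type_of_identity = value[0] & 0x07
    odd = (value[0] >> 3) & 1
    digits = [value[0] >> 4]
    for b in value[1:]:
        digits += [b & 0x0F, b >> 4]
    if not odd:
        digits.pop()                      # drop the 0xF filler
    return type_of_identity, "".join(str(d) for d in digits)


def encode_identity_response(imsi):
    """What the UE answers, in clear, before any NAS security exists: LV-coded Mobile Identity."""
    mi = encode_mobile_identity_imsi(imsi)
    return bytes([EMM_PLAIN, IDENTITY_RESPONSE, len(mi)]) + mi


def parse_emm(msg):
    """Minimal EMM parser. Integrity-protected messages (security header != 0) wrap the
    plain message behind a MAC and sequence number and are not unwrapped here."""
    if len(msg) < 2 or (msg[0] & 0x0F) != 0x07:
        raise ValueError("not an EMM message")
    sht = msg[0] >> 4
    if sht != 0:
        return {"security_header": sht, "message_type": None}
    parsed = {"security_header": 0, "message_type": msg[1]}
    if msg[1] == IDENTITY_REQUEST:
        parsed["identity_type"] = msg[2] & 0x0F
    elif msg[1] == IDENTITY_RESPONSE:
        parsed["mobile_identity"] = decode_mobile_identity(msg[3:3 + msg[2]])
    return parsed


def flag_imsi_requests(downlink):
    """Detector rule over a downlink NAS trace: an unprotected IDENTITY REQUEST for the IMSI.
    Genuine networks do this only when they hold no context for the UE, so the rate of
    such requests per attach matters more than a single occurrence."""
    alerts = []
    for i, msg in enumerate(downlink):
        p = parse_emm(msg)
        if p["message_type"] == IDENTITY_REQUEST and p.get("identity_type") == IDTYPE_IMSI:
            alerts.append((i, "unprotected IDENTITY REQUEST for IMSI"))
    return alerts


if __name__ == "__main__":
    req = encode_identity_request()
    resp = encode_identity_response("001010123456789")     # constructed test IMSI
    print("MME -> UE", req.hex(), "UE -> MME", resp.hex())
    print("IMSI recovered by the catcher:", parse_emm(resp)["mobile_identity"][1])
    print("alerts:", flag_imsi_requests([req]))
```

An Identity Request asking for the IMEI (type 2) is not in itself an IMSI-catching indicator and is deliberately not flagged; a catcher that wants the hardware identity would ask for it in the same way, so a stricter deployment can widen the rule to any identity type requested without NAS security.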

CellAnalysis 3G & 4G will be released soon, so stay tuned.