Category Archives: cellanalysis

CellAnalysis-LTE ready to go!!

Update 2022: the Quectel EC20 has been discontinued by the manufacturer, so it is no longer available.

We know how difficult it is to find time for everything: too many projects and too little time for hacking. For this reason we offer a briefcase with everything ready to run CellAnalysis-LTE, a complete installation mounted in a case, so that you only have to insert your SIM card and connect the battery to start using it.

The kit is composed of three main elements:

  • Raspberry Pi 3 Model B, transparent plastic case and heatsinks.
  • Power bank to power the equipment (capacity: 12,000 mAh, output: 5 V / 3 A).
  • Quectel EC20 modem (4G, 3G, 2G and GNSS) mounted on a Sysmocom miniPCIe WWAN modem USB break-out board.

The small details mean you do not have to worry about anything: the necessary connectors are installed in the case so the antennas can be connected on the outside, and we have selected the most suitable antennas for this use:

  • SMA 4G/3G/2G omnidirectional antenna and SMA active GPS antenna with a 5 m cable, 28 dB gain.

Finally, we manually verify that the installation is correct and deliver the documentation for your briefcase, including the credentials of the created users and the Wi-Fi network details.

As for the software, the equipment is delivered with Raspbian OS, the free version of CellAnalysis-LTE and, of course, everything necessary for its correct operation. To thank you for your contribution to the project, we include in the kit a script that generates an HTML map from your output files, so you can see in a web browser the cells to which your modem has connected as well as the alarms that were generated:

Connecting to the RPi3

Together with your briefcase you will receive the certificate with the credentials of the generated users, as well as the default Wi-Fi network to which your equipment will connect. The Raspberry Pi 3 uses its internal Wi-Fi interface to connect to the configured network.

If you do not want to connect to the device over Wi-Fi, you can also remove the SD card from the Raspberry Pi 3 and insert it in a reader to mount the file system and make the necessary changes, but ATTENTION: you must be aware at all times of the changes you are making, because a mistake can seriously damage the file system. For this reason, we recommend the Wi-Fi method for manipulating the files on the equipment in the case.

If you tell us the operator of the SIM card that will be used in the briefcase modem, we will set the only variable you would otherwise have to adjust when receiving the briefcase: the operator's APN connection string. If you do so, when you receive the briefcase you only have to connect the battery to start analyzing the information.

Heatmaps

As a thank you for your contribution to our project, you will find next to the CellAnalysis-LTE scripts an HTML map generator (maps based on OpenStreetMap). By running this generator manually you can visualize the cells to which your briefcase has connected during your journey and the alarms that were generated:

IMSICatching attacks on 3G networks (part 1)

In June of this year I announced the participation of CellAnalysis in Sysmocom's Accelerate 3g5 program to detect 3G IMSI catching attacks. This article describes the first steps in studying the 3G attacks within the Osmocom infrastructure and the basic detection principles being implemented in CellAnalysis 3G.

Lab infrastructure:

Following the steps in the Getting_Started_with_3G tutorial, we set up the 3G network, but we will modify the source code of the MSC node. We do not need to add any subscriber to the HLR/AuC database, since we are not going to deliver a 3G service to our victims. The mobile's registration procedure in our 3G network will always be rejected, so that it downgrades to 2G, in the same way as we saw in 4G (4G / LTE IMSI Catchers). In this first article we will use the "Location Update Reject" attack, with the different rejection causes that force the mobile to register in the 2G network (the downgrade attack).

Implementation:

3G

    1. Femtocell nano3G (Sysmocom)
    2. Osmocom 3G network, running on Ubuntu 14 (Intel Core i5 4200U 1.6 GHz, 8 GB RAM)

2G

    1. BladeRF x40
    2. YateBTS, 2G network running on Ubuntu 16 (Intel Atom 1.6 GHz, 8 GB RAM)

Once the 3G network is configured following the Getting Started tutorial, it is better to verify that the 3G cell is transmitting correctly on UARFCN 9800 (the default channel):

To implement our custom reject cause, we must modify the MSC source code to overwrite the reject cause in the response to the "Location Update Request". Normally the reject cause would be "(2) IMSI unknown in HLR", since we have not provisioned any subscriber in our HLR, or "(3) Illegal MS" if we add only the victim's IMSI to the HLR SQLite database but not its authentication values. The MSC source code has to be changed so that it always returns the cause value of interest, depending on whether we want a DoS or a 2G downgrade attack; depending on the cause chosen, the UE will:

    · Disable the USIM entirely until power-off or USIM removal.
    · For Attach requests, disable the USIM for the packet (PS) domain until power-off or USIM removal.
    · For periodic Location Update requests, attempt GERAN (2G) instead.

Once we have chosen and implemented our attack, switch on the victim mobile (S2) and start Tobias Engel's xgoldmon to observe the attack. In the following image, the response to the registration request (the Location Update Reject) is correctly sent to our victim with the reject cause we chose (in this example "Service option temporarily out of order", which is cause value #34 in 3GPP TS 24.008):

After the Location Update Reject, the victim mobile connects to the 2G network (YateBTS). See below how, after the RRC message carrying the "Location Update Reject", the mobile starts to use LAPDm and begins authentication in the 2G network:

But before switching to the 2G network, the registration procedure asked the victim mobile to identify itself by requesting its IMSI. This is the 3G IMSI catching attack; see the "Identity Response" message (the IMSI has been removed from the image):

Detection:

CellAnalysis 3G uses active monitoring (in this article, xgoldmon) to detect 3G attacks, instead of the passive monitoring with SDR boards used to detect 2G fake stations.

Advantages of active monitoring:

  • visibility of the ciphering algorithms (UEA) in use
  • authentication parameters and rates

But on the other hand there is a big disadvantage:

  • one SIM card and one device per operator are needed in order to scan for all 3G fake stations

Of course, a regulatory compliance check is also carried out to determine whether the 3G radio parameters conform to each country's frequency allocation regulation, as in the 2G detection.
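As an added example (not CellAnalysis, Osmocom or xgoldmon code), the following Python sketch applies the two detection ideas of this post, the reject-cause analysis of the downgrade attack described above and the active-monitoring checks listed in this section, to a constructed trace. The one-line-per-message trace format, timestamps, channel numbers and message names are assumptions made here for the example; the reject cause values and the UE reactions noted in the comments come from 3GPP TS 24.008.

```python
"""Constructed detector for the 3G Location Updating Reject / IMSI catching
pattern described in this post. Not CellAnalysis or xgoldmon code; the input is
an assumed one-line-per-MM-message rendering of a trace, not a real xgoldmon dump."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# 3GPP TS 24.008 10.5.3.6, MM reject cause values (subset of the table).
MM_REJECT_CAUSES = {
    2: "IMSI unknown in HLR", 3: "Illegal MS", 4: "IMSI unknown in VLR",
    5: "IMEI not accepted", 6: "Illegal ME", 11: "PLMN not allowed",
    12: "Location Area not allowed", 13: "Roaming not allowed in this location area",
    15: "No Suitable Cells In Location Area", 17: "Network failure", 22: "Congestion",
    34: "Service option temporarily out of order",
}
# TS 24.008 4.4.4.7: after these causes the UE treats the (U)SIM as invalid for CS
# services until power-off or USIM removal, i.e. a persistent denial of service.
USIM_INVALIDATING = {2, 3, 6}
# After these the UE marks the PLMN/LA forbidden and reselects another cell; if the
# only other coverage is the attacker's 2G cell, that reselection is the downgrade.
FORBIDDEN_AREA = {11, 12, 13, 15}

# Assumed line format: "<timestamp> RAT=<UTRAN|GERAN> <channel> MM <MESSAGE> [k=v ...]"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+RAT=(?P<rat>UTRAN|GERAN)\s+\S+\s+MM\s+"
                     r"(?P<msg>[A-Z_]+)(?:\s+(?P<params>.*))?$")

@dataclass
class Attempt:
    """One registration attempt, from a Location Updating Request to its outcome."""
    ts: str
    rat: str
    identity_asked: List[str] = field(default_factory=list)
    authenticated: bool = False
    reject_cause: Optional[int] = None

@dataclass
class Alarm:
    ts: str
    kind: str   # imsi_catching | dos_reject | downgrade_reject | unknown_cause | downgrade_confirmed
    detail: str

@dataclass
class Report:
    attempts: List[Attempt]
    alarms: List[Alarm]

    def imsi_request_rate(self) -> float:
        """Share of 3G attempts in which the cell asked for the IMSI. A real network
        does this when the TMSI is unknown; a cell doing it to every UE is a catcher."""
        utran = [a for a in self.attempts if a.rat == "UTRAN"]
        return sum("IMSI" in a.identity_asked for a in utran) / len(utran) if utran else 0.0

def analyse(lines):
    attempts, alarms, cur = [], [], None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, rat, msg = m.group("ts"), m.group("rat"), m.group("msg")
        p = dict(kv.partition("=")[::2] for kv in (m.group("params") or "").split())
        if msg == "LOCATION_UPDATING_REQUEST":
            # A rejected 3G attempt directly followed by a 2G attempt is the downgrade itself.
            if cur and cur.rat == "UTRAN" and cur.reject_cause is not None and rat == "GERAN":
                alarms.append(Alarm(ts, "downgrade_confirmed",
                                    f"UE moved to GERAN after 3G reject cause #{cur.reject_cause}"))
            cur = Attempt(ts, rat)
            attempts.append(cur)
        elif cur is None:
            continue  # message outside any registration attempt
        elif msg == "IDENTITY_REQUEST":
            cur.identity_asked.append(p.get("type", "?"))
        elif msg == "AUTHENTICATION_REQUEST":
            cur.authenticated = True
        elif msg == "LOCATION_UPDATING_REJECT":
            cause = int(p.get("cause", -1))
            cur.reject_cause = cause
            name = MM_REJECT_CAUSES.get(cause, "not in TS 24.008 table")
            if "IMSI" in cur.identity_asked and not cur.authenticated:
                # IMSI collected, UE dropped, and the network never proved it knew the
                # subscriber key: the IMSI catching signature seen in the lab above.
                alarms.append(Alarm(ts, "imsi_catching",
                                    f"IMSI requested, then reject #{cause} ({name}) without authentication"))
            if cause in USIM_INVALIDATING:
                alarms.append(Alarm(ts, "dos_reject", f"#{cause} {name}: USIM invalid until power-off"))
            elif cause in FORBIDDEN_AREA:
                alarms.append(Alarm(ts, "downgrade_reject", f"#{cause} {name}: UE will reselect, likely to GERAN"))
            elif cause not in MM_REJECT_CAUSES:
                alarms.append(Alarm(ts, "unknown_cause", f"#{cause} {name}"))
    return Report(attempts, alarms)

# Constructed trace modelled on the lab run above (not a real capture).
SAMPLE_LOG = """
2017-09-12T10:00:01 RAT=UTRAN UARFCN=9800 MM LOCATION_UPDATING_REQUEST id=TMSI
2017-09-12T10:00:01 RAT=UTRAN UARFCN=9800 MM IDENTITY_REQUEST type=IMSI
2017-09-12T10:00:02 RAT=UTRAN UARFCN=9800 MM IDENTITY_RESPONSE type=IMSI
2017-09-12T10:00:02 RAT=UTRAN UARFCN=9800 MM LOCATION_UPDATING_REJECT cause=34
2017-09-12T10:00:06 RAT=GERAN ARFCN=51 MM LOCATION_UPDATING_REQUEST id=IMSI
2017-09-12T10:00:06 RAT=GERAN ARFCN=51 MM AUTHENTICATION_REQUEST
""".strip().splitlines()
```

Calling `analyse(SAMPLE_LOG)` on the constructed trace yields an `imsi_catching` alarm at the reject and a `downgrade_confirmed` alarm when the UE re-registers on GERAN. The rule that matters is the combination, not any single message: a legitimate network also asks for the IMSI when it does not know the TMSI, so the detector only raises `imsi_catching` when the IMSI request is followed by a reject with no authentication in between, and `imsi_request_rate()` gives the per-cell statistic behind the "authentication parameters and rates" advantage listed above.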

CellAnalysis running on GPD Pocket

It all began when I read Simone's (@evilsocket) article on the GPD Pocket; I thought it would be a perfect device for pentesting radio frequency, Wi-Fi, BT ... and also one in which to camouflage CellAnalysis.

My preferred setup uses an RTL-SDR dongle and a 2G modem, so I will focus on this hardware.

I received the Windows 10 GPD version (at the time of writing the only one available), so the first thing to do is to free it:

  • First, update the BIOS to one that supports Ubuntu:

https://mega.nz/#!MN52EChD!n_pgjceHp9hXC-EO51qtUkDncpVXoY_lc1Da0LtgsgM

  • Then download the Ubuntu 17 image already prepared by "nexus511" from his website:

mirror1

mirror2

After writing the image to a USB disk (use the "dd" command; you do not need any GUI or Windows software), it installed without any problem on the GPD (screen rotation, encrypted partition, ...). Once in Ubuntu, the first thing was to update the apt package lists (apt-get update) and install all the dependencies:

- The base software for an RF workstation: hardware drivers for RTL-SDR, GNU Radio, libosmocore, kalibrate-rtl and gr-gsm. A good recommended reading is available on the gr-gsm wiki:

https://github.com/ptrkrysik/gr-gsm/wiki/Installation-on-RaspberryPi-3

Although in my case I did not install the GNU Radio and gr-osmosdr packages with apt; I prefer to build them from their repositories:

https://github.com/gnuradio/gnuradio
git://git.osmocom.org/gr-osmosdr

- Now we only need to install:

Airprobe: https://github.com/pcabreracamara/airprobe
Arfcncalc: http://www.runningserver.com/?page=runningserver.content.download.arfcncalc
CellAnalysis: https://fakebts.com/download/

- Following these steps, you will have the GPD Pocket running CellAnalysis with an RTL-SDR and a 2G modem, easy to hide and to carry :)

CellAnalysis at DefCon DemoLabs

This year I was lucky enough to attend DefCon for the first time, held from July 27th to 30th at the Caesars hotel in Las Vegas.

At the event the DemoLabs were held, in which I had the great honor to participate, demonstrating and showing the capabilities of CellAnalysis.

It was a surprise to see how little the spectrum was used and how it was distributed in the USA:

In the DemoLab I showed how CellAnalysis can be installed on a Raspberry Pi 3 using two devices: a 2G modem as the primary device and an RTL-SDR dongle as the secondary device. The primary only scans continuously for 2G cells, while the secondary scans the broadcast traffic of each detected cell. This setup allows very short detection times and can be packed in many ways:

CellAnalysis 3G and Osmocom 3.5G

For a few years now I have focused on improving the unpublished version of CellAnalysis (currently 0.1.10), using it in security audits and trying to find the best way to protect the algorithms in the code in order to publish the full version in the future.

I recently decided to give CellAnalysis a new direction, so that it can also detect the fake 3G cells used to force victims onto fake 2G stations (downgrade attacks). As the initial tool I am thinking of xgoldmon, which allows us to analyze a mobile's signaling in an active way (we need a SIM card inside), although the long-term goal I have set is to write a GNU Radio tool that monitors 3G broadcast traffic passively, without the need for a SIM card, using standard SDR boards (BladeRF).

On the other hand, I had the great luck to participate in the Osmocom 3G5 project, contributing to the following objectives:

(Short term) Study how to implement in the Osmocom 3G network the following attacks:

3G IMSI catching attacks, using RRC Connection Request/Reject (Initial UE identity: IMSI)

2G downgrade attacks, based on "Loc.Up.Req" reject codes and "RRC Connection Reject"

(Short term) Use the xgoldmon software, adapting the CellAnalysis algorithms to detect the two previous attacks.

(Long term) Write GNU Radio scripts/blocks to decode 3G broadcast traffic, adapting CellAnalysis to detect the previous attacks with SDR boards.

I would like to give special thanks to @sysmocom, the Osmocom community and the "Accelerate 3g5 program" for their contributions to this project.

CellAnalysis at BlackHat Arsenal


On the 30th and 31st of March, Black Hat Asia was held in Singapore, where I taught, together with Simón Roses, the course "Attacking 2G/3G mobile networks, smartphones and apps" and was able to present "CellAnalysis" at the Arsenal.

After reviewing some news about fake stations, such as the recent one in China used to distribute banking malware, and other recent attacks, we verified the operation of the application with the different software-defined radio boards and compatible phones, analyzing the advantages and disadvantages of each one for detecting the most common attacks. We also presented results of exercises performed in audits in Madrid and Barcelona, analyzing the large amount of information that can be extracted from the files generated by the tool, such as behavior patterns or the entropy of the temporary identities of each 2G/GSM station, in order to detect abnormal behaviors.

In the coming days I will update the CellAnalysis download link with the Singapore version. It was a real experience to be able to share the project in Singapore.