Catching ’Rays
Steve Glass (@drsmdg)
BSides Canberra 2016

Outline
• Malicious Base Station Threats
• Understanding the Network
• Understanding the Attacks
• Prevention and Detection
• Questions/Comments
Outline
• Stingray Threats
• Detective Tools
• Self-Assembly Approach
• Questions/Comments

Stingrays
Source: Harris Corporation
Source: USA Today
Source: wikimedia.org
Source: ibtimes.co.uk

Subverting Cell Reselection
Source: Gamma Group
Subverting Cell (Re)Selection
• Search all channels
• Compute C1 (path loss) for the 6 channels with the highest received signal strength
• Compute C2 (reselection score) for each:

$$
C2 = \begin{cases} C1 + CRO - TO \times H(PT - T) & PT \neq 11111 \\ C1 - CRO & PT = 11111 \end{cases}
$$

Where: PT is the penalty time, CRO is the cell reselection offset, TO is the temporary offset applied during the penalty time, and H(PT − T) is 0 for a serving cell.
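The C1/C2 criteria above, worked through in code. This is an added example, not code from the talk: it computes C1 per GSM 05.08 (path loss against RXLEV_ACCESS_MIN and the handset's power class), computes C2 exactly as the slide's formula states it, ranks a constructed set of candidate cells the way an idle mobile does, and reports when the winning cell would have lost on C1 alone, i.e. when its lead comes from broadcast offsets rather than signal strength. The handset power (33 dBm) and the decoded dB values for CRO and TO are assumptions of the example; PENALTY_TIME is kept as its raw 5-bit field because 11111 is the special value.

```python
# Added example (not from the talk): the C1/C2 cell (re)selection criteria
# from the slide above, applied to a constructed set of candidate cells, with
# a check that flags a winner whose lead comes from broadcast offsets rather
# than from signal strength. CRO and TO are taken as decoded dB values;
# PENALTY_TIME is kept as the raw 5-bit field because 0b11111 is special.
from dataclasses import dataclass

PT_RESERVED = 0b11111   # PENALTY_TIME value that negates CRO instead of timing an offset
MS_MAX_POWER_DBM = 33   # P: a class 4 GSM900 handset (assumed for this example)


def H(x):
    """Step function used in the C2 formula: 0 for x < 0, 1 for x >= 0."""
    return 0 if x < 0 else 1


@dataclass
class Cell:
    arfcn: int
    rxlev_dbm: int            # RLA_C, averaged received level of the cell's C0
    rxlev_access_min: int     # RXLEV_ACCESS_MIN from SI3/SI4, dBm
    ms_txpwr_max_cch: int     # MS_TXPWR_MAX_CCH from SI3/SI4, dBm
    cro_db: int = 0           # CELL_RESELECT_OFFSET (CRO), dB
    to_db: int = 0            # TEMPORARY_OFFSET (TO), dB
    pt_field: int = 0         # PENALTY_TIME (PT), raw 5-bit field
    serving: bool = False

    def penalty_time_s(self):
        """PT encodes 20 s * (field + 1); 0b11111 has no duration (handled in c2)."""
        return 20 * (self.pt_field + 1)


def c1(cell):
    """Path-loss criterion: C1 = (RLA_C - RXLEV_ACCESS_MIN) - max(MS_TXPWR_MAX_CCH - P, 0)."""
    a = cell.rxlev_dbm - cell.rxlev_access_min
    b = cell.ms_txpwr_max_cch - MS_MAX_POWER_DBM
    return a - max(b, 0)


def c2(cell, t_seconds):
    """Reselection criterion exactly as on the slide:
         C2 = C1 + CRO - TO * H(PT - T)   if PT != 11111
         C2 = C1 - CRO                    if PT == 11111
       where H(PT - T) is forced to 0 for the serving cell. T is how long the
       cell has been on the list of strongest carriers."""
    base = c1(cell)
    if cell.pt_field == PT_RESERVED:
        return base - cell.cro_db
    h = 0 if cell.serving else H(cell.penalty_time_s() - t_seconds)
    return base + cell.cro_db - cell.to_db * h


def select_cell(cells, t_seconds):
    """Mimic the idle-mode choice: take the 6 strongest carriers, drop cells that
    fail C1 > 0, rank the rest by C2, and report whether the winner would have
    lost on C1 (its lead is manufactured by CRO rather than by path loss)."""
    strongest = sorted(cells, key=lambda c: c.rxlev_dbm, reverse=True)[:6]
    suitable = [c for c in strongest if c1(c) > 0]
    ranked = sorted(suitable, key=lambda c: c2(c, t_seconds), reverse=True)
    best_by_c1 = max(suitable, key=c1)
    chosen = ranked[0]
    return {
        "chosen_arfcn": chosen.arfcn,
        "best_c1_arfcn": best_by_c1.arfcn,
        "offset_driven": chosen is not best_by_c1 and chosen.cro_db > 0,
        "c2_ranking": [(c.arfcn, c2(c, t_seconds)) for c in ranked],
    }


# Constructed observation: two ordinary cells and one advertising a large CRO.
SAMPLE_CELLS = [
    Cell(arfcn=10, rxlev_dbm=-70, rxlev_access_min=-104, ms_txpwr_max_cch=33, serving=True),
    Cell(arfcn=20, rxlev_dbm=-80, rxlev_access_min=-104, ms_txpwr_max_cch=33),
    Cell(arfcn=30, rxlev_dbm=-85, rxlev_access_min=-104, ms_txpwr_max_cch=33,
         cro_db=60, to_db=30, pt_field=0),
]

if __name__ == "__main__":
    for t in (0, 21):
        print("T=%ds" % t, select_cell(SAMPLE_CELLS, t))
```

Running it shows ARFCN 30 winning the C2 ranking at T = 0 (C2 = 49, the temporary offset still applied) and at T = 21 s (C2 = 79, once PT has expired) even though ARFCN 10 is 15 dB stronger and wins on C1; `offset_driven` is the signal a detector would act on.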
Location Tracking
Source: Ivylise Simones (ThinkStock)

Location Tripwires
Source: NSA
Source: rtlsdrblog.rtlsdrblog.netdna-cdn.com

Active Tracking (Fox Hunting)
Source: Gamma International

Eavesdropping
• Crypto-analytic
• SIM
• Key Recovery
• SS7

“Ghost Calls”
Source: CNET

Roving Bug Implementation?

Device Compromise
“As soon as you turn it on it can be theirs, they can turn into a microphone, they can take pictures from it, they can take the data… They can absolutely turn them on with the power turned off to the device.”
Source: Edward Snowden, interview with Brian Williams (NBC, 28 May 2014)
Outline
• Stingray Threats
• Detection
• Self-Assembly Approach
• Questions/Comments

Base Station Security Experiments Using USRP, Torjus Bryne Retterstøl, Masters Thesis, NTNU Trondheim, 2015
Source: Aftenposten
Source: Popular Science

Detection of Fake Base Station?
Source: Silent Circle

Secure Phones
SnoopSnitch etc.
• Various Android apps exist to detect the presence of an IMSI Catcher:
  – AIMSICD
  – Darshak
  – SnoopSnitch
• Apple’s telephony APIs do not provide sufficiently detailed info on cell towers/traffic
Source: Wall Street Journal
Source: The Wall Street Journal

Detecting Airborne Threats
Source: BuzzFeed News

Outline
• Stingray Threats
• Detection Tools
• Self-Assembly Approach
• Questions/Comments

Detection Process
1. Capture Signals
2. Identify C0s
3. Decode Traffic
4. Compute Metric
Australian GSM900 Frequencies (downlink / uplink)
• Telstra: 935.0 MHz – 943.4 MHz / 890.0 MHz – 898.4 MHz
• Optus: 943.4 MHz – 951.8 MHz / 898.4 MHz – 906.8 MHz
• Vodafone: 951.8 MHz – 960.0 MHz / 906.8 MHz – 915.0 MHz
Traffic Reception

Detection Metric
• Geographic Location
• Frequency
• Neighbour Information
• Behaviour
• Cipher Usage

Location & Frequency

Scapy and GSM
• ARFCNs that comprise the cell
• Neighbour list
• Cell ID, LAI, Reselection Info
Scapy and GSM

from scapy.all import (Packet, UDP, bind_layers, XByteField, ByteField, ShortField,
                       SignedByteField, IntField, ByteEnumField, BitFieldLenField,
                       BitField, BitEnumField)


# GSMTap frame header
class GSMTap(Packet):
    """GSMTap Frame Header Version 2"""
    name = "GSMTap"
    fields_desc = [
        XByteField("version", 0x02),        # GSMTAP version 2
        ByteField("hdr_len", 4),            # in 32-bit words
        XByteField("type", 0x01),           # GSMTAP_TYPE_UM
        ByteField("timeslot", 0),           # timeslot (0..7)
        ShortField("ARFCN", 0),
        SignedByteField("signal_dBm", 0),
        SignedByteField("snr_dB", 0),
        IntField("frame_nr", 0),            # 32-bit frame number; a 64-bit LongField would not fit the 4-word header
        ByteEnumField("sub_type", 0, {
            0x00: "UNKNOWN", 0x01: "BCCH", 0x02: "CCCH", 0x03: "RACH",
            0x04: "AGCH", 0x05: "PCH", 0x06: "SDCCH", 0x07: "SDCCH4",
            0x08: "SDCCH8", 0x09: "TCH_F", 0x0a: "TCH_H", 0x0b: "PACCH",
            0x0c: "CBCH52", 0x0d: "PDCH", 0x0e: "PTCCH", 0x0f: "CBCH51",
        }),
        ByteField("antenna_nr", 0),
        ByteField("sub_slot", 0),
        ByteField("reserved", 0),
    ]


bind_layers(UDP, GSMTap, dport=4729)   # GSMTAP's registered UDP port


# GSM L3 frame headers
class GSM_L3_Hdr(Packet):
    """GSM Standard L3 Header (Table 10.1)"""
    name = "GSM_L3_Hdr"
    fields_desc = [
        BitFieldLenField("l2_pseudolen", 23, 6),   # L2 pseudo length, in octets
        BitField("ignored", 0x0, 2),               # fixed bits of the pseudo-length octet
        BitField("skip_txn_id", 0x0, 4),           # skip indicator / transaction identifier
        BitEnumField("proto", 0x0, 4, {            # protocol discriminator
            0x3: "CALL_CONTROL",
            0x5: "MOBILITY_MGMT",
            0x6: "RADIO_RSRC_MGMT",
        }),
    ]


bind_layers(GSMTap, GSM_L3_Hdr)
Suspicious Behaviours
• Geography
• Neighbours
• Tracking
• Ciphering
• Refused Connections
Source: https://www.qrz.com/db/W0JT
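The detection metric and the suspicious behaviours above, turned into scoring logic. This is an added example, not code from the talk: it takes a constructed set of per-cell records of the kind the decode stage yields (ARFCN, PLMN, LAI, cell id, neighbour list, chosen cipher, CRO, rejected location updates) and reports which behaviours each cell trips: a carrier outside the block its claimed operator owns (using the Australian GSM900 table and the operators' PLMN codes 505-01/02/03), a cell no peer advertises as a neighbour, a LAC nobody else uses, A5/0, a large reselection offset, and refused location updates. The 30 dB CRO threshold and the sample cells are assumptions of the example.

```python
# Added example (not from the talk): scoring decoded cells against the
# suspicious behaviours in the detection metric. Input is a constructed set
# of per-cell records; output is the list of behaviours each cell trips.
from dataclasses import dataclass, field

# Australian GSM900 downlink allocation from the frequency slide, keyed by
# the PLMN code of each operator (MCC 505; MNC 01 Telstra, 02 Optus, 03 Vodafone).
DOWNLINK_BLOCKS_MHZ = {
    "50501": (935.0, 943.4),   # Telstra
    "50502": (943.4, 951.8),   # Optus
    "50503": (951.8, 960.0),   # Vodafone
}
HIGH_CRO_DB = 30   # reselection offset worth a second look (threshold assumed for this example)


def arfcn_to_downlink_mhz(arfcn):
    """P-GSM900 downlink: 935 MHz + 0.2 MHz * ARFCN for ARFCN 1..124."""
    if not 1 <= arfcn <= 124:
        raise ValueError("not a P-GSM900 ARFCN: %d" % arfcn)
    return 935.0 + 0.2 * arfcn


def operator_for_arfcn(arfcn):
    """PLMN whose block the carrier sits in, or None if unallocated."""
    f = arfcn_to_downlink_mhz(arfcn)
    for plmn, (lo, hi) in DOWNLINK_BLOCKS_MHZ.items():
        if lo <= f < hi:
            return plmn
    return None


@dataclass
class ObservedCell:
    arfcn: int
    plmn: str                      # MCC+MNC as broadcast in the LAI
    lac: int
    cell_id: int
    neighbours: list = field(default_factory=list)   # ARFCNs from the BA list (SI2)
    cipher: str = "A5/1"           # algorithm seen in Ciphering Mode Command
    cro_db: int = 0                # CELL_RESELECT_OFFSET from SI3/SI4
    lu_rejects: int = 0            # Location Updating Reject messages seen


def assess(cells):
    """Return {arfcn: [behaviour, ...]} for each observed cell."""
    findings = {}
    for cell in cells:
        peers = [c for c in cells if c is not cell and c.plmn == cell.plmn]
        flags = []
        # Geography / frequency: is the carrier inside the block its claimed operator owns?
        if operator_for_arfcn(cell.arfcn) != cell.plmn:
            flags.append("arfcn outside claimed operator's block")
        # Neighbours: a genuine cell is advertised by the cells around it.
        if peers and not any(cell.arfcn in p.neighbours for p in peers):
            flags.append("not in any peer neighbour list")
        # Tracking: a LAC nobody else uses forces every phone to do a location update.
        if peers and all(p.lac != cell.lac for p in peers):
            flags.append("unique LAC")
        # Ciphering: A5/0 means traffic goes over the air in the clear.
        if cell.cipher == "A5/0":
            flags.append("no ciphering (A5/0)")
        # Reselection lure: a large CRO pulls idle phones onto this cell.
        if cell.cro_db >= HIGH_CRO_DB:
            flags.append("high cell reselect offset")
        # Refused connections: rejects issued after the phone has identified itself.
        if cell.lu_rejects > 0:
            flags.append("refused location updates")
        findings[cell.arfcn] = flags
    return findings


# Constructed sample: three mutually consistent cells of one operator plus one outlier.
SAMPLE_CELLS = [
    ObservedCell(arfcn=10, plmn="50501", lac=1234, cell_id=101, neighbours=[30, 40]),
    ObservedCell(arfcn=30, plmn="50501", lac=1234, cell_id=102, neighbours=[10, 40]),
    ObservedCell(arfcn=40, plmn="50501", lac=1234, cell_id=103, neighbours=[10, 30]),
    ObservedCell(arfcn=50, plmn="50501", lac=9999, cell_id=1, neighbours=[],
                 cipher="A5/0", cro_db=60, lu_rejects=3),
]

if __name__ == "__main__":
    for arfcn, flags in assess(SAMPLE_CELLS).items():
        print(arfcn, "%.1f MHz" % arfcn_to_downlink_mhz(arfcn), flags or "ok")
```

Each behaviour is a weak signal on its own (a freshly commissioned cell can have a new LAC, and a rural site can be alone in its neighbour lists); the value is in counting how many a single cell trips at once, which is why the function returns the full list rather than a verdict.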
References
• The Athens Affair, Prevelakis & Spinellis, IEEE Spectrum, 2007
• Eavesdropping on and decrypting of GSM communication using readily available low-cost hardware and free open-source software in practice, Bosma et al., 2012
• Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication, Barkan, Biham, Keller (2003). Crypto 2003: 600–616.
• Anatomy of Contemporary GSM Cellphone Hardware, Welte, Unpublished, 2010
• Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks, Weinmann, WOOT, 2012
• Baseband exploitation in 2013: Hexagon Challenges, Weinmann, Chaos Communications Congress, 2013
• Base Station Security Experiments Using USRP, Retterstøl, Masters Thesis, Norwegian University of Science and Technology Department of Telematics, 2015