Femtocells: a Poisonous Needle in the Operator's Hay Stack
Ravishankar Borgaonkar, Nico Golde, Kévin Redon
Technische Universität Berlin, Security in [email protected]
HITB 2011, Kuala Lumpur, 13th October 2011
✆ mobile telecommunication ⚔ end-user attacks ☠ network attacks
Agenda
- mobile telecommunication
- end-user attacks
- network attacks
SecT / TU-Berlin 2 / 45
Section: UMTS architecture
UMTS architecture (complex)
UMTS architecture (simplified)
Section: femtocell definition
technology - femtocell context?!
What is a femtocell?
- a small access point
- connects the mobile phone to the 3G/UMTS network
- compatible with every UMTS enabled mobile phone
- small cell, with a coverage of less than 50m
- low power device
- easy to install: you only have to provide power and Internet access
- technical name in 3G: Home Node B (HNB)
Section: advantages
customer advantages
advantages provided to users:
- can be installed at home to improve 3G coverage
- high bandwidth, and high voice quality
- location based services
operator advantages
advantages for mobile operators:
- traffic offload from public operator infrastructure ⇒ reduce expenditure
- cheap hardware compared to expensive 3G equipment
- no installation and maintenance cost
- IP connectivity
Home Node B Subsystem (HNS)
small cells
femtocell threats (as defined by 3GPP)
HNB threats listed by the 3GPP. Threat groups: compromise of H(e)NB credentials; physical attacks on a H(e)NB; configuration attacks on a H(e)NB; protocol attacks on a H(e)NB; attacks on the core network, including H(e)NB location-based attacks; user data and identity privacy attacks; attacks on radio resources and management.

# | threat | impact
1 | Compromise of H(e)NB authentication token by a brute force attack via a weak authentication algorithm | harmful
2 | Compromise of H(e)NB authentication token by local physical intrusion | harmful
3 | Inserting valid authentication token into a manipulated H(e)NB | harmful
4 | User cloning the H(e)NB authentication token | very harmful
5 | Man-in-the-middle attacks on H(e)NB first network access | very harmful
6 | Booting H(e)NB with fraudulent software ("re-flashing") | up to disastrous
7 | Fraudulent software update / configuration changes | extremely harmful
8 | Physical tampering with H(e)NB | harmful
9 | Eavesdropping of the other user's UTRAN or E-UTRAN user data | very harmful
10 | Masquerade as other users | very harmful
11 | Changing of the H(e)NB location without reporting | harmful
12 | Software simulation of H(e)NB | very harmful
13 | Traffic tunnelling between H(e)NBs | very harmful
14 | Misconfiguration of the firewall in the modem/router | annoying
15 | Denial of service attacks against H(e)NB | annoying
16 | Denial of service attacks against core network | annoying
17 | Compromise of an H(e)NB by exploiting weaknesses of active network services | extremely harmful
18 | User's network ID revealed to Home (e)NodeB owner | breaking users' privacy
19 | Mis-configuration of H(e)NB | irritating to harmful
20 | Mis-configuration of access control list (ACL) or compromise of the access control list | irritating to harmful
21 | Radio resource management tampering | harmful
22 | Masquerade as a valid H(e)NB | very harmful
23 | Provide radio access service over a CSG | very harmful
24 | H(e)NB announcing incorrect location to the network | harmful
25 | Manipulation of external time source | harmful
26 | Environmental/side channel attacks against H(e)NB | harmful
27 | Attack on OAM and its traffic | very harmful
28 | Threat of H(e)NB network access | harmful
Section: rogue femtocell
SFR femtocell
- sold by SFR (2nd biggest operator in France)
- cost: 99€ + mobile phone subscription
- hardware: ARM9 + FPGA for signal processing
- OS: embedded Linux kernel + proprietary services
- built by external vendors (in our case Ubiquisys), configured by operator
recovery procedure
- femtocells provide a recovery procedure similar to a factory reset
- new firmware is flashed, and settings are cleared
- used to "repair" the device without any manual intervention
recovery procedure flaws
- firmware server is not authenticated
- public key is in parameter and firmware list, which is not signed
[figure: recovery to fail]
any attacks hmm?
WHAT NOW?
Section: intercepting communication
requirements
classical approach in GSM: IMSI-Catcher
- fake operator BTS (MCC/MNC)
- acts as MitM between operator and victim
- phone usually can't detect
- usually used to track and intercept communication
UMTS standard requires mutual authentication ⇒ GSM approach not working [1]
no devices acting as UMTS base station + code is available
[1] some attacks by using protocol downgrades are known
mutual authentication in the femtocell ecosystem
- in case of femtocell: mutual authentication also provided ⇒ but it's useless ☺
- mutual authentication is done with the home operator, NOT with the actual cell
⇒ the femtocell forwards the authentication tokens
⇒ mutual authentication is performed even with a rogue device
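To make the two preceding points concrete (mutual authentication defeats a fake UMTS base station but not a relaying femtocell), here is an added toy model of UMTS AKA that is not code from the talk: the phone verifies AUTN, which only the home network's AuC can produce, so a station that invents a vector is rejected, while a cell that merely relays RAND/AUTN and RES passes and is afterwards handed CK/IK by the operator. The MILENAGE f1..f5 functions are replaced by an HMAC-SHA256 stand-in, and the IMSI and key are constructed; both are assumptions.

```python
import hashlib, hmac, os

def f(key, tag, data, n):
    """Toy stand-in for the MILENAGE f1..f5 functions (assumption, not the real algorithm)."""
    return hmac.new(key, tag + data, hashlib.sha256).digest()[:n]
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class HomeNetwork:
    """HLR/AuC: holds each subscriber's key K and issues authentication vectors."""
    def __init__(self, subscribers):
        self.keys, self.sqn = dict(subscribers), {}
    def vector(self, imsi):
        k, n = self.keys[imsi], self.sqn.get(imsi, 0)
        self.sqn[imsi], sqn = n + 1, n.to_bytes(6, "big")
        rand = os.urandom(16)
        # AUTN = (SQN xor AK) || MAC: only a party holding K can produce a valid MAC
        autn = xor(sqn, f(k, b"f5", rand, 6)) + f(k, b"f1", rand + sqn, 8)
        return rand, autn, f(k, b"f2", rand, 8), f(k, b"f3", rand, 16), f(k, b"f4", rand, 16)

class Phone:
    """USIM side: verifies AUTN (authenticates the network) before answering with RES."""
    def __init__(self, imsi, k):
        self.imsi, self.k, self.sqn = imsi, k, 0
    def respond(self, rand, autn):
        sqn = xor(autn[:6], f(self.k, b"f5", rand, 6))
        if autn[6:] != f(self.k, b"f1", rand + sqn, 8):
            raise ValueError("MAC failure: network not authenticated")
        if int.from_bytes(sqn, "big") < self.sqn:
            raise ValueError("synchronisation failure")
        self.sqn = int.from_bytes(sqn, "big") + 1
        return f(self.k, b"f2", rand, 8)

def aka_via_femtocell(phone, net):
    """A cell (honest or rogue) relays RAND/AUTN and RES unchanged; on RES == XRES the
    operator hands it CK/IK. Returns what the cell ends up holding."""
    rand, autn, xres, ck, ik = net.vector(phone.imsi)
    res = phone.respond(rand, autn)  # passes: AUTN genuinely came from the HLR
    return {"authenticated": res == xres, "ck": ck, "ik": ik}

def aka_via_fake_bts(phone):
    """GSM-style IMSI-catcher without operator cooperation: it has to invent a vector."""
    try:
        phone.respond(os.urandom(16), os.urandom(14))
        return True
    except ValueError:
        return False
K = bytes(range(16))  # constructed sample subscriber key (made up, as is the IMSI)
NET = HomeNetwork({"208100000000001": K})
PHONE = Phone("208100000000001", K)
```

The relaying cell never needs K: it is the operator that delivers CK/IK to it, which is why the OTA keys end up on the box regardless of who controls it.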
getting the fish into the octopus' tentacles
Howto build a 3G IMSI-Catcher:
- cell configuration is kindly provided as a feature of femtocells
- local cell settings stored in a proprietary database format
- some comfort provided ⇒ web interface
- we can catch any phone user of any operator into using our box
- roaming subscribers are allowed by SFR
⇒ the femtocell is turned into a full 3G IMSI-Catcher
intercepting traffic
- proprietary IPsec client + kernel module (xpressVPN)
- multiple ways to decrypt IPsec traffic: NETLINK, ip xfrm state (not available on SFR box)
- we decided to hijack/parse ISAKMP messages passed via sendto(2) glibc wrapper
- voice data encapsulated in unencrypted RTP stream (AMR codec, stream format)
extracting voice
- LD_PRELOAD ipsec user-space program to hijack sendto() and extract keys
- pass key material to host running tcpdump
- decrypt ESP packets
- extract RTP stream (rtpbreak)
- opencore-based (nb) utility to extract AMR and dump to WAV
demo time
DEMONSTRATION
interception
but what about over-the-air encryption?
- only the phone ⇔ femtocell OTA traffic is encrypted ⇒ encryption/decryption happens on the box
- femtocell acts as a combination of RNC and Node-B: receives cipher key and integrity key from the operator for OTA encryption
- reversing tells us: message is SECURITY MODE COMMAND (unspecified RANAP derivate), which includes the keys
SECURITY MODE COMMAND
derived from RANAP, but spec unknown
Section: playing with traffic
femtocell operator communication: the GAN protocol
- device is communicating with operator via GAN protocol (UMA)
- TCP/IP mapped radio signaling
- encapsulates radio Layer 3 messages (MM/CC) in GAN protocol
- one TCP connection per subscriber
- radio signaling maps to GAN messages, which are sent over this connection
- GAN usage is transparent for the phone
GAN proxy/client
- proxies all GAN connections/messages
- reconfigure femtocell to connect to our proxy instead of real GANC
- proxy differentiates between GAN message types
- attack client controls GAN proxy over extended GAN protocol
more MitM pls? SMS...
- SMS message filtered by GAN proxy
- modified by client
- transferred to real GANC
demo time
DEMONSTRATION
SMS modification
how about impersonating subscribers?
- let's use services for free, billed to a victim
- client requires subscriber information
- proxy additionally caches subscriber info (TMSI/IMSI) for each MS-GANC connection
- phone needed for authentication
- applies to any traffic (SMS, voice, data)
- victim is impersonated
example: SMS inject
demo time
DEMONSTRATION
SMS injection
Section: DoS'ing non-local subscribers
return of the IMSI detach
IMSI detach DoS discovered by Sylvain Munaut in 2010 [2]
⇒ results in discontinued delivery of MT services (call, SMS, ...)
⇒ network assumes subscriber went offline
- detach message is unauthenticated
- however, this is limited to a geographical area (served by a specific VLR)
- user can not receive calls
[2] http://security.osmocom.org/trac/ticket/2
imsi detach in femtocell ecosystem
- proximity constraint not existent in femtocell network
- devices reside in various geographical areas
- but all subscribers meet in one back-end system ⇒ and they are all handled by one femtocell VLR (at least for SFR) ☺
- we can send IMSI detach payloads via L3 msg in GAN
⇒ we can detach any femtocell subscriber, no proximity needed!
demo time
DEMONSTRATION
IMSI detach
Section: femtocell attack surface
attacking other femtocells
attack surface limited:
- network protocols: NTP, DNS spoofing (not tested)
- services: webserver, TR-069 provisioning (feasible)
- both HTTP. TR-069 is additionally powered by SOAP and XML
- lots of potential parsing fail
- all services run as root
femtocell remote root (CVE-2011-2900)
- we went for the web service (wsal) based on shttpd [3]/mongoose [4]/yaSSL embedded webserver
- we found a stack-based buffer overflow in the processing of HTTP PUT requests
- direct communication between femtocells is not filtered by SFR
- exploit allows us to root any femtocell within the network
- http://www.sec.t-labs.tu-berlin.de/~nico/wsal_root.py
- fixed in V2.0.24.1 firmware
[3] http://docs.huihoo.com/shttpd/
[4] http://code.google.com/p/mongoose/
demo time
DEMONSTRATION
remote root
Section: god mode
collecting subscribers
- other femtocells are accessible within the network
- website is also accessible
- leaks phone number and IMSI of registered subscriber
- wink IMSI detach ⇒ detach whole network
locating subscribers
- location verification performed by OAM
- femtocell scans for neighbour cells
global control
- web-site/database is not read-only
- OAMP, image and GAN server can also be set
- or using root exploit
- traffic can be redirected to our femtocell (either settings or iptables)
⇒ any femtocell can be flashed
⇒ any femtocell subscriber communication can be intercepted, modified and impersonated
meeting the usual suspects
HNS servers run typical Open Source software, not especially secured, e.g.:
- MySQL, SSH, NFS, Apache (with directory indexing), ... available
- FTP used to submit performance measurement reports, including femtocell identity and activity
- all devices share the same FTP account
- vsftpd users are system users, SSH is open :D
advanced access
- SeGW is required to access the network
- authentication is performed via the SIM (removable)
- how about configuring an IPsec client with this SIM?
⇒ no hardware and software limitation
⇒ no femtocell required anymore
⇒ femtocells don't act as a great wall to protect the operator network anymore :D
stairways to heaven
attacks on operator network
- signaling attacks (not blocked)
- free HLR queries
- leveraging access to:
  - other Access Networks
  - Core Network
  - ...
other femtocell research
- THC vodafone http://wiki.thc.org/vodafone, rooted in 2009, unfortunately bug fixed since 2 years
- Samsung femtocell http://code.google.com/p/samsung-femtocell/
- clearly shows that this is no single operator problem and might cause some pain
- femtocell architecture is defective by design, security wise
thanks (in no particular order)
Jean-Pierre Seifert
Collin Mulliner
Benjamin Michéle
Dieter Spaar
K2
the end
thank you for your attention
questions?
contact us
Nico Golde <[email protected]> @iamnion
Kévin Redon <[email protected]>
Ravi Borgaonkar <[email protected]> @raviborgaonkar
or just [email protected]
all material from this talk (including tools) will be available one week after the HITB KL at: http://tinyurl.com/sectfemtocellhacks
extended coverage
- femtocells have a small coverage (by definition, 25-50m)
- signal range can be increased using amplifier and external antenna