fos lte imsi catchers - H.A.C.K.
GSM IMSI catcher - recap
• Create a fake BTS with
• high reselection value (C1, C2)
• random location area code
• Phones will connect and initiate Location Update
• Reply with Identity Request (request IMSI)
• After getting the IMSI send LU Reject – cause 13 or any other depending on your intention
Why could we do this?
No mutual authentication, the network is always trusted
Reject messages need to be unencrypted
(Sh*tty or null crypto also lead to MITM etc.)
Procedure improvements
• Most procedures require AS security enabled (integrity protection)
• UEs drop non-protected messages once they have established security context
• Should be fine, right?
Tracking Area Update Reject
• UE sends a Tracking Area Update Request
• Rogue eNodeB rejects it with cause 9
3GPP TS 24.301 - 5.5.3.2.5
Catching the IMSI
• No more key/security context in UE
• UE will initiate attach
• It is allowed to ask for its IMSI in an IDENTITY REQUEST
• After getting it we send an ATTACH REJECT with cause #12 (Tracking Area not allowed)
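
A defender-side view of the sequence on the two slides above, as an added example that is not from the talk: it scans a NAS message trace for an unprotected TAU Reject with cause 9 and for an IMSI Identity Request answered by an Attach Reject with no authentication in between. The one-message-per-line log format, the field names and both sample traces are constructed assumptions.

```python
# Constructed sample traces in a hypothetical one-message-per-line format:
# <UL|DL> <MESSAGE> [key=value ...]. Not captured from a real network.
ROGUE_TRACE = """\
UL TAU_REQUEST
DL TAU_REJECT cause=9 integrity=no
UL ATTACH_REQUEST
DL IDENTITY_REQUEST type=IMSI integrity=no
UL IDENTITY_RESPONSE
DL ATTACH_REJECT cause=12 integrity=no
"""
NORMAL_TRACE = """\
UL ATTACH_REQUEST
DL IDENTITY_REQUEST type=IMSI integrity=no
UL IDENTITY_RESPONSE
DL AUTHENTICATION_REQUEST integrity=no
UL AUTHENTICATION_RESPONSE
DL SECURITY_MODE_COMMAND integrity=yes
DL ATTACH_ACCEPT integrity=yes
"""

def parse(trace):
    """Yield (line_no, direction, message, fields) for each non-empty line."""
    for no, line in enumerate(trace.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 2:
            fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
            yield no, parts[0], parts[1], fields

def detect(trace):
    """Return [(line_no, reason)] for downlink messages matching the pattern."""
    findings, imsi_asked = [], False
    for no, direction, msg, f in parse(trace):
        if direction != "DL":
            continue
        unprotected = f.get("integrity") != "yes"
        if msg == "TAU_REJECT" and f.get("cause") == "9" and unprotected:
            findings.append((no, "unprotected TAU Reject, cause 9"))
        elif msg == "IDENTITY_REQUEST" and f.get("type") == "IMSI" and unprotected:
            imsi_asked = True  # allowed per the slide, so not a finding by itself
        elif msg == "AUTHENTICATION_REQUEST":
            imsi_asked = False  # simplification: network went on to authenticate
        elif msg == "ATTACH_REJECT" and unprotected and imsi_asked:
            findings.append((no, "IMSI requested, then Attach Reject cause "
                                 + f.get("cause", "?") + " with no authentication"))
            imsi_asked = False
    return findings

if __name__ == "__main__":
    for name, trace in (("rogue", ROGUE_TRACE), ("normal", NORMAL_TRACE)):
        print(name, detect(trace))
```
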
HW and SW
• USRP and laptop
• Many open source LTE projects (this is AWESOME btw):
• openLTE
• OpenAirInterface
• srsLTE and srsUE
• Own implementation of MME/core network (pending request to open source it)
Rogue eNodeB
• Need to somehow ‘lure’ UEs
• In GSM you just needed a neighbor cell’s frequency + high reselection value
• In LTE a list of frequencies is broadcast with their priorities –> you need to decode the list, and select the frequency with the highest priority
These People are great! *APPLAUSE*
• Ravishankar Borgaonkar and Altaf Shaik for discovering the TAU Reject vuln (and many other problems) in LTE
• Benoit Michau for the library my core network is based on
• Philippe Langlois and Elvis Pfützenreuter for pysctp
• My mentors during my internship at Qualcomm: Kevin Redon and Nico Golde