GSM IMSI catcher - recap
• Create a fake BTS with
  • high reselection value (C1, C2)
  • random location area code
• Phones will connect and initiate Location Update
• Reply with Identity Request (request IMSI)
• After getting the IMSI send LU Reject - cause 13 or any other depending on your intention

Why could we do this?
• No mutual authentication, the network is always trusted
• Reject messages need to be unencrypted
• (Sh*tty or null crypto also lead to MITM etc.)

Procedure improvements
• Most procedures require AS security enabled (integrity protection)
• UEs drop non-protected messages once they have established security context
• Should be fine, right?

Tracking Area Update Reject
• UE sends a Tracking Area Update Request
• Rogue eNodeB rejects it with cause 9
3GPP TS 24.301 - 5.5.3.2.5

Catching the IMSI
• No more key/security context in UE
• UE will initiate attach
• It is allowed to ask for its IMSI in an IDENTITY REQUEST
• After getting it we send an ATTACH REJECT with cause #12 (Tracking Area not allowed)

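A UE-side check for the exchange on the two slides above, as an added example (not from the talk or from any project it names): it scans a NAS message trace for one cell sending, without protection, TAU Reject cause 9, then an Identity Request for the IMSI that the UE answers, then Attach Reject cause 12. The `Nas` record layout, the cell labels, the 30-second window and the sample trace are assumptions constructed for illustration.

```python
from collections import namedtuple

# One NAS message as logged on the UE; protected = integrity protected under a security context.
Nas = namedtuple("Nas", "t cell direction msg info protected", defaults=("", False))

# The exchange from the slides, in order; every step travels without protection.
PATTERN = [
    ("DL", "TRACKING AREA UPDATE REJECT", "9"),
    ("DL", "IDENTITY REQUEST", "IMSI"),
    ("UL", "IDENTITY RESPONSE", "IMSI"),
    ("DL", "ATTACH REJECT", "12"),
]

def find_imsi_catch(trace, window=30.0):
    """Return (cell, t_start, t_end) for each cell completing PATTERN within window seconds."""
    progress, findings = {}, []   # progress: cell -> (next stage, time of stage 0)
    for ev in sorted(trace, key=lambda e: e.t):
        if ev.protected:
            continue              # protected messages are not part of the pattern
        key = (ev.direction, ev.msg, ev.info)
        stage, start = progress.get(ev.cell, (0, ev.t))
        if stage and ev.t - start > window:
            stage = 0             # partial match went stale
        if key == PATTERN[0]:
            stage, start = 1, ev.t    # every TAU Reject cause 9 (re)starts the match
        elif stage and key == PATTERN[stage]:
            stage += 1
        else:
            continue              # unrelated message, e.g. ATTACH REQUEST
        if stage == len(PATTERN):
            findings.append((ev.cell, start, ev.t))
            stage = 0
        progress[ev.cell] = (stage, start)
    return findings

# Constructed trace: cell-A is an ordinary first attach, cell-B replays the slide sequence.
SAMPLE = [
    Nas(0.0, "cell-A", "DL", "IDENTITY REQUEST", "IMSI"),   # no TAU Reject before it
    Nas(0.2, "cell-A", "UL", "IDENTITY RESPONSE", "IMSI"),
    Nas(60.0, "cell-B", "UL", "TRACKING AREA UPDATE REQUEST", "", True),
    Nas(60.1, "cell-B", "DL", "TRACKING AREA UPDATE REJECT", "9"),
    Nas(60.5, "cell-B", "UL", "ATTACH REQUEST"),
    Nas(60.6, "cell-B", "DL", "IDENTITY REQUEST", "IMSI"),
    Nas(60.7, "cell-B", "UL", "IDENTITY RESPONSE", "IMSI"),
    Nas(60.9, "cell-B", "DL", "ATTACH REJECT", "12"),
]

if __name__ == "__main__":
    print(find_imsi_catch(SAMPLE))
```
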
HW and SW
• USRP and laptop
• Many open source LTE projects (this is AWESOME btw):
  • openLTE
  • OpenAirInterface
  • srsLTE and srsUE
• Own implementation of MME/core network (pending request to open source it)

Rogue eNodeB
• Need to somehow 'lure' UEs
• In GSM you just needed a neighbor cell's frequency + high reselection value
• In LTE a list of frequencies is broadcast with their priorities -> you need to decode the list, and select the frequency with the highest priority

These People are great! *APPLAUSE*
• Ravishankar Borgaonkar and Altaf Shaik for discovering the TAU Reject vuln (and many other problems) in LTE
• Benoit Michau for the library my core network is based on
• Philippe Langlois and Elvis Pfützenreuter for pysctp
• My mentors during my internship at Qualcomm: Kevin Redon and Nico Golde