Top Banner
FOS LTE IMSI CATCHER DOMI
17

fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

May 26, 2020

Download

Documents

dariahiddleston
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

FOSLTEIMSICATCHERDOMI

Page 2: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

WARNING!ThistalkwillbeaboutclassicIMSIcatchers– do

notexpectMITMcalls,dataetc.

Page 3: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

GSMIMSIcatcher- recap• CreateafakeBTSwith• highreselectionvalue(C1,C2)• randomlocationareacode

• PhoneswillconnectandinitiateLocationUpdate• ReplywithIdentityRequest(requestIMSI)• AftergettingtheIMSIsendLUReject– cause13oranyotherdependingonyourintention

Page 4: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Whycouldwedothis?Nomutualauthentication,thenetworkisalwaystrusted

Rejectmessagesneedtobeunencrypted

(Sh*tty ornullcryptoalsoleadtoMITMetc.)

Page 5: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

LTEArchitecture

EUTRANArchitecturebyCrati underCCBY-SA3.0

INTERNETPSTNPLMN

Page 6: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

ChangesinLTE•Mutualauthentication

• Integrityprotection

• Bettercrypto

Page 7: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Procedureimprovements•MostproceduresrequireASsecurityenabled(integrityprotection)• UEsdropnon-protectedmessagesoncetheyhaveestablishedsecuritycontext

•Shouldbefine,right?

Page 8: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •
Page 9: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Tinylittleprotocolproblem…

Page 10: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

TrackingAreaUpdateReject• UEsendsaTrackingAreaUpdateRequest• RogueeNodeB rejectsitwithcause9

3GPPTS24.301-5.5.3.2.5

Page 11: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

CatchingtheIMSI• Nomorekey/securitycontextinUE

• UEwillinitiateattach

• ItisallowedtoaskforitsIMSIinanIDENTITYREQUEST

• AftergettingitwesendanATTACHREJECTwithcause#12(TrackingAreanotallowed)

Page 12: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

HWandSW• USRPandlaptop•ManyopensourceLTEprojects(thisisAWESOMEbtw):•openLTE•OpenAirInterface• srsLTE andsrsUE• OwnimplementationofMME/corenetwork(pendingrequesttoopensourceit)

Page 13: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

RogueeNodeB• Needtosomehow‘lure’UEs• InGSMyoujustneededaneighborcell’sfrequency+highreselectionvalue• InLTEalistoffrequenciesarebroadcastedwiththeirpriorities–>youneedtodecodethelist,andselectthefrequencywiththehighestpriority

Page 14: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •
Page 15: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

ThesePeoplearegreat!*APPLAUSE*• Ravishankar Borgaonkar andAltaf ShaikfordiscoveringtheTAURejectvuln (andmanyotherproblems)inLTE• BenoitMichau forthelibrarymycorenetworkisbasedon• PhilippeLanglois andElvisPfützenreuter forpysctp

•MymentorsduringmyinternshipatQualcomm:KevinRedonandNicoGolde

Page 16: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Q&A

Page 17: fos lte imsi catchers - H.A.C.K.Catching the IMSI • No more key/security context in UE • UE will initiate attach • It is allowed to ask for its IMSI in an IDENTITY REQUEST •

Thankyou!Key-ID:E2712651

Fingerprint:811C3FC3CFCB16E4BAEBF5FB7440DF59E2712651


Related Documents
Informations- und Datenschutzrecht Modul 4 Recht der ... · Mit Hilfe des IMSI-Catchers können zwei Arten von Maßnahmen durchgeführt werden, die in § 100i Abs. 1 Nr. 1 und 2 StPO

Informations- und Datenschutzrecht Modul 4 Recht der ... ·...

Category: Documents
Wind Catchers

Wind Catchers

Category: Documents
Perspectives of Physical Layer Security (Physec) for the ... · hacking systems (such as advanced IMSI catchers for example [2]) that operate at the radio interface of wireless networks,

Perspectives of Physical Layer Security (Physec) for the...

Category: Documents
OSM#9 Hackfest · 2020. 6. 1. · Software Components: eNodeB + UE 16 Configuration: Information needed: Where is EPC Core Radio parameters (MCC, MNC, etc) UE parameters (IMSI, encryption

OSM#9 Hackfest · 2020. 6. 1. · Software Components:...

Category: Documents
White-Stingray: Evaluating IMSI Catchers Detection ... · which contains IMSI in plaintext. Also, certain networks request for IMEI from the MS before authentication pro-cedure, however,

White-Stingray: Evaluating IMSI Catchers Detection ... ·.....

Category: Documents
Junk Catchers

Junk Catchers

Category: Documents
IMSI-Catch Me If You Can: IMSI-Catcher-Catchers · Catcher will produce all of the artifacts described below. 4.1 Choosing a Frequency To increase signal quality, avoid radio interference,

IMSI-Catch Me If You Can: IMSI-Catcher-Catchers · Catcher....

Category: Documents
Low Cost Stingrays (IMSI-Catchers) - CyberCamp · 2018. 12. 17. · Introducción #CyberCamp18 • An International Mobile Subscriber Identity-catcher, or IMSI-catcher, is a telephone

Low Cost Stingrays (IMSI-Catchers) - CyberCamp · 2018. 12....

Category: Documents
Rain catchers

Rain catchers

Category: Education
5G Security - dspcsp.com · IMSI catching IMSI catching is a man-in-the-middle attack to collect IMSIs (there are even miniature wearable IMSI catchers used by police) Since IMSIs

5G Security - dspcsp.com · IMSI catching IMSI catching is....

Category: Documents
Spidey: Android-based Stingray Detector - GitHub Pagesjtwarren.github.io/files/spidey.pdf · Spidey: Android-based Stingray Detector ... IMSI catchers, meaning that people whose information

Spidey: Android-based Stingray Detector - GitHub...

Category: Documents
IMSI catcher detection and evolution - Simula · B IMSI catcher detection pitfalls (2/3) False positive causes Femto cells behave very similar to IMSI catchers: a. Query IMSI + IMEI

IMSI catcher detection and evolution - Simula · B IMSI...

Category: Documents