Base Jumping
Attacking the GSM baseband and base station
Thursday, 14 October 2010
Overview
❖GSM
❖Base Station
❖Base Band
❖Conclusion
GSM: The Protocol
Documents
❖Dozens of docs
❖Thousands of pages
❖Important one (defines L3)
❖GSM 04.08
Logical Channels
❖Broadcast Channels (BCH)
   Broadcast Control Channel (BCCH)
   Frequency Correction Channel (FCCH)
   Synchronization Channel (SCH)
   Cell Broadcast Channel (CBCH)
Logical Channels, cont.
❖Common Control Channels (CCCH)
   Paging Channel (PCH)
   Random Access Channel (RACH)
   Access Grant Channel (AGCH)
Logical Channels, cont.
❖Standalone Dedicated Control Channel (SDCCH)
❖Associated Control Channel (ACCH)
   Fast Associated Control Channel (FACCH)
   Slow Associated Control Channel (SACCH)
GSM Channels
❖Opening a channel is slow
❖Can take seconds
❖Specific channels for specific uses
Opening a channel
[Diagram: channel opening without a page: RACH -> AGCH -> LCH]
[Diagram: channel opening after a page: PCH -> RACH -> AGCH -> LCH]
[Diagram: MS <-> BTS over an ARFCN; BTS - BSC - MSC]
[Diagram legend: Base Transceiver Station (BTS), Base Station Controller (BSC), Mobile Station Controller (MSC), Mobile Station (MS), Base Station Sub-System (BSS)]
[Diagram: MS - BSS - MSC - HLR / VLR]
Mobile Identifiers
[Diagram: mobile identifiers, IMSI and IMEI]
GSM Attacks
RACHell
❖Request channel allocation
❖Flood the BSS with requests
❖First announced by Dieter Spaar at DeepSec
❖Prevent everyone from using that cell
Our Target
Demo - RACHell
IMSI Flood
❖Send IMSI ATTACH messages
❖Pre-authentication
❖Overload the HLR/VLR infrastructure
❖Prevent everyone using the network
IMSI DETACH
❖Send multiple Location Update Requests including a spoofed IMSI
❖Unauthenticated
❖Prevent SIM from receiving calls and SMS
❖Discovered by Sylvain Munaut
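The IMSI Flood and IMSI DETACH attacks both ride on Mobility Management messages that the network accepts before any authentication, and whose layout GSM 04.08 defines. As an added example (not code from the deck, from OpenBTS or from the Coseinc framework), this Python decodes the two-octet L3 header and the Mobile Identity of a LOCATION UPDATING REQUEST and an IMSI DETACH INDICATION, then counts per-IMSI request churn, the network-side signal a monitor would alert on. The sample frames, the test IMSI 001010123456789, the LAI and the churn limit are constructed values.

```python
"""Decode GSM 04.08 MM messages and flag identity churn (added example, not from the deck)."""
from collections import Counter

MM_PD = 0x05                                  # protocol discriminator: Mobility Management
MM_TYPES = {0x01: "IMSI DETACH INDICATION", 0x08: "LOCATION UPDATING REQUEST",
            0x24: "CM SERVICE REQUEST"}
ID_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}

def decode_mobile_identity(ie: bytes) -> tuple[str, str]:
    """Mobile Identity IE value (GSM 04.08 10.5.1.4): BCD digits, low nibble first."""
    kind = ID_TYPES.get(ie[0] & 0x07, "unknown")
    if kind == "TMSI":
        return kind, ie[1:5].hex()
    digits = [str(ie[0] >> 4)]                # first digit rides in the high nibble of octet 1
    for b in ie[1:]:
        digits += [str(b & 0x0F), str(b >> 4)]
    if not ie[0] & 0x08:                      # even digit count: last high nibble is 0xF filler
        digits.pop()
    return kind, "".join(digits)

def decode_mm(msg: bytes) -> dict:
    """Parse the L3 header and the Mobile Identity of the two MM requests the deck abuses."""
    pd, mtype = msg[0] & 0x0F, msg[1] & 0x3F  # bit 7 carries N(SD) on MS-originated MM messages
    if pd != MM_PD:
        raise ValueError(f"not an MM message (PD=0x{pd:x})")
    name = MM_TYPES.get(mtype, f"MM type 0x{mtype:02x}")
    offsets = {0x08: 9, 0x01: 3}              # LU REQ: type/CKSN + LAI + classmark 1; DETACH: classmark 1
    if mtype not in offsets:
        return {"type": name}
    off = offsets[mtype]                      # msg[off] is the LV length octet of the identity
    kind, ident = decode_mobile_identity(msg[off + 1: off + 1 + msg[off]])
    return {"type": name, "id_type": kind, "id": ident}

def flag_churn(frames: list[bytes], limit: int) -> dict[str, int]:
    """Count pre-authentication LU/DETACH requests per IMSI; return those above `limit`."""
    counts = Counter()
    for f in frames:
        d = decode_mm(f)
        if d.get("id_type") == "IMSI" and d["type"] != "CM SERVICE REQUEST":
            counts[d["id"]] += 1
    return {imsi: n for imsi, n in counts.items() if n > limit}

# Constructed sample frames (test IMSI 001010123456789, LAI 001-01 / 0x0001, classmark 1 = 0x33).
IMSI_IE = bytes.fromhex("08 09 10 10 10 32 54 76 98")         # LV: length + BCD identity
LU_REQ = bytes.fromhex("05 08 70 00 f1 10 00 01 33") + IMSI_IE
DETACH = bytes.fromhex("05 41 33") + IMSI_IE                   # 0x41: N(SD)=1, type 0x01
```

A real TMSI is normally allocated after the first update, so a subscriber identity that keeps showing up in raw IMSI form across repeated updates or detaches is itself worth a look.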
How hard to get an IMSI?
Baseband Fuzzing
How to make a smartphone
[Diagram: picture equation (one device = two parts); images not extracted]
Two separate computers
Baseband
❖Controls the radio
❖Separate CPU and code base
❖RTOS
❖Written in C
❖Typically legacy code base (decades)
GSM Frame Delivery
❖OpenBTS + XML-RPC
❖lch_open(char *IMSI)
❖lch_send(int fd, char *buf, size_t len)
❖lch_recv(int fd, char *buf, size_t len)
❖lch_close(int fd)
GSM Fuzzing Framework
❖USRP + OpenBTS for delivery
❖GSM900 band
❖BugMine case generation & mutation
❖No instrumentation
❖Very bad visibility on bugs
Coseinc GSM FuzzFarm
❖Targeting
   iPhone
   HTC (Android)
   Palm Pre
   Blackberry
   Nokia
Conclusion
GSM Trouble
❖GSM is no longer a walled garden
❖GSM spec has security problems
❖Expect many more issues as OSS reduces costs for entry
Future work
❖More GSM stack fuzzing
❖Next gen protocol stacks
Thanks to
Harald Welte, Osmocom-bb & OpenBTS
Questions?