base jumping
play

Base Jumping Attacking the GSM baseband and base station - PowerPoint PPT Presentation

Sep 29, 2023 •363 likes •1.07k views

Base Jumping Attacking the GSM baseband and base station grugq@coseinc.com Tuesday, 20 July 2010 Overview GSM Base Station Base Band Conclusion 2 Tuesday, 20 July 2010 GSM: The Protocol 3 Tuesday, 20 July 2010 Documents

  1. Base Jumping Attacking the GSM baseband and base station grugq@coseinc.com Tuesday, 20 July 2010

  2. Overview ❖ GSM ❖ Base Station ❖ Base Band ❖ Conclusion 2 Tuesday, 20 July 2010

  3. GSM: The Protocol 3 Tuesday, 20 July 2010

  4. Documents ❖ Dozens of docs ❖ Thousands of pages ❖ Important one (defines L3) ❖ GSM 04 08 4 Tuesday, 20 July 2010

  5. 5 Tuesday, 20 July 2010

  6. 6 Tuesday, 20 July 2010

  7. Logical Channels Broadcast Channels ( BCH ) Broadcast Control Channel ( BCCH ) Frequency Correction Channel ( FCCH ) Synchronization Channel ( SCH ) Cell Broadcast Channel ( CBCH ) 7 Tuesday, 20 July 2010

  8. Logical Channels, cont. ❖ Common Control Channels ( CCCH ) Paging Channel ( PCH ) Random Access Channel ( RACH ) Access Grant Channel ( AGCH ) 8 Tuesday, 20 July 2010

  9. Logical Channels, cont. Standalone Dedicated Control Channel ( SDCCH ) Associated Control Channel ( ACCH ) Fast Associated Control Channel ( FACCH ) Slow Associated Control Channel ( SACCH ) 9 Tuesday, 20 July 2010

  10. GSM Channels ❖ Opening a channel is slow ❖ Can take seconds ❖ Specific channels for specific uses 10 Tuesday, 20 July 2010

  11. Opening a channel 11 Tuesday, 20 July 2010

  12. 12 Tuesday, 20 July 2010

  13. RACH 12 Tuesday, 20 July 2010

  14. RACH AGCH 12 Tuesday, 20 July 2010

  15. RACH AGCH LCH 12 Tuesday, 20 July 2010

  16. 13 Tuesday, 20 July 2010

  17. PCH 13 Tuesday, 20 July 2010

  18. PCH RACH 13 Tuesday, 20 July 2010

  19. PCH RACH AGCH 13 Tuesday, 20 July 2010

  20. PCH RACH AGCH LCH 13 Tuesday, 20 July 2010

  21. ARFCN MSC MS BSC BTS BTS 14 Tuesday, 20 July 2010

  22. Mobile Station MS Mobile Station Base Transceiver Base Station Controller Station Controller MSC BTS BSC Base Station Sub-System BSS 15 Tuesday, 20 July 2010

  23. VLR HLR MSC MS BSS 16 Tuesday, 20 July 2010

  24. Mobile Identifiers 17 Tuesday, 20 July 2010

  25. 18 Tuesday, 20 July 2010

  26. IMSI 18 Tuesday, 20 July 2010

  27. IMSI IMEI 18 Tuesday, 20 July 2010

  28. GSM Attacks 19 Tuesday, 20 July 2010

  29. 20 Tuesday, 20 July 2010

  30. RACHell ❖ Request channel allocation ❖ Flood the BSS with requests ❖ First announced by Dieter Spaar at DeepSec ❖ Prevent everyone from using that cell 21 Tuesday, 20 July 2010

  31. RACHell 22 Tuesday, 20 July 2010

  32. RACHell 22 Tuesday, 20 July 2010

  33. RACHell 22 Tuesday, 20 July 2010

  34. RACHell 22 Tuesday, 20 July 2010

  35. RACHell 22 Tuesday, 20 July 2010

  36. RACHell 22 Tuesday, 20 July 2010

  37. RACHell ? 22 Tuesday, 20 July 2010

  38. 23 Tuesday, 20 July 2010

  39. Our Target 23 Tuesday, 20 July 2010

  40. Demo - RACHell 24 Tuesday, 20 July 2010

  41. IMSI Flood ❖ Send IMSI ATTACH messages ❖ pre-authentication ❖ Overload the HLR/VLR infrastructure ❖ Prevent everyone using the network 25 Tuesday, 20 July 2010

  42. IMSI Flood 26 Tuesday, 20 July 2010

  43. IMSI Flood 26 Tuesday, 20 July 2010

  44. IMSI Flood 26 Tuesday, 20 July 2010

  45. IMSI Flood 26 Tuesday, 20 July 2010

  46. IMSI Flood 26 Tuesday, 20 July 2010

  47. IMSI Flood 26 Tuesday, 20 July 2010

  48. IMSI Flood 26 Tuesday, 20 July 2010

  49. How hard to get an IMSI? 27 Tuesday, 20 July 2010

  50. IMSI DETACH ❖ Send multiple Location Update Requests including a spoofed IMSI ❖ Unauthenticated ❖ Prevent SIM from receiving calls and SMS ❖ Discovered by Sylvain Munaut 28 Tuesday, 20 July 2010

  51. IMSI DETACH 29 Tuesday, 20 July 2010

  52. IMSI DETACH 29 Tuesday, 20 July 2010

  53. IMSI DETACH 29 Tuesday, 20 July 2010

  54. IMSI DETACH 29 Tuesday, 20 July 2010

  55. IMSI DETACH 29 Tuesday, 20 July 2010

  56. IMSI DETACH 29 Tuesday, 20 July 2010

  57. IMSI DETACH 29 Tuesday, 20 July 2010

  58. Baseband Fuzzing 30 Tuesday, 20 July 2010

  59. How to make a smartphone + = 31 Tuesday, 20 July 2010

  60. Two separate computers 32 Tuesday, 20 July 2010

  61. Two separate computers 32 Tuesday, 20 July 2010

  62. Baseband ❖ Controls the radio ❖ Separate CPU and code base ❖ RTOS ❖ Written in C ❖ Typically legacy code base (decades) 33 Tuesday, 20 July 2010

  63. Coseinc GSM FuzzFarm ❖ OpenBTS based fuzzer delivery engine ❖ Targetting ❖ iPhone ❖ HTC (Android) ❖ Palm Pre ❖ Blackberry ❖ Nokia 34 Tuesday, 20 July 2010

  64. 35 Tuesday, 20 July 2010

  65. Conclusion 36 Tuesday, 20 July 2010

  66. GSM Trouble ❖ GSM is no longer a walled garden ❖ GSM spec has security problems ❖ Expect many more issues as OSS reduces costs for entry 37 Tuesday, 20 July 2010

  67. Future work ❖ More GSM stack fuzzing ❖ Next gen protocol stacks 38 Tuesday, 20 July 2010

  68. Thanks to Harald Walte, Osmocom-bb & OpenBTS 39 Tuesday, 20 July 2010

  69. Questions? 40 Tuesday, 20 July 2010

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Extreme Sliding Base Jumping with the Radix 2/10 Binary/Decimal Slide Rule C Tombeur, July

Extreme Sliding Base Jumping with the Radix 2/10 Binary/Decimal Slide Rule C Tombeur, July

Extreme Sliding Base Jumping with the Radix 2/10 Binary/Decimal Slide Rule C Tombeur, July 2014 What is in a scale? This article describes the inspiration, design and operation of the Radix 2/10 System Leibniz slide rule, and the

403 views • 24 slides
Running and Jumping PE | Year 1 | Outdoor | Running and Jumping | Changing Gears | Lesson 1 Aim

Running and Jumping PE | Year 1 | Outdoor | Running and Jumping | Changing Gears | Lesson 1 Aim

Running and Jumping PE | Year 1 | Outdoor | Running and Jumping | Changing Gears | Lesson 1 Aim Aim To move at different speeds. Success Criteria Success Criteria Statement 1 Lorem ipsum dolor sit amet, consectetur adipiscing elit. I

539 views • 18 slides
Women Challenge the IOC in Court: The Case of Ski Jumping 1 Why do women have to struggle so

Women Challenge the IOC in Court: The Case of Ski Jumping 1 Why do women have to struggle so

Prof. Dr. Annette R. Hofmann Women Challenge the IOC in Court: The Case of Ski Jumping 1 Why do women have to struggle so much to get acknowledged in ski jumping? Why did women ski jumpers not make it into the Olympic program for

288 views • 26 slides
ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1.

ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1.

ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1. CONSTRUCTING our TEACHING CHALLENGES in a low tech 1. ORCHESTRATION environment 1. SHOW-AND-TELL Selma Hamdani Psychology / DALC / Neuroscience

836 views • 50 slides
Data Visualization in R May 15, 2017 Data Visualization in R May 15, 2017 1 / 40 Jumping In

Data Visualization in R May 15, 2017 Data Visualization in R May 15, 2017 1 / 40 Jumping In

Data Visualization in R May 15, 2017 Data Visualization in R May 15, 2017 1 / 40 Jumping In Lets get started right away by the loading ggplot2 package and reading in our dataset. ### Install packages if you don't have them yet ### Typical

1.13k views • 40 slides
Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific architectural approach to building UI components Model-View-Controller Classic architecture from Smalltalk 80 Model: data structures that

387 views • 17 slides
Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific architectural approach to building UI components Model-View-Controller Classic architecture from Smalltalk 80 Model: data structures that

1.13k views • 18 slides
Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific architectural approach to building UI components Model-View-Controller Classic architecture from Smalltalk 80 Model: data structures that

477 views • 15 slides
Zero-Base Budget Overview State of Maine What is Zero-Base Budgeting? Zero-base budgeting is a

Zero-Base Budget Overview State of Maine What is Zero-Base Budgeting? Zero-base budgeting is a

Zero-Base Budget Overview State of Maine What is Zero-Base Budgeting? Zero-base budgeting is a planning and budgeting tool that uses cost-benefit analysis of programs and activities to improve the allocation of funds and staff resources in an

412 views • 8 slides
ESNZ JUMPING AGM 6 TH JULY 7 TH JULY 2019 2 WELCOME Mandy Illston Roll call

ESNZ JUMPING AGM 6 TH JULY 7 TH JULY 2019 2 WELCOME Mandy Illston Roll call

ESNZ JUMPING AGM 6 TH JULY 7 TH JULY 2019 2 WELCOME Mandy Illston Roll call Apologies Obituaries Rhonda Goddard, Ray Burmester, Bob Lilburne, Murray Thompson Approve minutes of previous meeting Matters arising

809 views • 56 slides
Financial Aid 101 Jumping Through the Hoops What Is Financial Aid? Gift Aid- Free

Financial Aid 101 Jumping Through the Hoops What Is Financial Aid? Gift Aid- Free

Financial Aid 101 Jumping Through the Hoops What Is Financial Aid? Gift Aid- Free Money Grants- Need Based Scholarships- Merit Based Self-Help Aid Loans- Need and Non-Need Based Employment Opportunities

594 views • 20 slides
What is this thing? Crouching Chameleon - Jumping Fly p. 1/1 What is this thing? What do

What is this thing? Crouching Chameleon - Jumping Fly p. 1/1 What is this thing? What do

What is this thing? Crouching Chameleon - Jumping Fly p. 1/1 What is this thing? What do they eat? Crouching Chameleon - Jumping Fly p. 1/1 What is this thing? What do they eat? How do they get food? Crouching Chameleon - Jumping

418 views • 30 slides
PRAM ALGORITHMS: POINTER JUMPING 2 1 08 08 2015 LIST RANKING Consider the problem of

PRAM ALGORITHMS: POINTER JUMPING 2 1 08 08 2015 LIST RANKING Consider the problem of

08 08 2015 PARALLEL AND DISTRIBUTED ALGORITHMS BY DEBDEEP MUKHOPADHYAY AND ABHISHEK SOMANI http://cse.iitkgp.ac.in/~debdeep/courses_iitkgp/PAlgo/index.htm PRAM ALGORITHMS: POINTER JUMPING 2 1 08 08 2015 LIST RANKING

333 views • 16 slides
Jumping on the Climate Change Bandwagon? Explaining variation in inter-governmental organisation

Jumping on the Climate Change Bandwagon? Explaining variation in inter-governmental organisation

Jumping on the Climate Change Bandwagon? Explaining variation in inter-governmental organisation behaviour Nina Hall Post-Doctoral Fellow, Hertie School of Governance Research Questions Why do international organizations bandwagon on the

387 views • 17 slides
Jumping on Board How Gamification and Family Travel Can Be Combined to Build Customer Loyalty

Jumping on Board How Gamification and Family Travel Can Be Combined to Build Customer Loyalty

Jumping on Board How Gamification and Family Travel Can Be Combined to Build Customer Loyalty We help businesses and organizations to better connect with their audience and customers through virtual worlds,

380 views • 14 slides
MQ Jumping . . . . Or, move to the front of the queue, pass go and collect 200 Martyn Ruks

MQ Jumping . . . . Or, move to the front of the queue, pass go and collect 200 Martyn Ruks

MQ Jumping . . . . Or, move to the front of the queue, pass go and collect 200 Martyn Ruks DEFCON 15 2007-08-03 One Year Ago Last year I talked about IBM Networking attacks and said I was going to continue with my research. But

829 views • 58 slides
EECS 373 Design of Microprocessor-Based Systems Prabal Dutta University of Michigan Lecture 5:

EECS 373 Design of Microprocessor-Based Systems Prabal Dutta University of Michigan Lecture 5:

EECS 373 Design of Microprocessor-Based Systems Prabal Dutta University of Michigan Lecture 5: Memory and Peripheral Busses September 16, 2014 1 Announcements Homework #2 Where was I last week? VLCS14 MobiCom14

885 views • 41 slides
Ryan C. Gordon icculus.org Getting Started with Linux Game Development A few notes Feel

Ryan C. Gordon icculus.org Getting Started with Linux Game Development A few notes Feel

Ryan C. Gordon icculus.org Getting Started with Linux Game Development A few notes Feel free to interrupt! Slides are at https://icculus.org/SteamDevDays/ Today is a high-level overview. Who am I? Hacker, game developer, porter

865 views • 37 slides
Security in My Rear-View Mirror Marcus J. Ranum works for Tenable Network Security, Inc.

Security in My Rear-View Mirror Marcus J. Ranum works for Tenable Network Security, Inc.

Security in My Rear-View Mirror Marcus J. Ranum works for Tenable Network Security, Inc. Trajectory Optimism We can do this! Firewalls Browser active content Cloud Malware Cloud 1989 1997 2008 IoT Current Trends Management:

605 views • 44 slides
Agility in eBay QCon San Francisco November 17, 2011 Deepak Nadig Distinguished Application

Agility in eBay QCon San Francisco November 17, 2011 Deepak Nadig Distinguished Application

Agility in eBay QCon San Francisco November 17, 2011 Deepak Nadig Distinguished Application Architect The eBay context eBay manages Over 97 million active users Over 2 Billion photos An SUV is sold every 5 minutes eBay users

301 views • 19 slides
Critical Computing Education Amy J. Ko, Ph.D. Professor The Information School University of

Critical Computing Education Amy J. Ko, Ph.D. Professor The Information School University of

Critical Computing Education Amy J. Ko, Ph.D. Professor The Information School University of Washington, Seattle Critical Computing Education Amy J. Ko Computing can be magical Critical Computing Education Amy J. Ko I fell in love

761 views • 50 slides
How Apache works JB Onofr <jbonofre@apache.org> Who am I JB Onofr

How Apache works JB Onofr <jbonofre@apache.org> Who am I JB Onofr

How Apache works JB Onofr <jbonofre@apache.org> Who am I JB Onofr <jbonofre@apache.org> @jbonofre | http://blog.nanthrax.net Fellow /Software Architect at Talend Member of the Apache Software Foundation (started in 2004)

821 views • 45 slides
Intro to iOS Development Patrick Linskey @plinskey You Enterprise Java iOS development Me

Intro to iOS Development Patrick Linskey @plinskey You Enterprise Java iOS development Me

Intro to iOS Development Patrick Linskey @plinskey You Enterprise Java iOS development Me Patrick Linskey @plinskey http://versly.com Objective C Primer Object-oriented extension of C Smalltalk-like syntax Full C

654 views • 49 slides
IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net Australia's Academic and Research Network IPv6 policy Going forward, we seek to support IPv6 to the same extent as we support IPv4. Exceptions require

631 views • 52 slides

More recommend