Base Jumping Attacking the GSM baseband and base station - - PowerPoint PPT Presentation

▶

Sep 29, 2023 363 likes •1.08k views

Base Jumping Attacking the GSM baseband and base station grugq@coseinc.com Tuesday, 20 July 2010 Overview GSM Base Station Base Band Conclusion 2 Tuesday, 20 July 2010 GSM: The Protocol 3 Tuesday, 20 July 2010 Documents

SLIDE 1

Base Jumping

Attacking the GSM baseband and base station grugq@coseinc.com

Tuesday, 20 July 2010

SLIDE 2

Overview

❖GSM ❖Base Station ❖Base Band ❖Conclusion

2 Tuesday, 20 July 2010

SLIDE 3

GSM: The Protocol

3 Tuesday, 20 July 2010

SLIDE 4

Documents

❖Dozens of docs ❖Thousands of pages ❖Important one (defines L3)

❖GSM 04 08

Tuesday, 20 July 2010

SLIDE 5

5 Tuesday, 20 July 2010

SLIDE 6

6 Tuesday, 20 July 2010

SLIDE 7

Logical Channels

Broadcast Channels (BCH) Broadcast Control Channel (BCCH) Frequency Correction Channel (FCCH) Synchronization Channel (SCH) Cell Broadcast Channel (CBCH)

Tuesday, 20 July 2010

SLIDE 8

Logical Channels, cont.

❖ Common Control Channels (CCCH)

Paging Channel (PCH) Random Access Channel (RACH) Access Grant Channel (AGCH)

8 Tuesday, 20 July 2010

SLIDE 9

Logical Channels, cont.

Standalone Dedicated Control Channel (SDCCH) Associated Control Channel (ACCH) Fast Associated Control Channel (FACCH) Slow Associated Control Channel (SACCH)

9 Tuesday, 20 July 2010

SLIDE 10

GSM Channels

❖Opening a channel is slow

❖Can take seconds

❖Specific channels for specific uses

Tuesday, 20 July 2010

SLIDE 11

Opening a channel

11 Tuesday, 20 July 2010

SLIDE 12

12 Tuesday, 20 July 2010

SLIDE 13

RACH

Tuesday, 20 July 2010

SLIDE 14

RACH AGCH

Tuesday, 20 July 2010

SLIDE 15

RACH AGCH LCH

Tuesday, 20 July 2010

SLIDE 16

13 Tuesday, 20 July 2010

SLIDE 17

PCH

Tuesday, 20 July 2010

SLIDE 18

RACH PCH

Tuesday, 20 July 2010

SLIDE 19

RACH PCH AGCH

Tuesday, 20 July 2010

SLIDE 20

RACH PCH AGCH LCH

Tuesday, 20 July 2010

SLIDE 21

MS BTS BTS BSC MSC ARFCN

Tuesday, 20 July 2010

SLIDE 22

Base Transceiver Station BTS Base Station Controller BSC Mobile Station Controller MSC Mobile Station MS Base Station Sub-System BSS

Tuesday, 20 July 2010

SLIDE 23

MS BSS MSC HLR VLR

Tuesday, 20 July 2010

SLIDE 24

Mobile Identifiers

17 Tuesday, 20 July 2010

SLIDE 25

18 Tuesday, 20 July 2010

SLIDE 26

IMSI

Tuesday, 20 July 2010

SLIDE 27

IMSI IMEI

Tuesday, 20 July 2010

SLIDE 28

GSM Attacks

19 Tuesday, 20 July 2010

SLIDE 29

20 Tuesday, 20 July 2010

SLIDE 30

RACHell

❖Request channel allocation ❖Flood the BSS with requests ❖First announced by Dieter Spaar at

DeepSec

SLIDE 50

IMSI DETACH

❖Send multiple Location Update

Requests including a spoofed IMSI

❖Unauthenticated

❖Prevent SIM from receiving calls and

SMS

SLIDE 60

Two separate computers

Tuesday, 20 July 2010

SLIDE 61

Two separate computers

Tuesday, 20 July 2010

SLIDE 62

Baseband

❖Controls the radio ❖Separate CPU and code base ❖RTOS ❖Written in C ❖Typically legacy code base (decades)

Tuesday, 20 July 2010

SLIDE 63

Coseinc GSM FuzzFarm

❖OpenBTS based fuzzer delivery

engine

❖Targetting

❖iPhone ❖HTC (Android) ❖Palm Pre ❖Blackberry ❖Nokia

34 Tuesday, 20 July 2010

SLIDE 64

35 Tuesday, 20 July 2010

SLIDE 65

Conclusion

36 Tuesday, 20 July 2010

SLIDE 66

GSM Trouble

❖GSM is no longer a walled garden ❖GSM spec has security problems ❖Expect many more issues as OSS

reduces costs for entry

Tuesday, 20 July 2010

SLIDE 67

Future work

❖More GSM stack fuzzing ❖Next gen protocol stacks

38 Tuesday, 20 July 2010

SLIDE 68

Thanks to

Harald Walte, Osmocom-bb & OpenBTS

Tuesday, 20 July 2010

SLIDE 69

Questions?

40 Tuesday, 20 July 2010