gsm security problems
play

GSM Security Problems Harald Welte osmocom.org hmw-consulting.de - PowerPoint PPT Presentation

Nov 01, 2022 •412 likes •1.19k views

Introduction GSM security problems The False BTS Security beyond the Um interface GSM Security Problems Harald Welte osmocom.org hmw-consulting.de sysmocom.de July 2013, TSC TIB, Taipei/TAIWAN 1 / 77 Harald Welte GSM Security Problems

  1. Introduction GSM security problems The False BTS Security beyond the Um interface GSM Security Problems Harald Welte osmocom.org hmw-consulting.de sysmocom.de July 2013, TSC TIB, Taipei/TAIWAN 1 / 77 Harald Welte GSM Security Problems

  2. Introduction Security if you are an Operator GSM security problems Security if you are a Subscriber The False BTS Security if you are a Government Security beyond the Um interface The GSM network – Overview About Harald Welte hwelte@hmw-consulting.de Linux Kernel, bootloader, driver, firmware developmer since 1999 IT security specialist, focus on network protocol security Board-level Electrical Engineering Interested in various protocols (RFID, DECT, GSM) netfilter/iptables, OpenPCD, OpenMoko, librfid, OpenEZX Main developer of OpenBSC project Founder and key developer of OsmocomBB project Co-founder of sysmocom - systems for mobile communications GmbH 2 / 77 Harald Welte GSM Security Problems

  3. Introduction Security if you are an Operator GSM security problems Security if you are a Subscriber The False BTS Security if you are a Government Security beyond the Um interface The GSM network – Overview About Osmocom.org Open Source MObile COMmunications community-driven project to implement communcation systems on protocol and/or radio level many sub-projects, including OsmocomBB (telephone-side GSM stack) OpenBSC (OsmoNITB, OsmoBSC, network-side GSM stack) OsmoSGSN and OpenGGSN (network-side GPRS+EDGE) OsmocomTETRA (TETRA PMR receiver/decoder) OsmocomGMR (GMR satellite telephony decoder) OsmocomDECT (DECT cordless telephony) OsmocomSIMTRACE (SIM protocol tracer hardware) OsmocomSDR (SDR receiver hardware) 3 / 77 Harald Welte GSM Security Problems

  4. Introduction Security if you are an Operator GSM security problems Security if you are a Subscriber The False BTS Security if you are a Government Security beyond the Um interface The GSM network – Overview Legal Disclaimer GSM operates in licensed spectrum Operating any transmitter in the GSM frequency bands requires a license from the respective regulatory authority Interference with commercial cellular operators is often a fellony and punishable as a crime It is the users responsibility to configure OpenBSC and BTS equipment in a way that complies with the law 4 / 77 Harald Welte GSM Security Problems

  5. Introduction Security if you are an Operator GSM security problems Security if you are a Subscriber The False BTS Security if you are a Government Security beyond the Um interface The GSM network – Overview Legal Disclaimer We are demonstrating normal GSM operations and security flaws using a private network and informed participants By leaving your GSM handset turned on during this workshop, you consent to participate in these demonstrations Nothing we do will damage your handset, but may cause temporary disruptions in service, unsolicited text messages or other annoyances Not all of the software used to demonstrate security weaknesses is part of the normal OpenBTS or OpenBSC distributions 5 / 77 Harald Welte GSM Security Problems

  6. Introduction Security if you are an Operator GSM security problems Security if you are a Subscriber The False BTS Security if you are a Government Security beyond the Um interface The GSM network – Overview Information Sources All information presented here is available form public sources Most of the information presented here is readily derived from public specifications, if you actually take the time to read them Nothing presented here is subject to trade secret restrictions Nothing presented here was received under a government security clearance agreement 6 / 77 Harald Welte GSM Security Problems

  7. Introduction Security if you are an Operator GSM security problems Security if you are a Subscriber The False BTS Security if you are a Government Security beyond the Um interface The GSM network – Overview Threat Models GSM is a massively distributed network with many interfaces Some interfaces are exposed completley public, others not Attack vectors and threat models depend on who you are 7 / 77 Harald Welte GSM Security Problems

  8. Introduction Security if you are an Operator GSM security problems Security if you are a Subscriber The False BTS Security if you are a Government Security beyond the Um interface The GSM network – Overview If you are an operator The subscriber is a potential attacker may want to commit fraud may want to DoS or otherwise impact your network may be violating your terms of services (VoIP , SIMboxes) SIM card cloning A third party is a potential attacker only as much as a subscriber (see above) SS7 based fraud (SMS spam, etc.) eavesdropping on Um, Abis/microwave, SS7 etc. is mostly to invide subscriber privacy. Not primarliy an operator concern! 8 / 77 Harald Welte GSM Security Problems

  9. Introduction Security if you are an Operator GSM security problems Security if you are a Subscriber The False BTS Security if you are a Government Security beyond the Um interface The GSM network – Overview If you are a subscriber The operator is a potential threat detailed location profiles about subscriber access to all plain-text communication untrusted operator SIM card tied into your phone A third party is a potential threat eavesdropping on the radio interface eavesdropping on microwave back-haul intelligence based on SS7 queries on the worldwide SS7 network mobile malware on your phone, on your SIM Governments are a potential threat access to all data (location, CDR) at the operator actively performing air interface attacks (IMSI catcher, etc) lawful intercept at the core network 9 / 77 Harald Welte GSM Security Problems

  10. Introduction Security if you are an Operator GSM security problems Security if you are a Subscriber The False BTS Security if you are a Government Security beyond the Um interface The GSM network – Overview If you are a government The operator is a potential threat mostly because operator has all CDRs, location profiles and access to content of communication. An informant at the operator could coopeate with foreign governments or criminal groups security of the private operator affects your security operator wants to maximize profits, not subscriber :security Other governments are a potential threat eavesdropping on the air interface or microwave back-haul active attacks on the air interface mobile malware on phone or SIM cards SS7 based intelligence (location, etc.) from worldwide SS7 network Criminal organizations are a potential threat the same as Other governments above 10 / 77 Harald Welte GSM Security Problems

  11. Introduction Security if you are an Operator GSM security problems Security if you are a Subscriber The False BTS Security if you are a Government Security beyond the Um interface The GSM network – Overview The GSM network 11 / 77 Harald Welte GSM Security Problems

  12. Introduction Security if you are an Operator GSM security problems Security if you are a Subscriber The False BTS Security if you are a Government Security beyond the Um interface The GSM network – Overview GSM network components The BSS (Base Station Subsystem) MS (Mobile Station): Your phone BTS (Base Transceiver Station): The cell tower BSC (Base Station Controller): Controlling up to hundreds of BTS The NSS (Network Sub System) MSC (Mobile Switching Center): The central switch HLR (Home Location Register): Database of subscribers AUC (Authentication Center): Database of authentication keys VLR (Visitor Location Register): For roaming users EIR (Equipment Identity Register): To block stolen phones 12 / 77 Harald Welte GSM Security Problems

  13. Introduction The Baseband GSM security problems GSM Security – Design Flaws + Oversights The False BTS Intentional Weaknesses Security beyond the Um interface GSM security research Known GSM security problems Scientific papers, etc No mutual authentication between phone and network leads to rogue network attacks leads to man-in-the-middle attacks is what enables IMSI-catchers Weak encryption algorithms Encryption is optional, user never knows when it’s active or not DoS of the RACH by means of channel request flooding RRLP (Radio Resource Location Protocol) the network can obtain GPS fix or even raw GPS data from the phone combine that with the network not needing to authenticate itself 13 / 77 Harald Welte GSM Security Problems

  14. Introduction The Baseband GSM security problems GSM Security – Design Flaws + Oversights The False BTS Intentional Weaknesses Security beyond the Um interface GSM security research Known GSM security problems The Baseband side GSM protocol stack always runs in a so-called baseband processor (BP) What is the baseband processor Typically ARM7 (2G/2.5G phones) or ARM9 (3G/3.5G phones) Runs some RTOS (often Nucleus, sometimes L4) No memory protection between tasks Some kind of DSP , model depends on vendor Runs the digital signal processing for the RF Layer 1 Has hardware peripherals for A5 encryption The software stack on the baseband processor is written in C and assembly lacks any modern security features (stack protection, non-executable pages, address space randomization, ..) 14 / 77 Harald Welte GSM Security Problems

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security and Cooperation in Wireless Networks Additional Problems edited by Levente Butty an

Security and Cooperation in Wireless Networks Additional Problems edited by Levente Butty an

Security and Cooperation in Wireless Networks Additional Problems edited by Levente Butty an and Jean-Pierre Hubaux July 2009 Lausanne Preface The problems hereafter have been generated by students participating in the course Security and

480 views • 15 slides
Software Security Explorative Lecture A brief history of security problems attacks on

Software Security Explorative Lecture A brief history of security problems attacks on

1/30/2020 Software Security Explorative Lecture A brief history of security problems attacks on multi-user UNIX systems for fun viruses & worms attacking operating systems due to buffer overflow, format string attacks, integer

477 views • 37 slides
Detecting Security Problems and Internet Measurement Evaluating Security Solutions The

Detecting Security Problems and Internet Measurement Evaluating Security Solutions The

Detecting Security Problems and Internet Measurement Evaluating Security Solutions The Internet as a whole is poorly CS 239 measured Advanced Topics in Network And, hence, poorly understood Security No existing network-wide

354 views • 4 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning

The Unspoken Problems With Machine Learning in Security Noa Weiss Hi! AI & Machine Learning Consultant Playing with data for over a decade Risk and Security PayPal, Armis 2 Hi! Deep Voice foundation Leader of

554 views • 54 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
CS 4803 to find some building blocks - hard problems (assumptions about hardness of some

CS 4803 to find some building blocks - hard problems (assumptions about hardness of some

As no encryption scheme besides the OneTimePad is unconditionally secure, we need CS 4803 to find some building blocks - hard problems (assumptions about hardness of some Computer and Network Security problems) to base security of our new

553 views • 3 slides
Security deposits cause problems for Property Owners and Managers Compliance Banking Payments

Security deposits cause problems for Property Owners and Managers Compliance Banking Payments

10/4/17 [Property owner] presentation Security deposit management when renting. Security deposits cause problems for Property Owners and Managers Compliance Banking Payments Disputes triple trust managing dispute damages accounts

189 views • 3 slides
Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing

Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing

Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing World Bradly Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, Kevin Butler University of Florida Published at USENIX Security 2015 Based on

444 views • 19 slides
secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start

secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start

secmon Basic Oracle Security Monitoring Basic Oracle Security Monitoring motivation & start motivation & start internet security evaluate password cracker to check security of passwords passwords problems problems default

703 views • 27 slides
deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security

Software and Web Security deel 2 sws1 1 Software and Web Security - 1 & 2 Software is the main source of security vulnerabilities esp in systems accessible via a network part 1 security problems in machine code, compiled from C(++)

1.35k views • 67 slides
Using SAT solvers for security related SAT problems Formula construction Pysolver Conclusion

Using SAT solvers for security related SAT problems Formula construction Pysolver Conclusion

Using SAT solvers for security related problems Pierre Bourdon Introduction Using SAT solvers for security related SAT problems Formula construction Pysolver Conclusion Pierre Bourdon delroth@lse.epita.fr http://lse.epita.fr February

575 views • 15 slides
Problems and VPNs Johannes Weber Webernetz.net Network Security Consulting #whoami: Johannes

Problems and VPNs Johannes Weber Webernetz.net Network Security Consulting #whoami: Johannes

Dynamic IPv6 Prefix Problems and VPNs Johannes Weber Webernetz.net Network Security Consulting #whoami: Johannes Weber Network Security Consultant @ TV Rheinland i-sec GmbH Firewall VPN/Crypto Routing/Switching Mail

453 views • 30 slides
Food Security Issues as a Key Element in the Solution of Socio- Economic Problems of the

Food Security Issues as a Key Element in the Solution of Socio- Economic Problems of the

Food Security Issues as a Key Element in the Solution of Socio- Economic Problems of the Country Izzatullo Sattori Minister of Agriculture Republic of Tajikistan Sector Context Largest share of the population over 70% residing in the

504 views • 11 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 & 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
Wednesday's slides TUTORIAL (n) Security (2): The security considerations for ECRIT are put

Wednesday's slides TUTORIAL (n) Security (2): The security considerations for ECRIT are put

Wednesday's slides TUTORIAL (n) Security (2): The security considerations for ECRIT are put forth in IETF RFC-5069 There are a few problems which seem to be intractable in a wireless environment with unauthenticated users.

133 views • 9 slides
Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Formal Analysis of Key Integrity in PKCS#11 Andrea Falcone 1 Riccardo Focardi 1 1 Universit` a Ca Foscari di Venezia, Italy focardi@dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work partially supported by: Miur07

729 views • 17 slides
Building Scalable Wireless Networks Network Startup Resource Center ATI-4 Campus Wireless

Building Scalable Wireless Networks Network Startup Resource Center ATI-4 Campus Wireless

Building Scalable Wireless Networks Network Startup Resource Center ATI-4 Campus Wireless Networking www.nsrc.org These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license Text

1.27k views • 28 slides
Conducting Defensive Information Warfare on Open Platforms 23rd October 2013 LinuxCon Europe

Conducting Defensive Information Warfare on Open Platforms 23rd October 2013 LinuxCon Europe

Conducting Defensive Information Warfare on Open Platforms 23rd October 2013 LinuxCon Europe Ben Tullis (formerly of) LinuxIT (Europe) Ltd. Ben Tullis - Background Professional Linux sysadmin (etc.) for 12+ years Worked in

883 views • 59 slides
SVT DAQ 2019 Physics Run Cameron Bravo (SLAC) Introduction SVT DAQ system underwent a major

SVT DAQ 2019 Physics Run Cameron Bravo (SLAC) Introduction SVT DAQ system underwent a major

SVT DAQ 2019 Physics Run Cameron Bravo (SLAC) Introduction SVT DAQ system underwent a major overhaul before the run FEB bootloader image Rogue framework TI interface on PCIE cards in SVT DAQ blades (clonfarm 2 and 3)

530 views • 10 slides
Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code Regardless of user running the code Regardless of whether the code is in the same application with other code Other code can be more, less, or

695 views • 21 slides
Tor: a quick overview (How Twitter can help) Jacob Appelbaum The Tor Project

Tor: a quick overview (How Twitter can help) Jacob Appelbaum The Tor Project

Tor: a quick overview (How Twitter can help) Jacob Appelbaum The Tor Project https://www.torproject.org/ 1 About me: Free software hacker (libmsr, blockfinder, etc) General human and other animal rights activist Founder of

679 views • 40 slides
Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy. College Bescherming Persoonsgegevens (CBP) What is privacy? Users must be able to determine for themselves when, how, to what extent and

798 views • 45 slides
DNS and BGP CS642: Computer Security Professor Ristenpart

DNS and BGP CS642: Computer Security Professor Ristenpart

DNS and BGP CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

542 views • 36 slides

More recommend