lte redirection
play

LTE Redirection Forcing Targeted LTE Cellphone into Unsafe Network - PowerPoint PPT Presentation

May 18, 2023 •547 likes •937 views

360UnicornTeam LTE Redirection Forcing Targeted LTE Cellphone into Unsafe Network Qing Yang@360 UnicornTeam Wanqiao Zhang @360 UnicornTeam 1 LTE Redirection LTE and IMSI catcher myths In Nov. 2015, BlackHat EU, Ravishankar Borgaonkar,

  1. 360UnicornTeam LTE Redirection Forcing Targeted LTE Cellphone into Unsafe Network Qing Yang@360 UnicornTeam Wanqiao Zhang @360 UnicornTeam 1 LTE Redirection

  2. LTE and IMSI catcher myths • In Nov. 2015, BlackHat EU, Ravishankar Borgaonkar, and Altaf Shaik etc. introduced the LTE IMSI catcher and DoS attack. 2 LTE Redirection

  3. IMSI Catcher Once a cellphone goes through the fake network coverage area, its IMSI will be reported to the fake network. 3 LTE Redirection

  4. DoS Attack DoS message examples:  You are an illegal cellphone!  Here is NO network available. You could shut down your 4G/3G/2G modem. 4 LTE Redirection

  5. Redirection Attack Malicious LTE: “Hello cellphone, come into my GSM network…” 5 LTE Redirection

  6. Demo Fake GSM Network USRPs Fake LTE Network 6 LTE Redirection

  7. Demo Video

  8. Risk • If forced into fake network • The cellphone will have no service (DoS). • The fake GSM network can make malicious call and SMS. • If forced into rogue network • All the traffic (voice and data) can be eavesdropped. 8 LTE Redirection

  9. LTE Basic Procedure • (Power on) • Cell search, MIB, SIB1, SIB2 and other SIBs • PRACH preamble Unauthorized area • RACH response Attack Space! • RRC Connection Request • RRC Connection Setup • RRC Connection Setup Complete + NAS: Attach request + ESM: PDN connectivity request • RRC: DL info transfer + NAS: Authentication request • RRC: UL info transfer + NAS: Authentication response • RRC: DL info transfer + NAS: Security mode command • RRC: UL info transfer + NAS: Security mode completer • …… 9 LTE Redirection

  10. Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI! 10 LTE Redirection

  11. Procedure of IMSI Catcher If you send Identity request at the same state, you can also get the cellphone’s IMSI! Identity Request 11 LTE Redirection

  12. Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone. 12 LTE Redirection

  13. Procedure of Redirection Attack RRC Release message can bring the cell info which it can let cellphone re-direct to. 13 LTE Redirection

  14. How to Build Fake LTE Network • Computer + USRP 14 LTE Redirection

  15. How to Build Fake LTE Network • There are some popular open source LTE projects: • (1)Open Air Interface by Eurecom • http://www.openairinterface.org/ • The most completed and open source LTE software • Support connecting cellphone to Internet • But have complicated software architecture Advanced Technology of Fake Base Station by Seeker 15 LTE Redirection

  16. How to Build Fake LTE Network • There are some popular open source LTE projects: • (2)OpenLTE by Ben Wojtowicz OpenLTE • http://openlte.sourceforge.net/ • Haven’t achieved stable LTE data connection but functional enough for fake LTE network • Beautiful code architecture • More popular in security researchers 16 LTE Redirection

  17. Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI! LTE Redirection 17

  18. Procedure of IMSI Catcher If you send Identity request at the same state, you can also get the cellphone’s IMSI! Identity Request 18 LTE Redirection

  19. OpenLTE Source Code (1/3) • In current OpenLTE release, the TAU request isn’t handled. • But TAU reject msg packing function is available. 19 LTE Redirection

  20. OpenLTE Source Code (1/3) Set the mme procedure as TAU REQUET Call the TAU reject message packing module *Refer to Attach reject module 20 LTE Redirection

  21. Procedure of IMSI Catcher Network Optimization Master 21 LTE Redirection

  22. Procedure of IMSI Catcher Identity Request Identity response 22 LTE Redirection

  23. OpenLTE Souce Code (2/3) DoS attack can directly utilize the cause setting in Attach Reject message. 23 LTE Redirection

  24. Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone. 24 LTE Redirection

  25. OpenLTE Source Code (3/3) redirectCarrierInfo can be inserted into RRC Connection Release message. 25 LTE Redirection

  26. OpenLTE Source Code (3/3) 26 LTE Redirection

  27. OpenLTE Source Code (3/3) 27 LTE Redirection

  28. Think from the other side Attacker Defender Why is RRC redirection message not encrypted? 28 LTE Redirection

  29. Is This a New Problem? • "Security Vulnerabilities in the E-RRC Control Plane", 3GPP TSG-RAN WG2/RAN WG3/SA WG3 joint meeting, R3- 060032, 9-13 January 2006 • This document introduced a ‘Forced handover’ attack: 29 LTE Redirection

  30. 3GPP’s Decision • “Reply LS on assumptions for security procedures”, 3GPP TSG SA WG3 meeting #45, S3-060833, 31st Oct - 3rd Nov 2006 30 LTE Redirection

  31. Why 3GPP Made Such Decision • In special cases, e.g. earthquake, disaster, hot events • Too many people try to access one base station then make this base station overloaded. • To let network load balanced, this base station can ask the new coming cellphone to redirect to another base station. • If you don’t tell cellphones which base station is light-loaded, the cellphones will blindly and inefficiently search one by one, and then increase the whole network load. Overloaded Base station Light-loaded Base station Overloaded Overloaded Base station Base station 31 LTE Redirection

  32. Network Availability vs.. Privacy • Global roaming • IMSI Catcher e.g. Wifi MAC addr tracking • Energy saving • DoS Attack VS. • Load balance • Redirection Attack Basic requirement High level requirement 32 LTE Redirection

  33. Countermeasures (1/2) • Cellphone manufacture – smart response • Scheme 1: Don’t follow the redirection command, but auto-search other available base station. • Scheme 2: Follow the redirection command, but raise an alert to cellphone user: Warning! You are downgraded to low security network. 33 LTE Redirection

  34. Countermeasures (2/2) • Standardization effort • Fix the weak security of legacy network: GSM • 3GPP TSG SA WG3 (Security) Meeting #83, S3-160702, 9-13 May 2016 Legacy Security Issues and Mitigation Proposals, Liaison Statement from GSMA. • Refuse one-way authentication • Disabling compromised encryption in mobile 34 LTE Redirection

  35. Acknowledgements • Huawei • Peter Wesley (Security expert) • GUO Yi (3GPP RAN standardization expert) • CHEN Jing (3GPP SA3 standardization expert) • Qualcomm • GE Renwei (security expert) • Apple • Apple product security team 35 LTE Redirection

  36. Any question? • huanglin-it@360.cn • zhangwanqiao@360.cn 36 LTE Redirection

  37. Thank you ! 37 LTE Redirection

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP draft-bharatia-sipping-redirect-00.txt Authors: J. Bharatia, S. Sen, R. Yuhanna, S. Orton, M. Watson Presenter: Mark Watson mwatson@nortelnetworks.com General Motivation SIP

478 views • 5 slides
.kr DNS Redirection 28. Oct, 2009 Korea Internet & Security Agency Contents 1. DNS

.kr DNS Redirection 28. Oct, 2009 Korea Internet & Security Agency Contents 1. DNS

.kr DNS Redirection 28. Oct, 2009 Korea Internet & Security Agency Contents 1. DNS Redirection 2. Use of .kr DNS direction 3. Web-Navigation System 4. Market share of web browser in Korea 5. .kr DNS Redirection status 6. Query status for

164 views • 12 slides
Prohibiting Redirection & Synthesized DNS Responses June 2009 Ram Mohan SSAC Board Liaison

Prohibiting Redirection & Synthesized DNS Responses June 2009 Ram Mohan SSAC Board Liaison

Prohibiting Redirection & Synthesized DNS Responses June 2009 Ram Mohan SSAC Board Liaison Redirection of DNS Responses Redirection of DNS Responses Issue Issue Wildcarding of DNS records Provides valid address and routing

217 views • 6 slides
GridFTP redirection Currently, all GridFTP requests are streamed through the Head node

GridFTP redirection Currently, all GridFTP requests are streamed through the Head node

GridFTP redirection Currently, all GridFTP requests are streamed through the Head node Same for PUT This is obviously not ideal 1. GET /SFN 2. Fetch via RFIO Client Head Disk 3. Serve file GridFTP redirection Based on the

263 views • 13 slides
More Linux Piping and Redirection Fundamentals of Computer Science Outline File and

More Linux Piping and Redirection Fundamentals of Computer Science Outline File and

More Linux Piping and Redirection Fundamentals of Computer Science Outline File and Directory Permissions File Content Finding Files Sorting Files File Compression Processes Pipes Input/Output Redirection

562 views • 21 slides
COMP 2718: Redirection By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline

COMP 2718: Redirection By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline

COMP 2718: Redirection By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline Redirection Chapter 6 of TLCL Standard Input, Standard Output, and Standard Error Redirecting Standard Output File Desriptors

578 views • 29 slides
Redirection and Logical Consequences New Hire Orientation 2018 Office of Teaching & Learning

Redirection and Logical Consequences New Hire Orientation 2018 Office of Teaching & Learning

Redirection and Logical Consequences New Hire Orientation 2018 Office of Teaching & Learning 1 Redirection and Logical Consequences New Hire Orientation 2018 Please complete DO NOW on page 1 of your notes 2 Objective We will work to:

592 views • 31 slides
I/O redirection Most of the time, programs display their output (stdout) to the monitor and

I/O redirection Most of the time, programs display their output (stdout) to the monitor and

I/O redirection Most of the time, programs display their output (stdout) to the monitor and take their input (stdin) from the keyboard There is also an error stream (stderr) that some programs take advantage of From the command line,

329 views • 6 slides
A double-pushout approach for modeling pointer redirection Dominique Duval, Rachid Echahed, Fr

A double-pushout approach for modeling pointer redirection Dominique Duval, Rachid Echahed, Fr

A double-pushout approach for modeling pointer redirection Dominique Duval, Rachid Echahed, Fr ed eric Prost University of Grenoble IFIP WG1.3 meeting, Sierra Nevada, January 18., 2008 Outline Introduction Basic examples The

733 views • 49 slides
Synergies of Robotic Asteroid Redirection Technologies and Human Space Exploration John R. Brophy

Synergies of Robotic Asteroid Redirection Technologies and Human Space Exploration John R. Brophy

Synergies of Robotic Asteroid Redirection Technologies and Human Space Exploration John R. Brophy , Jet Propulsion Laboratory, Caltech Louis Friedman ,Executive Director Emeritus, The Planetary Society Nathan J. Strange, Jet Propulsion

196 views • 15 slides
05 Git, Chaining, Piping & Redirection CS 2043: Unix Tools and Scripting, Spring 2019 [2]

05 Git, Chaining, Piping & Redirection CS 2043: Unix Tools and Scripting, Spring 2019 [2]

05 Git, Chaining, Piping & Redirection CS 2043: Unix Tools and Scripting, Spring 2019 [2] Matthew Milano February 1, 2019 Cornell University 1 Table of Contents 1. As always: Everybody! ssh to wash.cs.cornell.edu 3. Lets Git back

430 views • 24 slides
Media redirection for Spice remote computing solution Optimizing media stream processing for

Media redirection for Spice remote computing solution Optimizing media stream processing for

Media redirection for Spice remote computing solution Optimizing media stream processing for media players and VoIP clients in virtual desktop infrastructures Lyakhov F.A., Mazur E.S., Kuzin A.M., Semenov S.K. 1 Common media processing

599 views • 17 slides
Understanding OpenDaylight VTN and the Redirection Function Shreyansh Jain NEC Technologies

Understanding OpenDaylight VTN and the Redirection Function Shreyansh Jain NEC Technologies

Understanding OpenDaylight VTN and the Redirection Function Shreyansh Jain NEC Technologies India Pvt. Ltd. shreyansh.jain@{nectechnologies.in, gmail.com} Next 45 Minutes A brief introduction to OpenDaylight VTN OpenDaylight

811 views • 44 slides
Why Tria riage in Stroke? 3 1 2/27/2020 MI and STEMI As A Stroke Comparison 4 Stroke:

Why Tria riage in Stroke? 3 1 2/27/2020 MI and STEMI As A Stroke Comparison 4 Stroke:

2/27/2020 Acute Stroke Bypass & Redirection Protocol: Champlain Region Grant Stotts, MD, FRCPC Medical Director, CRSN Mathieu Grenier Acting Deputy Chief, Clinical Programs County of Renfrew Paramedic Service March 4, 2020 1 1.

380 views • 14 slides
Lecture 3 Log into Linux Questions about Homework 1? Reminder: Additional on-line

Lecture 3 Log into Linux Questions about Homework 1? Reminder: Additional on-line

Lecture 3 Log into Linux Questions about Homework 1? Reminder: Additional on-line references Thursday, September 2 CS 375 UNIX System Programming - Lecture 3 1 Outline Filesystems BASH - Bourne Again SHell Redirection

520 views • 27 slides
Content Distribution Networks explicit transparent (hijacking connections) Outline

Content Distribution Networks explicit transparent (hijacking connections) Outline

Design Space Caching Content Distribution Networks explicit transparent (hijacking connections) Outline Replication Implementation Techniques server farms Hashing Schemes Redirection Strategies geographically

237 views • 6 slides
Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu,

Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu,

Who Is Answering My Queries? Understanding and Characterizing Hidden Interception of the DNS Resolution Path Baojun Liu, Chaoyi Lu, Haixin Duan, Ying Liu, Zhou Li, Shuang Hao and MinYang DNS Resolution ISP DNS Resolver Might have

702 views • 41 slides
UNIX Shells CIS 218 Shells A shell is a command line interpreter that is the interface

UNIX Shells CIS 218 Shells A shell is a command line interpreter that is the interface

UNIX Shells CIS 218 Shells A shell is a command line interpreter that is the interface between the user and the OS. It is also a programming language. Shells may be used interactively or non -interactively. In interactive mode, they

283 views • 27 slides
Bulk Density and Void Content Bulk Density Bulk density ( n .) the mass of a unit volume of bulk

Bulk Density and Void Content Bulk Density Bulk density ( n .) the mass of a unit volume of bulk

Bulk Density and Void Content Bulk Density Bulk density ( n .) the mass of a unit volume of bulk aggregate including the volume of the individual particles and the volume of the voids between them. m kg agg bulk density 3 V m

1.45k views • 30 slides
Streams In C, the term stream means any source of input or any destination for output.

Streams In C, the term stream means any source of input or any destination for output.

3/25/14 Streams In C, the term stream means any source of input or any destination for output. Input/Output Accessing a stream is done through a file pointer , which has type FILE * . o A variable point ing to a file FILE *fp;

368 views • 8 slides
Hybrid-Bridge: Efficiently Bridging the Semantic-Gap in VMI via Decoupled Execution and Training

Hybrid-Bridge: Efficiently Bridging the Semantic-Gap in VMI via Decoupled Execution and Training

Motivation Techniques Experiment Result Summary Hybrid-Bridge: Efficiently Bridging the Semantic-Gap in VMI via Decoupled Execution and Training Memoization Alireza Saberi , Yangchun Fu, Zhiqiang Lin Department of Computer Science The

593 views • 46 slides
CBRE Group, Inc. Fourth Quarter 2012 Earnings Conference Call February 6, 2013 Forward-Looking

CBRE Group, Inc. Fourth Quarter 2012 Earnings Conference Call February 6, 2013 Forward-Looking

CBRE Group, Inc. Fourth Quarter 2012 Earnings Conference Call February 6, 2013 Forward-Looking Statements This presentation contains statements that are forward looking within the meaning of the Private Securities Litigation Reform Act of

650 views • 26 slides
XSS Real-life XSS examples fotolog.com xssed mirror

XSS Real-life XSS examples fotolog.com xssed mirror

XSS Real-life XSS examples fotolog.com xssed mirror http://m.fotolog.com/search.php?auth=%3Ch1%3ERME% 20Pwnea%20de%20Nuevo%3C/h1%3E%3Cscript%3E alert%28document.cookie%29%3C/script%3E% 3Cnoscript%3E URL decoder Decoded -- cleaned up a bit

258 views • 22 slides
Credit Where Credit is Due These slides for CSC209H have been developed by Sean Culhane, a

Credit Where Credit is Due These slides for CSC209H have been developed by Sean Culhane, a

Credit Where Credit is Due These slides for CSC209H have been developed by Sean Culhane, a Introduction to previous instructor: I have modified them for this presentation of the course, but must acknowledge their origins! UNIX S -1 S -2

741 views • 37 slides

More recommend