LTE Redirection: Forcing Targeted LTE Cellphone into Unsafe Network (PowerPoint PPT presentation)

SLIDE 1

360UnicornTeam

LTE Redirection

Forcing Targeted LTE Cellphone into Unsafe Network

Qing Yang @360 UnicornTeam, Wanqiao Zhang @360 UnicornTeam

SLIDE 2

LTE and IMSI catcher myths

  • In Nov. 2015, at BlackHat EU, Ravishankar Borgaonkar, Altaf Shaik et al. introduced the LTE IMSI catcher and DoS attack.

SLIDE 3

IMSI Catcher

Once a cellphone passes through the fake network's coverage area, its IMSI is reported to the fake network.

SLIDE 4

DoS Attack

DoS message examples: "You are an illegal cellphone!" "There is NO network available. You could shut down your 4G/3G/2G modem."

SLIDE 5

Redirection Attack

Malicious LTE: "Hello cellphone, come into my GSM network…"

SLIDE 6

Demo

(figure: Fake LTE Network, Fake GSM Network, USRPs)

SLIDE 7

Demo Video

SLIDE 8

Risk

  • If forced into a fake network:
    • The cellphone will have no service (DoS).
    • The fake GSM network can make malicious calls and send SMS.
  • If forced into a rogue network:
    • All the traffic (voice and data) can be eavesdropped.

SLIDE 9

LTE Basic Procedure

(figure annotations: "Unauthorized area", "Attack Space!")

  • (Power on)
  • Cell search, MIB, SIB1, SIB2 and other SIBs
  • PRACH preamble
  • RACH response
  • RRC Connection Request
  • RRC Connection Setup
  • RRC Connection Setup Complete + NAS: Attach request + ESM: PDN connectivity request
  • RRC: DL info transfer + NAS: Authentication request
  • RRC: UL info transfer + NAS: Authentication response
  • RRC: DL info transfer + NAS: Security mode command
  • RRC: UL info transfer + NAS: Security mode complete
  • ……

SLIDE 10

Procedure of IMSI Catcher

First send a TAU Reject; the cellphone will then send an Attach Request containing its IMSI!

SLIDE 11

Procedure of IMSI Catcher

If you send an Identity Request in the same state, you can also get the cellphone's IMSI!

(figure: Identity Request)

SLIDE 12

Procedure of DoS Attack

An Attach Reject message can carry a reject cause. Some special causes result in NO service on the cellphone.

SLIDE 13

Procedure of Redirection Attack

An RRC Connection Release message can carry cell info that tells the cellphone which cell to redirect to.

SLIDE 14

How to Build Fake LTE Network

  • Computer + USRP

SLIDE 15

How to Build Fake LTE Network

  • There are some popular open source LTE projects:
    • (1) Open Air Interface by Eurecom
    • http://www.openairinterface.org/
    • The most complete open source LTE software
    • Supports connecting a cellphone to the Internet
    • But has a complicated software architecture

Advanced Technology of Fake Base Station by Seeker

SLIDE 16

How to Build Fake LTE Network

  • There are some popular open source LTE projects:
    • (2) OpenLTE by Ben Wojtowicz
    • http://openlte.sourceforge.net/
    • Hasn't achieved a stable LTE data connection, but is functional enough for a fake LTE network
    • Beautiful code architecture
    • More popular among security researchers

(figure: OpenLTE)

SLIDE 17

Procedure of IMSI Catcher

First send a TAU Reject; the cellphone will then send an Attach Request containing its IMSI!

SLIDE 18

Procedure of IMSI Catcher

If you send an Identity Request in the same state, you can also get the cellphone's IMSI!

(figure: Identity Request)

SLIDE 19

OpenLTE Source Code (1/3)

  • In the current OpenLTE release, the TAU Request isn't handled.
  • But a TAU Reject message packing function is available.

SLIDE 20

OpenLTE Source Code (1/3)

(code screenshot annotations:) Set the MME procedure to TAU REQUEST. Call the TAU Reject message packing module.

*Refer to the Attach Reject module

SLIDE 21

Procedure of IMSI Catcher

(screenshot: Network Optimization Master)

SLIDE 22

Procedure of IMSI Catcher

(figure: Identity Request / Identity Response)

SLIDE 23

OpenLTE Source Code (2/3)

The DoS attack can directly use the cause setting in the Attach Reject message.

SLIDE 24

Procedure of DoS Attack

An Attach Reject message can carry a reject cause. Some special causes result in NO service on the cellphone.

SLIDE 25

OpenLTE Source Code (3/3)

redirectCarrierInfo can be inserted into the RRC Connection Release message.

SLIDE 26

OpenLTE Source Code (3/3)

SLIDE 27

OpenLTE Source Code (3/3)

SLIDE 28

Think from the other side

(figure: Attacker / Defender)

Why is the RRC redirection message not encrypted?

SLIDE 29

Is This a New Problem?

  • "Security Vulnerabilities in the E-RRC Control Plane", 3GPP TSG-RAN WG2/RAN WG3/SA WG3 joint meeting, R3-060032, 9-13 January 2006
  • This document introduced a 'Forced handover' attack:

SLIDE 30

3GPP's Decision

  • "Reply LS on assumptions for security procedures", 3GPP TSG SA WG3 meeting #45, S3-060833, 31st Oct - 3rd Nov 2006

SLIDE 31

Why 3GPP Made Such a Decision

  • In special cases, e.g. an earthquake, a disaster or a hot event, too many people try to access one base station and make it overloaded.
  • To keep the network load balanced, this base station can ask newly arriving cellphones to redirect to another base station.
  • If you don't tell cellphones which base station is lightly loaded, the cellphones will blindly and inefficiently search one by one, which increases the whole network's load.

(figure: three overloaded base stations and one light-loaded base station)

SLIDE 32

Network Availability vs. Privacy

Network availability (basic requirement):
  • Global roaming
  • Energy saving
  • Load balance

VS.

Privacy (high level requirement):
  • IMSI Catcher
  • DoS Attack
  • Redirection Attack
  • e.g. Wifi MAC addr tracking

SLIDE 33

Countermeasures (1/2)

  • Cellphone manufacturer – smart response
    • Scheme 1: Don't follow the redirection command, but auto-search other available base stations.
    • Scheme 2: Follow the redirection command, but raise an alert to the cellphone user: "Warning! You are downgraded to low security network."
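The two handset-side schemes above, together with the attach procedure of slide 9 (where every message before the NAS security mode procedure is exchanged without a security context), can be modelled as a small UE-side policy check. The following Python is an added example, not code from the slides or from OpenLTE; the message names, the RedirectedCarrierInfo and UEState structures, the ranking of radio access technologies, the constructed carrier number and the rule that a redirection received after security activation is trusted as genuine load balancing are all assumptions made for the model.

```python
"""UE-side handling of an RRC Connection Release that carries redirection info.

Added example (not code from the slides or from OpenLTE). It models the attach
procedure of slide 9, where every message before the NAS security mode
procedure is unprotected, and the two handset-side countermeasures of
slide 33 (Scheme 1: refuse the redirection and search for another cell;
Scheme 2: follow it but warn the user). All message and field names are
simplified assumptions, not 3GPP ASN.1 types.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class RAT(Enum):
    """Radio access technologies a release message may redirect to."""
    EUTRA = "LTE"
    UTRA = "UMTS"
    GERAN = "GSM"


# Assumed security ranking: a redirection to a lower rank is a downgrade.
RAT_RANK = {RAT.GERAN: 0, RAT.UTRA: 1, RAT.EUTRA: 2}

# NAS attach procedure from slide 9, in order. The security context only
# exists once the UE has answered the Security mode command.
ATTACH_PROCEDURE = [
    "Attach request",
    "Authentication request",
    "Authentication response",
    "Security mode command",
    "Security mode complete",
]


@dataclass
class RedirectedCarrierInfo:
    """Assumed shape of the redirection info in an RRC Connection Release."""
    target_rat: RAT
    carrier: int  # target carrier number (constructed value in the demo)


@dataclass
class UEState:
    serving_rat: RAT = RAT.EUTRA
    nas_security_active: bool = False
    log: List[str] = field(default_factory=list)


class Decision(Enum):
    FOLLOW = "follow redirection"
    FOLLOW_WITH_WARNING = "follow redirection, warn user"
    REFUSE_AND_SEARCH = "refuse redirection, search other cells"


def process_nas(state: UEState, msg: str) -> None:
    """Advance the UE through the attach procedure and record protection state."""
    if msg == "Security mode complete":
        state.nas_security_active = True
    status = "protected" if state.nas_security_active else "UNPROTECTED"
    state.log.append(f"NAS {msg} ({status})")


def handle_rrc_release(state: UEState,
                       redirect: Optional[RedirectedCarrierInfo],
                       scheme: int) -> Decision:
    """Decide what to do with an RRC Connection Release.

    scheme=1 and scheme=2 are the two schemes of slide 33. A release that
    arrives after the security context is in place is treated as coming from
    the authenticated network (the load balancing case of slide 31) and is
    followed; that trust rule is an assumption of this model.
    """
    if redirect is None:
        return Decision.FOLLOW  # plain release, no redirection to judge
    downgrade = RAT_RANK[redirect.target_rat] < RAT_RANK[state.serving_rat]
    if not downgrade or state.nas_security_active:
        state.serving_rat = redirect.target_rat
        return Decision.FOLLOW
    # Unprotected release asking for a downgrade: the attack window of the talk.
    if scheme == 1:
        state.log.append(f"Refused redirection to {redirect.target_rat.value}; "
                         "searching other available base stations")
        return Decision.REFUSE_AND_SEARCH
    if scheme == 2:
        state.log.append("Warning! You are downgraded to low security network.")
        state.serving_rat = redirect.target_rat
        return Decision.FOLLOW_WITH_WARNING
    raise ValueError("scheme must be 1 or 2")


def simulate(redirect_after: str, scheme: int) -> Decision:
    """Run the attach procedure up to and including `redirect_after`, then
    deliver a release that redirects to GSM (carrier number is constructed)."""
    state = UEState()
    for msg in ATTACH_PROCEDURE:
        process_nas(state, msg)
        if msg == redirect_after:
            break
    return handle_rrc_release(state, RedirectedCarrierInfo(RAT.GERAN, 871), scheme)


if __name__ == "__main__":
    for msg in ("Authentication request", "Security mode complete"):
        for scheme in (1, 2):
            print(f"release after '{msg}', scheme {scheme}: "
                  f"{simulate(msg, scheme).value}")
```

The point of the model is where the decision hinges: a redirection that arrives before the security mode procedure cannot be authenticated, so the handset has to fall back on policy (refuse, or follow and warn) rather than on the network's word, while the same message after security activation is the legitimate load-balancing case the 3GPP decision was made for.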

SLIDE 34

Countermeasures (2/2)

  • Standardization effort
    • Fix the weak security of the legacy network: GSM
    • 3GPP TSG SA WG3 (Security) Meeting #83, S3-160702, 9-13 May 2016, "Legacy Security Issues and Mitigation Proposals", Liaison Statement from GSMA.
    • Refuse one-way authentication
    • Disable compromised encryption in the mobile

SLIDE 35

Acknowledgements

  • Huawei
    • Peter Wesley (Security expert)
    • GUO Yi (3GPP RAN standardization expert)
    • CHEN Jing (3GPP SA3 standardization expert)
  • Qualcomm
    • GE Renwei (security expert)
  • Apple
    • Apple product security team

SLIDE 36

Any question?

  • huanglin-it@360.cn
  • zhangwanqiao@360.cn

SLIDE 37

Thank you!