1. Mobile Network Security:
state of the art and beyond
Festival Della Tecnologia ICT
Milano, 18.09.2013
Version: 1.0
Author: L. Bongiorni
Responsible: L. Bongiorni
Date: 18.09.2013
Confidentiality Class: Public
2. © 2013 SEC Consult– All rights reserved
SEC Consult– Who we are
(world map: SEC Consult Headquarter, SEC Consult Offices and Other SEC Consult Clients in USA, Canada, India, Singapore, Lithuania, Germany, Austria, Central and Eastern Europe)
• Leading international application security consultancy
• Founded 2002
• Headquarters near Vienna, Austria
• Delivery Centers in Austria, Germany, Lithuania and Singapore
• Strong customer base in Central and Eastern Europe
• Increasing customer base of clients with global business (esp. out of Top-10 US and European software vendors)
• 35+ application security experts
• Industry focus banks, software vendors, government
3. Who am I
Luca Bongiorni
• Security Consultant
• Telco Enthusiast
• Interests: break stuff, lockpicking & collect PayPhones
Work at . . . a company
4. The GSM Network
To this day, although its design dates back to 1987, the most widespread cellular radio communication standard in the world is GSM (Global System for Mobile Communications): it counts over 4.4 billion users in more than 200 countries.
Over the years it has guaranteed the ability to communicate while remaining efficiently mobile, thanks to which it is massively used not only by ordinary people but also by criminals and terrorist organisations.
5. GSM + OpenSource == FUN
In the last 5 years a large number of open-source projects and practical attacks have been made public…
• Um Passive Sniffing
• A5/1 Cracking
• Um Active MITM
• RachDoS
• IMSI-Detach
• GPRS Sniffing
6. Some Case Studies…
• IMSI-Catcher:
  • Known Victim Mode (Italy)
  • GPRS & Data Connections
• GPRS Passive Sniffing:
  • XXXXX (EU Nation 1)
  • Wind (Italy)
  • XXXXX (EU Nation 2)
• What’s Next?!
  • GSM-R (Catching & DoSsing)
7. Exploited Architectural Vulnerabilities
• No Mutual Authentication
  o The network authenticates the MS, but not vice versa
• User Mobility
  o The strongest signal wins (Cell Selection and Reselection)
  o Forced Location Update (if LAC_PLMN != LAC_IMSI-Catcher then switch to IMSI-Catcher)
• Encryption is Optional
  o A5/0 No Encryption
8. IMSI-Catcher: The Prototype
(figure: prototype and lab configuration)
9. Known Victim Mode (Italy)
(diagram: Location Disclosure, Catch-and-Relay; victim CallerID, list of cities and IMSIs, Local Area)
10. Known Victim Mode (Italy): Location Disclosure
11. Known Victim Mode (Italy): Catch & Relay
+ CRO = 63 (max)
+ T3212 = 0
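As an added example that is not part of the original slides, here is a defender-side heuristic that scores observed cells against the indicators the deck lists (CRO = 63, T3212 = 0, A5/0, and a LAC the legitimate PLMN never broadcast); the CellObservation fields, weights and threshold are assumptions, and the sample cells are constructed.

```python
# Added example (not from the slides): heuristic rogue-cell scoring from the indicators
# the talk lists; field names, weights and threshold are assumptions, not page values.
from dataclasses import dataclass

@dataclass(frozen=True)
class CellObservation:
    mcc: str      # Mobile Country Code ("222" = Italy, as in the page's 222-88)
    mnc: str      # Mobile Network Code ("88" = Wind Italia on the page)
    lac: int      # Location Area Code from System Information
    cell_id: int
    cro: int      # Cell Reselection Offset, 6-bit field: 0..63
    t3212: int    # periodic location-update timer (deci-hours); 0 = disabled
    cipher: str   # cipher assigned at connection setup: "A5/0", "A5/1", "A5/3"

# CRO at max (63) lures reselection, T3212 = 0 keeps the phone camped, A5/0 means no
# ciphering, and a LAC the PLMN never broadcast is the forced Location Update.
WEIGHTS = {"cro_max": 2, "t3212_zero": 2, "no_cipher": 3, "unknown_lac": 3}
ALERT_THRESHOLD = 5  # assumed: one strong plus one weak indicator is enough to alert

def build_baseline(observations):
    """Map (mcc, mnc) -> set of LACs the legitimate PLMN was seen broadcasting."""
    known = {}
    for o in observations:
        known.setdefault((o.mcc, o.mnc), set()).add(o.lac)
    return known

def score_cell(obs, known_lacs):
    """Return (score, triggered indicator names) for one observation."""
    checks = {"cro_max": obs.cro == 63, "t3212_zero": obs.t3212 == 0,
              "no_cipher": obs.cipher == "A5/0"}
    plmn_lacs = known_lacs.get((obs.mcc, obs.mnc))
    checks["unknown_lac"] = bool(plmn_lacs) and obs.lac not in plmn_lacs
    hits = [name for name, hit in checks.items() if hit]
    return sum(WEIGHTS[h] for h in hits), hits

def detect(baseline_obs, new_obs):
    """Return [(cell_id, score, hits)] for observations at or above the threshold."""
    known = build_baseline(baseline_obs)
    alerts = []
    for o in new_obs:
        score, hits = score_cell(o, known)
        if score >= ALERT_THRESHOLD:
            alerts.append((o.cell_id, score, hits))
    return alerts

# Constructed sample: two cells seen earlier on 222-88, then one showing every indicator.
BASELINE = [CellObservation("222", "88", 0x1234, 10001, 0, 10, "A5/1"),
            CellObservation("222", "88", 0x1234, 10002, 2, 10, "A5/1")]
NEW = [CellObservation("222", "88", 0x1234, 10001, 0, 10, "A5/1"),
       CellObservation("222", "88", 0xBEEF, 60000, 63, 0, "A5/0")]
```

A PLMN with no baseline yet cannot trigger the unknown-LAC indicator, so the first survey of a new network should be trusted only once the other indicators stay quiet.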
12. Some Results…
• CallerID Spoofing
• Interception of outgoing Calls and SMS
• Hijacking of Emergency Calls
13. Interoperability with UMTS & LTE
What happens if we JAM the UMTS & LTE frequencies?!
GSM: “Welcome back my dear”
UE: “Nice to meet you again sir GSM”
15. Welcome home IMSI-Catcher 2.0
It is a commercial picocell developed by ip.Access, 100% compatible with OpenBSC (open-source software)
• GPRS [the newest one, also EDGE]
• Encryption A5/1 – A5/2
• IP connection
• PoE powered
• PCS band (1900 MHz)
16. IMSI-Catcher 2.0 for Fun & Profit
What could we ever do with it?! Uhm… Man-In-The-Middle attacks against interesting MEs!
• Video Poker
• Point-Of-Sale
• Smart Meters
• SCADA Remote Stations
• Mobile HotSpots
• Alarm Systems
To what end?! Mainly all the attacks available over TCP/IP!
• Sniffing communications (e.g. Wireshark + SSLstrip)
• Hijacking trusted connections (e.g. Stealing Credentials)
• Deploying malicious software (e.g. Squid + Metasploit)
• Malware Analysis
• Protocol Analysis
• Etc.
What about UMTS and LTE?!
17. Example: Point-Of-Sale 2G (preliminary test)
24. Catching and Intercepting an LTE modem
25. Some Case Studies... GPRS Passive Sniffing
“GPRS Intercept Wardriving phone networks” by Nohl & Melette, 2011
They patched OsmocomBB and developed GPRSDecode to analyze GPRS packets.
http://tinyurl.com/gprs-nohl-slides
26. GPRS Passive Sniffing XXXXX (EU Nation 1)
To generate data traffic, an old Telit MG-10 GPRS modem was used.
As the sniffer, a Pirelli DP-L10 with an ad-hoc firmware based on Osmocom-BB.
27. GPRS Passive Sniffing Wind (Italy)
29. GPRS Passive Sniffing Wind (Italy)
Analysis of 14/09/2013 of channel ARFCN 983 (222-88 – Wind Italia)
30. GPRS Passive Sniffing: XXXXX (EU Nation 2)
What kind of service might use cellular networks as a communication medium?
31. GPRS Passive Sniffing: XXXXX (EU Nation 2)
“Securing your World. G4S is the world’s leading international security solutions group”
From http://www.g4s.com/
32. What’s Next?: GSM-R Catching
33. What’s Next?: GSM-R DoSsing
34. End
35. Bibliography & Links
http://www.openbts.org
http://openbsc.osmocom.org
http://bb.osmocom.org
https://srlabs.de/gprs
http://tinyurl.com/gprs-nohl-slides
http://www.youtube.com/watch?v=vqjnhKYEDs0
http://patentscope.wipo.int/search/en/WO2008104739
http://www.tombom.co.uk/blog/?p=262
http://www.etsi.org/deliver/etsi_ts/101100_101199/101181/08.05.00_60/ts_101181v080500p.pdf
I thank the OpenBTS & Osmocom communities and all the researchers who have made cellular networks more interesting!
36. Contacts
Austria
Mooslackengasse 17
A-1190 Vienna
Austria
Tel: +43 (0)1 890 30 43-0
Fax: +43 (0)1 890 30 43-15
Email: office@sec-consult.com
www.sec-consult.com
Lithuania
Saulėtekio al. 15,
LT-10224, Vilnius
Lithuania
Tel: +370 671 84203
Email: l.bongiorni@sec-consult.com
Email: office-vilnius@sec-consult.com
www.sec-consult.com