SlideShare une entreprise Scribd logo

Root via sms. 4G security assessment

Télécharger en tant que PPTX, PDF
S
Sergey Gordeychik

Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network. And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier. Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.

Technologie
1  sur  87
#root via SMS 4G IP access security assesment
we are…
who we are Sergey Gordeychik @phdays architect @scadasl captain Alex Zaitsev @arbitrarycode executor @phdays goon
behind the scenes Dmity Sklarov Alexey @GiftsUngiven Osipov Kirill Nesterov Timur @a66at Yunusov http://scadasl.org
3G/4G network
the Evil
4G access level  Branded mobile equipment security checks  3G/4G USB Modems  Routers / Wireless Access Point  Smartphones/Femtocell/Branded applications  (U)SIM cards  Radio/IP access network  Radio access network  IP access (GGSN, Routers, GRX)  Related Infrastructure  Additional services/VAS (TV, Games, etc)
why?
why?  we use it every day  Internet  social network  to hack stuff  IT use it everyday  ATM  IoT  SCADA
Plain Line Station Computer Based Interlocking to peripherals: signals, point machines, etc. RBC Fixed Eurobalise RBC MMI Fixed Eurobalise GSM-R GSM-R Onboard ETCS Onboard Data GSM-R bullet train interlocking http://en.wikipedia.org/wiki/European_Rail_Traffic_Management_System
Plain Line Station Computer Based Interlocking to peripherals: signals, point machines, etc. RBC Fixed Eurobalise RBC MMI Fixed Eurobalise GSM-R GSM-R Onboard ETCS Onboard Data GSM-R GSM-R
radio access network • Well researched by community – http://security.osmocom.org/trac/ • Special thanks to – Sylvain Munaut/Alexander Chemeris/Karsten Nohl/et. al. http://security.osmocom.org/trac/
btw
not so quick  EN 50159:2010  RBC-RBC Safe Communication Interface Subset- 098  VPN over GSM
not enough?
the NET
the NET
thanks John http://www.shodanhq.com/
By devices
the NET
GPRS Tunnelling Protocol  Subset of protocols for GPRS communications  SGSN <-> GGSN signaling (PDP context, QoS, etc)  IP tunneling  Roaming (GRX)  Charging data exchange  GTP-C UDP/2123  GTP-U UDP/2152  GTP' TCP/UDP/3386 http://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol
Let’s scan all the Internets!
GPRS Tunnelling Protocol  GTP-echo responses  207401  No answer for PDP context request  199544  U r welcome  548  Management ports  DNS (.gprs .3gppnetwork.org)
Brazil 228 China 162 India 34 Colombia 14 USA 13 Japan 13 Malaysia 10 Kuwait 9 Germany 9 UAE 7
So what?
Attacks  GGSN PWN  GPRS attacks  DoS  Information leakage  Fraud
Example: GTP “Synflood” http://blog.ptsecurity.com/2013/09/inside-mobile-internet-security.html http://bit.ly/195ZYMR
We are good guys!
I’m inside
Guter Weg um ist nie krumm  All old IP stuff  traces 1.1.1.1/10.1.1.1  IP source routing  Management ports  All new IP stuff  IPv6  MPTCP  Telco specific (GTP, SCTP M3UA, DIAMETER etc) http://ubm.io/11K3yLT https://www.thc.org/thc-ipv6/
Here There Be Tygers
DNS  In most cases it internal DNS server  Sometimes it uses company’s FQDN and address space  Bruteforce/Zone Transfer and other information leakage  .gprs .3gppnetwork.org  APIPA IP address reuse  local.COMPANY.com have A-record to 10.X.X.X  Attacker publishes link to local.COMPANY.com on same address  Victims form 10.Х network will transfer cookies to attacker http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
1990th  Your balance is insufficient  Connect to your favorite UDP VPN
Resume  For telcos  Please scan all your Internets!  Your subscribers network is not your internal network  For auditors  Check all states  online/blocked/roaming  Check all subscribers  APN’s, subscribers plans  Don’t hack other subscribers http://www.slideshare.net/qqlan/how-to-hack-a-telecom-and-stay-alive/32
The Device
Who is mister USB-modem?  Rebranded hardware platform  Linux/Android/BusyBox onboard  Multifunctional  Storage  CWID USB SCSI CD-ROM USB Device  MMC Storage USB Device (MicroSD Card Reader)  Local management  COM-Port (UI, AT commands)  Network  Remote NDIS based Internet Sharing Device  WiFi
Cet animal est très méchant  Well researched  «Unlock»  «Firmware customization»  «Dashboard customization»  Some security researches  http://threatpost.com/using-usb-modems-to-phish-and-send-malicious-sms-messages  http://www.slideshare.net/RahulSasi2/fuzzing-usb-modems-rahusasi  http://2014.phdays.com/program/business/37688/  https://media.blackhat.com/eu-13/briefings/Tarakanov/bh-eu-13-from-china-with-love- tarakanov-slides.pdf
Quand on l'attaque il se défend  Developers answer  Device «Hardening»  Disabling of local interfaces (COM)  Web-dashboards
Identification
Identification  Documentation  Google  Box  Google again  Internals
How it works New Ethernet adapter DHCP client DHCP server DNS Web dashboard Routing/NAT Broadbandconnection
Scan it
Sometimes you get lucky…
…other times you don’t
How to hack device remotely?  telnet?  Internal interface only  Blocked by browsers  http?  Attack via browser (CSRF)  broadband  ?
web – trivial stuff CSRF Insufficient authenticationXSS
Basic impact  Info disclosure  Change settings  DNS (intercept traffic)  SMS Center (intercept SMS)  Manipulate (Set/Get)  SMS  Contacts  USSD  WiFi networks
Advanced impact  Self-service portal access  XSS (SMS) to “pwn” browser  CSRF to send “password reset” USSD  XSS to transfer password to attacker  “Brick”  PIN/PUK “bruteforce”  Wrong IP settings
DEMO
I need The Power!
“hidden” firmware upload
Cute, but…  You need to have firmware  Sometimes you get lucky…  …other times you don’t  Integrity control  At least should be…
dig deeper…  Direct shell calls  awk to calculate Content-Length  Other trivial RCE
Getting the shell
Finding “engineering tool”
I’ve got The Power
But whether it is?
Cute, but…  Get firmware?  Yes it nice, but…  Find more bugs?  We have enough…  Get SMS, send USSD?  Can be done via CSRF/XSS…  PWN the subscriber?
PWN - PWN
Profit!111
Sometimes you get lucky…
Details  Dashboard install webserver on localhost  Host diagnostics (ipconfig, traces…)  Windows “shell” script based!  Very “secure”!  Interacts with USB modem webserver  Don’t care about origin (you don’t need even XSS)
Very specific case
It still in USB!
It still in (bad)USB! https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf
Can I SMS keypress to your Laptop?
How to?  android_usb  sysfs  in memory patch
DEMO
Few words about the SIM cards
What has Karsten taught us?  Not all TARs are equally secure  If you are lucky enough you could find something to bruteforce  If you are even more lucky you can crack some keys  Or some TARs would accept commands without any crypto at all
Getting the keys  Either using rainbow tables or by plain old DES cracking  We've chosen DES  Existing solutions were too slow for us  So why not to build something new?
Getting the keys  Bitcoin mining business made another twist  Which resulted in a number of affordable FPGAs on the market  Here's our cruncher: (add tech specs and pics!!!)
Now what?  So you either got the keys or didn’t need them, what’s next?  Send random commands to TARs that accept them  Send commands to known pre-defined TARs
Now what?  Send random commands to TARs that accept them  Good manuals or intelligent fuzzing needed  Or you'll end up with nothing: not knowing what you send and receive
Now what?  Send commands to known pre-defined TARs  Card manager (TAR 00 00 00)  File system (TARs B0 00 00 - B0 FF FF)  …
Now what?  Card manager (TAR 00 00 00)  Holy grail  Install & load applets and jump off the JCVM  Not enough technical details  No successful POC publicly available  But someone have done it for sure…
Now what?  File system (TARs B0 00 00 - B0 FF FF)  Simple well documented APDU commands (SELECT, GET RESPONSE, READ BINARY, etc.)  Plain tree structure  Has it's own access conditions (READ, UPDATE, ACTIVATE, DEACTIVATE | CHV1, CHV2, ADM)
Now what?  File system (TARs B0 00 00 - B0 FF FF)  Stores such things as phonebook, SMS etc.  Protected by CHV1 (eq PIN code)  Stores much more interesting stuff: TMSI, Kc  Protected by the same CHV1!
Attack?  No fun in sending APDUs through card reader  Let's do it over the air!  Wrap file system access APDUs in binary SMS  Can be done with osmocom, some gsm modems or SMSC gateway
Attack?  Wait! What about access conditions?  We still need a PIN to read interesting stuff  Often PIN is set to 0000 by operator and is never changed  Otherwise needs bruteforcing
Attack?  PIN bruteforce  Only 3 attempts until PIN is blocked  Needs a wide range of victims to get appropriate success rate  Provides some obvious possibilities…
Attack?  Byproduct attack – subscriber DoS  Try 3 wrong PINs  PIN is locked, PUK(CHV2) requested  Try 3 wrong PUKs  PUK is locked  Subscriber is locked out of GSM network - needs to replace SIM card
Attack?  Assuming we were lucky enough  We do have the OTA key either don’t need one  We’ve got the PIN either don’t need one  All we need is to read two elementary files  MF/DF/EF/Kc and MF/DF/EF/loci
Attack?  Assuming we were lucky enough  We now got TMSI and Kc and don't need to rely on Kraken anymore  Collect some GSM traffic with your SDR of choice  Decrypt it using obtained Kc  Profit!
Resume  For telcos  All your 3/4G modems/routers are 5/>< belong to us  For everybody  Please don’t plug computers into your USB  Even if it your harmless network printer 4G modem

Recommandé

Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Luca Bongiorni
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
Luca Bongiorni
 
SS7 & SIGTRAN
SS7 & SIGTRANSS7 & SIGTRAN
SS7 & SIGTRAN
Stephanie Galloway-Williams
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security
 
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
3G4G
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)
Hamidreza Bolhasani
 
Intermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular NetworksIntermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular Networks
3G4G
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network security
APNIC
 

Recommandé

Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Luca Bongiorni
 
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
Luca Bongiorni
 
SS7 & SIGTRAN
SS7 & SIGTRANSS7 & SIGTRAN
SS7 & SIGTRAN
Stephanie Galloway-Williams
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security
 
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
Beginners: Different Types of RAN Architectures - Distributed, Centralized & ...
3G4G
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)
Hamidreza Bolhasani
 
Intermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular NetworksIntermediate: Security in Mobile Cellular Networks
Intermediate: Security in Mobile Cellular Networks
3G4G
 
Fundamentals of Network security
Fundamentals of Network securityFundamentals of Network security
Fundamentals of Network security
APNIC
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON
 
ENCAPSULATION AND TUNNELING
ENCAPSULATION AND TUNNELINGENCAPSULATION AND TUNNELING
ENCAPSULATION AND TUNNELING
Mohammad Adil
 
How Mobile Technology Works
How Mobile Technology WorksHow Mobile Technology Works
How Mobile Technology Works
3G4G
 
Total GSM Concept
Total GSM ConceptTotal GSM Concept
Total GSM Concept
Tempus Telcosys
 
Beginners: UICC & SIM
Beginners: UICC & SIMBeginners: UICC & SIM
Beginners: UICC & SIM
3G4G
 
Positive approach to security of Core networks
Positive approach to security of Core networksPositive approach to security of Core networks
Positive approach to security of Core networks
PositiveTechnologies
 
Sigtran Workshop
Sigtran WorkshopSigtran Workshop
Sigtran Workshop
Luca Matteo Ruberto
 
Umts fundamentals
Umts fundamentalsUmts fundamentals
Umts fundamentals
Majid Hussain
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
EC-Council
 
5G Network Architecture, Design and Optimisation
5G Network Architecture, Design and Optimisation5G Network Architecture, Design and Optimisation
5G Network Architecture, Design and Optimisation
3G4G
 
Ip spoofing ppt
Ip spoofing pptIp spoofing ppt
Ip spoofing ppt
Anushakp9
 
Td1 gsm
Td1 gsmTd1 gsm
Td1 gsm
Said Elabid
 
An Introduction to 5G and ‘Real’ 5G
An Introduction to 5G and ‘Real’ 5GAn Introduction to 5G and ‘Real’ 5G
An Introduction to 5G and ‘Real’ 5G
3G4G
 
Generation of mobile communication systems
Generation of mobile communication systemsGeneration of mobile communication systems
Generation of mobile communication systems
jincy-a
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
Phannarith Ou, G-CISO
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Positive Hack Days
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasures
PositiveTechnologies
 
Comprendre les technologies LPWA (SIGFOX et LoRa)
Comprendre les technologies LPWA (SIGFOX et LoRa)Comprendre les technologies LPWA (SIGFOX et LoRa)
Comprendre les technologies LPWA (SIGFOX et LoRa)
Robert Vivanco Salcedo
 
3G basic
3G basic3G basic
3G basic
Nguyen Hong Tan
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elements
P1Security
 
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 

Contenu connexe

Tendances

44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON
 
ENCAPSULATION AND TUNNELING
ENCAPSULATION AND TUNNELINGENCAPSULATION AND TUNNELING
ENCAPSULATION AND TUNNELING
Mohammad Adil
 
Total GSM Concept
Total GSM ConceptTotal GSM Concept
Total GSM Concept
Tempus Telcosys
 
Positive approach to security of Core networks
Positive approach to security of Core networksPositive approach to security of Core networks
Positive approach to security of Core networks
PositiveTechnologies
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
EC-Council
 
Ip spoofing ppt
Ip spoofing pptIp spoofing ppt
Ip spoofing ppt
Anushakp9
 
Generation of mobile communication systems
Generation of mobile communication systemsGeneration of mobile communication systems
Generation of mobile communication systems
jincy-a
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
Positive Hack Days
 

Tendances (20)

44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
 
ENCAPSULATION AND TUNNELING
ENCAPSULATION AND TUNNELINGENCAPSULATION AND TUNNELING
ENCAPSULATION AND TUNNELING
 
How Mobile Technology Works
How Mobile Technology WorksHow Mobile Technology Works
How Mobile Technology Works
 
Total GSM Concept
Total GSM ConceptTotal GSM Concept
Total GSM Concept
 
Beginners: UICC & SIM
Beginners: UICC & SIMBeginners: UICC & SIM
Beginners: UICC & SIM
 
Positive approach to security of Core networks
Positive approach to security of Core networksPositive approach to security of Core networks
Positive approach to security of Core networks
 
Sigtran Workshop
Sigtran WorkshopSigtran Workshop
Sigtran Workshop
 
Umts fundamentals
Umts fundamentalsUmts fundamentals
Umts fundamentals
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
 
5G Network Architecture, Design and Optimisation
5G Network Architecture, Design and Optimisation5G Network Architecture, Design and Optimisation
5G Network Architecture, Design and Optimisation
 
Ip spoofing ppt
Ip spoofing pptIp spoofing ppt
Ip spoofing ppt
 
Td1 gsm
Td1 gsmTd1 gsm
Td1 gsm
 
An Introduction to 5G and ‘Real’ 5G
An Introduction to 5G and ‘Real’ 5GAn Introduction to 5G and ‘Real’ 5G
An Introduction to 5G and ‘Real’ 5G
 
Generation of mobile communication systems
Generation of mobile communication systemsGeneration of mobile communication systems
Generation of mobile communication systems
 
Understanding NMAP
Understanding NMAPUnderstanding NMAP
Understanding NMAP
 
How to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the PlanetHow to Intercept a Conversation Held on the Other Side of the Planet
How to Intercept a Conversation Held on the Other Side of the Planet
 
Telecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasuresTelecom under attack: demo of fraud scenarios and countermeasures
Telecom under attack: demo of fraud scenarios and countermeasures
 
Comprendre les technologies LPWA (SIGFOX et LoRa)
Comprendre les technologies LPWA (SIGFOX et LoRa)Comprendre les technologies LPWA (SIGFOX et LoRa)
Comprendre les technologies LPWA (SIGFOX et LoRa)
 
3G basic
3G basic3G basic
3G basic
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elements
 

Similaire à Root via sms. 4G security assessment

Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Sergey Gordeychik
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
qqlan
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
qqlan
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
DefconRussia
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Fatih Ozavci
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
masoodnt10
 
Oss web application and network security
Oss web application and network securityOss web application and network security
Oss web application and network security
Rishabh Mehan
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
Positive Hack Days
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
qqlan
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
eroglu
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
Positive Hack Days
 

Similaire à Root via sms. 4G security assessment (20)

Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via smsD1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
 
Oss web application and network security
Oss web application and network securityOss web application and network security
Oss web application and network security
 
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
 
class12_Networking2
class12_Networking2class12_Networking2
class12_Networking2
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay alive
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
 
Firewall
FirewallFirewall
Firewall
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark Basics
 

Plus de Sergey Gordeychik

AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
Sergey Gordeychik
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
Sergey Gordeychik
 
Too soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentToo soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessment
Sergey Gordeychik
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation
Sergey Gordeychik
 
Cybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsCybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systems
Sergey Gordeychik
 
SCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European SmartgridSCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European Smartgrid
Sergey Gordeychik
 

Plus de Sergey Gordeychik (12)

Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
MALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELSMALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELS
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart grids
 
SD-WAN Internet Census, Zeronighst 2018
SD-WAN Internet Census, Zeronighst 2018SD-WAN Internet Census, Zeronighst 2018
SD-WAN Internet Census, Zeronighst 2018
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Too soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentToo soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessment
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation
 
The Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousThe Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and Furious
 
Cybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsCybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systems
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016
 
SCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European SmartgridSCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European Smartgrid
 

Dernier

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Dernier (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 

Root via sms. 4G security assessment

  • 1. #root via SMS 4G IP access security assesment
  • 3. who we are Sergey Gordeychik @phdays architect @scadasl captain Alex Zaitsev @arbitrarycode executor @phdays goon
  • 4. behind the scenes Dmity Sklarov Alexey @GiftsUngiven Osipov Kirill Nesterov Timur @a66at Yunusov http://scadasl.org
  • 7. 4G access level  Branded mobile equipment security checks  3G/4G USB Modems  Routers / Wireless Access Point  Smartphones/Femtocell/Branded applications  (U)SIM cards  Radio/IP access network  Radio access network  IP access (GGSN, Routers, GRX)  Related Infrastructure  Additional services/VAS (TV, Games, etc)
  • 9. why?  we use it every day  Internet  social network  to hack stuff  IT use it everyday  ATM  IoT  SCADA
  • 10. Plain Line Station Computer Based Interlocking to peripherals: signals, point machines, etc. RBC Fixed Eurobalise RBC MMI Fixed Eurobalise GSM-R GSM-R Onboard ETCS Onboard Data GSM-R bullet train interlocking http://en.wikipedia.org/wiki/European_Rail_Traffic_Management_System
  • 11. Plain Line Station Computer Based Interlocking to peripherals: signals, point machines, etc. RBC Fixed Eurobalise RBC MMI Fixed Eurobalise GSM-R GSM-R Onboard ETCS Onboard Data GSM-R GSM-R
  • 12. radio access network • Well researched by community – http://security.osmocom.org/trac/ • Special thanks to – Sylvain Munaut/Alexander Chemeris/Karsten Nohl/et. al. http://security.osmocom.org/trac/
  • 13. btw
  • 14. not so quick  EN 50159:2010  RBC-RBC Safe Communication Interface Subset- 098  VPN over GSM
  • 21. GPRS Tunnelling Protocol  Subset of protocols for GPRS communications  SGSN <-> GGSN signaling (PDP context, QoS, etc)  IP tunneling  Roaming (GRX)  Charging data exchange  GTP-C UDP/2123  GTP-U UDP/2152  GTP' TCP/UDP/3386 http://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol
  • 22. Let’s scan all the Internets!
  • 23. GPRS Tunnelling Protocol  GTP-echo responses  207401  No answer for PDP context request  199544  U r welcome  548  Management ports  DNS (.gprs .3gppnetwork.org)
  • 24. Brazil 228 China 162 India 34 Colombia 14 USA 13 Japan 13 Malaysia 10 Kuwait 9 Germany 9 UAE 7
  • 26. Attacks  GGSN PWN  GPRS attacks  DoS  Information leakage  Fraud
  • 28. We are good guys!
  • 30. Guter Weg um ist nie krumm  All old IP stuff  traces 1.1.1.1/10.1.1.1  IP source routing  Management ports  All new IP stuff  IPv6  MPTCP  Telco specific (GTP, SCTP M3UA, DIAMETER etc) http://ubm.io/11K3yLT https://www.thc.org/thc-ipv6/
  • 31. Here There Be Tygers
  • 32. DNS  In most cases it internal DNS server  Sometimes it uses company’s FQDN and address space  Bruteforce/Zone Transfer and other information leakage  .gprs .3gppnetwork.org  APIPA IP address reuse  local.COMPANY.com have A-record to 10.X.X.X  Attacker publishes link to local.COMPANY.com on same address  Victims form 10.Х network will transfer cookies to attacker http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
  • 33. 1990th  Your balance is insufficient  Connect to your favorite UDP VPN
  • 34. Resume  For telcos  Please scan all your Internets!  Your subscribers network is not your internal network  For auditors  Check all states  online/blocked/roaming  Check all subscribers  APN’s, subscribers plans  Don’t hack other subscribers http://www.slideshare.net/qqlan/how-to-hack-a-telecom-and-stay-alive/32
  • 36. Who is mister USB-modem?  Rebranded hardware platform  Linux/Android/BusyBox onboard  Multifunctional  Storage  CWID USB SCSI CD-ROM USB Device  MMC Storage USB Device (MicroSD Card Reader)  Local management  COM-Port (UI, AT commands)  Network  Remote NDIS based Internet Sharing Device  WiFi
  • 37. Cet animal est très méchant  Well researched  «Unlock»  «Firmware customization»  «Dashboard customization»  Some security researches  http://threatpost.com/using-usb-modems-to-phish-and-send-malicious-sms-messages  http://www.slideshare.net/RahulSasi2/fuzzing-usb-modems-rahusasi  http://2014.phdays.com/program/business/37688/  https://media.blackhat.com/eu-13/briefings/Tarakanov/bh-eu-13-from-china-with-love- tarakanov-slides.pdf
  • 38. Quand on l'attaque il se défend  Developers answer  Device «Hardening»  Disabling of local interfaces (COM)  Web-dashboards
  • 40. Identification  Documentation  Google  Box  Google again  Internals
  • 41. How it works New Ethernet adapter DHCP client DHCP server DNS Web dashboard Routing/NAT Broadbandconnection
  • 43. Sometimes you get lucky…
  • 45. How to hack device remotely?  telnet?  Internal interface only  Blocked by browsers  http?  Attack via browser (CSRF)  broadband  ?
  • 46. web – trivial stuff CSRF Insufficient authenticationXSS
  • 47.
  • 48. Basic impact  Info disclosure  Change settings  DNS (intercept traffic)  SMS Center (intercept SMS)  Manipulate (Set/Get)  SMS  Contacts  USSD  WiFi networks
  • 49. Advanced impact  Self-service portal access  XSS (SMS) to “pwn” browser  CSRF to send “password reset” USSD  XSS to transfer password to attacker  “Brick”  PIN/PUK “bruteforce”  Wrong IP settings
  • 50. DEMO
  • 51. I need The Power!
  • 53. Cute, but…  You need to have firmware  Sometimes you get lucky…  …other times you don’t  Integrity control  At least should be…
  • 54. dig deeper…  Direct shell calls  awk to calculate Content-Length  Other trivial RCE
  • 57. I’ve got The Power
  • 59. Cute, but…  Get firmware?  Yes it nice, but…  Find more bugs?  We have enough…  Get SMS, send USSD?  Can be done via CSRF/XSS…  PWN the subscriber?
  • 60.
  • 63. Sometimes you get lucky…
  • 64. Details  Dashboard install webserver on localhost  Host diagnostics (ipconfig, traces…)  Windows “shell” script based!  Very “secure”!  Interacts with USB modem webserver  Don’t care about origin (you don’t need even XSS)
  • 66. It still in USB!
  • 67. It still in (bad)USB! https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf
  • 68. Can I SMS keypress to your Laptop?
  • 69. How to?  android_usb  sysfs  in memory patch
  • 70. DEMO
  • 71. Few words about the SIM cards
  • 72. What has Karsten taught us?  Not all TARs are equally secure  If you are lucky enough you could find something to bruteforce  If you are even more lucky you can crack some keys  Or some TARs would accept commands without any crypto at all
  • 73. Getting the keys  Either using rainbow tables or by plain old DES cracking  We've chosen DES  Existing solutions were too slow for us  So why not to build something new?
  • 74. Getting the keys  Bitcoin mining business made another twist  Which resulted in a number of affordable FPGAs on the market  Here's our cruncher: (add tech specs and pics!!!)
  • 75. Now what?  So you either got the keys or didn’t need them, what’s next?  Send random commands to TARs that accept them  Send commands to known pre-defined TARs
  • 76. Now what?  Send random commands to TARs that accept them  Good manuals or intelligent fuzzing needed  Or you'll end up with nothing: not knowing what you send and receive
  • 77. Now what?  Send commands to known pre-defined TARs  Card manager (TAR 00 00 00)  File system (TARs B0 00 00 - B0 FF FF)  …
  • 78. Now what?  Card manager (TAR 00 00 00)  Holy grail  Install & load applets and jump off the JCVM  Not enough technical details  No successful POC publicly available  But someone have done it for sure…
  • 79. Now what?  File system (TARs B0 00 00 - B0 FF FF)  Simple well documented APDU commands (SELECT, GET RESPONSE, READ BINARY, etc.)  Plain tree structure  Has it's own access conditions (READ, UPDATE, ACTIVATE, DEACTIVATE | CHV1, CHV2, ADM)
  • 80. Now what?  File system (TARs B0 00 00 - B0 FF FF)  Stores such things as phonebook, SMS etc.  Protected by CHV1 (eq PIN code)  Stores much more interesting stuff: TMSI, Kc  Protected by the same CHV1!
  • 81. Attack?  No fun in sending APDUs through card reader  Let's do it over the air!  Wrap file system access APDUs in binary SMS  Can be done with osmocom, some gsm modems or SMSC gateway
  • 82. Attack?  Wait! What about access conditions?  We still need a PIN to read interesting stuff  Often PIN is set to 0000 by operator and is never changed  Otherwise needs bruteforcing
  • 83. Attack?  PIN bruteforce  Only 3 attempts until PIN is blocked  Needs a wide range of victims to get appropriate success rate  Provides some obvious possibilities…
  • 84. Attack?  Byproduct attack – subscriber DoS  Try 3 wrong PINs  PIN is locked, PUK(CHV2) requested  Try 3 wrong PUKs  PUK is locked  Subscriber is locked out of GSM network - needs to replace SIM card
  • 85. Attack?  Assuming we were lucky enough  We do have the OTA key either don’t need one  We’ve got the PIN either don’t need one  All we need is to read two elementary files  MF/DF/EF/Kc and MF/DF/EF/loci
  • 86. Attack?  Assuming we were lucky enough  We now got TMSI and Kc and don't need to rely on Kraken anymore  Collect some GSM traffic with your SDR of choice  Decrypt it using obtained Kc  Profit!
  • 87. Resume  For telcos  All your 3/4G modems/routers are 5/>< belong to us  For everybody  Please don’t plug computers into your USB  Even if it your harmless network printer 4G modem