The document discusses modifying a Motorola C123 phone to perform passive listening on GSM networks and turn the phone into a basic base transceiver station (BTS). It provides background on GSM, describes dumping the phone's DSP firmware to analyze it, implementing custom tasks to perform passive listening, and work in progress on proof-of-concept efforts to transmit synchronization bursts and dummy traffic to function as a BTS. The presentation concludes by thanking contributors to open source GSM projects.
This document discusses open sourcing GSM baseband firmware to allow for free cellphone firmware, security research of cellphone networks, and disruptive competition. It notes challenges include closed chipset and network equipment industries and lack of learning materials. It promotes GSM due to its simplicity, worldwide deployment, and hackable hardware. It introduces the Osmocom project which produces open source GSM baseband software and describes its features and code structure.
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic (44CON)
There are over 2.9 BILLION subscribers on GSM networks today. How many of these subscribers are susceptible to trivial attacks that can leave phone calls, text messages and web surfing habits accessible to an attacker? This talk intends to discuss the reasons why GSM networks are still vulnerable today and demonstrate attack tools that might make you re-think how you handle sensitive data via your phone. The presenter will discuss his own experience of analysing GSM environments and provide a demonstration of GreedyBTS, which can be used to compromise a target's phone calls, messaging and web surfing habits. Mobile phones will be harmed during this presentation.
44Con 2014: GreedyBTS - Hacking Adventures in GSM (iphonepentest)
This presentation examines insecurities in the 2.5G GSM protocol and demonstrates GreedyBTS, a platform for fingerprinting and exploiting cellular devices, including interception of SMS and voice data.
Speaker: Michael Iedema
"OpenBTS implements a complete GSM stack for voice and SMS. It also supports GPRS and UMTS 3G data standards. With an off-the-shelf server and SDR (software defined radio), it is now possible to build real mobile networks. These networks can be used to support true fixed-mobile convergence, bring coverage to remote areas or just experiment and innovate within the cellular network itself. Because OpenBTS converts all cellular signalling and media directly to SIP and RTP, the development environment should be familiar!"
ElastixWorld
Santiago de Chile
October 2014
GSM encryption needs to be shown insecure
- GSM is constantly under attack through demonstrated weaknesses in its A5/1 cipher and the absence of network authentication (the handset authenticates to the network, but never the reverse, so it cannot tell a rogue base station from a genuine one)
- However, GSM is used for sensitive applications like banking and access control
- To correct the perception that GSM is secure, the presentation will demonstrate its practical weaknesses by cracking the A5/1 cipher
- The community has already done the computational work needed; the presentation will detail the next steps towards a public demonstration of cracking GSM encryption, to raise awareness of ongoing security issues.
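The weakness the talk promises to demonstrate rests on the cipher itself, so here is an A5/1 keystream generator, added as an illustration for this page rather than code from the talk or from any cracking project. It follows the register lengths, feedback taps, clocking bits and key/frame loading schedule of the cipher as published by Briceno, Goldberg and Wagner in 1999; the Kc value, frame number and plaintext bits used at the bottom are constructed sample values, not material from a capture, and the `recover_keystream` helper is my own name for the known-plaintext step.

```python
# A5/1 keystream generator: an added illustration for this page, not code
# from any of the talks listed here.  Register sizes, taps, clocking bits and
# the 64 key-bit / 22 frame-bit / 100 warm-up schedule are those of the cipher
# as published by Briceno, Goldberg and Wagner (1999).
from typing import List, Tuple

# (length mask, feedback taps, clocking bit, output bit) for R1, R2, R3
_REGS = (
    (0x07FFFF, 0x072000, 0x000100, 0x040000),  # R1: 19 bits, taps 13,16,17,18
    (0x3FFFFF, 0x300000, 0x000400, 0x200000),  # R2: 22 bits, taps 20,21
    (0x7FFFFF, 0x700080, 0x000400, 0x400000),  # R3: 23 bits, taps 7,20,21,22
)


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift one LFSR left by one bit, feeding back the parity of its taps."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, kc: bytes, frame: int) -> None:
        if len(kc) != 8:
            raise ValueError("Kc is 64 bits")
        if not 0 <= frame < (1 << 22):
            raise ValueError("frame number is 22 bits")
        self.r = [0, 0, 0]
        # Key loading: all registers step together (no majority rule) while the
        # 64 key bits are XORed into bit 0 of each, LSB of kc[0] first.
        for i in range(64):
            self._clock_all((kc[i >> 3] >> (i & 7)) & 1)
        # Frame loading: same procedure for the 22 frame-number bits, LSB first.
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        # 100 warm-up clocks with the majority rule; output is discarded.
        for _ in range(100):
            self._clock()

    def _clock_all(self, in_bit: int) -> None:
        for k, (mask, taps, _, _) in enumerate(_REGS):
            self.r[k] = _step(self.r[k], mask, taps) ^ in_bit

    def _clock(self) -> None:
        # Irregular clocking: a register steps only if its clocking bit agrees
        # with the majority of the three clocking bits.
        bits = [(self.r[k] & _REGS[k][2]) != 0 for k in range(3)]
        maj = sum(bits) >= 2
        for k, (mask, taps, _, _) in enumerate(_REGS):
            if bits[k] == maj:
                self.r[k] = _step(self.r[k], mask, taps)

    def _out(self) -> int:
        # Output bit is the XOR of the three registers' most significant bits.
        return (int(bool(self.r[0] & _REGS[0][3]))
                ^ int(bool(self.r[1] & _REGS[1][3]))
                ^ int(bool(self.r[2] & _REGS[2][3])))

    def bits(self, n: int) -> List[int]:
        out = []
        for _ in range(n):
            self._clock()
            out.append(self._out())
        return out


def a51_burst_keystreams(kc: bytes, frame: int) -> Tuple[List[int], List[int]]:
    """The two 114-bit keystream blocks of one frame: downlink (BTS to MS)
    first, then uplink (MS to BTS)."""
    gen = A51(kc, frame)
    return gen.bits(114), gen.bits(114)


def xor_bits(a: List[int], b: List[int]) -> List[int]:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return [x ^ y for x, y in zip(a, b)]


def recover_keystream(ciphertext: List[int], known_plaintext: List[int]) -> List[int]:
    """Known-plaintext step (helper name is my own): a sniffed burst XORed with
    the plaintext it must contain yields the keystream bits that precomputed
    A5/1 tables are indexed by.  Recovering Kc from them is not attempted here."""
    return xor_bits(ciphertext, known_plaintext)


if __name__ == "__main__":
    KC = bytes.fromhex("1223456789abcdef")       # constructed sample Kc
    FRAME = 0x134                                # constructed sample frame number
    dl, ul = a51_burst_keystreams(KC, FRAME)
    sample = [(i * 7) & 1 for i in range(114)]   # constructed plaintext bits
    ct = xor_bits(sample, dl)
    assert recover_keystream(ct, sample) == dl
    print("downlink keystream:", "".join(map(str, dl)))
```

Before trusting any A5/1 implementation, compare its output against the self-test vector shipped with the Briceno/Goldberg/Wagner a5-1.c reference code; the all-zero key and frame are a useful sanity check as well, since they leave every register at zero and the keystream all zeros. The `recover_keystream` step is the reason predictable plaintext matters in practice: GSM bursts with known content hand an attacker keystream bits directly, and those bits are what the community's precomputed tables are looked up by.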
This document provides instructions for installing and configuring OpenBTS software to create an open source GSM network. It describes the necessary hardware including a computer, USRP software defined radio, and antennas. It also outlines installing GNU Radio, Boost libraries, and OpenBTS software. The configuration section explains setting parameters such as the mobile country code, network code, frequency band, and channel in the OpenBTS configuration file.
Practical Attacks Against Encrypted VoIP Communications (iphonepentest)
The slides from MDSec's presentation at HackInTheBox KUL 2013. The presentation describes attacks that can be used to deduce spoken conversations from encrypted VoIP communications. The presentation uses Skype as a case study.
This document summarizes optional transmission features for UMTS software packages, including:
1. ATM transmission features such as overbooking, ATM switching for hub node Bs, and fractional ATM functions.
2. IP transmission features such as IP routing for hub node Bs, header compression, UDP multiplexing, transmission resource pooling, and clock synchronization over Ethernet.
3. The purpose is to provide reference for promoting optional transmission features, with basic features described elsewhere. It includes benefits of features to improve efficiency and support smooth evolution of transmission technologies.
This document provides an overview of 3G technology, including:
- The development of 3G standards including WCDMA, CDMA2000, and TD-SCDMA to meet demands for high-speed data and multimedia services.
- Key aspects of 3G including universal frequency bands, high spectral efficiency, quality of service, and support for data rates up to 2Mbps.
- An overview of the WCDMA system architecture including its radio access network components like Node B and RNC, and core network evolution from R99 to R5 specifications.
This document provides an overview of Orthogonal Frequency Division Multiplexing (OFDM). It discusses how OFDM works by dividing a high bit rate stream into several parallel low bit rate streams. It also explains how OFDM is robust against frequency selective fading due to multipath propagation. Key aspects of OFDM like guard intervals, cyclic prefixes, and bit loading are described to mitigate issues like intersymbol interference and intercarrier interference. Common OFDM applications like WiFi, WiMax, DAB, and HDTV are listed.
This document discusses traditional time-division multiplexing (TDM) voice networks. It describes the basic components of TDM voice networks including analog phones, digital phones, fax machines, private branch exchanges (PBXs), and the public switched telephone network (PSTN). It also covers traditional voice signaling protocols like loop start signaling, ground start signaling, channel associated signaling (CAS), and common channel signaling (CCS) protocols like ISDN PRI and SS7. The document provides an overview of how traditional TDM voice networks were structured and operated.
The document describes the hardware structure and features of the Huawei BTS3900 base station system. The BTS3900 system includes a BBU3900 unit, MRFU units, and an indoor cabinet. The BBU3900 processes signals and manages resources, and contains boards like the GTMU, WMPT, WBBP, and UPEU. The system supports GSM, dual-mode GSM/UMTS, and UMTS networks and provides functions such as high capacity, transmission sharing, and flexible clock synchronization.
This document discusses UMTS signaling trace and analysis from Huawei Technologies. It provides an overview of standard trace operations including tracing by IMSI, MSISDN, IMEI, or TMSI. It also discusses debug trace, cell trace, trace on M2000 equipment, and trace review methods. Additionally, it covers basic concepts like typical network topology and interfaces. Finally, it provides examples of using trace analysis to investigate a VIP complaint and locate a network issue related to inter-RAT handover success rate.
This document provides an overview of GSM principles and network structure. It discusses key aspects of the GSM system including frequency reuse, multiple access techniques, network components, numbering plans and identifiers. The objectives are to understand the GSM system, its structure, protocols, channel combinations, radio techniques and the introduction of GPRS and EDGE. It contains detailed descriptions and illustrations of concepts such as cells, frequency division duplexing, time division multiple access, frequency planning and network interfaces.
This document provides instructions on basic GPON configuration, including provisioning PONs, ONT software management, ONT provisioning, ONT card provisioning, and ONT Ethernet port provisioning. The key steps covered are preparing the system to accept HiCAP boards, PON provisioning using TL1 and CLI, downloading ONT software to the AMS server and NE, provisioning ONTs using serial number or SLID both while connected and pre-provisioned, provisioning ONT cards and their port types, and bringing ONT Ethernet ports into service. The document includes screenshots and commands for completing each provisioning task in the GPON network management system.
Accelerating MIPI Interface Development and Validation - Introspect Technology (Jean-Marc Robillard)
Modern MIPI interfaces enable remarkable user experiences through the deployment of highly innovative electrical signaling and protocol technologies. Extending well beyond mobile, these interfaces are finding use in autonomous driving systems, augmented reality systems, and rugged or embedded computing applications. Understanding the various interactions between the multitude of physical and protocol layers is critical to achieving successful design and validation of MIPI links, especially when conceived as part of larger system contexts.
The document discusses SDH/SONET alarms and performance monitoring. It begins with an introduction to relevant standards bodies and then covers:
- Alarm types like LOF, AIS, and RDI found in different sections of the SDH frame including the regenerator, multiplex, and path overhead areas.
- Defect naming conventions and how defects are correlated to avoid unnecessary alarms.
- Performance monitoring parameters and what different path levels in the SDH hierarchy represent.
- Examples of how circuits like DS1 and DS3 are carried by SONET through different layers.
The document discusses procedures for configuring NodeB data in a wireless network. It describes configuring physical equipment such as boards, subracks, and peripheral devices. It then covers configuring transport links over ATM, including adding physical links like UNI links, IMA groups, and IMA links to establish connectivity between the NodeB and RNC. The overall goal is to master the procedure for NodeB data configuration using the CME tool to initially configure or modify radio network data.
The document describes an eNodeB LTE base station product. It discusses the functions of an eNodeB including radio resource management and scheduling. It then explains the logical structure of an eNodeB including components like the BBU and RF units. Finally, it covers topics like the subsystems of an eNodeB involved in control, transport, baseband processing and reliability measures.
The document discusses OpenBTS, an open source software that implements a GSM cellular network using software-defined radio (SDR) technology. It can be used to provide cellular coverage in rural areas at a lower cost than traditional networks. The document outlines OpenBTS' capabilities, how it works using SDR hardware and software, potential customers, and the group's progress and future plans to implement a multi-cell system with additional technologies like GPRS and EDGE.
LTE (Long Term Evolution) is a wireless communication standard that provides higher peak data rates, improved spectral efficiency, and reduced latency compared to previous standards. It utilizes technologies like OFDMA, MIMO, and flexible bandwidths between 1.4-20MHz. LTE is developed by 3GPP and supports both FDD and TDD duplexing schemes across various licensed frequency bands for cellular networks worldwide. It provides theoretical data rates up to 300Mbps downlink and 170Mbps uplink.
OptiX RTN 910/950/980 hardware description (windnctgayaranga)
The OptiX RTN 910/950 is a split microwave transmission system that provides TDM and hybrid microwave solutions. It consists of an indoor unit (IDU), outdoor unit (ODU), antenna, and other optional components. The IDU supports multiple interface boards and protection schemes. The ODU performs signal conversion and amplification. Adaptive modulation and other functions provide flexibility. The system supports both legacy TDM services and new packet-based Ethernet services.
The document describes the Codan 8800 Series Digital Microwave Radio (DMR). Key features include its split indoor and outdoor unit configuration, robust modulation scheme, redundancy options like 1+1 hot standby and space diversity, flexible data interface units supporting Ethernet and TDM, and compliance with international standards. The DMR provides reliable point-to-point wireless connectivity over long distances.
This document provides an overview of Huawei's NodeB equipment configurations for UMTS networks. It describes the main components of macro indoor and outdoor NodeBs including the BTS3812E, as well as distributed NodeBs and components like the BBU3806. It explains the principles of NodeB configuration for macro and distributed network scenarios.
The document discusses Synchronous Digital Hierarchy (SDH) and provides details on:
1. SDH frame structure including section overhead, path overhead, pointer, and information payload areas.
2. SDH multiplexing methods allowing lower rate signals like E1, E3, E4 to be mapped and multiplexed into higher rate SDH frames like STM-1, STM-4.
3. Overhead bytes including framing bytes A1/A2, data communications channel bytes D1-D12, orderwire bytes E1/E2, parity check bytes B1/B2, and remote error indication byte M1.
5G technology combines high-speed internet access, low latency, high reliability and seamless coverage, and will support large numbers of vehicles and transport infrastructure. The 5G platform will affect many industries, including automotive, entertainment, agriculture, manufacturing and IT. According to the research forecast cited, "IoT will account for one quarter of the global 41 million 5G connections in 2024", and three quarters of those devices will be in the auto industry via embedded vehicle connections.
A wide range of applications will benefit from 5G's ultra-fast networks and real-time responsiveness. These properties matter for many IoT applications, e.g. self-driving cars and intelligent transportation, which demand very low latency, and they will be a boon for interactive mobile gaming, a bandwidth-hungry application. 5G allows more devices to be controlled remotely where real-time network performance is critical, such as remote control of vehicles, and it also targets worker safety and environmental monitoring. 5G is not focused only on improving speed; it is expected to drive the evolution of business models. IoT in 5G has excelled at connecting phones, tablets and other devices, but connecting cars, meters and sensors requires more advanced business models.
This document provides an overview of GPON (Gigabit-capable Passive Optical Network) technology. It discusses the basic concepts and working principles of PON networks, comparing GPON to other PON standards like EPON. The document also analyzes key GPON standards and specifications, describes the GPON network model reference, and reviews basic GPON performance parameters and network protection modes.
The document discusses open-source hardware for a basic GSM base station. It describes UmTRX, an open-source transceiver designed for low-cost, mid-range, power-efficient GSM base stations. The transceiver works with open-source GSM software like OpenBTS and OpenBSC. The presentation also outlines the Mayotte project, which aims to build an affordable, low-cost GSM network for the island of Mayotte using open technology.
This document summarizes the evolution of attacks against mobile networks and industry responses. It discusses past attacks against SIM cards, including cracking DES keys using error responses. More advanced SIMs are fully programmable computers running Java with various security layers, but some still have crackable cryptographic keys. The talk will cover SIM attacks, GSM intercept techniques, and efforts to ensure network operator honesty.
LTE (Long Term Evolution) communications standard (Sebas Escobar)
This document contains a summary of the history of LTE, a description of the LTE standard, how LTE technology operates, the frequencies and speeds used with LTE, and some differences between LTE and WiMAX (LTE's closest competitor).
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone... (Luca Bongiorni)
Quick overview of some case studies about: IMSI-Catcher (Stingray phone tracker), tracking phones, GPRS sniffing, GSM-R catching and DoS, POS, gambling machines, etc.
Intercepting wireless gadgets: from quadcopters to mice (Positive Hack Days)
Author: Artur Garipov
The talk covers general aspects of using SDR (software-defined radio) for analysing the radio spectrum. The presenter shows how wireless devices are found and identified, how their protocols are analysed and spoofed, how control of wireless equipment is hijacked, and the Mousejack attack.
Introduction to Packet Radio, covering keyboard to keyboard QSOs, unproto mode, nodes, routing, digipeaters, packet via the ISS, APRS and WinLink.
Covers hardware TNCs as well as software soundmodems like UZ7HO and Direwolf
The document describes BLOSMM, a system developed by AhlTek Entree Wireless to provide beyond line-of-sight mobile mesh networking capabilities. It consists of a communication payload that can be installed on small tactical UAVs to extend network connectivity to forward-deployed teams. The payload uses electronically-steered antenna technology and works with existing radios to relay voice, video and data between teams over long ranges. It is intended for both military and disaster relief applications to provide bandwidth where it is most needed.
The document summarizes a review of the Nanoxx 9600 IP satellite receiver. It has a network interface that allows for software updates and future personal video recording functionality. The receiver has a clear display, supports various languages and formats, and performed well in tests. Its channel list and transponder data could use updating, and playing recordings from the PC is not yet implemented. Overall the receiver provides full functionality with reliability.
This document provides instructions for installing and configuring OpenBTS software to create an open source GSM network. It describes the necessary hardware including a computer, USRP software defined radio, and antennas. It also outlines installing GNU Radio, Boost libraries, and OpenBTS software. The configuration section explains setting parameters such as the mobile country code, network code, frequency band, and channel in the OpenBTS configuration file.
The document provides installation and configuration instructions for OpenBTS, an open-source GSM base station. It outlines the required hardware including a computer, USRP software defined radio, and daughterboards. It also lists the necessary software including GNU Radio, OpenBTS, and Asterisk. The steps provided explain how to install and configure these components, set parameters in the OpenBTS configuration file like the mobile country code and channel number, and test that the system is functioning correctly.
Exploring LTE security and protocol exploits with open source software and lo...EC-Council
The security flaws of legacy GSM networks, which lack of mutual authentication and implement an outdated encryption algorithm, are well understood among the technology community and have been extensively discussed for years. However, my smartphone’s settings do not provide the means to shut down the GSM radio to prevent my phone from connecting to a potentially insecure GSM access point. Instead, I have the option to turn off LTE, the fastest mobile network.
This is not the only confusing aspect of mobile network security. Given LTE’s mutual authentication and strong encryption scheme, there is a general assumption that LTE rogue base stations are not possible. However, before the connection authentication step, any mobile device implicitly trusts (and exchanges a substantial number of messages with) any LTE base station, legitimate or not, that advertises itself with the right parameters. Such implicit trust and unprotected messages can be exploited to block mobile devices and track their location.
Finally, it is generally assumed that Stingrays and IMSI catchers are expensive equipment that require downgrading the connection of mobile devices to GSM. However, a basic fully-LTE IMSI catcher can be implemented by means of low-cost software radio and slight modification of a well known open-source implementation of the LTE stack.
This talk will present an exploration of the security of LTE networks, as well as experimentation results of passive eavesdropping threats, LTE protocol exploits to block mobile devices and a location leak that allows tracking mobile devices as the connection is handed off from tower to tower.
Dean Bubley's Presentation at Emerging Communication Conference & Awards 2009...eCommConf
This document summarizes a presentation given by Dean Bubley at the eComm Europe 2009 conference about issues with supporting voice services on LTE networks. It notes that 3GPP has standardized IMS voice (MMTel) and circuit switched fallback for LTE, but both have significant drawbacks. IMS voice has not gained traction, while circuit switched fallback requires extra network components and drops the data connection. Supporting SMS on LTE was also an afterthought and led to interoperability problems. As a result, the document argues that LTE networks may not be ready to fully replace 3G networks for providing voice and messaging services until these issues are resolved.
Philippe Langlois - 3G and LTE insecurity from the radio to the core network ...DefconRussia
This document discusses telecom signaling attacks on 3G and LTE networks. It begins with an overview of SS7 and its role in international interconnection. It then covers the evolution to IP-based signaling standards like SIGTRAN, Diameter, and SIP. The document outlines current research areas like scanning open SS7 and GTP interfaces, exploiting femtocell vulnerabilities, and attacking core network elements over SIGTRAN. It emphasizes that each telecom environment has unique security challenges due to legacy systems.
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
Telecom security is way more than SIP-breaking some peripheral PBXs and raking in a few thousand dollars of free calls. From the formerly closed garden of SS7 to new all-IP telecom protocols such as Diameter and LTE protocols, the telecom domain now faces both the challenges of availability (one minute of downtime literally costs millions) and signaling vulnerabilities cutting down entire countries, causing massive fraud, and the all-new networking protocols. These new telecom protocols are rolled out in an IP-centric fashion, with its myriad of standard IP security pitfalls and vulnerabilities, as well as very specific telecom vulnerabilities. The HLR is not only using TCP/IP for OAM and business workflow; now renamed the HSS, it uses IP-only protocols such as Diameter for its Core Network signaling operations. That means that telecoms are now facing new security risks in terms of both exposure and threats, with the Core Network exposed to unsophisticated IP-centered attackers and to the continuous waves of telecom-centered defrauders. In this presentation, we'll demo the new technologies of 3G and LTE networks and how to attack and defend them. We'll also show what kind of exposure telecom companies, Mobile Network Operators and SS7 providers present to external attackers.
Introduction To Cellular And Wireless NetworksYoram Orzach
This document provides an overview of cellular and wireless networks. It discusses the history and evolution of 1G to 4G cellular networks, including the development of technologies like GSM, CDMA, UMTS, HSPA and LTE. It also covers the basics of wireless local area networks (WiFi) and describes the IEEE 802.11 standards including 802.11b, 802.11g and 802.11n. Finally, it discusses future trends in both cellular and wireless networks.
The document summarizes the history of mobile communication from 1G to 4G technologies. It discusses the evolution from early analog 1G systems developed in the 1970s-80s to 2G digital GSM networks in the 1980s-90s capable of voice and limited data. 3G systems launched in the late 1990s provided improved voice quality and higher speed data up to 2Mbps. Emerging 4G technologies are expected to offer data rates from 20-100Mbps. The document also provides an overview of the fundamental principles of cellular networks and discusses GSM as the most widely used 2G digital standard globally.
There was a time when mobile phones were the size of a shoe and had no features other than calling and SMS, and at that time I used to play the game Snake on my dad's phone :p Now, as time has passed, we have reached the age of smartphones, which are capable of doing lots of stuff, and the worldwide web of applications is causing serious concern, since an attacker can use this platform to steal data. This issue of CHMag is dedicated to Mobile/Telecom Hacking and Security.
The cover page of this December issue was released at ClubHack 2011, India’s pioneer international hacking conference, held last week. Talking about the ClubHack conference, if you missed ClubHack, here are the presentations, available at http://www.slideshare.net/clubhack, and the videos at http://www.clubhack.tv/event/2011/
We recently released CHMag's Collector's Edition Volume II. If you wish to buy the Collector's Editions (vol1 – from issue 1 to 10 & vol2 – from issue 11 to 20), please write back to us: info@chmag.in. As of now it's on-demand printing.
Like the game Snake, I have played lots of other games too, which are reflected in the previous cover pages I have designed, and yes, I promise another awesome cover page based on a game on the theme of Android security, which will be the theme of an upcoming issue; send in your articles to info@chmag.in
The document discusses the Telecommunications Technical Interest Group (TIG) at Georgia Tech, which focuses on digital communications. It provides an overview of undergraduate and graduate coursework in physical layer communications and networking. Examples are also given of research conducted at Georgia Tech on topics such as optical data storage, satellite communications using adaptive antennas, and high-speed wireless network prototypes.
This document provides an overview and review of installing and using Enigma alternative firmware on AB IPBox HD satellite receivers. It discusses why alternative firmware was more useful in the past for advanced features and unlocked potential. Installing Enigma firmware requires downloading the image file and transferring it to the receiver via USB. Some additional configuration is required to set up channels and satellites not included by default. The review finds the automatic channel scanning to be slow and additional work still needed to fully support configuring and editing the satellite lineup.
M2M, IOT, Device Managment: COAP/LWM2M to rule them all?Julien Vermillard
M2M is rapidly growing and since its early days different “standard” protocols have emerged (e.g. OMA-DM, TR-069, MQTT, …) or are emerging (e.g. CoAP or Lightweight M2M).
Understanding which protocol to use for which application can be intimidating, therefore we propose to give an overview of these protocols to help you understand their goals and characteristics.
We’ll present common M2M use cases and why they usually require more than just one protocol; we will also see whether CoAP combined with Lightweight M2M allows us to forge “one protocol to rule them all”.
The document provides an overview of the history and architecture of GSM cellular networks. It discusses the evolution from analog 1G networks to digital 2G and 2.5G networks. The key components of GSM architecture include the BTS, BSC, MSC, HLR, VLR, and AuC. GSM uses TDMA and FDMA to allow multiple users to share the frequency spectrum. It also relies on the SS7 protocol for signaling communication between network components to enable features like roaming.
The ChangelogBuilder tool for automatic preparation of Release NotesPositive Hack Days
1. Basic concepts and definitions: product, package, and the relations between them.
2. How to find out what changes have occurred in a product?
3. Problems with changelogs and release notes.
4. Solution: the ChangelogBuilder tool for automatic preparation of Release Notes
How we build projects in an isolated environment in Windows DockerPositive Hack Days
1. Overview of Windows Docker (brief)
2. How we built an application build system in Docker (Visual Studio\Mongo\Posgresql\etc)
3. Dockerfile examples (published on github)
4. Differences between Docker on Windows and Docker on Linux (slow builds, bugs, remote registry)
Standard build and deployment of products at Positive TechnologiesPositive Hack Days
1. Problems in building CI processes in the company
2. Structure of the standard build
3. Example implementation of the standard build
4. Pros and cons of using the standard build
1. What BI is and why it is needed.
2. What Qlik View / Sense is
3. The integration approach and how it works.
4. Metrics, KPIs, team resource planning, product release retrospectives, trends.
5. Connecting external data sources (Excel, the access control system database, meeting rooms).
Approof is a static code analyser that checks web applications for vulnerable components. The analyser works from rules that store signatures of the components being searched for. The talk covers the basic structure of an Approof rule and the process of automating its creation.
Have you ever wondered how modern application protection mechanisms are built? What theory lies behind WAF and SAST implementations? What are the limits of their capabilities? How far can those limits be pushed by taking a broader view of application security?
The workshop covers the main methods and algorithms of two fundamental application protection technologies: application-level firewalling and static code analysis. Using specific open-source tools developed specially for this workshop as examples, it examines the problems faced by developers of application protection tools and possible ways to solve them, and answers all the questions above.
From experimental programming to industrial: a ten-year journeyPositive Hack Days
Developing science-intensive software is distinctive in that there is neither a clear problem statement nor an understanding of what the result will be. Even so, one has to program what is needed, and the way it is needed. The speaker will describe how her team successfully developed and brought into industrial operation several science-intensive products, travelling the difficult road from an experiment whose result was a prototype to industrial versions that sell successfully on both the Russian and foreign markets. That road was full of difficulties and sound management decisions, which the speaker will share.
A vulnerable Android application: N proven ways to trip upPositive Hack Days
Few developers build security into the application architecture at the design stage. Often there is neither money nor time for it, and even less understanding of attacker models and threat models. Protecting the application comes to the fore when vulnerabilities start costing money. By then the application is already in operation, and making substantial changes to the code becomes a difficult task.
Fortunately, developers are people too, and the same kinds of flaws show up in the code of different applications. The talk covers the dangerous mistakes most often made by Android application developers. It touches on specifics of the Android OS, gives examples of real applications and vulnerabilities in them, and describes ways to fix them.
Development of any software is based one way or another on requirements. The full list consists of the application's business goals, various constraints, and quality expectations (also called NFRs). Software security requirements belong to the last item. The talk examines how these requirements arise, how they are managed, and how the most important ones are chosen.
Separately, it covers principles for building application architecture with and without such requirements, and demonstrates how modern (and well-known) approaches to application design help build a better architecture that minimises the threat landscape.
The talk is devoted to developing correct software using one kind of static code analysis. It covers the questions of applying such methods, their weaknesses and limitations, and the results they can give. Specific examples demonstrate what developing specifications for C code and proving that the code conforms to those specifications look like.
The document discusses preventing attacks in ASP.NET Core. It provides an overview of topics like preventing open redirect attacks, cross-site request forgery (CSRF), cross-site scripting (XSS) attacks, using and architecture of cookies, data protection, session management, and content security policy (CSP). The speaker is an independent developer and consultant who will discuss built-in mechanisms in ASP.NET Core for addressing these security issues.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
HCL Notes and Domino licence cost reduction in the world of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and licences under the CCB and CCX models have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and licence fees. You may be wondering how this new kind of licensing works and what benefits it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we want to help!
We explain how to resolve common configuration problems that can cause more users to be counted than necessary, and how to identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary spending, for example using a Person document instead of a Mail-In for shared mailboxes. We show you such cases and their solutions. And of course we explain the new licence model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and know-how to keep an overview. You will be able to reduce your costs through an optimised Domino configuration and keep them low in future.
Topics covered
- Reducing licence costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licences really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement immediately
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Abusing Calypso Phones
1. Introduction GSM background Passive Listening Work In Progress Conclusion
Abusing Calypso phones
Sylvain Munaut
PHDays, May 30/31, 2012
Sylvain Munaut Abusing Calypso phones
2. About the speaker
Linux and free software "geek" since 1999
M.Sc. in C.S. + some E.E.
General orientation towards low level
Embedded, Kernel, Drivers and such.
Hardware (Digital stuff, FPGA, RF, ...)
Interest in GSM projects for about 3 years
OpenBTS, OpenBSC, Airprobe, Osmocom-BB, ...
27C3 GSM Intercept demo
Mostly in my spare time
3. Outline
1 Introduction
2 GSM background
3 Passive Listening
4 Work In Progress
5 Conclusion
4. Motivation
Modify a phone to make it do what we want rather than what it was designed to.
Why ?
Gain access to lower layers of the communication stack
Other projects paved the way for GSM (OpenBTS, OpenBSC, Osmocom-BB, ...)
However, they don't all allow going down to L1, and some depend on expensive hardware
Create the tool allowing security research
Just for fun: Usefulness is overrated anyway
5. Today's target
Target hardware: Motorola C123
Supported by Osmocom-BB
Classic TI Calypso design
Lots of alternative platforms if needed
Some leaked sources and documentation available
Cheap (20 EUR new, down to 1 EUR on ebay)
Readily available
6. GSM background
7. GSM
Network overview
We’ll be focusing on the GSM Air Interface: Um.
8. GSM Um: Layer 1
Frequencies
Several bands
GSM-850, EGSM-900, DCS1800, PCS1900, ...
http://en.wikipedia.org/wiki/GSM_frequency_bands
Each band has two frequency ranges (FDD)
Downlink, from Network to MS (e.g. DCS1800: 1710.2 to 1784.8 MHz)
Uplink, from MS to Network (e.g. DCS1800: 1805.2 to 1879.8 MHz)
ARFCN = Absolute Radio-Frequency Channel Number
maps to a given frequency pair (UL/DL)
200 kHz spacing
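The ARFCN to carrier mapping described above, as an added example that is not code from the slides or from Osmocom-BB. It follows the band tables of 3GPP TS 45.005, in which the lower carrier of each ARFCN pair is the one the MS transmits on and the network transmits a fixed duplex spacing above it; band names and function names are my own.

```python
# Added example (not code from the slides or from Osmocom-BB): ARFCN <-> carrier
# mapping as defined in 3GPP TS 45.005, section 2. Frequencies are kept in kHz as
# integers so that 200 kHz steps never suffer from floating-point drift.
# Following the spec, the lower carrier of each ARFCN pair is the MS transmit
# (uplink) frequency; the network transmits on the upper carrier, a fixed duplex
# spacing above it. DCS1800 and PCS1900 reuse ARFCN 512 and up, so the band is
# always part of the lookup.

# band -> (list of (first ARFCN, last ARFCN, uplink kHz of first ARFCN), duplex spacing kHz)
BANDS = {
    "GSM-850":   ([(128, 251, 824200)], 45000),
    "P-GSM-900": ([(1, 124, 890200)], 45000),
    "E-GSM-900": ([(0, 124, 890000), (975, 1023, 880200)], 45000),
    "DCS1800":   ([(512, 885, 1710200)], 95000),
    "PCS1900":   ([(512, 810, 1850200)], 80000),
}
STEP_KHZ = 200  # channel spacing shared by all GSM bands


def arfcn_to_khz(band, arfcn):
    """Return (uplink_khz, downlink_khz) for an ARFCN in the given band."""
    ranges, duplex = BANDS[band]
    for first, last, base in ranges:
        if first <= arfcn <= last:
            ul = base + STEP_KHZ * (arfcn - first)
            return ul, ul + duplex
    raise ValueError("ARFCN %d is not valid in %s" % (arfcn, band))


def khz_to_arfcn(band, khz):
    """Inverse lookup: accept either the uplink or the downlink carrier of the pair."""
    ranges, duplex = BANDS[band]
    for first, last, base in ranges:
        for offset in (0, duplex):          # try uplink first, then downlink
            delta = khz - (base + offset)
            if delta % STEP_KHZ == 0 and first <= first + delta // STEP_KHZ <= last:
                return first + delta // STEP_KHZ
    raise ValueError("%d kHz is not a GSM carrier in %s" % (khz, band))


if __name__ == "__main__":
    # Walk the DCS1800 band edges quoted on the slide: ARFCN 512 and 885.
    for arfcn in (512, 885):
        ul, dl = arfcn_to_khz("DCS1800", arfcn)
        print("DCS1800 ARFCN %d: UL %.1f MHz, DL %.1f MHz" % (arfcn, ul / 1000, dl / 1000))
```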
GSM Um: Layer 1
TDMA
Fully synchronous
Described as a TDMA nightmare
Each frame in multi-frame has a specific purpose
1 frame = 8 timeslots (bursts)
Physical channel = 1 timeslot on 1 ARFCN
GSM Um: Layer 1
Bursts
4 types of bursts:
Normal burst: Used to carry "real" data traffic.
Frequency correction burst (FCCH): Allows the MS to sync its clock and coarse TDMA
Synchronization burst (SCH): Allows the MS to precisely sync to TDMA
Access burst (RACH): Used by the MS to request a dedicated channel
Passive Listening
A bit of history
Osmocom-BB is a Free Software GSM Baseband implementation.
Early timeline (2010):
Early February: Osmocom-BB is initiated
Late February: Osmocom-BB is announced publicly
BCCH reception mostly
March-July: Progressive work to get TX, SDCCH, LUR, ...
August: First phone call
Already a big advance
Full L2 & L3 control on the MS side
But I wanted more ;)
Goal
Turn a phone into a passive listener
Raw bursts data
Uplink and Downlink
Frequency Hopping
Timeline
Work started almost directly after Osmocom-BB was initiated
First prototype in Q3 2010
Shown at Deepsec 2010 & 27C3
Typical RX path
Antenna: not an issue, can be replaced if needed
RX filter: not an issue for lab tests, can be removed if needed
RF mixer: tests show it works just fine tuning at UL/DL
Analog baseband: not an issue
DSP core: ROM based and limited. Need a solution.
ARM core: firmware under our control thanks to osmocom-bb
Host interface: serial can be made fast enough
DSP
The problem
ROM based firmware
But supports executing code from RAM
Official firmwares load ’patches’ somehow (fix bugs, ...)
The ARM schedules ”tasks” to be executed by the DSP
No existing task does what we want
DSP converts from L2 packets to L1 bursts internally
Need to patch it
Dump ROM
Analyze it and figure how patching works
Write custom ”tasks” to do what we want
DSP
Dumping (1)
Architecture
Distinct program, data & IO address space
Different instructions to access them
Some zones mapped in both program and data space
Communicates with the ARM by shared memory zone
Called API RAM
Mapped in both program and data address space
ROM Bootloader
Leaked TSM30 sources hinted at a ROM bootloader
TI documentation for a similar DSP provided the details
Allows downloading custom code/data and jumping to it
Reading ROM
Upload a custom stub to copy a chunk of ROM to API RAM
But it didn’t work ... only read 0xffff
Security feature: code executing from RAM can’t read ROM
DSP
Dumping (2)
If we can't read the ROM from code executing from RAM, we'll have to read it from code executing from ROM ...
There has to be a memcpy equivalent somewhere
Look at known DSP code for this architecture
Often inlined, so only part will be usable
Looking for:
mvdd *AR?, *AR? for data space
reada *AR? for program space
Bruteforce it
1 Use bootloader to launch stub
2 Setup registers with a ’guess’
3 Jump to a location
4 Halt the DSP from the ARM a bit later
5 Check for result in API RAM
6 Retry ...
DSP
Dumping (3)
Program space
Data space
The ret instructions are added bonuses
DSP
Analyzing (1)
CPU supported by IDA Pro Advanced
Added support for IO port definitions and memory mappings
Now in mainline
Entry point is known
Mix of C and hand-crafted assembly
No clear conventions
Lots of indirect calls
Using function pointers in RAM copied from ROM at startup
We can replace those with our own!
This is how to add custom tasks, extend the DSP, ...
Screws a bit with IDA autoanalysis
Several different tables and call mechanisms
DSP
Analyzing (2)
Use interrupts and IO access to trace important functions
Frame interrupt: Tasks
DMA interrupt: IQ samples buffer and demodulation
A5 unit IO: Cipher setup
DMA unit IO: Burst RX setup
RIF unit IO: Burst TX buffer
And finally write custom task to do what we want ...
Work In Progress
Phone as a BTS
Goal
Attempt to convert a phone into a working BTS
Not full featured, not compliant with specs, ...
Provide minimal service
Motivation
Another cheap tool for GSM research
Fuzz cell phones
Portable fake BTS
Just prove it’s doable
First post on the mailing list about this about 2 years ago
Only the base idea, no real work done
First very rough work at CCCamp 11
Idea popped up again at OsmoDevCon 2012
Phone as a BTS
Differences between MS & BTS
What does a BTS do that a phone doesn't?
Layer 1:
Uplink / Downlink frequencies
Simultaneous RX & TX
Continuous C0 beacon to allow phones to 'find' the cell
MS usually TX 3 timeslots after RX
Transmit FCCH / SCH
Receive RACH
Clock master
Layer 2 & 3: Role swapped
Phone as a BTS
Typical TX & RX path
Phone as a BTS
Proof of concept
DSP patch
FCCH, SCH, NB & Dummy TX
Multi slot TX
RACH detection (detect with power and send IQ samples to host)
Use OpenBTS
Already split between main OpenBTS and actual radio interface
Replace the transceiver
Attempt half duplex operation
Timeslot layout: Tt R ttt
Use commercial cell as timing reference
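The frame-number bookkeeping behind the TDMA multiframe (Layer 1 slide above) and the FCCH / SCH beacon a phone-as-BTS has to transmit, as an added example that is not code from the slides, Osmocom-BB or OpenBTS. It follows 3GPP TS 45.002 for the 51-multiframe on timeslot 0 of C0 and the SCH reduced frame number; function names are my own.

```python
# Added example (not code from the slides or from Osmocom-BB/OpenBTS): the frame-number
# bookkeeping a C0 beacon needs, per 3GPP TS 45.002. A BTS counts frames FN 0..2715647
# and, on every SCH burst, transmits FN compressed into the 19-bit "reduced frame number"
# (T1, T2, T3') from which the MS rebuilds FN. The channel layout below is the
# non-combined BCCH/CCCH 51-multiframe on timeslot 0 of the beacon carrier.

HYPERFRAME = 26 * 51 * 2048       # 2715648 frames; FN wraps back to 0 after this
SCH_FRAMES = (1, 11, 21, 31, 41)  # where SCH bursts sit inside the 51-multiframe


def fn_to_rfn(fn):
    """Compress a frame number into (T1, T2, T3') as carried by the SCH burst."""
    if fn % 51 not in SCH_FRAMES:
        raise ValueError("frame %d carries no SCH burst" % fn)
    t1 = fn // (26 * 51)          # 11 bits: superframe counter
    t2 = fn % 26                  # 5 bits: position inside the 26-multiframe
    t3 = fn % 51                  # position inside the 51-multiframe (always 10k+1 here)
    return t1, t2, (t3 - 1) // 10  # T3' squeezes the five SCH positions into 3 bits


def rfn_to_fn(t1, t2, t3p):
    """Rebuild FN from a decoded SCH reduced frame number (the MS side of sync)."""
    t3 = 10 * t3p + 1
    # 26 and 51 are coprime, so (T2, T3) pin down the frame inside a 1326-frame superframe
    return 51 * 26 * t1 + 51 * ((t3 - t2) % 26) + t3


def c0_ts0_channel(fn):
    """Logical channel a beacon must transmit on TS0 during frame fn."""
    pos = fn % 51
    if pos == 50:
        return "IDLE"
    if pos % 10 == 0:
        return "FCCH"              # frames 0, 10, 20, 30, 40: frequency correction bursts
    if pos in SCH_FRAMES:
        return "SCH"
    if 2 <= pos <= 5:
        return "BCCH"              # four normal bursts of system information
    return "CCCH"                  # paging / access grant blocks (dummy bursts when idle)


if __name__ == "__main__":
    fn = 4346  # constructed sample frame number that carries an SCH burst
    print(fn, c0_ts0_channel(fn), fn_to_rfn(fn), rfn_to_fn(*fn_to_rfn(fn)))
```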
Phone as a BTS
Spectrum view
Multiframe
Zoom
Phone as a BTS
Demonstration
Hopefully, it’ll work ...
Keep in mind:
Just a proof of concept
A long way to go to clean it up and make it usable and reliable
Thanks
Thanks to anyone contributing to the various Open Source GSM / GSM security projects. Most notably here:
Harald ”LaF0rge” Welte
Dieter Spaar
David Burgess and his team at KestrelSP
Andreas ”jolly” Eversberg
Steve ”steve-m” Markgraf
And of course, thanks to the PHDays team for having me here.
Further reading
Airprobe http://airprobe.org/
OsmocomBB http://bb.osmocom.org/
OpenBSC http://openbsc.osmocom.org/
OpenBTS http://openbts.sourceforge.net/
GSM Specs http://webapp.etsi.org/key/queryform.asp