Ch 2: Hacking the Cellular Network - PowerPoint Presentation

Uploaded by grace3 (@grace3)
Uploaded On 2023-09-25

Description: CNIT 128 Hacking Mobile Devices. Basics. GSM/CDMA. We'll start with a standard carrier network using Global System for Mobile (GSM) or Code Division Multiple Access (CDMA). With these functions (ID: 1021331)



Presentation Transcript

1. Ch 2: Hacking the Cellular Network
   CNIT 128: Hacking Mobile Devices

2. Basics

3. GSM/CDMA
   - We'll start with a standard carrier network using
     - Global System for Mobile (GSM), or
     - Code Division Multiple Access (CDMA)
   - With these functions:
     - Phone calls
     - Text messages via Short Message Service (SMS)
     - Multimedia Messaging Service (MMS)
     - Data connectivity via IP

4. [image-only slide]

5. Basic Cellular Network Functionality

6. Interoperability
   - Different carriers and connection methods can connect to one another seamlessly
   - A GSM phone can text or call a CDMA phone

7. Functions to Target
   - All major cellular networks support:
     - Voice calls
     - Voice mail (VM)
     - Short Message Service (SMS)
     - Location-based Services (LBS)
     - IP connectivity
   - Most also support:
     - Binary configuration messages
     - Multimedia messages (MMS)
     - Faxing

8. [image-only slide]

9. Players
   - Customer is on the left
     - Known as Mobile Terminals (MTs) in GSM
   - Connect to antennas
     - Called Base Transceiver Stations (BTS)
   - The connection from a mobile device to a BTS is called an Um (U-channel mobile)

10. Players
   - Each BTS connects to a base station
     - A rack of equipment that takes the signals the antenna receives and converts them to digital packetized data
   - Base station has two components:
     - Base Station Controller (BSC) for voice and control
     - Packet Control Unit (PCU) for forwarding IP packets and managing mobile IP

11. Players
   - Base Station Subsystem (BSS)
     - Includes BTS, BSC, and PCU
     - Can be owned by people who are not part of a large carrier

12. Voice Calls
   - Time Division Multiplexing (TDM)
     - Tried-and-true method for dividing radio capacity among many devices
   - Time Division Multiple Access (TDMA)
     - Each device gets time slots
     - Very successful for slow and medium bit rates
   - Devices 1, 2, and 3 might get these time slots: 1 2 3 1 2 3

13. Control Channels
   - Traffic channels
     - Carry voice data
   - Control channels
     - Manage association, usage, handoff, and disconnection
   - Cell phone jammer
     - A loud, badly tuned transmitter
     - Easy to build
     - Illegal

14. The Broadcast Control Channel: Learning About the Network
   - When a device first turns on, it listens on standard frequencies
   - First thing it hears will be the BCCH (Broadcast Control Channel)
     - Allows the device to synchronize and understand which network it is attaching to
     - Features of the network the BTS (Base Transceiver Station) is serving

15. RACH (Random Access Channel)
   - The mobile device then knows how to access the RACH
     - The first step in a GSM handshake
     - How the mobile asks for information
   - Mobile sends a channel request via the RACH
   - BTS tries to service the request

16. Standalone Dedicated Control Channel (SDCCH) & Access Granted Channel (AGCH)
   - If the BTS has slots available, it assigns a control channel, called the Standalone Dedicated Control Channel (SDCCH), to the mobile device
   - The BTS tells the mobile about this assignment via the Access Granted Channel (AGCH)
   - Once the mobile has received an SDCCH, it's a member of the network and can request a location update

17. [image-only slide]

18. Location Update
   - Mobile device is telling the GSM network what area it's in
   - Requires authentication with the network
   - Informs the Home Location Register (HLR)
     - Database of subscriber information
     - Of the mobile's geographic area
     - Hence, which Mobile Switching Center (MSC) a device is located within

19. Sleep
   - Once a mobile device has performed a location update
     - The BSC tells the mobile to go to sleep
     - By deallocating the SDCCH
   - This maximizes reuse and capacity in dense cells
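The attach sequence of slides 14 through 19 (BCCH, RACH, AGCH/SDCCH assignment, location update, release) as a runnable toy simulation in Python. This is an added example, not code from the original slides or from any GSM stack: the BTS, HLR, the two-slot SDCCH pool, the IMSI and the keys are constructed sample data, HMAC-SHA256 stands in for the SIM's A3 algorithm, and the message names only approximate the GSM ones. It also makes the point of slide 36 visible: the network challenges the mobile, but nothing in the exchange lets the mobile check that the BCCH it heard came from a real network.

```python
"""Toy model of the GSM attach sequence from slides 14-19:
BCCH -> RACH -> AGCH (SDCCH assignment) -> Location Update -> release (sleep).

Added example, not from the original slides. The real A3 algorithm on the SIM is
stood in for by HMAC-SHA256 over the network's challenge; channel counts,
identifiers and keys below are constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Challenge-response function. HMAC-SHA256 truncated to 32 bits stands in for A3/SRES."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


@dataclass
class HLR:
    """Home Location Register: subscriber keys plus the area (LAC, MSC) each mobile last reported."""
    ki: dict                                       # IMSI -> Ki (constructed sample data)
    location: dict = field(default_factory=dict)   # IMSI -> (LAC, MSC)


@dataclass
class BTS:
    """Base transceiver station with a small pool of SDCCH slots and a link to the HLR."""
    network_id: str
    lac: int
    msc: str
    hlr: HLR
    sdcch_slots: int = 2
    assigned: dict = field(default_factory=dict)   # request reference -> SDCCH slot
    next_ref: int = 0

    def bcch(self) -> dict:
        # Beacon every mobile hears first; nothing in it proves which network sent it.
        return {"type": "BCCH", "network": self.network_id, "lac": self.lac}

    def rach(self) -> dict:
        # Channel request arrives on the RACH; answer on the AGCH with an assignment or a reject.
        self.next_ref += 1
        ref = self.next_ref
        free = [s for s in range(self.sdcch_slots) if s not in self.assigned.values()]
        if not free:
            return {"type": "AGCH", "result": "IMMEDIATE_ASSIGNMENT_REJECT", "ref": ref}
        self.assigned[ref] = free[0]
        return {"type": "AGCH", "result": "IMMEDIATE_ASSIGNMENT", "ref": ref, "sdcch": free[0]}

    def location_update(self, ref: int, imsi: str, respond) -> dict:
        # Runs only on an assigned SDCCH. The network challenges the mobile (one-way: the
        # mobile never challenges the network), then records the mobile's area in the HLR.
        if ref not in self.assigned:
            return {"type": "LOCATION_UPDATING_REJECT", "cause": "no SDCCH"}
        if imsi not in self.hlr.ki:
            self.release(ref)
            return {"type": "LOCATION_UPDATING_REJECT", "cause": "unknown subscriber"}
        rand = os.urandom(16)
        expected = a3_stand_in(self.hlr.ki[imsi], rand)
        if not hmac.compare_digest(respond(rand), expected):
            self.release(ref)
            return {"type": "LOCATION_UPDATING_REJECT", "cause": "authentication failed"}
        self.hlr.location[imsi] = (self.lac, self.msc)
        return {"type": "LOCATION_UPDATING_ACCEPT", "lac": self.lac}

    def release(self, ref: int) -> dict:
        # "Sleep": the SDCCH is deallocated so the slot can be reused by another mobile.
        self.assigned.pop(ref, None)
        return {"type": "CHANNEL_RELEASE"}


def attach(imsi: str, ki: bytes, bts: BTS) -> list:
    """Run the mobile's side of the handshake and return the sequence of message types seen."""
    trace = [bts.bcch()["type"]]                      # 1. listen for the beacon
    grant = bts.rach()                                # 2. channel request on the RACH
    trace.append(f"AGCH:{grant['result']}")           # 3. answer on the AGCH
    if grant["result"] != "IMMEDIATE_ASSIGNMENT":
        return trace
    ref = grant["ref"]
    trace.append("LOCATION_UPDATING_REQUEST")         # 4. location update over the SDCCH
    answer = bts.location_update(ref, imsi, lambda rand: a3_stand_in(ki, rand))
    trace.append(answer["type"])
    if answer["type"] == "LOCATION_UPDATING_ACCEPT":
        trace.append(bts.release(ref)["type"])        # 5. network deallocates the SDCCH
    return trace


if __name__ == "__main__":
    hlr = HLR(ki={"001010123456789": b"\x11" * 16})   # constructed IMSI and Ki
    bts = BTS("001-01", lac=42, msc="MSC-1", hlr=hlr)
    print(attach("001010123456789", b"\x11" * 16, bts))
    print(hlr.location)
```

Running the script prints the five-step trace and the HLR entry mapping the IMSI to (LAC 42, MSC-1); a wrong Ki ends in LOCATION_UPDATING_REJECT with the SDCCH freed, and a BTS whose two slots are already taken answers the RACH with IMMEDIATE_ASSIGNMENT_REJECT, which is the capacity argument behind slide 19.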

20. Authentication and A5/1, CAVE, and AKA
   - A5/* ciphers are used in GSM networks
     - Crackable – see link Ch 2a
   - CAVE and AKA are used in CDMA

21. Voicemail
   - Trivial hack: default password
     - Enough to make a world of trouble for Rupert Murdoch
   - Many carriers use IP-based voicemail
     - Using IMAP servers (originally designed for email)

22. Short Message Service (SMS)
   - Sent via control channel
   - An SMS flood could DoS voice service for a whole city from a single attacking device
     - Link Ch 2b2

23. SMS Channels
   - SMS messages are delivered over either
     - SDCCH when a user is not on a call, or
     - the Slow Associated Control Channel (SACCH) if the user is talking at the time
   - Reasonably achievable SMS floods wouldn't stop voice calls in practice

24. SMS Service Center (SMSC)
   - SMSCs carry most of the SMS messages when an SMS message storm happens
   - It's the hardest-working piece of equipment in modern cellular provider networks

25. Other Uses for SMS Messages
   - Java implemented per-application messaging using
     - Java Mobile Information Device Profile (MIDP) and Connected Limited Device Configuration (CLDC), which use a
     - User Data Header (UDH) specifying a port to send the message to
   - Ports are not UDP or TCP ports, but similar

26. Other SMS Messages
   - SMS is used not just between users
     - But between network elements, like configuration servers
     - For peer-to-peer Java apps
     - UDH features

27. SMS Lacks Security Controls
   - SMS messages have
     - No authentication
     - No integrity checking
     - No confidentiality
   - So apps shouldn't trust what they get too much
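The port-addressed SMS of slides 25 and 26 and the "don't trust what you get" advice of slide 27, as an added Python example that is not from the original slides: a bounds-checked parser for the User Data Header information elements (port addressing and concatenation), and a receiver that acts on a message delivered to its port only after verifying an application-layer HMAC, never on the basis of the originating number. The element layout (UDHL, then repeated IEI / IEDL / data) follows 3GPP TS 23.040; the 8-bit data coding, the pre-shared key between application and server, and all function names and sample bytes are assumptions of this example.

```python
"""Parser for the SMS User Data Header (UDH) port addressing from slides 25-27, plus an
application-layer integrity check for messages arriving on such a port.

Added example, not from the original slides. Element layout follows 3GPP TS 23.040
(UDHL, then repeated IEI / IEDL / data). User data is assumed to be 8-bit coded, and the
pre-shared key behind the integrity tag is an assumption of this example: SMS itself
provides no authentication or integrity, which is exactly why the application adds one."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

IEI_CONCAT_8BIT = 0x00      # concatenation, 8-bit reference
IEI_APP_PORT_16BIT = 0x05   # application port addressing, 16-bit ports
IEI_CONCAT_16BIT = 0x08     # concatenation, 16-bit reference
TAG_LEN = 8                 # bytes of HMAC-SHA256 appended by the sending application


@dataclass
class UDH:
    dest_port: Optional[int] = None
    src_port: Optional[int] = None
    concat: Optional[tuple] = None                 # (reference, total parts, this part)
    other: list = field(default_factory=list)      # (IEI, data) for elements not interpreted here


def parse_user_data(ud: bytes) -> Tuple[UDH, bytes]:
    """Split 8-bit SMS user data into (UDH, payload). Raises ValueError on any malformed header,
    so a crafted length byte can never make the parser read past the header or the buffer."""
    if not ud:
        raise ValueError("empty user data")
    udhl = ud[0]
    end = 1 + udhl
    if end > len(ud):
        raise ValueError("UDHL exceeds user data length")
    hdr = UDH()
    pos = 1
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated information element")
        iei, iedl = ud[pos], ud[pos + 1]
        if pos + 2 + iedl > end:
            raise ValueError("information element length exceeds header")
        data = ud[pos + 2:pos + 2 + iedl]
        if iei == IEI_APP_PORT_16BIT:
            if iedl != 4:
                raise ValueError("bad application port element length")
            hdr.dest_port = int.from_bytes(data[0:2], "big")
            hdr.src_port = int.from_bytes(data[2:4], "big")
        elif iei == IEI_CONCAT_8BIT:
            if iedl != 3:
                raise ValueError("bad concatenation element length")
            hdr.concat = (data[0], data[1], data[2])
        elif iei == IEI_CONCAT_16BIT:
            if iedl != 4:
                raise ValueError("bad concatenation element length")
            hdr.concat = (int.from_bytes(data[0:2], "big"), data[2], data[3])
        else:
            hdr.other.append((iei, bytes(data)))
        pos += 2 + iedl
    return hdr, bytes(ud[end:])


def build_port_message(dest_port: int, src_port: int, body: bytes, key: bytes) -> bytes:
    """Sender side: UDH with a 16-bit port element, then body plus an application-layer tag."""
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    udh = bytes([IEI_APP_PORT_16BIT, 4]) + dest_port.to_bytes(2, "big") + src_port.to_bytes(2, "big")
    return bytes([len(udh)]) + udh + body + tag


def accept_port_message(ud: bytes, my_port: int, key: bytes) -> Optional[bytes]:
    """Receiver side: return the body only if the message is addressed to my_port and its tag
    verifies. The SMS originating address is deliberately not consulted: the network does not
    authenticate it, so it proves nothing about who sent the message."""
    try:
        hdr, payload = parse_user_data(ud)
    except ValueError:
        return None
    if hdr.dest_port != my_port or len(payload) < TAG_LEN:
        return None
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return body


if __name__ == "__main__":
    KEY = b"constructed-shared-key"                       # constructed sample key
    msg = build_port_message(8080, 0, b"set-apn=example", KEY)
    print(msg.hex())                                      # header starts 06 05 04 1f 90 00 00
    print(accept_port_message(msg, 8080, KEY))
```

The sample message carries UDHL 6 and one element (IEI 0x05, length 4, destination port 0x1F90 = 8080, source port 0). A configuration server and its client that share the key can exchange such messages; a message with a modified body, the wrong key, or a UDHL or element length that overruns the buffer is rejected rather than acted on.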

28. SMS Origin Spoofing
   - iOS displays the number in the "reply-to" field in the SMS header as the origin of an SMS message
     - Instead of the actual origin number
   - So it's easy to send SMS messages that appear to come from someone else
   - Link Ch 2c

29. Fake SMS Messages
   - On Android, a malicious app can fool your device into displaying a fake SMS message
   - Link Ch 2d

30. Attacks and Countermeasures

31. Hacking Mobile Voicemail
   - MNOs often configure voicemail accounts insecurely
     - No authentication required if the user's own phone is used to fetch the messages
   - With a PBX server like Asterisk, anyone can easily spoof any caller ID value
     - All they need is your phone number

32. Internet Spoofing Services
   - Link Ch 2f

33. Countermeasures for Mobile Voicemail Hacks
   - Set a voicemail password
   - Configure access so that entering the password is required from all phones, including yours

34. Rogue Mobile Devices
   - An evil phone could attack the mobile network (theoretical attack only)
   - Phone OS is not hard to understand, basically
     - iOS is BSD
     - Android is Linux
   - A modified phone could jam or modify broadcast signals from a BTS
     - But it would only affect a small area

35. Rogue Mobile Device Countermeasures
   - The cellular network is carved up into many small parts
   - Radio earshot is only a few hundred yards in a city, or a few miles on flat terrain
   - Just a normal radio jammer would be more effective

36. Early Rogue Station Attacks
   - Until recently, carriers assumed that attackers lacked the skill to build a base station, so
     - Network required authentication from the phone, but
     - Phone didn't require authentication from the network
   - So it was simple to emulate a cellular network

37. Attacking in the 1990s

38. [image-only slide]

39. Base Station Hardware
   - A normal cell phone could act as a base station with only a software change
   - A phone in "engineering mode" could sniff radio traffic on all bands at the same time
     - Packets can be logged via RS232
     - You get voice and SMS traffic
   - Flash phone via USB cable

40. Legal Warning
   - This was all fantastically illegal, of course
   - Wiretapping laws are scary
   - We will be careful in this class only to capture our own phone signals

41. Hacking in 2002
   - Rohde & Schwarz sold test gear for SMS networks, including BTS emulation
   - Cost was six figures

42. Rogue Base Station Countermeasures
   - It's up to the carriers to authenticate their networks
   - There's nothing an end-user can do

43. Rogue Femtocell Attacks
   - OpenBTS: free software that can be used to make a fake base station for about $1500 in 2009
   - Femtocells are even simpler

44. [image-only slide]

45. Femtocell
   - A tiny box with connectors for antenna, power, and Ethernet
   - Generic Linux distribution running several specialized apps
     - Loads a couple of drivers
     - Includes some simple radios

46. Femtocell Functions
   - Control signaling: call setup and teardown, and SMS messaging
   - Converting normal voice calls into real-time protocol streams
     - Associated SIP setup
   - Backhaul link uses IPsec connections to special security gateways on the mobile network operator side

47. Information Disclosure
   - Femtocells receive raw secrets used to authenticate devices from carriers
     - They are encrypted in transit with IPsec, but they are present in the femtocell's software and hardware
   - Hacking AT&T Femtocell (link Ch 2g)
   - Hacking a Vodafone Femtocell (link Ch 2h)

48. [image-only slide]

49. Femtocell Membership
   - Carriers could limit membership to a few cell phones for a single femtocell
   - But why not let everyone in? That expands their coverage for free!
   - But it also means customers are using untrustworthy devices and they have no way to know that

50. Countermeasures for Rogue Femtocells
   - Femtocells should be more limited in function
   - Networks need to authenticate themselves to the handsets reliably
     - SIP and IPsec allow for strong authentication
     - We just need new standards that use them

51. The Brave New World of IP

52. IMS (IP Multimedia Subsystem)
   - Carriers are moving to an IP-only system
   - No more:
     - Packetized voice
     - Loss of data service while on a phone call
     - Low-speed data links
   - Everything will use a baseband that connects to a high-speed IP network

53. Changes to Services

54. IMS Architecture

55. Long-Term Evolution (LTE)
   - Devices connect via IP networks to services, protected by gateways
   - As networks move from GSM or CDMA to LTE, these changes occur:
     - Unified bearer protocol: IP
     - IMS network can service any IP client, including PC, laptop, tablet, smartphone
     - All these devices could interoperate and replace one another, someday