base jumping
play

Base Jumping Attacking the GSM baseband and base station - PowerPoint PPT Presentation

Sep 29, 2023 •363 likes •1.07k views

Base Jumping Attacking the GSM baseband and base station grugq@coseinc.com Tuesday, 20 July 2010 Overview GSM Base Station Base Band Conclusion 2 Tuesday, 20 July 2010 GSM: The Protocol 3 Tuesday, 20 July 2010 Documents

  1. Base Jumping Attacking the GSM baseband and base station grugq@coseinc.com Tuesday, 20 July 2010

  2. Overview ❖ GSM ❖ Base Station ❖ Base Band ❖ Conclusion 2 Tuesday, 20 July 2010

  3. GSM: The Protocol 3 Tuesday, 20 July 2010

  4. Documents ❖ Dozens of docs ❖ Thousands of pages ❖ Important one (defines L3) ❖ GSM 04 08 4 Tuesday, 20 July 2010

  5. 5 Tuesday, 20 July 2010

  6. 6 Tuesday, 20 July 2010

  7. Logical Channels Broadcast Channels ( BCH ) Broadcast Control Channel ( BCCH ) Frequency Correction Channel ( FCCH ) Synchronization Channel ( SCH ) Cell Broadcast Channel ( CBCH ) 7 Tuesday, 20 July 2010

  8. Logical Channels, cont. ❖ Common Control Channels ( CCCH ) Paging Channel ( PCH ) Random Access Channel ( RACH ) Access Grant Channel ( AGCH ) 8 Tuesday, 20 July 2010

  9. Logical Channels, cont. Standalone Dedicated Control Channel ( SDCCH ) Associated Control Channel ( ACCH ) Fast Associated Control Channel ( FACCH ) Slow Associated Control Channel ( SACCH ) 9 Tuesday, 20 July 2010

  10. GSM Channels ❖ Opening a channel is slow ❖ Can take seconds ❖ Specific channels for specific uses 10 Tuesday, 20 July 2010

  11. Opening a channel 11 Tuesday, 20 July 2010

  12. 12 Tuesday, 20 July 2010

  13. RACH 12 Tuesday, 20 July 2010

  14. RACH AGCH 12 Tuesday, 20 July 2010

  15. RACH AGCH LCH 12 Tuesday, 20 July 2010

  16. 13 Tuesday, 20 July 2010

  17. PCH 13 Tuesday, 20 July 2010

  18. PCH RACH 13 Tuesday, 20 July 2010

  19. PCH RACH AGCH 13 Tuesday, 20 July 2010

  20. PCH RACH AGCH LCH 13 Tuesday, 20 July 2010

  21. ARFCN MSC MS BSC BTS BTS 14 Tuesday, 20 July 2010

  22. Mobile Station MS Mobile Station Base Transceiver Base Station Controller Station Controller MSC BTS BSC Base Station Sub-System BSS 15 Tuesday, 20 July 2010

  23. VLR HLR MSC MS BSS 16 Tuesday, 20 July 2010

  24. Mobile Identifiers 17 Tuesday, 20 July 2010

  25. 18 Tuesday, 20 July 2010

  26. IMSI 18 Tuesday, 20 July 2010

  27. IMSI IMEI 18 Tuesday, 20 July 2010

  28. GSM Attacks 19 Tuesday, 20 July 2010

  29. 20 Tuesday, 20 July 2010

  30. RACHell ❖ Request channel allocation ❖ Flood the BSS with requests ❖ First announced by Dieter Spaar at DeepSec ❖ Prevent everyone from using that cell 21 Tuesday, 20 July 2010

  31. RACHell 22 Tuesday, 20 July 2010

  32. RACHell 22 Tuesday, 20 July 2010

  33. RACHell 22 Tuesday, 20 July 2010

  34. RACHell 22 Tuesday, 20 July 2010

  35. RACHell 22 Tuesday, 20 July 2010

  36. RACHell 22 Tuesday, 20 July 2010

  37. RACHell ? 22 Tuesday, 20 July 2010

  38. 23 Tuesday, 20 July 2010

  39. Our Target 23 Tuesday, 20 July 2010

  40. Demo - RACHell 24 Tuesday, 20 July 2010

  41. IMSI Flood ❖ Send IMSI ATTACH messages ❖ pre-authentication ❖ Overload the HLR/VLR infrastructure ❖ Prevent everyone using the network 25 Tuesday, 20 July 2010

  42. IMSI Flood 26 Tuesday, 20 July 2010

  43. IMSI Flood 26 Tuesday, 20 July 2010

  44. IMSI Flood 26 Tuesday, 20 July 2010

  45. IMSI Flood 26 Tuesday, 20 July 2010

  46. IMSI Flood 26 Tuesday, 20 July 2010

  47. IMSI Flood 26 Tuesday, 20 July 2010

  48. IMSI Flood 26 Tuesday, 20 July 2010

  49. How hard to get an IMSI? 27 Tuesday, 20 July 2010

  50. IMSI DETACH ❖ Send multiple Location Update Requests including a spoofed IMSI ❖ Unauthenticated ❖ Prevent SIM from receiving calls and SMS ❖ Discovered by Sylvain Munaut 28 Tuesday, 20 July 2010

  51. IMSI DETACH 29 Tuesday, 20 July 2010

  52. IMSI DETACH 29 Tuesday, 20 July 2010

  53. IMSI DETACH 29 Tuesday, 20 July 2010

  54. IMSI DETACH 29 Tuesday, 20 July 2010

  55. IMSI DETACH 29 Tuesday, 20 July 2010

  56. IMSI DETACH 29 Tuesday, 20 July 2010

  57. IMSI DETACH 29 Tuesday, 20 July 2010

  58. Baseband Fuzzing 30 Tuesday, 20 July 2010

  59. How to make a smartphone + = 31 Tuesday, 20 July 2010

  60. Two separate computers 32 Tuesday, 20 July 2010

  61. Two separate computers 32 Tuesday, 20 July 2010

  62. Baseband ❖ Controls the radio ❖ Separate CPU and code base ❖ RTOS ❖ Written in C ❖ Typically legacy code base (decades) 33 Tuesday, 20 July 2010

  63. Coseinc GSM FuzzFarm ❖ OpenBTS based fuzzer delivery engine ❖ Targetting ❖ iPhone ❖ HTC (Android) ❖ Palm Pre ❖ Blackberry ❖ Nokia 34 Tuesday, 20 July 2010

  64. 35 Tuesday, 20 July 2010

  65. Conclusion 36 Tuesday, 20 July 2010

  66. GSM Trouble ❖ GSM is no longer a walled garden ❖ GSM spec has security problems ❖ Expect many more issues as OSS reduces costs for entry 37 Tuesday, 20 July 2010

  67. Future work ❖ More GSM stack fuzzing ❖ Next gen protocol stacks 38 Tuesday, 20 July 2010

  68. Thanks to Harald Walte, Osmocom-bb & OpenBTS 39 Tuesday, 20 July 2010

  69. Questions? 40 Tuesday, 20 July 2010

Recommend

Extreme Sliding Base Jumping with the Radix 2/10 Binary/Decimal Slide Rule C Tombeur, July

Extreme Sliding Base Jumping with the Radix 2/10 Binary/Decimal Slide Rule C Tombeur, July

Extreme Sliding Base Jumping with the Radix 2/10 Binary/Decimal Slide Rule C Tombeur, July 2014 What is in a scale? This article describes the inspiration, design and operation of the Radix 2/10 System Leibniz slide rule, and the

403 views • 24 slides
Running and Jumping PE | Year 1 | Outdoor | Running and Jumping | Changing Gears | Lesson 1 Aim

Running and Jumping PE | Year 1 | Outdoor | Running and Jumping | Changing Gears | Lesson 1 Aim

Running and Jumping PE | Year 1 | Outdoor | Running and Jumping | Changing Gears | Lesson 1 Aim Aim To move at different speeds. Success Criteria Success Criteria Statement 1 Lorem ipsum dolor sit amet, consectetur adipiscing elit. I

539 views • 18 slides
Women Challenge the IOC in Court: The Case of Ski Jumping 1 Why do women have to struggle so

Women Challenge the IOC in Court: The Case of Ski Jumping 1 Why do women have to struggle so

Prof. Dr. Annette R. Hofmann Women Challenge the IOC in Court: The Case of Ski Jumping 1 Why do women have to struggle so much to get acknowledged in ski jumping? Why did women ski jumpers not make it into the Olympic program for

288 views • 26 slides
ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1.

ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1.

ACTIVE 1. WELCOME and JUMPING IN LEARNING 1. WHAT IS ACTIVE LEARNING? la Carte 1. CONSTRUCTING our TEACHING CHALLENGES in a low tech 1. ORCHESTRATION environment 1. SHOW-AND-TELL Selma Hamdani Psychology / DALC / Neuroscience

836 views • 50 slides
Data Visualization in R May 15, 2017 Data Visualization in R May 15, 2017 1 / 40 Jumping In

Data Visualization in R May 15, 2017 Data Visualization in R May 15, 2017 1 / 40 Jumping In

Data Visualization in R May 15, 2017 Data Visualization in R May 15, 2017 1 / 40 Jumping In Lets get started right away by the loading ggplot2 package and reading in our dataset. ### Install packages if you don't have them yet ### Typical

1.13k views • 40 slides
Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific architectural approach to building UI components Model-View-Controller Classic architecture from Smalltalk 80 Model: data structures that

387 views • 17 slides
Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific architectural approach to building UI components Model-View-Controller Classic architecture from Smalltalk 80 Model: data structures that

1.13k views • 18 slides
Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific

Using MVC with Swing Components Jumping Ahead a Bit... Were going to cover a specific architectural approach to building UI components Model-View-Controller Classic architecture from Smalltalk 80 Model: data structures that

477 views • 15 slides
Zero-Base Budget Overview State of Maine What is Zero-Base Budgeting? Zero-base budgeting is a

Zero-Base Budget Overview State of Maine What is Zero-Base Budgeting? Zero-base budgeting is a

Zero-Base Budget Overview State of Maine What is Zero-Base Budgeting? Zero-base budgeting is a planning and budgeting tool that uses cost-benefit analysis of programs and activities to improve the allocation of funds and staff resources in an

412 views • 8 slides
ESNZ JUMPING AGM 6 TH JULY 7 TH JULY 2019 2 WELCOME Mandy Illston Roll call

ESNZ JUMPING AGM 6 TH JULY 7 TH JULY 2019 2 WELCOME Mandy Illston Roll call

ESNZ JUMPING AGM 6 TH JULY 7 TH JULY 2019 2 WELCOME Mandy Illston Roll call Apologies Obituaries Rhonda Goddard, Ray Burmester, Bob Lilburne, Murray Thompson Approve minutes of previous meeting Matters arising

809 views • 56 slides
Financial Aid 101 Jumping Through the Hoops What Is Financial Aid? Gift Aid- Free

Financial Aid 101 Jumping Through the Hoops What Is Financial Aid? Gift Aid- Free

Financial Aid 101 Jumping Through the Hoops What Is Financial Aid? Gift Aid- Free Money Grants- Need Based Scholarships- Merit Based Self-Help Aid Loans- Need and Non-Need Based Employment Opportunities

594 views • 20 slides
What is this thing? Crouching Chameleon - Jumping Fly p. 1/1 What is this thing? What do

What is this thing? Crouching Chameleon - Jumping Fly p. 1/1 What is this thing? What do

What is this thing? Crouching Chameleon - Jumping Fly p. 1/1 What is this thing? What do they eat? Crouching Chameleon - Jumping Fly p. 1/1 What is this thing? What do they eat? How do they get food? Crouching Chameleon - Jumping

418 views • 30 slides
PRAM ALGORITHMS: POINTER JUMPING 2 1 08 08 2015 LIST RANKING Consider the problem of

PRAM ALGORITHMS: POINTER JUMPING 2 1 08 08 2015 LIST RANKING Consider the problem of

08 08 2015 PARALLEL AND DISTRIBUTED ALGORITHMS BY DEBDEEP MUKHOPADHYAY AND ABHISHEK SOMANI http://cse.iitkgp.ac.in/~debdeep/courses_iitkgp/PAlgo/index.htm PRAM ALGORITHMS: POINTER JUMPING 2 1 08 08 2015 LIST RANKING

333 views • 16 slides
Jumping on the Climate Change Bandwagon? Explaining variation in inter-governmental organisation

Jumping on the Climate Change Bandwagon? Explaining variation in inter-governmental organisation

Jumping on the Climate Change Bandwagon? Explaining variation in inter-governmental organisation behaviour Nina Hall Post-Doctoral Fellow, Hertie School of Governance Research Questions Why do international organizations bandwagon on the

387 views • 17 slides
Jumping on Board How Gamification and Family Travel Can Be Combined to Build Customer Loyalty

Jumping on Board How Gamification and Family Travel Can Be Combined to Build Customer Loyalty

Jumping on Board How Gamification and Family Travel Can Be Combined to Build Customer Loyalty We help businesses and organizations to better connect with their audience and customers through virtual worlds,

380 views • 14 slides
MQ Jumping . . . . Or, move to the front of the queue, pass go and collect 200 Martyn Ruks

MQ Jumping . . . . Or, move to the front of the queue, pass go and collect 200 Martyn Ruks

MQ Jumping . . . . Or, move to the front of the queue, pass go and collect 200 Martyn Ruks DEFCON 15 2007-08-03 One Year Ago Last year I talked about IBM Networking attacks and said I was going to continue with my research. But

829 views • 58 slides
Jumping loci and finiteness properties of groups Alexander I. Suciu (joint work with Alexandru

Jumping loci and finiteness properties of groups Alexander I. Suciu (joint work with Alexandru

Jumping loci and finiteness properties of groups Alexander I. Suciu (joint work with Alexandru Dimca, Stefan Papadima) This is an extended abstract of a talk given on the first day of the Mini-Workshop. In the first part, we give a quick

415 views • 4 slides
Jumping into conversational AI - Alexa Name: Suchi Garg Online: gargsuchi Who I work for:

Jumping into conversational AI - Alexa Name: Suchi Garg Online: gargsuchi Who I work for:

Jumping into conversational AI - Alexa Name: Suchi Garg Online: gargsuchi Who I work for: Accenture Slides: http://tiny.cc/gargsuchi Please preface all your questions with Q: Thank you. Agenda Introduction to conversational AI

1.43k views • 27 slides
Whole Numbers Jumping Jack Snap Game (numeral Cluedo Numerals! cards 0 to 20) Tell your child

Whole Numbers Jumping Jack Snap Game (numeral Cluedo Numerals! cards 0 to 20) Tell your child

1 Hougang Primary School Mathematics Workshop (P2) Make Maths Fun @ Home Whole Numbers Jumping Jack Snap Game (numeral Cluedo Numerals! cards 0 to 20) Tell your child you are thinking Draw on butcher paper numbers from one to twenty in

329 views • 4 slides
CPSC 490 DP and Range Queries Part 5: Binary Jumping, LCA; Part 1: Intro, Prefix Sums, Fenwick

CPSC 490 DP and Range Queries Part 5: Binary Jumping, LCA; Part 1: Intro, Prefix Sums, Fenwick

CPSC 490 DP and Range Queries Part 5: Binary Jumping, LCA; Part 1: Intro, Prefix Sums, Fenwick Trees Lucca Siaudzionis and Jack Spalding-Jamieson 2020/02/04 University of British Columbia Announcements Reminder: The upsolver for A1 is up.

828 views • 41 slides
A Jumping 5 3 WK Automata Model Radim Kocman Benedek Nagy Zbyn ek K rivka

A Jumping 5 3 WK Automata Model Radim Kocman Benedek Nagy Zbyn ek K rivka

A Jumping 5 3 WK Automata Model Radim Kocman Benedek Nagy Zbyn ek K rivka Alexander Meduna Centre of Excellence IT4Innovations, Faculty of Information Technology, Brno University of Technology, Bo zet echova 2, Brno

702 views • 29 slides
Fundamental Movement Skills Agility Agility Balance Co-ordination Running Jumping Extra:

Fundamental Movement Skills Agility Agility Balance Co-ordination Running Jumping Extra:

Fundamental Movement Skills Agility Agility Balance Co-ordination Running Jumping Extra: Tricks of the Trade STEP PRINCIPAL SPACE: How could you change the space to make an activity any harder or easier.

922 views • 32 slides
Playing Inside Inside play consists of climbing, jumping, obstacle courses and other gross motor

Playing Inside Inside play consists of climbing, jumping, obstacle courses and other gross motor

Playing Inside Inside play consists of climbing, jumping, obstacle courses and other gross motor movement. We love climbing on boxes, sliding down ramps, and following each other as we each discover new ways to move! Stacking rings, foam

641 views • 9 slides
Baserunner Responsibilities Legal & Illegal Slides Jumping, Hurdling, Diving Copied from

Baserunner Responsibilities Legal & Illegal Slides Jumping, Hurdling, Diving Copied from

Baserunner Responsibilities Legal & Illegal Slides Jumping, Hurdling, Diving Copied from NFHS Powerpoint Presentation Baserunners responsibilities Legal Runners are never required to slide, but if a runner elects to slide, it must be

295 views • 12 slides

More recommend