lte redirection
play

LTE Redirection Forcing Targeted LTE Cellphone into Unsafe Network - PowerPoint PPT Presentation

May 18, 2023 •547 likes •937 views

360UnicornTeam LTE Redirection Forcing Targeted LTE Cellphone into Unsafe Network Qing Yang@360 UnicornTeam Wanqiao Zhang @360 UnicornTeam 1 LTE Redirection LTE and IMSI catcher myths In Nov. 2015, BlackHat EU, Ravishankar Borgaonkar,

  1. 360UnicornTeam LTE Redirection Forcing Targeted LTE Cellphone into Unsafe Network Qing Yang@360 UnicornTeam Wanqiao Zhang @360 UnicornTeam 1 LTE Redirection

  2. LTE and IMSI catcher myths • In Nov. 2015, BlackHat EU, Ravishankar Borgaonkar, and Altaf Shaik etc. introduced the LTE IMSI catcher and DoS attack. 2 LTE Redirection

  3. IMSI Catcher Once a cellphone goes through the fake network coverage area, its IMSI will be reported to the fake network. 3 LTE Redirection

  4. DoS Attack DoS message examples:  You are an illegal cellphone!  Here is NO network available. You could shut down your 4G/3G/2G modem. 4 LTE Redirection

  5. Redirection Attack Malicious LTE: “Hello cellphone, come into my GSM network…” 5 LTE Redirection

  6. Demo Fake GSM Network USRPs Fake LTE Network 6 LTE Redirection

  7. Demo Video

  8. Risk • If forced into fake network • The cellphone will have no service (DoS). • The fake GSM network can make malicious call and SMS. • If forced into rogue network • All the traffic (voice and data) can be eavesdropped. 8 LTE Redirection

  9. LTE Basic Procedure • (Power on) • Cell search, MIB, SIB1, SIB2 and other SIBs • PRACH preamble Unauthorized area • RACH response Attack Space! • RRC Connection Request • RRC Connection Setup • RRC Connection Setup Complete + NAS: Attach request + ESM: PDN connectivity request • RRC: DL info transfer + NAS: Authentication request • RRC: UL info transfer + NAS: Authentication response • RRC: DL info transfer + NAS: Security mode command • RRC: UL info transfer + NAS: Security mode completer • …… 9 LTE Redirection

  10. Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI! 10 LTE Redirection

  11. Procedure of IMSI Catcher If you send Identity request at the same state, you can also get the cellphone’s IMSI! Identity Request 11 LTE Redirection

  12. Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone. 12 LTE Redirection

  13. Procedure of Redirection Attack RRC Release message can bring the cell info which it can let cellphone re-direct to. 13 LTE Redirection

  14. How to Build Fake LTE Network • Computer + USRP 14 LTE Redirection

  15. How to Build Fake LTE Network • There are some popular open source LTE projects: • (1)Open Air Interface by Eurecom • http://www.openairinterface.org/ • The most completed and open source LTE software • Support connecting cellphone to Internet • But have complicated software architecture Advanced Technology of Fake Base Station by Seeker 15 LTE Redirection

  16. How to Build Fake LTE Network • There are some popular open source LTE projects: • (2)OpenLTE by Ben Wojtowicz OpenLTE • http://openlte.sourceforge.net/ • Haven’t achieved stable LTE data connection but functional enough for fake LTE network • Beautiful code architecture • More popular in security researchers 16 LTE Redirection

  17. Procedure of IMSI Catcher Firstly send a TAU reject, then cellphone will send Attach Request, with its IMSI! LTE Redirection 17

  18. Procedure of IMSI Catcher If you send Identity request at the same state, you can also get the cellphone’s IMSI! Identity Request 18 LTE Redirection

  19. OpenLTE Source Code (1/3) • In current OpenLTE release, the TAU request isn’t handled. • But TAU reject msg packing function is available. 19 LTE Redirection

  20. OpenLTE Source Code (1/3) Set the mme procedure as TAU REQUET Call the TAU reject message packing module *Refer to Attach reject module 20 LTE Redirection

  21. Procedure of IMSI Catcher Network Optimization Master 21 LTE Redirection

  22. Procedure of IMSI Catcher Identity Request Identity response 22 LTE Redirection

  23. OpenLTE Souce Code (2/3) DoS attack can directly utilize the cause setting in Attach Reject message. 23 LTE Redirection

  24. Procedure of DoS Attack Attach Reject message can bring reject cause. Some special causes result in NO service on cellphone. 24 LTE Redirection

  25. OpenLTE Source Code (3/3) redirectCarrierInfo can be inserted into RRC Connection Release message. 25 LTE Redirection

  26. OpenLTE Source Code (3/3) 26 LTE Redirection

  27. OpenLTE Source Code (3/3) 27 LTE Redirection

  28. Think from the other side Attacker Defender Why is RRC redirection message not encrypted? 28 LTE Redirection

  29. Is This a New Problem? • "Security Vulnerabilities in the E-RRC Control Plane", 3GPP TSG-RAN WG2/RAN WG3/SA WG3 joint meeting, R3- 060032, 9-13 January 2006 • This document introduced a ‘Forced handover’ attack: 29 LTE Redirection

  30. 3GPP’s Decision • “Reply LS on assumptions for security procedures”, 3GPP TSG SA WG3 meeting #45, S3-060833, 31st Oct - 3rd Nov 2006 30 LTE Redirection

  31. Why 3GPP Made Such Decision • In special cases, e.g. earthquake, disaster, hot events • Too many people try to access one base station then make this base station overloaded. • To let network load balanced, this base station can ask the new coming cellphone to redirect to another base station. • If you don’t tell cellphones which base station is light-loaded, the cellphones will blindly and inefficiently search one by one, and then increase the whole network load. Overloaded Base station Light-loaded Base station Overloaded Overloaded Base station Base station 31 LTE Redirection

  32. Network Availability vs.. Privacy • Global roaming • IMSI Catcher e.g. Wifi MAC addr tracking • Energy saving • DoS Attack VS. • Load balance • Redirection Attack Basic requirement High level requirement 32 LTE Redirection

  33. Countermeasures (1/2) • Cellphone manufacture – smart response • Scheme 1: Don’t follow the redirection command, but auto-search other available base station. • Scheme 2: Follow the redirection command, but raise an alert to cellphone user: Warning! You are downgraded to low security network. 33 LTE Redirection

  34. Countermeasures (2/2) • Standardization effort • Fix the weak security of legacy network: GSM • 3GPP TSG SA WG3 (Security) Meeting #83, S3-160702, 9-13 May 2016 Legacy Security Issues and Mitigation Proposals, Liaison Statement from GSMA. • Refuse one-way authentication • Disabling compromised encryption in mobile 34 LTE Redirection

  35. Acknowledgements • Huawei • Peter Wesley (Security expert) • GUO Yi (3GPP RAN standardization expert) • CHEN Jing (3GPP SA3 standardization expert) • Qualcomm • GE Renwei (security expert) • Apple • Apple product security team 35 LTE Redirection

  36. Any question? • huanglin-it@360.cn • zhangwanqiao@360.cn 36 LTE Redirection

  37. Thank you ! 37 LTE Redirection

Recommend

Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP draft-bharatia-sipping-redirect-00.txt Authors: J. Bharatia, S. Sen, R. Yuhanna, S. Orton, M. Watson Presenter: Mark Watson mwatson@nortelnetworks.com General Motivation SIP

478 views • 5 slides
.kr DNS Redirection 28. Oct, 2009 Korea Internet & Security Agency Contents 1. DNS

.kr DNS Redirection 28. Oct, 2009 Korea Internet & Security Agency Contents 1. DNS

.kr DNS Redirection 28. Oct, 2009 Korea Internet & Security Agency Contents 1. DNS Redirection 2. Use of .kr DNS direction 3. Web-Navigation System 4. Market share of web browser in Korea 5. .kr DNS Redirection status 6. Query status for

164 views • 12 slides
Prohibiting Redirection & Synthesized DNS Responses June 2009 Ram Mohan SSAC Board Liaison

Prohibiting Redirection & Synthesized DNS Responses June 2009 Ram Mohan SSAC Board Liaison

Prohibiting Redirection & Synthesized DNS Responses June 2009 Ram Mohan SSAC Board Liaison Redirection of DNS Responses Redirection of DNS Responses Issue Issue Wildcarding of DNS records Provides valid address and routing

217 views • 6 slides
GridFTP redirection Currently, all GridFTP requests are streamed through the Head node

GridFTP redirection Currently, all GridFTP requests are streamed through the Head node

GridFTP redirection Currently, all GridFTP requests are streamed through the Head node Same for PUT This is obviously not ideal 1. GET /SFN 2. Fetch via RFIO Client Head Disk 3. Serve file GridFTP redirection Based on the

263 views • 13 slides
More Linux Piping and Redirection Fundamentals of Computer Science Outline File and

More Linux Piping and Redirection Fundamentals of Computer Science Outline File and

More Linux Piping and Redirection Fundamentals of Computer Science Outline File and Directory Permissions File Content Finding Files Sorting Files File Compression Processes Pipes Input/Output Redirection

562 views • 21 slides
COMP 2718: Redirection By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline

COMP 2718: Redirection By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline

COMP 2718: Redirection By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline Redirection Chapter 6 of TLCL Standard Input, Standard Output, and Standard Error Redirecting Standard Output File Desriptors

578 views • 29 slides
Redirection and Logical Consequences New Hire Orientation 2018 Office of Teaching & Learning

Redirection and Logical Consequences New Hire Orientation 2018 Office of Teaching & Learning

Redirection and Logical Consequences New Hire Orientation 2018 Office of Teaching & Learning 1 Redirection and Logical Consequences New Hire Orientation 2018 Please complete DO NOW on page 1 of your notes 2 Objective We will work to:

592 views • 31 slides
I/O redirection Most of the time, programs display their output (stdout) to the monitor and

I/O redirection Most of the time, programs display their output (stdout) to the monitor and

I/O redirection Most of the time, programs display their output (stdout) to the monitor and take their input (stdin) from the keyboard There is also an error stream (stderr) that some programs take advantage of From the command line,

329 views • 6 slides
A double-pushout approach for modeling pointer redirection Dominique Duval, Rachid Echahed, Fr

A double-pushout approach for modeling pointer redirection Dominique Duval, Rachid Echahed, Fr

A double-pushout approach for modeling pointer redirection Dominique Duval, Rachid Echahed, Fr ed eric Prost University of Grenoble IFIP WG1.3 meeting, Sierra Nevada, January 18., 2008 Outline Introduction Basic examples The

733 views • 49 slides
Synergies of Robotic Asteroid Redirection Technologies and Human Space Exploration John R. Brophy

Synergies of Robotic Asteroid Redirection Technologies and Human Space Exploration John R. Brophy

Synergies of Robotic Asteroid Redirection Technologies and Human Space Exploration John R. Brophy , Jet Propulsion Laboratory, Caltech Louis Friedman ,Executive Director Emeritus, The Planetary Society Nathan J. Strange, Jet Propulsion

196 views • 15 slides
05 Git, Chaining, Piping & Redirection CS 2043: Unix Tools and Scripting, Spring 2019 [2]

05 Git, Chaining, Piping & Redirection CS 2043: Unix Tools and Scripting, Spring 2019 [2]

05 Git, Chaining, Piping & Redirection CS 2043: Unix Tools and Scripting, Spring 2019 [2] Matthew Milano February 1, 2019 Cornell University 1 Table of Contents 1. As always: Everybody! ssh to wash.cs.cornell.edu 3. Lets Git back

430 views • 24 slides
Media redirection for Spice remote computing solution Optimizing media stream processing for

Media redirection for Spice remote computing solution Optimizing media stream processing for

Media redirection for Spice remote computing solution Optimizing media stream processing for media players and VoIP clients in virtual desktop infrastructures Lyakhov F.A., Mazur E.S., Kuzin A.M., Semenov S.K. 1 Common media processing

599 views • 17 slides
Understanding OpenDaylight VTN and the Redirection Function Shreyansh Jain NEC Technologies

Understanding OpenDaylight VTN and the Redirection Function Shreyansh Jain NEC Technologies

Understanding OpenDaylight VTN and the Redirection Function Shreyansh Jain NEC Technologies India Pvt. Ltd. shreyansh.jain@{nectechnologies.in, gmail.com} Next 45 Minutes A brief introduction to OpenDaylight VTN OpenDaylight

811 views • 44 slides
Why Tria riage in Stroke? 3 1 2/27/2020 MI and STEMI As A Stroke Comparison 4 Stroke:

Why Tria riage in Stroke? 3 1 2/27/2020 MI and STEMI As A Stroke Comparison 4 Stroke:

2/27/2020 Acute Stroke Bypass & Redirection Protocol: Champlain Region Grant Stotts, MD, FRCPC Medical Director, CRSN Mathieu Grenier Acting Deputy Chief, Clinical Programs County of Renfrew Paramedic Service March 4, 2020 1 1.

380 views • 14 slides
Lecture 3 Log into Linux Questions about Homework 1? Reminder: Additional on-line

Lecture 3 Log into Linux Questions about Homework 1? Reminder: Additional on-line

Lecture 3 Log into Linux Questions about Homework 1? Reminder: Additional on-line references Thursday, September 2 CS 375 UNIX System Programming - Lecture 3 1 Outline Filesystems BASH - Bourne Again SHell Redirection

520 views • 27 slides
Content Distribution Networks explicit transparent (hijacking connections) Outline

Content Distribution Networks explicit transparent (hijacking connections) Outline

Design Space Caching Content Distribution Networks explicit transparent (hijacking connections) Outline Replication Implementation Techniques server farms Hashing Schemes Redirection Strategies geographically

237 views • 6 slides
Changelog Changes made in this version not seen in fjrst lecture: 6 September: fjx stray @s on

Changelog Changes made in this version not seen in fjrst lecture: 6 September: fjx stray @s on

Changelog Changes made in this version not seen in fjrst lecture: 6 September: fjx stray @s on implementing fjle descriptors in xv6 slide 6 September: typical pattern with redirection: hilite parts of code more sensibly 6 September: exec

912 views • 77 slides
The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands run some code to do the command For other commands find program executable and .... run it. Other features: wildcards, pipes, redirection.

468 views • 18 slides
AIRWeb 2009 The Potential for Research and Development in Adversarial Information Retrieval

AIRWeb 2009 The Potential for Research and Development in Adversarial Information Retrieval

AIRWeb 2009 The Potential for Research and Development in Adversarial Information Retrieval Brian D. Davison Computer Science and Engr., Lehigh University 2 AIRWeb after 5 years Self-examination natural Redirection possibilities

681 views • 39 slides
Anthony Kougkas, Hariharan Devarajan, Xian-He Sun akougkas@hawk.iit.edu Department of Computer

Anthony Kougkas, Hariharan Devarajan, Xian-He Sun akougkas@hawk.iit.edu Department of Computer

IRIS: I/O Redirection via Integrated Storage Anthony Kougkas, Hariharan Devarajan, Xian-He Sun akougkas@hawk.iit.edu Department of Computer Science Special thanks to Dr. Shuibing He Illinois Institute of Technology ICS18, Beijing, China who

338 views • 29 slides
A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web

A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web

Stephan Chenette Principal Security Researcher Websense Labs FIRESHARK A TOOL TO LINK THE MALICIOUS WEB Agenda Introduction Fireshark Details Web Communities Malicious Web Communities Mass Injection Analysis Redirection

1.49k views • 99 slides
Space Traveling across VM Automatically Bridging the Semantic-Gap in Virtual Machine

Space Traveling across VM Automatically Bridging the Semantic-Gap in Virtual Machine

Background and The Problem State-of-the-Art Our Approach: Data Space Traveling Conclusion Space Traveling across VM Automatically Bridging the Semantic-Gap in Virtual Machine Introspection via Online Kernel Data Redirection Yangchun Fu, and

926 views • 66 slides
Managing Shell I/O Andrew Mallett LINUX AUTHOR AND CONSULTANT @theurbanpenguin

Managing Shell I/O Andrew Mallett LINUX AUTHOR AND CONSULTANT @theurbanpenguin

Managing Shell I/O Andrew Mallett LINUX AUTHOR AND CONSULTANT @theurbanpenguin www.theurbanpenguin.com Redirect STDOUT and STDERR to a Module single location Overview Redirect complete blocks The power of exec in redirection Working with

650 views • 17 slides
The Console Toolkit - Part 2 Alexander Schoch TheAlternative, SSC | ETHZ and UZH 29 th of March,

The Console Toolkit - Part 2 Alexander Schoch TheAlternative, SSC | ETHZ and UZH 29 th of March,

Processes Run as Root Piping and Redirection Useful TUI/CLI software Managing software SSH Version control Backup Epilogue The Console Toolkit - Part 2 Alexander Schoch TheAlternative, SSC | ETHZ and UZH 29 th of March, 2019 Alexander

913 views • 42 slides

More recommend