#root via SMS
4G IP access security assessment
we are…
who we are
Sergey Gordeychik
@phdays architect
@scadasl captain
Alex Zaitsev
@arbitrarycode executor
@phdays goon
behind the scenes
Dmitry Sklyarov
Alexey Osipov (@GiftsUngiven)
Kirill Nesterov
Timur Yunusov (@a66at)
http://scadasl.org
3G/4G network
the Evil
4G access level
• Branded mobile equipment security checks
  – 3G/4G USB modems
  – Routers / wireless access points
  – Smartphones / femtocells / branded applications
  – (U)SIM cards
• Radio/IP access network
  – Radio access network
  – IP access (GGSN, routers, GRX)
• Related infrastructure
  – Additional services/VAS (TV, games, etc.)
why?
• we use it every day
  – Internet
  – social networks
  – to hack stuff
• IT uses it every day
  – ATM
  – IoT
  – SCADA
[Diagram: ERTMS/ETCS architecture. Plain line and station with Computer Based Interlocking driving the peripherals (signals, point machines, etc.); Radio Block Centre (RBC) with MMI; fixed Eurobalises; ETCS Onboard unit exchanging data with the RBC over GSM-R.]
bullet train interlocking
http://en.wikipedia.org/wiki/European_Rail_Traffic_Management_System
[The same diagram is repeated on the next slide, with the GSM-R links as the focus.]
radio access network
• Well researched by the community
  – http://security.osmocom.org/trac/
• Special thanks to
  – Sylvain Munaut / Alexander Chemeris / Karsten Nohl / et al.
btw
not so quick
• EN 50159:2010
• RBC-RBC Safe Communication Interface Subset-098
• VPN over GSM
not enough?
the NET
thanks John
http://www.shodanhq.com/
By devices
GPRS Tunnelling Protocol
• Subset of protocols for GPRS communications
  – SGSN <-> GGSN signaling (PDP context, QoS, etc.)
  – IP tunneling
  – Roaming (GRX)
  – Charging data exchange
• GTP-C UDP/2123
• GTP-U UDP/2152
• GTP' TCP/UDP/3386
http://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol
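The deck's Internet-wide count of GGSN/SGSN endpoints rests on one thing: sending a GTP-C Echo Request to UDP/2123 and seeing who answers. As an added example (not code from the talk or its authors), the Python below builds a GTPv1 Echo Request, decodes an Echo Response together with its Recovery IE, and classifies a reply the way an inventory scan of an operator's own address space would. The header layout follows 3GPP TS 29.060; the sample datagrams are constructed here and the function names are my own.

```python
"""GTPv1 Echo Request / Echo Response encoder and decoder (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Ports named on the slide
GTP_C_PORT = 2123        # GTP-C: signalling (Echo, Create PDP Context, ...)
GTP_U_PORT = 2152        # GTP-U: tunnelled user traffic
GTP_PRIME_PORT = 3386    # GTP': charging data

MSG_ECHO_REQUEST = 0x01
MSG_ECHO_RESPONSE = 0x02
IE_RECOVERY = 0x0E       # TV-format IE: one byte restart counter

FLAGS_V1_GTP = 0x30      # version 1 in bits 7..5, PT=1 (GTP rather than GTP')
FLAG_E, FLAG_S, FLAG_PN = 0x04, 0x02, 0x01


@dataclass
class GtpMessage:
    msg_type: int
    teid: int
    seq: Optional[int]
    payload: bytes       # information elements after the header


def _header(msg_type: int, body: bytes, teid: int = 0) -> bytes:
    # Length counts everything after the 8 mandatory header bytes, optional fields included.
    return struct.pack("!BBHI", FLAGS_V1_GTP | FLAG_S, msg_type, len(body), teid) + body


def build_echo_request(seq: int) -> bytes:
    """Echo Request: S flag set, TEID 0, sequence number, no IEs."""
    return _header(MSG_ECHO_REQUEST, struct.pack("!HBB", seq, 0, 0))


def build_echo_response(seq: int, restart_counter: int) -> bytes:
    """Echo Response echoing the sequence number and carrying a Recovery IE."""
    body = struct.pack("!HBB", seq, 0, 0) + struct.pack("!BB", IE_RECOVERY, restart_counter)
    return _header(MSG_ECHO_RESPONSE, body)


def parse_gtp(datagram: bytes) -> GtpMessage:
    """Decode a GTPv1 datagram; raises ValueError on anything that is not well-formed GTPv1."""
    if len(datagram) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    body = datagram[8:8 + length]
    if len(body) != length:
        raise ValueError("truncated GTP payload")
    seq = None
    if flags & (FLAG_E | FLAG_S | FLAG_PN):
        # Any of E/S/PN set means 4 optional bytes follow: seq(2), N-PDU(1), next ext type(1)
        if len(body) < 4:
            raise ValueError("optional header fields missing")
        if flags & FLAG_S:
            seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    return GtpMessage(msg_type, teid, seq, body)


def recovery_counter(msg: GtpMessage) -> Optional[int]:
    """Return the Recovery (restart counter) value if the message carries that IE."""
    p = msg.payload
    i = 0
    while i < len(p):
        ie_type = p[i]
        if ie_type == IE_RECOVERY and i + 1 < len(p):
            return p[i + 1]
        if ie_type >= 0x80:           # TLV IE: 16-bit length follows the type
            if i + 3 > len(p):
                return None
            i += 3 + struct.unpack("!H", p[i + 1:i + 3])[0]
        else:
            return None               # other TV IEs have fixed sizes not tabled here; stop
    return None


def classify_reply(request: bytes, reply: bytes) -> str:
    """Inventory verdict for one probe: does this address answer GTP-C echo?"""
    req = parse_gtp(request)
    try:
        rsp = parse_gtp(reply)
    except ValueError:
        return "not-gtp"
    if rsp.msg_type != MSG_ECHO_RESPONSE or rsp.seq != req.seq:
        return "unexpected"
    return "gtp-echo-responder"


if __name__ == "__main__":
    # Constructed exchange: what a responder with restart counter 5 would send back.
    probe = build_echo_request(7)
    answer = build_echo_response(7, 5)
    print(probe.hex(), "->", answer.hex())
    print(classify_reply(probe, answer), "restart counter", recovery_counter(parse_gtp(answer)))
```

To run this against your own ranges, send `probe` from a UDP socket to GTP_C_PORT of each address and hand the reply to `classify_reply`; a GTP-C echo responder on an Internet-facing address is the finding by itself, before any PDP context request is attempted.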
Let’s scan all the Internets!
GPRS Tunnelling Protocol
• GTP-echo responses: 207401
• No answer for PDP context request: 199544
• U r welcome: 548
• Management ports
• DNS (.gprs .3gppnetwork.org)
Brazil 228
China 162
India 34
Colombia 14
USA 13
Japan 13
Malaysia 10
Kuwait 9
Germany 9
UAE 7
So what?
Attacks
• GGSN PWN
• GPRS attacks
  – DoS
  – Information leakage
  – Fraud
Example: GTP “Synflood”
http://blog.ptsecurity.com/2013/09/inside-mobile-internet-security.html http://bit.ly/195ZYMR
We are good guys!
I’m inside
A good detour is never crooked (Guter Weg um ist nie krumm)
• All the old IP stuff
  – traceroutes to 1.1.1.1/10.1.1.1
  – IP source routing
  – Management ports
• All the new IP stuff
  – IPv6
  – MPTCP
  – Telco specific (GTP, SCTP M3UA, DIAMETER, etc.)
http://ubm.io/11K3yLT https://www.thc.org/thc-ipv6/
Here There Be Tygers
DNS
• In most cases it is an internal DNS server
• Sometimes it uses the company's FQDN and address space
  – Brute force / zone transfer and other information leakage
  – .gprs .3gppnetwork.org
• APIPA IP address reuse
  – local.COMPANY.com has an A record pointing to 10.X.X.X
  – Attacker publishes a link to local.COMPANY.com (on the same address)
  – Victims from the 10.X network will send their cookies to the attacker
http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
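The cookie-leak scenario above needs one precondition the zone owner can check for: a public name whose A or AAAA record points into internal address space. As an added example (not from the slides), the Python below runs that check over constructed zone-style records and reports every name that resolves into RFC 1918, APIPA/link-local, loopback or IPv6 ULA space. The record format, the company.example names and the function names are constructed for this example; a zone owner would feed it an export of their own zone, such as the output of an authorised zone transfer.

```python
"""Flag public DNS names that resolve into internal address space (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed zone-style records (name TTL class type rdata); not real data.
SAMPLE_ZONE = """
; constructed sample, company.example is a placeholder
www.company.example.      300 IN A     203.0.113.10
local.company.example.    300 IN A     10.1.2.3
dev.company.example.      300 IN A     192.168.0.20
printer.company.example.  300 IN A     169.254.10.5
lan.company.example.      300 IN AAAA  fd12:3456::1
api.company.example.      300 IN AAAA  2001:db8::1
mail.company.example.     300 IN MX    10 mx.company.example.
"""

# Explicit ranges rather than ipaddress.is_private: that property also covers
# documentation and reserved blocks (e.g. 203.0.113.0/24), which are not the concern here.
INTERNAL_NETWORKS = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "APIPA / link-local": ["169.254.0.0/16", "fe80::/10"],
    "loopback": ["127.0.0.0/8", "::1/128"],
    "IPv6 ULA": ["fc00::/7"],
}
_NETS = {label: [ipaddress.ip_network(n) for n in nets] for label, nets in INTERNAL_NETWORKS.items()}

Record = Tuple[str, str, str]  # (owner name, type, rdata)


def parse_records(zone_text: str) -> List[Record]:
    """Minimal reader for 'name TTL class type rdata' lines; skips blanks and ';' comments."""
    records = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue
        name, _ttl, _cls, rtype, *rdata = parts
        records.append((name.rstrip("."), rtype.upper(), " ".join(rdata)))
    return records


def classify_address(text: str) -> Optional[str]:
    """Label of the internal range the address falls into, or None for non-internal / non-IP."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    for label, nets in _NETS.items():
        if any(ip.version == n.version and ip in n for n in nets):
            return label
    return None


def find_leaking_records(zone_text: str) -> List[Tuple[str, str, str]]:
    """Return (name, address, range label) for every A/AAAA record pointing inside."""
    findings = []
    for name, rtype, rdata in parse_records(zone_text):
        if rtype in ("A", "AAAA"):
            label = classify_address(rdata)
            if label:
                findings.append((name, rdata, label))
    return findings


if __name__ == "__main__":
    for name, addr, label in find_leaking_records(SAMPLE_ZONE):
        print(f"{name:28} {addr:16} {label}")
```

Names that show up here belong in a split-horizon internal view rather than the public zone; until then, any cookie the public domain sets without a host restriction is reachable by whoever sits at that private address on a victim's network.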
1990s
• Your balance is insufficient
• Connect to your favorite UDP VPN
Resume
• For telcos
  – Please scan all your Internets!
  – Your subscribers' network is not your internal network
• For auditors
  – Check all states
    – online/blocked/roaming
  – Check all subscribers
    – APNs, subscriber plans
  – Don't hack other subscribers
http://www.slideshare.net/qqlan/how-to-hack-a-telecom-and-stay-alive/32
The Device
Who is mister USB-modem?
• Rebranded hardware platform
• Linux/Android/BusyBox onboard
• Multifunctional
  – Storage
    – CWID USB SCSI CD-ROM USB Device
    – MMC Storage USB Device (MicroSD Card Reader)
  – Local management
    – COM-Port (UI, AT commands)
  – Network
    – Remote NDIS based Internet Sharing Device
    – WiFi
This animal is very wicked (Cet animal est très méchant)
• Well researched
  – «Unlock»
  – «Firmware customization»
  – «Dashboard customization»
• Some security research
  – http://threatpost.com/using-usb-modems-to-phish-and-send-malicious-sms-messages
  – http://www.slideshare.net/RahulSasi2/fuzzing-usb-modems-rahusasi
  – http://2014.phdays.com/program/business/37688/
  – https://media.blackhat.com/eu-13/briefings/Tarakanov/bh-eu-13-from-china-with-love-tarakanov-slides.pdf
When attacked, it defends itself (Quand on l'attaque il se défend)
• Developers' answer
  – Device «hardening»
  – Disabling of local interfaces (COM)
  – Web dashboards
Identification
• Documentation
• Google
• Box
• Google again
• Internals
How it works
[Diagram: the modem appears to the host as a new Ethernet adapter, with the host running a DHCP client; the modem side runs a DHCP server, DNS, the web dashboard and routing/NAT towards the broadband connection.]
Scan it
Sometimes you get lucky…
…other times you don’t
How to hack the device remotely?
• telnet?
  – Internal interface only
  – Blocked by browsers
• http?
  – Attack via browser (CSRF)
• broadband
  – ?
web – trivial stuff
CSRF, insufficient authentication, XSS
Basic impact
• Info disclosure
• Change settings
  – DNS (intercept traffic)
  – SMS Center (intercept SMS)
• Manipulate (Set/Get)
  – SMS
  – Contacts
  – USSD
  – WiFi networks
Advanced impact
• Self-service portal access
  – XSS (SMS) to “pwn” browser
  – CSRF to send “password reset” USSD
  – XSS to transfer password to attacker
• “Brick”
  – PIN/PUK “bruteforce”
  – Wrong IP settings
DEMO
I need The Power!
“hidden” firmware upload
Cute, but…
• You need to have the firmware
  – Sometimes you get lucky…
  – …other times you don't
• Integrity control
  – At least there should be…
dig deeper…
• Direct shell calls
  – awk to calculate Content-Length
• Other trivial RCE
Getting the shell
Finding “engineering tool”
I’ve got The Power
But is it?
Cute, but…
• Get firmware?
  – Yes, it's nice, but…
• Find more bugs?
  – We have enough…
• Get SMS, send USSD?
  – Can be done via CSRF/XSS…
• PWN the subscriber?
PWN - PWN
Profit!111
Sometimes you get lucky…
Details
• Dashboard installs a web server on localhost
  – Host diagnostics (ipconfig, traces…)
  – Windows “shell” script based!
  – Very “secure”!
• Interacts with the USB modem's web server
  – Doesn't care about origin (you don't even need XSS)
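The localhost helper described above forwards commands to the modem without looking at where the request came from, which is what lets any page in the user's browser drive it. As an added example (not the vendor's code), the Python below shows the minimum such an endpoint should enforce before acting on a command: an Origin or Referer on an allow-list, plus a per-session CSRF token bound to the session by HMAC. The allow-listed addresses, the session secret, the `csrf` form field and the function names are assumptions made for this example.

```python
"""Origin and CSRF-token checks for a localhost management endpoint (added example)."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed origins of the legitimate dashboard pages (the helper's own UI and the modem's web UI).
ALLOWED_ORIGINS = {"http://127.0.0.1:8080", "http://192.168.1.1"}
# Constructed secret for this example; a real helper would generate one per installation.
SESSION_SECRET = b"constructed-demo-secret-not-for-production"


def csrf_token(session_id: str) -> str:
    """Per-session token: HMAC of the session id, so a token from one session is useless in another."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(headers: Dict[str, str]) -> Optional[str]:
    """Origin header if present, otherwise scheme://host[:port] of the Referer, otherwise None."""
    origin = headers.get("Origin")
    if origin and origin != "null":
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        u = urlsplit(referer)
        if u.scheme and u.netloc:
            return f"{u.scheme}://{u.netloc}"
    return None


def authorize(headers: Dict[str, str], form: Dict[str, str], session_id: str) -> Tuple[bool, str]:
    """Decide whether a command request may be forwarded to the modem.

    The helper on the slide skipped all of this and forwarded whatever it received,
    which is why an <img> or form on any web page could drive the modem.
    """
    origin = origin_of(headers)
    if origin is None:
        return False, "no origin information"   # cross-site requests may arrive without Referer
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    token = form.get("csrf")
    if not token:
        return False, "missing csrf token"
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return False, "invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-1"
    legit = {"Origin": "http://127.0.0.1:8080"}
    lure = {"Referer": "http://attacker.example/lure.html"}   # constructed cross-site page
    print(authorize(legit, {"csrf": csrf_token(sid)}, sid))
    print(authorize(lure, {}, sid))
```

Both checks matter: the origin check alone fails when the browser sends no Referer, and the token alone fails if the token ever leaks through the same XSS the slides describe, so the endpoint should refuse unless both pass.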
Very specific case
It still in USB!
It still in (bad)USB!
https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf
Can I SMS keypress to your Laptop?
How to?
• android_usb
• sysfs
• in-memory patch
DEMO
A few words about the SIM cards
What has Karsten taught us?
• Not all TARs are equally secure
• If you are lucky enough you could find something to bruteforce
• If you are even luckier you can crack some keys
• Or some TARs would accept commands without any crypto at all
Getting the keys
• Either using rainbow tables or by plain old DES cracking
• We've chosen DES
  – Existing solutions were too slow for us
  – So why not build something new?
Getting the keys
• The Bitcoin mining business made another twist
• Which resulted in a number of affordable FPGAs on the market
• Here's our cruncher: (add tech specs and pics!!!)
Now what?
• So you either got the keys or didn't need them, what's next?
  – Send random commands to TARs that accept them
  – Send commands to known pre-defined TARs
Now what?
• Send random commands to TARs that accept them
  – Good manuals or intelligent fuzzing needed
  – Or you'll end up with nothing: not knowing what you send and receive
Now what?
• Send commands to known pre-defined TARs
  – Card manager (TAR 00 00 00)
  – File system (TARs B0 00 00 - B0 FF FF)
  – …
Now what?
• Card manager (TAR 00 00 00)
  – Holy grail
  – Install & load applets and jump off the JCVM
  – Not enough technical details
  – No successful POC publicly available
  – But someone has done it for sure…
Now what?
• File system (TARs B0 00 00 - B0 FF FF)
  – Simple, well documented APDU commands (SELECT, GET RESPONSE, READ BINARY, etc.)
  – Plain tree structure
  – Has its own access conditions (READ, UPDATE, ACTIVATE, DEACTIVATE | CHV1, CHV2, ADM)
Now what?
• File system (TARs B0 00 00 - B0 FF FF)
  – Stores such things as the phonebook, SMS etc.
    – Protected by CHV1 (i.e. the PIN code)
  – Stores much more interesting stuff: TMSI, Kc
    – Protected by the same CHV1!
Attack?
• No fun in sending APDUs through a card reader
• Let's do it over the air!
  – Wrap file system access APDUs in binary SMS
  – Can be done with osmocom, some GSM modems or an SMSC gateway
Attack?
• Wait! What about access conditions?
  – We still need a PIN to read the interesting stuff
  – Often the PIN is set to 0000 by the operator and is never changed
  – Otherwise it needs bruteforcing
Attack?
• PIN bruteforce
  – Only 3 attempts until the PIN is blocked
  – Needs a wide range of victims to get an appropriate success rate
  – Provides some obvious possibilities…
Attack?
• Byproduct attack: subscriber DoS
  – Try 3 wrong PINs
  – PIN is locked, PUK (CHV2) requested
  – Try 3 wrong PUKs
  – PUK is locked
  – Subscriber is locked out of the GSM network and needs to replace the SIM card
Attack?
• Assuming we were lucky enough
  – We either have the OTA key or don't need one
  – We either have the PIN or don't need one
  – All we need is to read two elementary files
  – MF/DF/EF/Kc and MF/DF/EF/loci
Attack?
• Assuming we were lucky enough
  – We now have the TMSI and Kc and don't need to rely on Kraken anymore
  – Collect some GSM traffic with your SDR of choice
  – Decrypt it using the obtained Kc
  – Profit!
Resume
• For telcos
  – All your 3/4G modems/routers are belong to us
• For everybody
  – Please don't plug computers into your USB
  – Even if it is your harmless “network printer” (4G modem)

More Related Content

What's hot

Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
P1Security
 
VoLTE optimization.pdf
VoLTE optimization.pdfVoLTE optimization.pdf
VoLTE optimization.pdf
RakhiJadav1
 
Mobile Network Attack Evolution
Mobile Network Attack EvolutionMobile Network Attack Evolution
Mobile Network Attack Evolution
Positive Hack Days
 

What's hot (20)

Ericsson LTE Commands.pdf
Ericsson LTE Commands.pdfEricsson LTE Commands.pdf
Ericsson LTE Commands.pdf
 
UMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFBUMTS/LTE/EPC Call Flows for CSFB
UMTS/LTE/EPC Call Flows for CSFB
 
Handover call_flow in GSM
 Handover call_flow in GSM Handover call_flow in GSM
Handover call_flow in GSM
 
eMBMS for LTE
eMBMS for LTE eMBMS for LTE
eMBMS for LTE
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
 
Evolution of Core Networks
Evolution of Core NetworksEvolution of Core Networks
Evolution of Core Networks
 
High-level architecture of Mobile Cellular Networks from 2G to 5G
High-level architecture of Mobile Cellular Networks from 2G to 5GHigh-level architecture of Mobile Cellular Networks from 2G to 5G
High-level architecture of Mobile Cellular Networks from 2G to 5G
 
MIGRATION STRATEGY OF GSM TO MOBILE BROADBAND
MIGRATION STRATEGY OF GSM TO MOBILE BROADBANDMIGRATION STRATEGY OF GSM TO MOBILE BROADBAND
MIGRATION STRATEGY OF GSM TO MOBILE BROADBAND
 
Call Setup Success Rate Definition and Troubleshooting
Call Setup Success Rate Definition and Troubleshooting Call Setup Success Rate Definition and Troubleshooting
Call Setup Success Rate Definition and Troubleshooting
 
Gsm optimization
Gsm optimizationGsm optimization
Gsm optimization
 
AIRCOM LTE Webinar 3 - LTE Carriers
AIRCOM LTE Webinar 3 - LTE CarriersAIRCOM LTE Webinar 3 - LTE Carriers
AIRCOM LTE Webinar 3 - LTE Carriers
 
Scheduling in umts
Scheduling in umtsScheduling in umts
Scheduling in umts
 
GSM ARCHITECTURE
GSM ARCHITECTUREGSM ARCHITECTURE
GSM ARCHITECTURE
 
Ubbp
UbbpUbbp
Ubbp
 
volte ims network architecture tutorial - Explained
volte ims network architecture tutorial - Explained volte ims network architecture tutorial - Explained
volte ims network architecture tutorial - Explained
 
VoLTE optimization.pdf
VoLTE optimization.pdfVoLTE optimization.pdf
VoLTE optimization.pdf
 
AIRCOM LTE Webinar 6 - Comparison between GSM, UMTS & LTE
AIRCOM LTE Webinar 6 - Comparison between GSM, UMTS & LTEAIRCOM LTE Webinar 6 - Comparison between GSM, UMTS & LTE
AIRCOM LTE Webinar 6 - Comparison between GSM, UMTS & LTE
 
3GPP SON Series: Mobility Load Balancing (MLB)
3GPP SON Series: Mobility Load Balancing (MLB)3GPP SON Series: Mobility Load Balancing (MLB)
3GPP SON Series: Mobility Load Balancing (MLB)
 
Lte most used command rev1
Lte most used command rev1Lte most used command rev1
Lte most used command rev1
 
Mobile Network Attack Evolution
Mobile Network Attack EvolutionMobile Network Attack Evolution
Mobile Network Attack Evolution
 

Similar to Root via sms. 4G security assessment

Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
DefconRussia
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Fatih Ozavci
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
masoodnt10
 
Oss web application and network security
Oss   web application and network securityOss   web application and network security
Oss web application and network security
Rishabh Mehan
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
Positive Hack Days
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
eroglu
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
Positive Hack Days
 

Similar to Root via sms. 4G security assessment (20)

Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
Root via SMS: 4G access level security assessment, Sergey Gordeychik, Alexand...
 
D1 t1 t. yunusov k. nesterov - bootkit via sms
D1 t1   t. yunusov k. nesterov - bootkit via smsD1 t1   t. yunusov k. nesterov - bootkit via sms
D1 t1 t. yunusov k. nesterov - bootkit via sms
 
OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016OWASP Cambridge Chapter Meeting 13/12/2016
OWASP Cambridge Chapter Meeting 13/12/2016
 
SCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architectureSCADA deep inside:protocols and software architecture
SCADA deep inside:protocols and software architecture
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
 
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
Alexander Timorin, Alexander Tlyapov - SCADA deep inside protocols, security ...
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
 
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 FinalExploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
Exploiting Network Protocols To Exhaust Bandwidth Links 2008 Final
 
Oss web application and network security
Oss   web application and network securityOss   web application and network security
Oss web application and network security
 
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
DIY Internet: Snappy, Secure Networking with MinimaLT (JSConf EU 2013)
 
class12_Networking2
class12_Networking2class12_Networking2
class12_Networking2
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay alive
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
 
Firewall
FirewallFirewall
Firewall
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
 
Wireshark Basics
Wireshark BasicsWireshark Basics
Wireshark Basics
 

More from Sergey Gordeychik

AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
Sergey Gordeychik
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation  Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation
Sergey Gordeychik
 
SCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European SmartgridSCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European Smartgrid
Sergey Gordeychik
 

More from Sergey Gordeychik (12)

Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
MALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELSMALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELS
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
 
Practical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart gridsPractical analysis of the cybersecurity of European smart grids
Practical analysis of the cybersecurity of European smart grids
 
SD-WAN Internet Census, Zeronighst 2018
SD-WAN Internet Census, Zeronighst 2018SD-WAN Internet Census, Zeronighst 2018
SD-WAN Internet Census, Zeronighst 2018
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Too soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessmentToo soft[ware defined] networks SD-Wan vulnerability assessment
Too soft[ware defined] networks SD-Wan vulnerability assessment
 
Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation  Recon: Hopeless relay protection for substation automation
Recon: Hopeless relay protection for substation automation
 
The Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and FuriousThe Great Train Robbery: Fast and Furious
The Great Train Robbery: Fast and Furious
 
Cybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systemsCybersecurity Assessment of Communication-Based Train Control systems
Cybersecurity Assessment of Communication-Based Train Control systems
 
Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016Greater China Cyber Threat Landscape - ISC 2016
Greater China Cyber Threat Landscape - ISC 2016
 
SCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European SmartgridSCADA StrangeLove Practical security assessment of European Smartgrid
SCADA StrangeLove Practical security assessment of European Smartgrid
 

Recently uploaded

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

Root via sms. 4G security assessment

  • 1. #root via SMS 4G IP access security assesment
  • 3. who we are Sergey Gordeychik @phdays architect @scadasl captain Alex Zaitsev @arbitrarycode executor @phdays goon
  • 4. behind the scenes Dmity Sklarov Alexey @GiftsUngiven Osipov Kirill Nesterov Timur @a66at Yunusov http://scadasl.org
  • 7. 4G access level  Branded mobile equipment security checks  3G/4G USB Modems  Routers / Wireless Access Point  Smartphones/Femtocell/Branded applications  (U)SIM cards  Radio/IP access network  Radio access network  IP access (GGSN, Routers, GRX)  Related Infrastructure  Additional services/VAS (TV, Games, etc)
  • 9. why?  we use it every day  Internet  social network  to hack stuff  IT use it everyday  ATM  IoT  SCADA
  • 10. Plain Line Station Computer Based Interlocking to peripherals: signals, point machines, etc. RBC Fixed Eurobalise RBC MMI Fixed Eurobalise GSM-R GSM-R Onboard ETCS Onboard Data GSM-R bullet train interlocking http://en.wikipedia.org/wiki/European_Rail_Traffic_Management_System
  • 11. Plain Line Station Computer Based Interlocking to peripherals: signals, point machines, etc. RBC Fixed Eurobalise RBC MMI Fixed Eurobalise GSM-R GSM-R Onboard ETCS Onboard Data GSM-R GSM-R
  • 12. radio access network • Well researched by community – http://security.osmocom.org/trac/ • Special thanks to – Sylvain Munaut/Alexander Chemeris/Karsten Nohl/et. al. http://security.osmocom.org/trac/
  • 13. btw
  • 14. not so quick  EN 50159:2010  RBC-RBC Safe Communication Interface Subset- 098  VPN over GSM
  • 21. GPRS Tunnelling Protocol  Subset of protocols for GPRS communications  SGSN <-> GGSN signaling (PDP context, QoS, etc)  IP tunneling  Roaming (GRX)  Charging data exchange  GTP-C UDP/2123  GTP-U UDP/2152  GTP' TCP/UDP/3386 http://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol
  • 22. Let’s scan all the Internets!
  • 23. GPRS Tunnelling Protocol  GTP-echo responses  207401  No answer for PDP context request  199544  U r welcome  548  Management ports  DNS (.gprs .3gppnetwork.org)
  • 24. Brazil 228 China 162 India 34 Colombia 14 USA 13 Japan 13 Malaysia 10 Kuwait 9 Germany 9 UAE 7
  • 26. Attacks  GGSN PWN  GPRS attacks  DoS  Information leakage  Fraud
  • 28. We are good guys!
  • 30. Guter Weg um ist nie krumm  All old IP stuff  traces 1.1.1.1/10.1.1.1  IP source routing  Management ports  All new IP stuff  IPv6  MPTCP  Telco specific (GTP, SCTP M3UA, DIAMETER etc) http://ubm.io/11K3yLT https://www.thc.org/thc-ipv6/
  • 31. Here There Be Tygers
  • 32. DNS  In most cases it internal DNS server  Sometimes it uses company’s FQDN and address space  Bruteforce/Zone Transfer and other information leakage  .gprs .3gppnetwork.org  APIPA IP address reuse  local.COMPANY.com have A-record to 10.X.X.X  Attacker publishes link to local.COMPANY.com on same address  Victims form 10.Х network will transfer cookies to attacker http://lab.onsec.ru/2013/07/insecure-dns-records-in-top-web-projects.html
  • 33. 1990th  Your balance is insufficient  Connect to your favorite UDP VPN
  • 34. Resume  For telcos  Please scan all your Internets!  Your subscribers network is not your internal network  For auditors  Check all states  online/blocked/roaming  Check all subscribers  APN’s, subscribers plans  Don’t hack other subscribers http://www.slideshare.net/qqlan/how-to-hack-a-telecom-and-stay-alive/32
  • 36. Who is mister USB-modem?  Rebranded hardware platform  Linux/Android/BusyBox onboard  Multifunctional  Storage  CWID USB SCSI CD-ROM USB Device  MMC Storage USB Device (MicroSD Card Reader)  Local management  COM-Port (UI, AT commands)  Network  Remote NDIS based Internet Sharing Device  WiFi
  • 37. Cet animal est très méchant  Well researched  «Unlock»  «Firmware customization»  «Dashboard customization»  Some security researches  http://threatpost.com/using-usb-modems-to-phish-and-send-malicious-sms-messages  http://www.slideshare.net/RahulSasi2/fuzzing-usb-modems-rahusasi  http://2014.phdays.com/program/business/37688/  https://media.blackhat.com/eu-13/briefings/Tarakanov/bh-eu-13-from-china-with-love- tarakanov-slides.pdf
  • 38. Quand on l'attaque il se défend  Developers answer  Device «Hardening»  Disabling of local interfaces (COM)  Web-dashboards
  • 40. Identification  Documentation  Google  Box  Google again  Internals
  • 41. How it works New Ethernet adapter DHCP client DHCP server DNS Web dashboard Routing/NAT Broadbandconnection
  • 43. Sometimes you get lucky…
  • 45. How to hack device remotely?  telnet?  Internal interface only  Blocked by browsers  http?  Attack via browser (CSRF)  broadband  ?
• 46. web – trivial stuff
 CSRF
 Insufficient authentication
 XSS
• 48. Basic impact
 Info disclosure
 Change settings: DNS (intercept traffic), SMS Center (intercept SMS)
 Manipulate (Set/Get): SMS, contacts, USSD, WiFi networks
• 49. Advanced impact
 Self-service portal access
 XSS (SMS) to “pwn” browser
 CSRF to send “password reset” USSD
 XSS to transfer password to attacker
 “Brick”
 PIN/PUK “bruteforce”
 Wrong IP settings
  • 50. DEMO
  • 51. I need The Power!
• 53. Cute, but…
 You need to have firmware
 Sometimes you get lucky…
 …other times you don’t
 Integrity control
 At least should be…
• 54. dig deeper…
 Direct shell calls
 awk to calculate Content-Length
 Other trivial RCE
  • 57. I’ve got The Power
• 59. Cute, but…
 Get firmware? Yes, it's nice, but…
 Find more bugs? We have enough…
 Get SMS, send USSD? Can be done via CSRF/XSS…
 PWN the subscriber?
  • 63. Sometimes you get lucky…
• 64. Details
 Dashboard installs a webserver on localhost
 Host diagnostics (ipconfig, traces…)
 Windows “shell” script based!
 Very “secure”!
 Interacts with the USB modem webserver
 Doesn't care about origin (you don't even need XSS)
• 66. It's still USB!
• 67. It's still (bad)USB! https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf
  • 68. Can I SMS keypress to your Laptop?
• 69. How to?
 android_usb
 sysfs
 in-memory patch
  • 70. DEMO
  • 71. Few words about the SIM cards
• 72. What has Karsten taught us?
 Not all TARs are equally secure
 If you are lucky enough you could find something to bruteforce
 If you are even luckier you can crack some keys
 Or some TARs would accept commands without any crypto at all
• 73. Getting the keys
 Either using rainbow tables or by plain old DES cracking
 We've chosen DES
 Existing solutions were too slow for us
 So why not build something new?
• 74. Getting the keys
 The Bitcoin mining business made another twist
 Which resulted in a number of affordable FPGAs on the market
 Here's our cruncher: (add tech specs and pics!!!)
• 75. Now what?
 So you either got the keys or didn’t need them, what’s next?
 Send random commands to TARs that accept them
 Send commands to known pre-defined TARs
• 76. Now what?
 Send random commands to TARs that accept them
 Good manuals or intelligent fuzzing needed
 Or you'll end up with nothing: not knowing what you send and receive
• 77. Now what?
 Send commands to known pre-defined TARs
 Card manager (TAR 00 00 00)
 File system (TARs B0 00 00 - B0 FF FF)
 …
• 78. Now what?
 Card manager (TAR 00 00 00)
 Holy grail
 Install & load applets and jump off the JCVM
 Not enough technical details
 No successful POC publicly available
 But someone has done it for sure…
• 79. Now what?
 File system (TARs B0 00 00 - B0 FF FF)
 Simple, well documented APDU commands (SELECT, GET RESPONSE, READ BINARY, etc.)
 Plain tree structure
 Has its own access conditions (READ, UPDATE, ACTIVATE, DEACTIVATE | CHV1, CHV2, ADM)
• 80. Now what?
 File system (TARs B0 00 00 - B0 FF FF)
 Stores such things as phonebook, SMS etc.
 Protected by CHV1 (i.e. the PIN code)
 Stores much more interesting stuff: TMSI, Kc
 Protected by the same CHV1!
• 81. Attack?
 No fun in sending APDUs through a card reader
 Let's do it over the air!
 Wrap file system access APDUs in binary SMS
 Can be done with osmocom, some GSM modems or an SMSC gateway
• 82. Attack?
 Wait! What about access conditions?
 We still need a PIN to read the interesting stuff
 Often the PIN is set to 0000 by the operator and is never changed
 Otherwise it needs bruteforcing
• 83. Attack?
 PIN bruteforce
 Only 3 attempts until the PIN is blocked
 Needs a wide range of victims to get an appropriate success rate
 Provides some obvious possibilities…
• 84. Attack?
 Byproduct attack – subscriber DoS
 Try 3 wrong PINs
 PIN is locked, PUK (CHV2) requested
 Try 3 wrong PUKs
 PUK is locked
 Subscriber is locked out of the GSM network - needs to replace the SIM card
• 85. Attack?
 Assuming we were lucky enough
 We have the OTA key or don’t need one
 We’ve got the PIN or don’t need one
 All we need is to read two elementary files
 MF/DF/EF/Kc and MF/DF/EF/loci
• 86. Attack?
 Assuming we were lucky enough
 We now have TMSI and Kc and don't need to rely on Kraken anymore
 Collect some GSM traffic with your SDR of choice
 Decrypt it using the obtained Kc
 Profit!
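To show exactly what the two elementary files named on slide 85 hold, and why their CHV1 protection is all that stands between a PIN and a live session key, here is a decoder for EF_Kc and EF_LOCI as an added example (not code from the talk). Layouts follow 3GPP TS 51.011 (EF_Kc = 6F20, EF_LOCI = 6F7E) and LAI coding follows TS 24.008; the sample bytes are constructed, not read from a real card.

```python
"""Decode EF_Kc (6F20) and EF_LOCI (6F7E), layouts per 3GPP TS 51.011 and LAI
coding per TS 24.008. Added illustration; the sample bytes are constructed."""
from dataclasses import dataclass
CKSN_NO_KEY = 7  # key sequence number value meaning "no valid Kc on the card"
LU_STATUS = {0: "updated", 1: "not updated",
             2: "PLMN not allowed", 3: "location area not allowed"}

@dataclass(frozen=True)
class EfKc:
    kc: bytes   # 64-bit A5 ciphering key, readable under CHV1 only
    cksn: int   # ciphering key sequence number (3 bits)

    @property
    def valid(self) -> bool:
        return self.cksn != CKSN_NO_KEY

@dataclass(frozen=True)
class EfLoci:
    tmsi: bytes
    mcc: str
    mnc: str
    lac: int
    lu_status: str

def decode_lai(lai: bytes):
    """LAI = MCC/MNC in swapped BCD (3 bytes) + LAC (2 bytes, big-endian)."""
    if len(lai) != 5:
        raise ValueError("LAI must be 5 bytes")
    lo, hi = [b & 0x0F for b in lai[:3]], [b >> 4 for b in lai[:3]]
    mcc = f"{lo[0]}{hi[0]}{lo[1]}"
    mnc = f"{lo[2]}{hi[2]}" + ("" if hi[1] == 0xF else str(hi[1]))  # 2- or 3-digit
    return mcc, mnc, int.from_bytes(lai[3:5], "big")

def parse_ef_kc(data: bytes) -> EfKc:
    """EF_Kc: 8 bytes Kc followed by 1 byte CKSN (low 3 bits)."""
    if len(data) != 9:
        raise ValueError("EF_Kc must be 9 bytes")
    return EfKc(kc=bytes(data[:8]), cksn=data[8] & 0x07)

def parse_ef_loci(data: bytes) -> EfLoci:
    """EF_LOCI: TMSI(4) + LAI(5) + TMSI TIME(1) + location update status(1)."""
    if len(data) != 11:
        raise ValueError("EF_LOCI must be 11 bytes")
    return EfLoci(bytes(data[:4]), *decode_lai(data[4:9]),
                  LU_STATUS.get(data[10] & 0x07, "reserved"))

# Constructed sample contents (not from a real SIM): MCC 250 / MNC 01 / LAC 0x1234
SAMPLE_KC = bytes.fromhex("a1b2c3d4e5f60718" "03")
SAMPLE_LOCI = bytes.fromhex("deadbeef" "52f010" "1234" "ff" "00")
```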
• 87. Resume
 For telcos
 All your 3G/4G modems/routers are belong to us
 For everybody
 Please don’t plug computers into your USB
 Even if it's your harmless network printer or 4G modem