Femtocell: Femtostep to the Holy Grail
Ravishankar Borgaonkar, Kévin Redon
Technische Universität Berlin, SecTravii/[email protected]
TROOPERS 2011, 30 March 2011
⚛ femtocell · ☺ using it · ☠ owning it · ☢ abusing it · ⚔ and far beyond
⚛ femtocell: 3G/UMTS femtocells · HNB Subsystem (HNS)
mobile telecommunication history
- 0G - 1950 : not so handy
- 1G - 1980 : similar to 2G, but with analog voice (like in PSTN)
- 2G - 1991 : GSM in Europe, CDMA in the USA. Very successful, ...and now broken
- 2.5G : GPRS. Packet Switching capability
- 3G - 2002 : UMTS in Europe, CDMA 2000 in the USA. Usable mobile Internet
- 3.5G : HSDPA, faster download. 3.75G : HSUPA, faster upload.
- 3.9G : LTE/WiMAX
- 4G : LTE-Advanced, WiMAX 2 : Higher bandwidth, no Circuit Switching
R. Borgaonkar, K. Redon Femtocell: Femtostep to the Holy Grail 2 / 33
UMTS architecture (simplified)
UMTS architecture (complex)
cells
technology
What is a femtocell:
- it's an access point (sometimes called FAP)
- it connects the mobile phone to the 3G/UMTS network
- compatible with every UMTS-capable mobile phone
- small cells, with a coverage of less than 20 m
- low power device
- easy to install: you only have to provide power and Internet access
- technical name: Home Node B (HNB)
user advantages
advantages provided to the users:
- can be installed at home to provide coverage (if not available otherwise)
- provides high bandwidth (not shared with the public)
- can provide location-based services (kids arrived at home)
but nothing that Wifi cannot provide for free, except that you don't have to configure the phone.
operator advantages
advantages for the operator:
- extended coverage, near to the users
- traffic offload from their public infrastructure
- cheap hardware, which the user even has to buy
- no installation cost
- no maintenance cost
- new revenue possibilities
- IP connectivity
conclusion : femtocells are a great opportunity for the operators.
HNB in UMTS network
HNB Subsystem
☺ using it: ordering · location verification · final solution
requirements
How to get a femtocell:
- choose a country from the 12 which deploy them
- get an address and IP from this country, because usage is only allowed within the country
- select an operator from the 18 which offer them
- get a mobile phone subscription from this operator, required to get the femtocell service
- gently ask for a femtocell
- get it for free, for a one-time payment, or for a monthly fee
- enjoy ☺
requirements
Location verification
operators have to verify where the femtocell is, for several reasons:
- to prevent you from avoiding roaming costs in foreign countries
- UMTS uses the 2.1 GHz frequency band, a licensed spectrum band. The operators own the radio licenses for the femtocell only for their country
- the location of the users is required for lawful interception
techniques
How to find where the femtocell is located:
- IP: geoIP, even knowing the ISP is enough
- GNSS: GPS
- macrocell: cell beacons carry country, network, and location information (MCC, MNC, LAC)
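The three signals above each come from a different source, and an operator-side check is only as strong as the way it combines them. The following is an added example (not from the talk): a decision routine that lets the femtocell radiate only when the available sources agree on the licensed country and at least two of them are present. The field names are assumptions; the MCC table is a small subset of the real assignments.

```python
"""Cross-checking GeoIP, GNSS and macrocell evidence for femtocell location."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Mobile Country Code -> ISO 3166 country (subset of the real assignments)
MCC_TO_COUNTRY = {"262": "DE", "234": "GB", "208": "FR", "310": "US"}


@dataclass
class LocationEvidence:
    geoip_country: Optional[str]  # derived from the femtocell's public IP
    gnss_country: Optional[str]   # derived from the GPS fix; None when there is no fix indoors
    macro_mcc: Optional[str]      # MCC decoded from a neighbouring macrocell beacon


def verify_location(ev: LocationEvidence, licensed_country: str) -> Tuple[bool, str]:
    """Return (allowed, reason).

    Any single signal can be wrong or misleading on its own, so the policy
    requires at least two independent sources and unanimous agreement with
    the country the operator holds the radio licence for.
    """
    want = licensed_country.upper()
    votes: Dict[str, str] = {}
    if ev.geoip_country:
        votes["geoip"] = ev.geoip_country.upper()
    if ev.gnss_country:
        votes["gnss"] = ev.gnss_country.upper()
    if ev.macro_mcc:
        votes["macrocell"] = MCC_TO_COUNTRY.get(ev.macro_mcc, "UNKNOWN-MCC")
    if len(votes) < 2:
        return False, "insufficient evidence: fewer than two sources available"
    mismatched = sorted(src for src, country in votes.items() if country != want)
    if mismatched:
        return False, "country mismatch from: " + ", ".join(mismatched)
    return True, f"all {len(votes)} sources agree on {want}"


if __name__ == "__main__":
    # Constructed inputs: a German licence, GeoIP in DE, no GPS fix, MCC 262 (DE)
    print(verify_location(LocationEvidence("DE", None, "262"), "DE"))
    print(verify_location(LocationEvidence("DE", "FR", "262"), "DE"))
```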
attacks
☠ owning it: blind dating · recovery to failure · customizing
under the hood
network testing
first approach:
- sniffing: only DHCP and NTP are visible, then everything goes over IPsec
- probing ports (nmap): only port 80 is open; Linux has been detected, but the source code is not public
- web interface available: protected access, no documentation, even the customer service was unaware
- serial port found on PCB: login prompt not enabled
First impression: the device is secure. ☹ But the first impression is not the last impression. ☺
recovery mode and purpose
critical point: the recovery procedure
remember:
- keep femtocells cheap
- no maintenance cost
- no local support
So if something does not work right, do a factory reset. For that, the recovery procedure has been created.
process overview
flaws and exploits ➀
flaws:
- the recovery image is downloaded over HTTP
- credentials are in plain text
- normally the image is encrypted, but a modified URL returns the unencrypted version
- the image is still signed: it can't be altered, but it can be viewed
exploit: the recovery process can be analyzed
flaws and exploits ➂
flaws:
- the integrity of the parameter and image list relies only on HTTPS
- the file is not signed
- HTTPS uses authentication, but not mutual authentication
exploit: you can provide your own lists
flaws and exploits ➄
flaws:
- the real names of the files are in the image list
- the encryption keys are in the image list
exploit: you can get and decrypt the images
reconfigure
the parameter list contains some interesting values:
- the login prompt for the serial port can be enabled
- the root password is the same as in the recovery image, stored as an md5 hash
- the public key used to verify the signatures is in there
- it's possible to clone femtocells (except the SIM)

[General]
pcbid=P04S...
imei=357539...
mac=00:1B:67:...
hwflag=2
serial=P04S...

[BootSigning]
pubkey=EE:17:C5:F2:...
reflash
you can provide your own image list:
- the URLs, encryption keys and signatures are in there
- you can provide your own images
- you can use the previously obtained images, and modify them
- now it's possible to install anything
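The recovery chain described in the slides above fails because of what the downloaded lists carry and how they are protected, not because of one bug. The following is an added example (not from the talk or the vendor): an audit that parses an INI-style list shaped like the [General]/[BootSigning] fragment on the reconfigure slide and flags each weakness the talk walks through. Only [General] and [BootSigning]/pubkey come from the slides; the other section and key names and the sample list are constructed for illustration.

```python
"""Audit of a femtocell recovery parameter/image list for the weaknesses the talk lists."""
import configparser
from typing import List

# Constructed sample in the shape of the slide fragment; values are not real.
SAMPLE_LIST = """\
[General]
pcbid=P04S-CONSTRUCTED
serial=P04S-CONSTRUCTED
serial_login=1
root_pw_hash=$1$constructed$notarealhashxxxxxxxxxxx

[BootSigning]
pubkey=EE:17:C5:F2:CONSTRUCTED

[Image.kernel]
url=http://recovery.example.invalid/kernel.img
aes_key=00112233445566778899aabbccddeeff
"""


def audit_list(text: str, list_is_signed: bool = False) -> List[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if not list_is_signed:
        findings.append("list is unsigned: its integrity rests on the TLS session alone")
    if cfg.has_option("BootSigning", "pubkey"):
        findings.append("signature verification key is delivered inside the list it protects")
    if cfg.get("General", "serial_login", fallback="0") == "1":
        findings.append("serial console login prompt enabled")
    if cfg.get("General", "root_pw_hash", fallback="").startswith("$1$"):
        findings.append("root password stored as MD5-crypt ($1$)")
    for section in cfg.sections():
        if not section.startswith("Image."):
            continue
        if cfg.get(section, "url", fallback="").lower().startswith("http://"):
            findings.append(f"{section}: image fetched over plain HTTP")
        if cfg.has_option(section, "aes_key"):
            findings.append(f"{section}: image decryption key shipped in the list")
    return findings


if __name__ == "__main__":
    for finding in audit_list(SAMPLE_LIST):
        print("-", finding)
```

Signing the list with a key that is provisioned out of band (rather than carried in the list), fetching images over authenticated TLS, and keeping decryption keys off the device would clear every finding the audit raises.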
web interface
found while analyzing the images:
- credentials for the web interface are in a local database
- the previously discovered interface is provided by the operator. It only contains the status and the subscriber list
- a hidden web interface is provided by the vendor. It contains the complete configuration
- the hidden web pages can be accessed without authentication
☢ abusing it: look around · play locally
HNS services
use the femtocell to explore behind the security gateway:
- Performance Measurement server: stores the femtocell activity
- OAM server: used to update the femtocell
- HMS server: used to configure and provision the femtocell
Reconfiguration
you can change the femtocell settings:
- disable macrocell sniffing
- add a phone to the subscriber list
- provide your own security gateway
- change the cell configuration
⚔ and far beyond: past · future · present
significance of the attacks
privacy threats: recording phone calls, SMS, ...
significance of the attacks
- eavesdropping
- accessing infrastructural elements
threat list
Attacks, effects, and impact are documented in the 3GPP femtocell standard (TR 33.820)

group: Compromise of HNB credentials
- Compromise of HNB authentication token by local physical intrusion
group: Physical attacks on a HNB
- Booting HNB with fraudulent software ("re-flashing")
group: Configuration attacks on a HNB
- Fraudulent software update / configuration changes
- Mis-configuration of HNB (impact: Irritating to harmful)
- Mis-configuration of access control list (ACL) or compromise of the access control list
group: Protocol attacks on a HNB
- Man-in-the-middle attacks on HNB first network access
- Compromise of an HNB by exploiting weaknesses of active network services
group: Attacks on the core network, including HNB location-based attacks
- Changing of the HNB location without reporting
- Misconfiguration of the firewall in the modem/router
- HNB announcing incorrect location to the network
group: User data and identity privacy attacks
- User's network ID revealed to Home (e)NodeB owner
- Breaking users' privacy
also rated: Manipulation of external time source (impact: Harmful), Threat of HNB network access (impact: Harmful)
the impact column rates the threats on a scale from Annoying and Irritating to harmful, through Harmful, Very Harmful and Extremely harmful, up to disastrous

It also includes recommendations and countermeasures
conclusion and opening
- femtocells are an effective technology in terms of offloading traffic and of new business cases
- but... the operators need to do their homework: follow the specifications, secure the device and the network access
- some serious threats (ongoing work):
  - re-use the telecom infrastructure elements
  - build a MitM, to be used during communications
Thanks
Thanks to:
- Nico Golde, TU Berlin
- Collin Mulliner, TU Berlin
- Prof. Jean-Pierre Seifert, TU Berlin
- Benjamin Michéle, TU Berlin
questions
Thank you
Questions?