Telecom/Mobile Network Attacks
Main types of known attacks:
Rogue Base station Attacks
- GSM standards mandate authentication of mobile devices by the network, but not vice versa.
- Attackers run their own BSS with powerful radio antennas and, using proximity, fool a mobile device into attaching to it instead of a legitimate BSS.
- Base station hardware and open-source software (e.g. OpenBTS, OpenBSC) are publicly available.
- This allows an attacker to intercept outbound voice, identify a subscriber's geo-location and capture the subscriber's IMSI.
Track Location Attacks
- An attacker's objective is to identify a subscriber's geo-location.
- For attacks over wider areas, MSC information can be leaked from the HLR. For local-area attacks, a rogue BSS can be used.
- An obfuscated MSC code is stored inside the HLR, each of which maps to a physical area.
- A rogue BSS can be used to launch active or passive attacks to learn a subscriber's geo-location:
  - Active attack: a rogue BSS can send an RRLP (Radio Resource Location services Protocol) request, and the phone will return its geo-location. The BSS can also force a handset into a higher power level and calculate its location from its electromagnetic signature.
  - Passive attack: by intercepting the TA (Timing Advance) and power-level data sent from the mobile phone. In GSM, TA is the length of time a signal takes to travel from a mobile device to the BSS. Each mobile device transmits periodically, for less than 1/8th of the eight TDMA time slots. Since each device is at a different distance and the signal travels at a finite speed, the precise arrival time within a time slot allows the BSS to determine the distance of the device.
Attacks on Subscriber Information
- An attacker's objective is to learn the billing entity name for a given MSISDN.
- A caller ID query against CNAM can reveal organization, individual and business details.
- Caller ID databases are generally accessible through VoIP.
Encryption Attacks
- Mobile networks communicate with mobile devices using a TMSI. A TMSI is mapped to an MSISDN.
- An attacker's objective is to identify the TMSI for a target MSISDN, then read the traffic and decrypt it.
- A TMSI can be discovered by a number of techniques. Two commonly known ones are Silent Paging and Silent SMS:
  - Silent Paging: to page a device silently, an adversary calls the target MSISDN and hangs up before the BSS initiates the process to alert the called device. The adversary then scans the PCH (Paging Channel) for incoming-call broadcasts and retrieves the TMSI or IMSI from them.
  - Silent SMS: the adversary sends a specially crafted silent SMS which the device acknowledges without displaying it. This is done by setting the "data_coding" attribute of GSM 03.38 to 0xC0. When the mobile device receives an SMS with data_coding set to this value, it sends a delivery notification but discards the message, so it is never displayed. The adversary then scans the PCH and captures the TMSI or IMSI.
- Knowing the TMSI allows an adversary to monitor a specific target MSISDN. Using cryptanalysis, the adversary then cracks the session key and records the call content.
- The adversary typically requires a set of RF equipment and a cracking infrastructure:
  - RF equipment: a Universal Software Radio Peripheral, a wide-band receiver and a low-cost mobile phone with custom firmware (e.g. OsmocomBB).
  - Cracking infrastructure: FPGAs (Field Programmable Gate Arrays), low-cost PCs and rainbow tables.
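Decoding the TP-DCS octet that the Silent SMS technique relies on, as an added example written from the monitoring side (not code from the original post): it classifies any GSM 03.38 data-coding value and flags those a handset will acknowledge but discard, so an SMS gateway or traffic monitor can count them. The sample DCS values are constructed.

```python
# Added example (not from the original post): decode the GSM 03.38 TP-DCS
# octet of an SMS so a gateway or monitor can flag messages a handset
# acknowledges but never displays, e.g. the 0xC0 "MWI: Discard" coding.
# Bit layout follows GSM 03.38 / 3GPP TS 23.038 section 4.
from dataclasses import dataclass
from typing import List, Optional

ALPHABETS = {0: "GSM 7-bit", 1: "8-bit data", 2: "UCS2", 3: "reserved"}
MWI_TYPES = {0: "voicemail", 1: "fax", 2: "email", 3: "other"}


@dataclass(frozen=True)
class Dcs:
    group: str                  # GSM 03.38 coding group the octet falls in
    alphabet: str               # character set of the user data
    msg_class: Optional[int]    # message class 0..3, None if not signalled
    displayed: bool             # will the handset show or store the text?
    mwi_type: Optional[str]     # indication type for the MWI groups
    mwi_active: Optional[bool]  # indication set (True) or cleared (False)


def decode_dcs(dcs: int) -> Dcs:
    """Classify one TP-DCS octet by coding group and user-visible effect."""
    if not 0 <= dcs <= 0xFF:
        raise ValueError("TP-DCS is a single octet")
    high, low = dcs >> 4, dcs & 0x0F
    if high <= 0x3:                       # general data coding indication
        has_class = bool(high & 0x1)      # bit 4: bits 1-0 carry a class
        return Dcs("general", ALPHABETS[(low >> 2) & 0x3],
                   low & 0x3 if has_class else None, True, None, None)
    if high <= 0xB:                       # reserved: treated as default alphabet
        return Dcs("reserved", "GSM 7-bit", None, True, None, None)
    mwi = MWI_TYPES[low & 0x3]            # bits 1-0: indication type
    active = bool(low & 0x8)              # bit 3: indication active/inactive
    if high == 0xC:                       # MWI group: Discard Message
        return Dcs("MWI discard", "GSM 7-bit", None, False, mwi, active)
    if high in (0xD, 0xE):                # MWI group: Store Message
        return Dcs("MWI store", "GSM 7-bit" if high == 0xD else "UCS2",
                   None, True, mwi, active)
    return Dcs("class", "8-bit data" if low & 0x4 else "GSM 7-bit",  # 0xF group
               low & 0x3, True, None, None)


def silent_octets(octets: List[int]) -> List[str]:
    """Return the hex TP-DCS values in a capture that the handset will discard."""
    return [f"0x{o:02X}" for o in octets if not decode_dcs(o).displayed]


# Constructed sample of TP-DCS values as they might appear in SMS-DELIVER PDUs.
SAMPLE_DCS = [0x00, 0x08, 0xF6, 0xC0, 0x11, 0xC8, 0xD0]  # silent_octets -> ['0xC0', '0xC8']
```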
Attacks on Mobile Devices
- Compromising a targeted mobile device gives an adversary easy access to user information.
- Typically, the following types of attacks are known to have been used successfully: baseband attack, messaging attack, application attack and mixed attack.
- A baseband attack targets the underlying RTOS of a device. Most of these are written in C and assembly language, for which an adversary has access to publicly available vulnerability information and exploits. Many RTOSes lack security features such as stack protection and address space layout randomization.
- A messaging attack targets protocol and/or architectural vulnerabilities and implementation vulnerabilities:
  - WAP and OTA push enable the delivery of unsolicited data to mobiles. This can be, and has been, the source of some attacks, e.g. a DoS attack using a malformed WAP payload (ref: MSL-2008-001).
  - MMS spoofing can be achieved, for example, by using vulnerabilities in a web application's session management. The adversary attempts to illegitimately charge a victim for MMS sent.
  - A number of vulnerabilities occur due to faulty implementation of a protocol or technology standard. Some known examples are the iPhone SMS attack (by Collin Mulliner and Charlie Miller) and the SMS Curse of Silence (by Tobias Engel).
- With increasingly powerful smartphones, mobile applications are becoming attack vectors (Pwn2Own attack on the iPhone Safari browser by Ralf-Philipp Weinmann and Vincenzo Iozzo).
- There are other known attacks, e.g. the iPhone PHP Perl Compatible Regular Expression vulnerability (for iPhone 1.x) discovered by Charlie Miller.
Denial-of-Service Attacks
- DoS can be launched against the network or against a targeted mobile device.
- The BSS has a limited number of control channels (RACH, Random Access Channel). By flooding these channels, services in an area can be rendered unusable.
- The IMSI Detach message is used to tear down a mobile device's connection to the network. An adversary spoofs a detach message using the IMSI of a target device, which disconnects the device from the network and makes it useless for telephony.