23/05/2014

Mobile Insecurities
Steve Glass
[email protected] @sm_dg_

Disclaimer
“First, do no harm!”

Outline
1. Mobile Device Basics
2. Active Threats
3. Running Your Own Base Station
4. Passive Eavesdropping

Smartphone Design

Application processor:
• User experience
• Sensitive user data
• Data communications
• Handles Bluetooth, WiFi, GPS and NFC
• Varying levels of protection

Baseband processor:
• Proprietary chipset
• Proprietary RTOS
• Handles the “phone” stack – 2G, 3G and 4G
• SIM card access

Baseband Basics

Device         Baseband processor                 RTOS
iPhone 2G      Infineon S-Gold 2 (ARM 926)        Nucleus PLUS
iPhone 3G/3GS  Infineon X-Gold 608 (ARM 926)      Nucleus PLUS
iPhone 4       Infineon X-Gold 618 (ARM 1176)     ThreadX (Express Logic)
iPhone 4s      Qualcomm MDM6610 (ARM 1136)        REX on SeL4 (Qualcomm)
iPhone 5       Qualcomm MDM9615M (Hexagon DSP)    BLAST/QuRT

Network Infrastructure

“Phoning Home”
Source: Gamma Group

Security Threats
• Spoofed messages
  – Paging Races
  – RACHell attack
• Rogue Femtocells
• Fake base stations
  – Active Eavesdropping
  – Baseband Attacks
  – SIM Attacks
  – Blind/Silent Call
  – Location Tracking
• Passive Eavesdropping
Source: Karsten Nohl; Source: bbc.co.uk

Paging / Paging Races
1: Paging Request (PCH)
2: Initial Channel Request (RACH)
3: Immediate Assignment (AGCH)
4: Paging Response (SDCCH)
5-: Authentication, Ciphering, Service Delivery
Source: Nico Golde

Rogue Femtocell
• Femtocell handles all radio behaviours
  – Encoding/Decoding
  – Encryption/Decryption
• Not going to get into trouble just for running one
• Man-at-the-base-station attack
  – DePerry and Ritter, “I Can Hear You Now!”, BH 2013

Fake Base Station
Source: Gamma Group

OpenBTS
Source: OpenBTS Project

Active Eavesdropping
Source: NSA

Conducted Testbed / Cheapskate Testbed
(Diagram: TX and RX ports of the SDR coupled to the antenna (ANT) port through 20dB attenuators on each leg. Source: Jonathan Guerin)

Baseband Attacks
• Ralf-Philipp Weinmann fuzzed Qualcomm
  – Unchecked memcpys
  – Lifecycle issues
  – Uninitialized variables
  – Protocol stuff-ups
• Exploits? – Yes :)
• Defences? – No

SIM Attacks
Source: Karsten Nohl

Passive Eavesdropping
Acquisition → Demodulation → Decoding → Decryption

Aussie GSM900 Frequencies
Operators: Telstra, Optus, Vodafone (one 8.4 MHz block each)
Downlink (BTS → MS): 935.0 – 943.4 MHz, 943.4 – 951.8 MHz, 951.8 – 960.0 MHz
Uplink (MS → BTS):   890.0 – 898.4 MHz, 898.4 – 906.8 MHz, 906.8 – 915.0 MHz

Finding Transmissions
• ACMA Database

Signal Acquisition Hardware (Downlink)
• Lots of options:
  – DVB-T
  – RTL-SDR/Funcube
  – HackRF
  – Osmocom-BB
  – BladeRF
  – USRP
  – UmTRX

Kalibrate
Scanning the GSM900 downlink for BCCH carriers with kal on a USRP (the -A flag selects the TX/RX antenna port):

    [19993]>kal -s GSM900 -A TX/RX
    linux; GNU C++ version 4.8.2; Boost_105400; UHD_003.005.004-140gfb32ed16

    -- Opening a USRP2/N-Series device...
    -- Current recv frame size: 1472 bytes
    -- Current send frame size: 1472 bytes

    UHD Warning:
        The hardware does not support the requested RX sample rate:
        Target sample rate: 0.270833 MSps
        Actual sample rate: 0.271739 MSps
    kal: Scanning for GSM-900 base stations.
        chan: 19 (938.8MHz + 1.344kHz) power: 1984.07
        chan: 25 (940.0MHz + 1.358kHz) power: 8199.57
        chan: 30 (941.0MHz + 1.368kHz) power: 2329.09
        chan: 45 (944.0MHz + 1.365kHz) power: 460.65
        …

Signal Acquisition Hardware (Uplink)

AirProbe
Demodulate → Decode → Decrypt

Airprobe / Osmocom-BB
Source: Karsten Nohl

Voice Ciphers
A5/0   Null encryption
A5/1   64 bit key; flawed; real-time cracking
A5/2   Deliberately weakened; limited use
A5/3   Kasumi; not that strong
Source: Mike Myers, “Austin Powers”

Release the Kraken!
• First practical attack against A5/1
  – Released at 26C3
• Rainbow table based cracker
  – Relies on presence of known plaintext
  – Recovers keystream
  – Codebook attack to discover cipher state
• To speed the search a TMTO is used
• Rainbow tables with distinguished points
• 1.7TB of tables crack a key in < 1 min
  – Tables available on BitTorrent (1.7TB of them!)

Questions?