DOCSLIB.ORG

Putting LTE Security Functions to the Test: a Framework to Evaluate Implementation Correctness

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Putting LTE Security Functions to the Test: a Framework to Evaluate Implementation Correctness Putting LTE Security Functions to the Test: A Framework to Evaluate Implementation Correctness David Rupprecht Kai Jansen Horst Gortz¨ Institute for IT-Security Horst Gortz¨ Institute for IT-Security Ruhr-University Bochum, Germany Ruhr-University Bochum, Germany [email protected] [email protected] Christina Popper¨ New York University Abu Dhabi [email protected] Abstract promise of users as well as service providers. Security- related changes need to be carefully evaluated in order to Long Term Evolution (LTE) is the most recent generation maintain strong protection, especially since LTE is con- of mobile communications promising increased transfer sidered as the communication technology for, e. g., criti- rates and enhanced security features. It is todays commu- cal infrastructures, emergency services, and law enforce- nication technology for mobile Internet as well as con- ment [12]. The increasing dependency on LTE makes it sidered for the use in critical infrastructure, making it an an attractive subject to a wide range of attacks and any attractive target to a wide range of attacks. We evalu- vulnerability could have serious impact on the underly- ate the implementation correctness of LTE security func- ing services. tions that should protect personal data from compromise. By addressing several security issues of the previ- In this paper, we focus on two security aspects: user ous mobile communication specifications, in particular data encryption and network authentication. We de- Global System for Mobile Communications (GSM) and velop a framework to analyze various LTE devices with Universal Mobile Telecommunications System (UMTS), respect to the implementations of their security-related LTE raises the bar in terms of security and applies, e. g., functions. Using our framework, we identify several se- mutual authentication, longer encryption keys, extended curity flaws partially violating the LTE specification. In key hierarchies, and a public review of the used en- particular, we show that i) an LTE network can enforce cryption algorithms. However, individual deployments to use no encryption and ii) none of the tested devices in- across different manufactures can lead to gaps between forms the user when user data is sent unencrypted. Fur- specification and implementation. These implementation thermore, we present iii) a Man-in-the-Middle (MitM) flaws can be exploited by an adversary circumventing se- attack against an LTE device that does not fulfill the net- curity features defined in the specification. All these at- work authentication requirements. The discovered secu- tack vectors need to be examined carefully to evaluate rity flaws undermine the data protection objective of LTE the actual security of LTE devices. and represent a threat to the users of mobile communica- Prior work has addressed several aspects in this land- tion. We outline several countermeasures to cope with scape. For instance, in 2016 Shaik et al. [28] presented these vulnerabilities and make proposals for a long-term attacks against the location privacy of mobile subscribers solution. and the availability of the network based on vulnerabili- ties in the LTE specification. Further security flaws ma- 1 Introduction nipulating the firmware of the baseband chip were iden- tified by Komaromy and Golde [9, 31]. Similar work Mobile communication has become an integral part of has been done by Broek et al. [30] introducing a test- our daily life. Most applications running on today’s ing framework solely focusing on implementations of the smartphones or tablets are based on the ability to wire- SMS layer of GSM. The latter attacks directly focus on lessly communicate with the surrounding network infras- the implementation rather than the specification—an ap- tructure. Long Term Evolution (LTE) is the latest mobile proach that we leverage on in this work by developing a communication standard and predicted to comprise about framework that analyzes implementation correctness. To 2:3 billion subscribers by 2019 [29]. date, there is no testing framework openly available for The security of today’s mobile communication is es- investigating the security of LTE devices. sential for the protection of personal data to prevent com- We develop such a testing framework and focus on a 1 testing approach with two main security aspects: (i) user E-UTRAN EPC data encryption and (ii) network authentication. We use Internet the gained insights to develop a test framework for LTE HSS devices that enables us to semi-automatically test LTE devices on implementation flaws in their security func- tions. As we will show, all tested devices violate the UE eNodeB specification with respect to security-relevant ciphering S1 indication. Furthermore, implementations of common MME AS LTE devices differ to the extent that network authenti- NAS cation can be broken by a new MitM attack. In summary, our work provides the following contri- Figure 1: The LTE architecture at least comprises an butions: eNodeB, an MME, and an HSS. An LTE-capable UE can communicate with the network. • We identify which parts of the LTE specification are susceptible to implementation flaws. We narrow down our investigations to security-critical func- 2.1 LTE Architecture tions, in particular user data encryption and network authentication. The LTE infrastructure is a combination of several com- • We develop a lost-cost framework for testing mod- ponents and their interconnections. We briefly introduce ern off-the-shelf LTE devices to identify implemen- the functionality of the network entities and highlight se- tation flaws for about 1200 e. The framework curity properties. Notably, we confine this list to compo- is based on commercially available Software De- nents that are of interest in our security analysis. fined Radios (SDRs) [10] and the OpenAirInterface User Equipment (UE). The UE provides applica- project [11]. To the best of our knowledge, this is tions and services to the user and is responsible for the the first testing environment for the LTE protocol data transmission to and from the network. The UE stack available for academic purposes. holds a Universal Subscriber Identity Module (USIM), • We tested a total of 10 devices from six different which stores the International Mobile Subscriber Iden- manufacturers. Our test results reveal an exploitable tity (IMSI) uniquely identifying each user. Moreover, a attack vector. As a proof of concept, we launch pre-shared key K is stored on the USIM to derive further a MitM attack against one particular LTE device. keys used during the authentication procedure. With this attack it is possible to intercept the data Evolved NodeB (eNodeB). The deployed base stations traffic and violate the user privacy. that realize radio-level access points to LTE networks are • We outline countermeasures to reinforce the secu- called eNodeB. Furthermore, each eNodeB is involved rity and the protection of user privacy. Moreover, in the process of radio management data encryption and we suggest to make changes in the selection of secu- integrity protection as well as user data encryption. rity algorithms for upcoming generations of mobile Mobility Management Entity (MME). The MME han- communication. dles the establishment of new connections and the au- We plan to make our framework publicly available thentication process. It is assigned to manage mobility once the review process is finished to enable comprehen- data of connected UEs, where it applies encryption and sive tests on the security of available LTE equipment. We integrity protection. have also informed the manufacturer of the vulnerable Home Subscriber Server (HSS). The HSS stores the LTE device who created CVE-2016-3676 [18] and fixed authentication information of the mobile subscribers. the issue. Thus, it plays a central role during the initial authen- tication procedure of an unconnected UE providing the MME with security-related user information. An overview including the interconnections of the 2 LTE Background individual components is depicted in Figure 1. The LTE architecture can be divided into two logical do- In this section, we introduce the LTE system architecture mains. The Evolved UMTS Terrestrial Radio Access which is often technically referred to as Evolved Packet Network (E-UTRAN) encompasses connected UEs and System (EPS). In the remainder of this paper, we mainly the eNodeB base stations, whereas the Evolved Packet use the more common term LTE. Contrary to GSM and Core (EPC) contains, e. g., the MME and the HSS, UMTS, LTE is based on packet switching rather than cir- among other components. The two domains are con- cuit switching. nected via the S1 interface. Furthermore, there are two 2 A special entity of both algorithm sets is EIA0 and Table 1: Security algorithm options, according to [3, EEA0. These algorithms are void operations leaving the 9.9.3.23 NAS security algorithms]. data unencrypted and/or provide no integrity protection. Encoding Integrity Ciphering Algorithm According to the LTE specification, EIA0 is only allowed when emergency bearers are established. The choice of X000X000 EIA0 EEA0 NULL an actual instantiation for the encryption and the integrity X001X001 128-EIA1 128-EEA1 SNOW 3G protection algorithm is up to the network provider and X010X010 128-EIA2 128-EEA2 AES can be based on territorial affiliation. EIA3/EEA3 (ZUC) X011X011 128-EIA3 128-EEA3 ZUC has been designed in China and is the only allowed algo- rithm for LTE in China [25]. important logical connections between the network com- 2.2.2 Security Procedures ponents, which are specified as follows. In order to fulfill important security objectives including Access Stratum (AS). The AS represents the direct con- confidentiality and integrity protection, security proce- nection between UEs and eNodeBs and comprises all dures are implemented. Several entities of the LTE ar- messages, i. e., user data that are exchanged on the ra- chitecture are involved in the process, e. g., UE, eNodeB, dio layer to physically access an LTE network. MME, and HSS. In the following, we describe the Non-Access Stratum (NAS).
Load more

Recommended publications
  • Running a Basic Osmocom GSM Network
    Running a basic Osmocom GSM network Harald Welte <[email protected]> What this talk is about Implementing GSM/GPRS network elements as FOSS Applied Protocol Archaeology Doing all of that on top of Linux (in userspace) Running your own Internet-style network use off-the-shelf hardware (x86, Ethernet card) use any random Linux distribution configure Linux kernel TCP/IP network stack enjoy fancy features like netfilter/iproute2/tc use apache/lighttpd/nginx on the server use Firefox/chromium/konqueor/lynx on the client do whatever modification/optimization on any part of the stack Running your own GSM network Until 2009 the situation looked like this: go to Ericsson/Huawei/ZTE/Nokia/Alcatel/… spend lots of time convincing them that you’re an eligible customer spend a six-digit figure for even the most basic full network end up with black boxes you can neither study nor improve WTF? I’ve grown up with FOSS and the Internet. I know a better world. Why no cellular FOSS? both cellular (2G/3G/4G) and TCP/IP/HTTP protocol specs are publicly available for decades. Can you believe it? Internet protocol stacks have lots of FOSS implementations cellular protocol stacks have no FOSS implementations for the first almost 20 years of their existence? it’s the classic conflict classic circuit-switched telco vs. the BBS community ITU-T/OSI/ISO vs. Arpanet and TCP/IP Enter Osmocom In 2008, some people (most present in this room) started to write FOSS for GSM to boldly go where no FOSS hacker has gone before where protocol stacks are deep and acronyms are
    [Show full text]
  • Openairinterface: Democratizing Innovation in the 5G Era
    Computer Networks 176 (2020) 107284 Contents lists available at ScienceDirect Computer Networks journal homepage: www.elsevier.com/locate/comnet OpenAirInterface: Democratizing innovation in the 5G Era Florian Kaltenberger a,∗, Aloizio P. Silva b,c, Abhimanyu Gosain b, Luhan Wang d, Tien-Thinh Nguyen a a Eurecom, France b Northeastern University, Massachusetts, United States c US Ignite Inc. PAWR Project Office, Washington DC, United States d Beijing University of Posts and Telecommunications, Beijing, China a r t i c l e i n f o a b s t r a c t 2019 MSC: OpenAirInterface TM (OAI) is an open-source project that implements the 3rd Generation Partnership Project 00-01 (3GPP) technology on general purpose x86 computing hardware and Off-The-Shelf (COTS) Software Defined 99-00, Radio (SDR) cards like the Universal Software Radio Peripheral (USRP). It makes it possible to deploy and operate Keywords: a 4G Long-Term Evolution (LTE) network today and 5G New Radio (NR) networks in the future at a very low Open Air Interface cost. Moreover, the open-source code can be adapted to different use cases and deployment and new functionality 5G can be implemented, making it an ideal platform for both industrial and academic research. The OAI Software New radio technology Alliance (OSA) is a non-profit consortium fostering a community of industrial as well as research contributors. Network softwarization It also developed the OAI public license which is an open source license that allows contributors to implement LTE their own patented technology without having to relinquish their intellectual property rights.
    [Show full text]
  • Etsi Tr 121 905 V11.2.0 (2012-10)
    ETSI TR 121 905 V11.2.0 (2012-10) Technical Report Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; Vocabulary for 3GPP Specifications (3GPP TR 21.905 version 11.2.0 Release 11) 3GPP TR 21.905 version 11.2.0 Release 11 1 ETSI TR 121 905 V11.2.0 (2012-10) Reference RTR/TSGS-0021905vb20 Keywords GSM,LTE,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission.
    [Show full text]
  • Osmobsc VTY Reference I
    OsmoBSC VTY Reference i OsmoBSC VTY Reference OsmoBSC VTY Reference ii Copyright © 2012-2019 This work is copyright by sysmocom - s.f.m.c. GmbH. All rights reserved. OsmoBSC VTY Reference iii COLLABORATORS TITLE : OsmoBSC VTY Reference ACTION NAME DATE SIGNATURE WRITTEN BY September 28, 2021 REVISION HISTORY NUMBER DATE DESCRIPTION NAME v1 13th August 2012 Initial hf v2 5th March 2014 Update to match osmo-bsc version 0.13.0-305 hf v3 6th June 2019 Update to match osmo-bsc version 1.4.0.84-3f1f dw OsmoBSC VTY Reference iv Contents 1 VTY reference 1 1.1 Common Commands . .1 1.1.1 end . .2 1.1.2 exit . .2 1.1.3 help . .2 1.1.4 list [with-flags] . .2 1.1.5 show running-config . .3 1.1.6 show vty-attributes . .3 1.1.7 show vty-attributes (application|library|global) . .3 1.1.8 write . .4 1.1.9 write file [PATH] . .4 1.1.10 write memory . .4 1.1.11 write terminal . .4 1.2 view..........................................................5 1.2.1 enable [expert-mode] . .5 1.2.2 logging color (0|1) . .5 1.2.3 logging disable . .5 1.2.4 logging enable . .6 1.2.5 logging filter all (0|1) . .6 1.2.6 logging filter imsi IMSI . .6 1.2.7 logging level (rll|mm|rr|rsl|nm|pag|meas|msc|ho|hodec|ref|ctrl|filter|pcu|lcls|c... .7 1.2.8 logging level force-all (debug|info|notice|error|fatal) . 10 1.2.9 logging level set-all (debug|info|notice|error|fatal) .
    [Show full text]
  • UMTS); Radio Interface Protocol Architecture (3GPP TS 25.301 Version 3.8.0 Release 1999)
    ETSI TS 125 301 V3.8.0 (2001-06) Technical Specification Universal Mobile Telecommunications System (UMTS); Radio Interface Protocol Architecture (3GPP TS 25.301 version 3.8.0 Release 1999) 3GPP TS 25.301 version 3.8.0 Release 1999 1 ETSI TS 125 301 V3.8.0 (2001-06) Reference RTS/TSGR-0225301UR5 Keywords UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.:+33492944200 Fax:+33493654716 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://www.etsi.org/tb/status/ If you find errors in the present document, send your comment to: [email protected] Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. © European Telecommunications Standards Institute 2001.
    [Show full text]
  • Communications Technology Assessment for the Unmanned Aircraft System (UAS) Control and Non-Payload Communications (CNPC) Link
    NASA/CR—2014-216675 Communications Technology Assessment for the Unmanned Aircraft System (UAS) Control and Non-Payload Communications (CNPC) Link Steven C. Bretmersky MTI Systems, Inc., Cleveland, Ohio William D. Bishop Verizon Federal Network Systems, LLC., Arlington, Virginia Justin E. Dailey MTI Systems, Inc., Cleveland, Ohio Christine T. Chevalier Vantage Partners, LLC, Brook Park, Ohio June 2014 NASA STI Program . in Profi le Since its founding, NASA has been dedicated to the • CONFERENCE PUBLICATION. Collected advancement of aeronautics and space science. The papers from scientifi c and technical NASA Scientifi c and Technical Information (STI) conferences, symposia, seminars, or other program plays a key part in helping NASA maintain meetings sponsored or cosponsored by NASA. this important role. • SPECIAL PUBLICATION. Scientifi c, The NASA STI Program operates under the auspices technical, or historical information from of the Agency Chief Information Offi cer. It collects, NASA programs, projects, and missions, often organizes, provides for archiving, and disseminates concerned with subjects having substantial NASA’s STI. The NASA STI program provides access public interest. to the NASA Aeronautics and Space Database and its public interface, the NASA Technical Reports • TECHNICAL TRANSLATION. English- Server, thus providing one of the largest collections language translations of foreign scientifi c and of aeronautical and space science STI in the world. technical material pertinent to NASA’s mission. Results are published in both non-NASA channels and by NASA in the NASA STI Report Series, which Specialized services also include creating custom includes the following report types: thesauri, building customized databases, organizing and publishing research results. • TECHNICAL PUBLICATION.
    [Show full text]
  • TR 101 865 V1.1.1 (2001-07) Technical Report
    ETSI TR 101 865 V1.1.1 (2001-07) Technical Report Satellite Earth Stations and Systems (SES); Satellite component of UMTS/IMT-2000; General aspects and principles 2 ETSI TR 101 865 V1.1.1 (2001-07) Reference DTR/SES-00054 Keywords satellite, UMTS, IMT-2000, 3GPP ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.:+33492944200 Fax:+33493654716 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://www.etsi.org/tb/status/ If you find errors in the present document, send your comment to: [email protected] Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. © European Telecommunications Standards Institute 2001. All rights reserved. ETSI 3 ETSI TR 101
    [Show full text]
  • E3 - Gsgsn 121 3
    US008279831 B2 (12) United States Patent (10) Patent No.: US 8.279,831 B2 Sengupta et al. (45) Date of Patent: Oct. 2, 2012 (54) SYSTEM, METHOD, AND 2005/0159.153 A1 7/2005 Mousseau et al. COMPUTER-READABLE MEDIUM FOR 2005/02491.61 A1 11/2005 Carlton 2006, OO25151 A1 2/2006 Karaoguz et al. SELECTING ANETWORK FOR 2007/0014281 A1 1/2007 Kant ............................. 370,352 CONNECTIVITY AND HANDOVER BASED 2007/0032239 A1 2/2007 Shaheen et al. ON APPLICATION REQUIREMENTS 2007/0115899 A1 5/2007 Ovadia et al. 2007/0173283 A1* 7, 2007 Livet et al. ................. 455,552.1 (75) Inventors: Chaitali Sengupta, Richardson, TX (US); Yuan Kang Lee, San Diego, CA FOREIGN PATENT DOCUMENTS (US) WO WO O2, 19736 A2 3, 2002 WO WO 2004/100452 A1 11, 2004 (73) Assignee: SNRLab Corporation, Richardson, TX W. W. 3988, A: (39. OTHER PUBLICATIONS (*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 PCT International Preliminary Examining Authority—European U.S.C. 154(b) by 1059 days Patent Office, PCT Notification of Transmittal of the International M YW- Preliminary Report on Patentability mailed Feb. 6, 2009, Interna (21) Appl. No.: 11/929,066 tional Application No. PCT/US2007/083129, filed Oct. 31, 2007, 11 pages, NL-2280 HV Rijswijk. 1-1. 3GPP SA WG2, 3rd Generation Partnership Project: Technical (22) Filed: Oct. 30, 2007 Specification Group Services and Architecture; Feasibility Study on O O Multimedia Session Continuity; Stage 2: (Release 8), 3GPP TR (65) Prior Publication Data 23.893 (Oct. 2007), 3GPP Technical Recommendation, Oct.
    [Show full text]
  • Method of Handling Non-Access Stratum Message and Related Communication Device
    (19) TZZ Z_T (11) EP 2 704 456 A1 (12) EUROPEAN PATENT APPLICATION (43) Date of publication: (51) Int Cl.: 05.03.2014 Bulletin 2014/10 H04W 4/00 (2009.01) H04W 76/02 (2009.01) (21) Application number: 13181635.7 (22) Date of filing: 25.08.2013 (84) Designated Contracting States: (71) Applicant: HTC Corporation AL AT BE BG CH CY CZ DE DK EE ES FI FR GB Taoyuan County 330 (TW) GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR (72) Inventor: Liao, Ching-Yu Designated Extension States: 330 Taoyuan City (TW) BA ME (74) Representative: Konkonen, Tomi-Matti Juhani (30) Priority: 29.08.2012 US 201261694276 P Murgitroyd & Company 22.08.2013 US 201313974005 Scotland House 165-169 Scotland Street Glasgow G5 8PL (GB) (54) Method of Handling Non-Access Stratum Message and Related Communication Device (57) Amethod ofhandling non- accessstratum (NAS) level to a network in the wireless communication system, mobility management (MM) messages for a user equip- and storing a priority indicator indicating the first priority ment in a wireless communication system when the user level in a nonvolatile memory if the user equipment re- equipment is configured for dual priority includes sending ceives a NAS MM reject message with a mobility man- a first NAS MM request message containing a first priority agement back-off (MMBK) timer from the network. EP 2 704 456 A1 Printed by Jouve, 75001 PARIS (FR) 1 EP 2 704 456 A1 2 Description the clear of the PPF, the core network cannot page the UE during the period of the implicit detach timer.
    [Show full text]
  • 3G UMTS Femtocell
    3G UMTS Femtocell BRKAGG-2002 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Introduction to Femtocell Market Drivers Femtocell Architecture Key Femto Features Standards Update Femto Integration ummary BRKAGG-2002_c1 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 2 Introduction to Femtocell BRKAGG-2002_c1 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 3 In-Home Picocell Microcell Macrocell Focus of this topic is Femtocell In-house coverage Compare and contrast with Macrocell, Microcell or Picocell Femto provides in fill for Macro, Micro and Pico BRKAGG-2002_c1 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 4 What Is a Femtocell? Tiny 3G Home Access Point Gives 3G signal inside the home Operator Very low RF power. Management & Licensed Services Spectrum Standalone or integrated into Node-B home gateway. Cellular Network Standard 3G Works with all standard Handset Wireless Core handsets. (MSC, SGSN) Connects to the Core Network Femto Home Uses home broadband Security Node-B Gateway Licensed Gateway connection for backhaul Spectrum (contrast: Dedicated backhaul Internet Femto Home Requires Wireless Security Broadband Node-B Residential GW Connection Gateway for protection (<5mW) (4 calls in 200kbps) Standard Connectivity to Core Femto Cellular Network Connectivity from Femto network to Core similar to Macro network BRKAGG-2002_c1 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 5 Market Drivers BRKAGG-2002_c1 © 2009 Cisco Systems, Inc.
    [Show full text]
  • Osmohnbgw User Manual I
    OsmoHNBGW User Manual i sysmocom - s.f.m.c. GmbH OsmoHNBGW User Manual by Harald Welte Copyright © 2019 sysmocom - s.f.m.c.DRAFT GmbH Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with the Invariant Sections being just ’Foreword’, ’Acknowledgements’ and ’Preface’, with no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". The Asciidoc source code of this manual can be found at http://git.osmocom.org/osmo-hnbgw/ and of the common chapters at http://git.osmocom.org/osmo-gsm-manuals/ DRAFT 0.7.0-4-g1f6c, 2021-Feb-23 OsmoHNBGW User Manual ii HISTORY NUMBER DATE DESCRIPTION NAME 1 November 30th, Initial version HW 2019 Copyright © 2019 sysmocom - s.f.m.c. GmbH DRAFT 0.7.0-4-g1f6c, 2021-Feb-23 OsmoHNBGW User Manual iii Contents 1 Foreword 1 1.1 Acknowledgements..................................................1 1.2 Endorsements.....................................................2 2 Preface 2 2.1 FOSS lives by contribution!..............................................2 2.2 Osmocom and sysmocom...............................................2 2.3 Corrections......................................................3 2.4 Legal disclaimers...................................................3 2.4.1 Spectrum License...............................................3 2.4.2 Software License...............................................3
    [Show full text]
  • Exploiting Broadcast Information in Cellular Networks
    Let Me Answer That For You: Exploiting Broadcast Information in Cellular Networks Nico Golde, Kévin Redon, and Jean-Pierre Seifert, Technische Universität Berlin and Deutsche Telekom Innovation Laboratories This paper is included in the Proceedings of the 22nd USENIX Security Symposium. August 14–16, 2013 • Washington, D.C., USA ISBN 978-1-931971-03-4 Open access to the Proceedings of the 22nd USENIX Security Symposium is sponsored by USENIX Let Me Answer That For You: Exploiting Broadcast Information in Cellular Networks Nico Golde, K´evin Redon, Jean-Pierre Seifert Technische Universitat¨ Berlin and Deutsche Telekom Innovation Laboratories {nico, kredon, jpseifert}@sec.t-labs.tu-berlin.de Abstract comBB [20, 25, 45]. These open source projects consti- tute the long sought and yet publicly available counter- Mobile telecommunication has become an important part parts of the previously closed radio stacks. Although all of our daily lives. Yet, industry standards such as GSM of them are still constrained to 2G network handling, re- often exclude scenarios with active attackers. Devices cent research provides open source software to tamper participating in communication are seen as trusted and with certain 3G base stations [24]. Needless to say that non-malicious. By implementing our own baseband those projects initiated a whole new class of so far uncon- firmware based on OsmocomBB, we violate this trust sidered and practical security investigations within the and are able to evaluate the impact of a rogue device with cellular communication research, [28, 30, 34]. regard to the usage of broadcast information. Through our analysis we show two new attacks based on the pag- Despite the recent roll-out of 4G networks, GSM re- ing procedure used in cellular networks.
    [Show full text]