DOCSLIB.ORG

Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems Altaf Shaik∗, Ravishankar Borgaonkary, N. Asokanz, Valtteri Niemix and Jean-Pierre Seifert∗ ∗Technische Universitat¨ Berlin and Telekom Innovation Laboratories Email: (altaf329, jpseifert) @sec.t-labs.tu-berlin.de yAalto University Email: ravishankar.borgaonkar@aalto.fi zAalto University and University of Helsinki Email: [email protected] xUniversity of Helsinki Email: valtteri.niemi@helsinki.fi Abstract—Mobile communication systems are now an essential communication is an important cornerstone in the lives of the part of life throughout the world. Fourth generation “Long vast majority of people and societies on this planet. The latest Term Evolution” (LTE) mobile communication networks are generation in this evolution, the fourth generation “Long Term being deployed. The LTE suite of specifications is considered Evolution” (4G/LTE) systems are being deployed widely. By to be significantly better than its predecessors not only in terms the end of 2015 the worldwide LTE subscriber base is expected of functionality but also with respect to security and privacy to be around 1.37 billion [1]. for subscribers. We carefully analyzed LTE access network protocol specifications and uncovered several vulnerabilities. Early 2G systems were known to have several vulnera- Using commercial LTE mobile devices in real LTE networks, bilities. For example, lack of mutual authentication between we demonstrate inexpensive, and practical attacks exploiting these vulnerabilities. Our first class of attacks consists of three mobile users and the network implied that it was possible for different ways of making an LTE device leak its location: In an attacker to set up fake base stations and convince legitimate our experiments, a semi-passive attacker can locate an LTE mobile devices to connect to it. In order to minimize exposure device within a 2 km2 area in a city whereas an active attacker of user identifiers (known as International Mobile Subscriber can precisely locate an LTE device using GPS co-ordinates Identifier or IMSI) in over-the-air signaling messages, 2G or trilateration via cell-tower signal strength information. Our systems introduced the use of temporary mobile subscriber second class of attacks can persistently deny some or all services identifiers. However, in the absence of mutual authentication, to a target LTE device. To the best of our knowledge, our work fake base stations were used as “IMSI catchers” to harvest constitutes the first publicly reported practical attacks against LTE IMSIs and to track movements of users. access network protocols. We present several countermeasures to resist our specific The evolution of these mobile communication systems attacks. We also discuss possible trade-off considerations that may specified by 3GPP (Third Generation Partnership Project) explain why these vulnerabilities exist. We argue that justification have not only incorporated improvements in functionality but for these trade-offs may no longer valid. We recommend that also strengthened security. 3G specifications introduced mutual safety margins introduced into future specifications to address authentication and the use of stronger and well-analyzed cryp- such trade-offs should incorporate greater agility to accommodate tographic algorithms. LTE specifications further strengthened subsequent changes in the trade-off equilibrium. signaling protocols by requiring authentication and encryption (referred to as “ciphering” in 3GPP terminology) in more arXiv:1510.07563v3 [cs.CR] 7 Aug 2017 I. INTRODUCTION situations than was previously required. Consequently, there is a general belief that LTE specifications provide strong privacy During the past two decades, mobile devices such as and availability guarantees to mobile users. Previously known smartphones have become ubiquitous. The reach of mobile attacks, such as the ability to track user movement were communication systems, starting from the second generation thought to be difficult in LTE. Global System for Mobile Communications (2G/GSM) and the third generation Universal Mobile Telecommunication Systems In this paper, we demonstrate the first practical attacks (3G/UMTS), has extended to every corner in the world. Mobile against LTE access network protocols. Our attacks are based on vulnerabilities we discovered during a careful analysis of LTE access network protocol specifications. They fall into two Permission to freely reproduce all or part of this paper for noncommercial classes: location leaks and denial of service. In the first class, purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited we describe three different attacks that can force an LTE without the prior written consent of the Internet Society, the first-named author device (User Equipment or UE in 3GPP terminology) into (for reproduction of an entire paper only), and the author’s employer if the revealing its location. The first two allow a passive or semi- paper was prepared within the scope of employment. passive attacker to localize the target user within about a 2 NDSS ’16, 21-24 February 2016, San Diego, CA, USA 2 Copyright 2016 Internet Society, ISBN 1-891562-41-X km area in an urban setting which is a much finer granularity http://dx.doi.org/10.14722/ndss.2016.23236 than previously reported location leak attacks [2] against 2G devices, while still using similar techniques. Notably, we show II. OVERVIEW OF LTE ARCHITECTURE how popular social network messaging applications (e.g., Face- book messenger [3] and WhatsApp [4]) can be used in such We briefly describe LTE infrastructure as well as security attacks. Our third attack allows an active attacker exploiting and paging mechanisms to assist readers in understanding the vulnerabilities in the specification and implementation of LTE vulnerabilities and attacks we present in this paper. Radio Resource Control (RRC) protocol [5] to accurately pinpoint the target user via GPS co-ordinates or trilateration A. LTE infrastructure using base station signal strengths as observed by that UE. We We consider a simplified LTE architecture involving com- believe that all LTE devices in the market are vulnerable to ponents required to set up access network protocols between this attack. a base station and mobile devices. We hide other details of In the second class, we describe three further attacks where the architecture which are not relevant from the point of view an active attacker can cause persistent denial of service against of understanding our attacks. Figure 1 depicts this simplified a target UE. In the first, the target UE will be forced into using architecture which contains three main components: User 2G or 3G networks rather than LTE networks, which can then Equipment (UE), Evolved Universal Terrestrial Radio Access make it possible to mount 2G/3G-specific attacks against that Network (E-UTRAN), and Evolved Packet Core (EPC). All UE. In the second, the target UE will be denied access to all three components are collectively referred to as Evolved Packet networks. In the last attack, the attacker can selectively limit a System (EPS) according to 3GPP terminology. In the interest UE only to some types of services (e.g., no voice calls). The of simplicity, throughout this paper we refer to the whole attacks are persistent and silent: devices require explicit user system as LTE. The three components are described below action (such as rebooting the device) to recover. (A list of common acronyms related to LTE appear in the full version of this paper [6]). We have implemented all our attacks (except one) and confirmed their effectiveness using commercial LTE devices from several vendors and real LTE networks of several carriers. The equipment needed for the attacks is inexpensive and readily available. We reported our attacks to the manufacturers and carriers concerned as well as to the standardization body (3GPP). Remedial actions are under way while writing. Specification of a large system like LTE is a complex endeavor involving many trade-offs among conflicting require- ments. Rather than merely report on LTE vulnerabilities and attacks, we also discuss possible considerations that may have led to the vulnerabilities in the first place. Based on this we suggest some general guidelines for future standardization as Fig. 1. LTE system architecture well as specific fixes for our attacks. User Equipment: UE refers to the actual communication • Fine-grained location leaks: New passive and active device which can be, for example, a smartphone . A UE techniques to link users’ real identities to LTE tem- contains a USIM (Universal Subscriber Identity Module)[7], porary identities assigned to them and to track user which represents the IMSI and stores the corresponding au- locations and movements to much higher levels thentication credentials [8]. This IMSI is used to identify an of granularity than was previously thought possible. LTE user (generally referred to as “subscriber” in 3GPP ter- (Section V) minology) uniquely. The USIM participates in LTE subscriber • Denial-of-Service (DoS) Attacks: New active DoS authentication protocol and generates cryptographic keys that attacks that can silently and persistently down- form the basis for the key hierarchy subsequently used to grade LTE devices by preventing their access to protect signaling and user data communication between the LTE networks (limiting them to less
Load more

Recommended publications
  • Running a Basic Osmocom GSM Network
    Running a basic Osmocom GSM network Harald Welte <[email protected]> What this talk is about Implementing GSM/GPRS network elements as FOSS Applied Protocol Archaeology Doing all of that on top of Linux (in userspace) Running your own Internet-style network use off-the-shelf hardware (x86, Ethernet card) use any random Linux distribution configure Linux kernel TCP/IP network stack enjoy fancy features like netfilter/iproute2/tc use apache/lighttpd/nginx on the server use Firefox/chromium/konqueor/lynx on the client do whatever modification/optimization on any part of the stack Running your own GSM network Until 2009 the situation looked like this: go to Ericsson/Huawei/ZTE/Nokia/Alcatel/… spend lots of time convincing them that you’re an eligible customer spend a six-digit figure for even the most basic full network end up with black boxes you can neither study nor improve WTF? I’ve grown up with FOSS and the Internet. I know a better world. Why no cellular FOSS? both cellular (2G/3G/4G) and TCP/IP/HTTP protocol specs are publicly available for decades. Can you believe it? Internet protocol stacks have lots of FOSS implementations cellular protocol stacks have no FOSS implementations for the first almost 20 years of their existence? it’s the classic conflict classic circuit-switched telco vs. the BBS community ITU-T/OSI/ISO vs. Arpanet and TCP/IP Enter Osmocom In 2008, some people (most present in this room) started to write FOSS for GSM to boldly go where no FOSS hacker has gone before where protocol stacks are deep and acronyms are
    [Show full text]
  • Openairinterface: Democratizing Innovation in the 5G Era
    Computer Networks 176 (2020) 107284 Contents lists available at ScienceDirect Computer Networks journal homepage: www.elsevier.com/locate/comnet OpenAirInterface: Democratizing innovation in the 5G Era Florian Kaltenberger a,∗, Aloizio P. Silva b,c, Abhimanyu Gosain b, Luhan Wang d, Tien-Thinh Nguyen a a Eurecom, France b Northeastern University, Massachusetts, United States c US Ignite Inc. PAWR Project Office, Washington DC, United States d Beijing University of Posts and Telecommunications, Beijing, China a r t i c l e i n f o a b s t r a c t 2019 MSC: OpenAirInterface TM (OAI) is an open-source project that implements the 3rd Generation Partnership Project 00-01 (3GPP) technology on general purpose x86 computing hardware and Off-The-Shelf (COTS) Software Defined 99-00, Radio (SDR) cards like the Universal Software Radio Peripheral (USRP). It makes it possible to deploy and operate Keywords: a 4G Long-Term Evolution (LTE) network today and 5G New Radio (NR) networks in the future at a very low Open Air Interface cost. Moreover, the open-source code can be adapted to different use cases and deployment and new functionality 5G can be implemented, making it an ideal platform for both industrial and academic research. The OAI Software New radio technology Alliance (OSA) is a non-profit consortium fostering a community of industrial as well as research contributors. Network softwarization It also developed the OAI public license which is an open source license that allows contributors to implement LTE their own patented technology without having to relinquish their intellectual property rights.
    [Show full text]
  • Etsi Tr 121 905 V11.2.0 (2012-10)
    ETSI TR 121 905 V11.2.0 (2012-10) Technical Report Digital cellular telecommunications system (Phase 2+); Universal Mobile Telecommunications System (UMTS); LTE; Vocabulary for 3GPP Specifications (3GPP TR 21.905 version 11.2.0 Release 11) 3GPP TR 21.905 version 11.2.0 Release 11 1 ETSI TR 121 905 V11.2.0 (2012-10) Reference RTR/TSGS-0021905vb20 Keywords GSM,LTE,UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced except as authorized by written permission.
    [Show full text]
  • Osmobsc VTY Reference I
    OsmoBSC VTY Reference i OsmoBSC VTY Reference OsmoBSC VTY Reference ii Copyright © 2012-2019 This work is copyright by sysmocom - s.f.m.c. GmbH. All rights reserved. OsmoBSC VTY Reference iii COLLABORATORS TITLE : OsmoBSC VTY Reference ACTION NAME DATE SIGNATURE WRITTEN BY September 28, 2021 REVISION HISTORY NUMBER DATE DESCRIPTION NAME v1 13th August 2012 Initial hf v2 5th March 2014 Update to match osmo-bsc version 0.13.0-305 hf v3 6th June 2019 Update to match osmo-bsc version 1.4.0.84-3f1f dw OsmoBSC VTY Reference iv Contents 1 VTY reference 1 1.1 Common Commands . .1 1.1.1 end . .2 1.1.2 exit . .2 1.1.3 help . .2 1.1.4 list [with-flags] . .2 1.1.5 show running-config . .3 1.1.6 show vty-attributes . .3 1.1.7 show vty-attributes (application|library|global) . .3 1.1.8 write . .4 1.1.9 write file [PATH] . .4 1.1.10 write memory . .4 1.1.11 write terminal . .4 1.2 view..........................................................5 1.2.1 enable [expert-mode] . .5 1.2.2 logging color (0|1) . .5 1.2.3 logging disable . .5 1.2.4 logging enable . .6 1.2.5 logging filter all (0|1) . .6 1.2.6 logging filter imsi IMSI . .6 1.2.7 logging level (rll|mm|rr|rsl|nm|pag|meas|msc|ho|hodec|ref|ctrl|filter|pcu|lcls|c... .7 1.2.8 logging level force-all (debug|info|notice|error|fatal) . 10 1.2.9 logging level set-all (debug|info|notice|error|fatal) .
    [Show full text]
  • UMTS); Radio Interface Protocol Architecture (3GPP TS 25.301 Version 3.8.0 Release 1999)
    ETSI TS 125 301 V3.8.0 (2001-06) Technical Specification Universal Mobile Telecommunications System (UMTS); Radio Interface Protocol Architecture (3GPP TS 25.301 version 3.8.0 Release 1999) 3GPP TS 25.301 version 3.8.0 Release 1999 1 ETSI TS 125 301 V3.8.0 (2001-06) Reference RTS/TSGR-0225301UR5 Keywords UMTS ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.:+33492944200 Fax:+33493654716 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://www.etsi.org/tb/status/ If you find errors in the present document, send your comment to: [email protected] Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. © European Telecommunications Standards Institute 2001.
    [Show full text]
  • Communications Technology Assessment for the Unmanned Aircraft System (UAS) Control and Non-Payload Communications (CNPC) Link
    NASA/CR—2014-216675 Communications Technology Assessment for the Unmanned Aircraft System (UAS) Control and Non-Payload Communications (CNPC) Link Steven C. Bretmersky MTI Systems, Inc., Cleveland, Ohio William D. Bishop Verizon Federal Network Systems, LLC., Arlington, Virginia Justin E. Dailey MTI Systems, Inc., Cleveland, Ohio Christine T. Chevalier Vantage Partners, LLC, Brook Park, Ohio June 2014 NASA STI Program . in Profi le Since its founding, NASA has been dedicated to the • CONFERENCE PUBLICATION. Collected advancement of aeronautics and space science. The papers from scientifi c and technical NASA Scientifi c and Technical Information (STI) conferences, symposia, seminars, or other program plays a key part in helping NASA maintain meetings sponsored or cosponsored by NASA. this important role. • SPECIAL PUBLICATION. Scientifi c, The NASA STI Program operates under the auspices technical, or historical information from of the Agency Chief Information Offi cer. It collects, NASA programs, projects, and missions, often organizes, provides for archiving, and disseminates concerned with subjects having substantial NASA’s STI. The NASA STI program provides access public interest. to the NASA Aeronautics and Space Database and its public interface, the NASA Technical Reports • TECHNICAL TRANSLATION. English- Server, thus providing one of the largest collections language translations of foreign scientifi c and of aeronautical and space science STI in the world. technical material pertinent to NASA’s mission. Results are published in both non-NASA channels and by NASA in the NASA STI Report Series, which Specialized services also include creating custom includes the following report types: thesauri, building customized databases, organizing and publishing research results. • TECHNICAL PUBLICATION.
    [Show full text]
  • TR 101 865 V1.1.1 (2001-07) Technical Report
    ETSI TR 101 865 V1.1.1 (2001-07) Technical Report Satellite Earth Stations and Systems (SES); Satellite component of UMTS/IMT-2000; General aspects and principles 2 ETSI TR 101 865 V1.1.1 (2001-07) Reference DTR/SES-00054 Keywords satellite, UMTS, IMT-2000, 3GPP ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.:+33492944200 Fax:+33493654716 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice Individual copies of the present document can be downloaded from: http://www.etsi.org The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://www.etsi.org/tb/status/ If you find errors in the present document, send your comment to: [email protected] Copyright Notification No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media. © European Telecommunications Standards Institute 2001. All rights reserved. ETSI 3 ETSI TR 101
    [Show full text]
  • E3 - Gsgsn 121 3
    US008279831 B2 (12) United States Patent (10) Patent No.: US 8.279,831 B2 Sengupta et al. (45) Date of Patent: Oct. 2, 2012 (54) SYSTEM, METHOD, AND 2005/0159.153 A1 7/2005 Mousseau et al. COMPUTER-READABLE MEDIUM FOR 2005/02491.61 A1 11/2005 Carlton 2006, OO25151 A1 2/2006 Karaoguz et al. SELECTING ANETWORK FOR 2007/0014281 A1 1/2007 Kant ............................. 370,352 CONNECTIVITY AND HANDOVER BASED 2007/0032239 A1 2/2007 Shaheen et al. ON APPLICATION REQUIREMENTS 2007/0115899 A1 5/2007 Ovadia et al. 2007/0173283 A1* 7, 2007 Livet et al. ................. 455,552.1 (75) Inventors: Chaitali Sengupta, Richardson, TX (US); Yuan Kang Lee, San Diego, CA FOREIGN PATENT DOCUMENTS (US) WO WO O2, 19736 A2 3, 2002 WO WO 2004/100452 A1 11, 2004 (73) Assignee: SNRLab Corporation, Richardson, TX W. W. 3988, A: (39. OTHER PUBLICATIONS (*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 PCT International Preliminary Examining Authority—European U.S.C. 154(b) by 1059 days Patent Office, PCT Notification of Transmittal of the International M YW- Preliminary Report on Patentability mailed Feb. 6, 2009, Interna (21) Appl. No.: 11/929,066 tional Application No. PCT/US2007/083129, filed Oct. 31, 2007, 11 pages, NL-2280 HV Rijswijk. 1-1. 3GPP SA WG2, 3rd Generation Partnership Project: Technical (22) Filed: Oct. 30, 2007 Specification Group Services and Architecture; Feasibility Study on O O Multimedia Session Continuity; Stage 2: (Release 8), 3GPP TR (65) Prior Publication Data 23.893 (Oct. 2007), 3GPP Technical Recommendation, Oct.
    [Show full text]
  • Method of Handling Non-Access Stratum Message and Related Communication Device
    (19) TZZ Z_T (11) EP 2 704 456 A1 (12) EUROPEAN PATENT APPLICATION (43) Date of publication: (51) Int Cl.: 05.03.2014 Bulletin 2014/10 H04W 4/00 (2009.01) H04W 76/02 (2009.01) (21) Application number: 13181635.7 (22) Date of filing: 25.08.2013 (84) Designated Contracting States: (71) Applicant: HTC Corporation AL AT BE BG CH CY CZ DE DK EE ES FI FR GB Taoyuan County 330 (TW) GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR (72) Inventor: Liao, Ching-Yu Designated Extension States: 330 Taoyuan City (TW) BA ME (74) Representative: Konkonen, Tomi-Matti Juhani (30) Priority: 29.08.2012 US 201261694276 P Murgitroyd & Company 22.08.2013 US 201313974005 Scotland House 165-169 Scotland Street Glasgow G5 8PL (GB) (54) Method of Handling Non-Access Stratum Message and Related Communication Device (57) Amethod ofhandling non- accessstratum (NAS) level to a network in the wireless communication system, mobility management (MM) messages for a user equip- and storing a priority indicator indicating the first priority ment in a wireless communication system when the user level in a nonvolatile memory if the user equipment re- equipment is configured for dual priority includes sending ceives a NAS MM reject message with a mobility man- a first NAS MM request message containing a first priority agement back-off (MMBK) timer from the network. EP 2 704 456 A1 Printed by Jouve, 75001 PARIS (FR) 1 EP 2 704 456 A1 2 Description the clear of the PPF, the core network cannot page the UE during the period of the implicit detach timer.
    [Show full text]
  • 3G UMTS Femtocell
    3G UMTS Femtocell BRKAGG-2002 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Introduction to Femtocell Market Drivers Femtocell Architecture Key Femto Features Standards Update Femto Integration ummary BRKAGG-2002_c1 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 2 Introduction to Femtocell BRKAGG-2002_c1 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 3 In-Home Picocell Microcell Macrocell Focus of this topic is Femtocell In-house coverage Compare and contrast with Macrocell, Microcell or Picocell Femto provides in fill for Macro, Micro and Pico BRKAGG-2002_c1 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 4 What Is a Femtocell? Tiny 3G Home Access Point Gives 3G signal inside the home Operator Very low RF power. Management & Licensed Services Spectrum Standalone or integrated into Node-B home gateway. Cellular Network Standard 3G Works with all standard Handset Wireless Core handsets. (MSC, SGSN) Connects to the Core Network Femto Home Uses home broadband Security Node-B Gateway Licensed Gateway connection for backhaul Spectrum (contrast: Dedicated backhaul Internet Femto Home Requires Wireless Security Broadband Node-B Residential GW Connection Gateway for protection (<5mW) (4 calls in 200kbps) Standard Connectivity to Core Femto Cellular Network Connectivity from Femto network to Core similar to Macro network BRKAGG-2002_c1 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 5 Market Drivers BRKAGG-2002_c1 © 2009 Cisco Systems, Inc.
    [Show full text]
  • Osmohnbgw User Manual I
    OsmoHNBGW User Manual i sysmocom - s.f.m.c. GmbH OsmoHNBGW User Manual by Harald Welte Copyright © 2019 sysmocom - s.f.m.c.DRAFT GmbH Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with the Invariant Sections being just ’Foreword’, ’Acknowledgements’ and ’Preface’, with no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". The Asciidoc source code of this manual can be found at http://git.osmocom.org/osmo-hnbgw/ and of the common chapters at http://git.osmocom.org/osmo-gsm-manuals/ DRAFT 0.7.0-4-g1f6c, 2021-Feb-23 OsmoHNBGW User Manual ii HISTORY NUMBER DATE DESCRIPTION NAME 1 November 30th, Initial version HW 2019 Copyright © 2019 sysmocom - s.f.m.c. GmbH DRAFT 0.7.0-4-g1f6c, 2021-Feb-23 OsmoHNBGW User Manual iii Contents 1 Foreword 1 1.1 Acknowledgements..................................................1 1.2 Endorsements.....................................................2 2 Preface 2 2.1 FOSS lives by contribution!..............................................2 2.2 Osmocom and sysmocom...............................................2 2.3 Corrections......................................................3 2.4 Legal disclaimers...................................................3 2.4.1 Spectrum License...............................................3 2.4.2 Software License...............................................3
    [Show full text]
  • Exploiting Broadcast Information in Cellular Networks
    Let Me Answer That For You: Exploiting Broadcast Information in Cellular Networks Nico Golde, Kévin Redon, and Jean-Pierre Seifert, Technische Universität Berlin and Deutsche Telekom Innovation Laboratories This paper is included in the Proceedings of the 22nd USENIX Security Symposium. August 14–16, 2013 • Washington, D.C., USA ISBN 978-1-931971-03-4 Open access to the Proceedings of the 22nd USENIX Security Symposium is sponsored by USENIX Let Me Answer That For You: Exploiting Broadcast Information in Cellular Networks Nico Golde, K´evin Redon, Jean-Pierre Seifert Technische Universitat¨ Berlin and Deutsche Telekom Innovation Laboratories {nico, kredon, jpseifert}@sec.t-labs.tu-berlin.de Abstract comBB [20, 25, 45]. These open source projects consti- tute the long sought and yet publicly available counter- Mobile telecommunication has become an important part parts of the previously closed radio stacks. Although all of our daily lives. Yet, industry standards such as GSM of them are still constrained to 2G network handling, re- often exclude scenarios with active attackers. Devices cent research provides open source software to tamper participating in communication are seen as trusted and with certain 3G base stations [24]. Needless to say that non-malicious. By implementing our own baseband those projects initiated a whole new class of so far uncon- firmware based on OsmocomBB, we violate this trust sidered and practical security investigations within the and are able to evaluate the impact of a rogue device with cellular communication research, [28, 30, 34]. regard to the usage of broadcast information. Through our analysis we show two new attacks based on the pag- Despite the recent roll-out of 4G networks, GSM re- ing procedure used in cellular networks.
    [Show full text]