Adventures in Femtoland: 350 Yuan for Invaluable Fun

Black Hat USA 2015

Presented by: Alexey Osipov, Alexander Zaitsev
Date: Wednesday August 05, 2015
Time: 13:50 - 14:40
Location: Mandalay Bay BCD

GSM networks have been compromised for over five years. Starting from passive sniffing of unencrypted traffic, moving to a fully compromised A5/1 encryption and then even to your own base station, we have different tools and opportunities. A Motorola phone that retails for only $5 gives you the opportunity to peep into your girlfriend's calls. An RTL-SDR retails for $20 and allows you to intercept all two-factor authentication in a medium-sized office building. Lastly, a USRP retails for $700 and can intercept almost everything that you can see in 2G.

But who cares about 2G? Those who are concerned switched off 2G. AT&T is preparing to switch off all its 2G networks by the end of 2016. Even GSMA (GSM Alliance) admitted that security through obscurity is a bad idea (referring to COMP128, A5/*, GEA algorithms and other things). 3G and LTE networks have mandatory cryptographic integrity checks for all communications and mutual authentication between mobile devices and base stations. The opportunity to analyze all protocols and cryptographic primitives, thanks to their public availability, is important.

However, the main problem is that we do not have Calypso phones for 3G. We do not have cheap and ready-to-use devices to fuzz 3G devices over the air. Or do we? What about femtocells? Perhaps telecoms are too fast to let their guard down, trusting the security considerations embedded in 3G/4G? Users can connect to femtocells and have high-speed Internet access, make calls, etc. Why don't we abuse it?

Yes, there is already research that allows you to gain control over a femtocell. There is also research that allows sniffing calls and messages after gaining control. But all such solutions are not scalable. You are still bound to the telecom provider. You still have to connect to a VPN, that is, to a core network. You have to bypass location binding and so on. Perhaps there is an easier solution? Perhaps we can create UMTS-in-a-box from a readily available femtocell and have them available in large quantities without telecom branding? We already know.

We will tell the whole story from unboxing to proof-of-concept data intercept and vulnerabilities in UMTS networks with all your favorite acronyms: HNB, SeGW, HMS, RANAP, SCTP, TR-069.

Alexey Osipov

Alexey Osipov is a specialist on the Web Application Security Team. He is an active participant in the development of the international forum on practical security Positive Hack Days, and in 2012 he was the winner of the PHDays $natch competition. In his spare time, Alexey is a security tools developer and a Club-Mate addict.

Alexander Zaitsev

Alexander Zaitsev is a full-time infosec consulting enthusiast and a self-motivated security researcher. He is also a part-time member of SCADA Strange Love (http://scadasl.org) and a team member of PHDays (http://phdays.com).
