Telecommunication

https://github.com/W00t3k/Awesome-Cellular-Hacking

  • 2G is also known as GSM
    • Circuit-switched (direct connection) communication
    • GPRS is an extension of GSM for packet-based data
    • EDGE is an extension of GSM for packet-based data
  • 3G is also known as UMTS
    • Circuit-switched (direct connection) communication
  • 4G is also known as LTE
    • Packet-based communication
    • VoLTE (Voice over LTE) is an extension that carries voice calls over LTE
  • 5G
    • Short range, high bandwidth
    • Cannot use IMSI catchers

Program to trace SIM Card messages and responses
Pentesting Scripts for GSM

GSM (2G)

Osmocom with LimeSDR

SIM: Subscriber Identity Module. The smart card.
IMSI: International Mobile Subscriber Identity. Unique ID for the smart card.
TMSI: Temporary Mobile Subscriber Identity. Temporary ID used in place of the IMSI to identify the smart card.
MSC: Mobile Switching Center. The current cell tower you are connected to.
HLR: Home Location Register. The main database of subscriber information at your provider.
VLR: Visitor Location Register. The current database for the MSC. This might not be on the same carrier.

Both the HLR and the SIM contain the same 128-bit authorization key (Ki).
The SIM stores the authorization key (Ki), the IMSI, the TMSI and the current 64-bit encryption key (Kc).

Control Channel:
Phones spend most of their time in standby mode, waiting for a signal from the base station. While in standby they listen to a control channel until a paging request is sent to the phone.

Paging Requests:
Message sent by the base station to tell the phone that there is a message waiting for it.
The phone then sets up a dedicated channel with the base station.

Encryption

https://www.blackhillsinfosec.com/gsm-traffic-and-encryption-a5-1-stream-cipher/

Schemes:

  • A3: authentication algorithm (see Authorization below)
  • A5: air-interface encryption
    • A5/0: no encryption
    • A5/1: stream cipher built from three irregularly clocked linear feedback shift registers
    • A5/2:
    • A5/3: block cipher KASUMI with a 64-bit key
    • A5/4: block cipher KASUMI with a 128-bit key
  • A8: encryption-key generation algorithm (see Authorization below)

The frame (packet) number is 22 bits. The encryption scheme mixes the frame number into the key setup, so each frame gets its own keystream (frame key).
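To make the A5/1 description concrete, here is an added example (not code from these notes, from Osmocom or from the linked article): a plain A5/1 keystream generator showing the three irregularly clocked LFSRs and the key setup from a 64-bit Kc plus the 22-bit frame number. Register sizes, taps and clocking bits are those of the published cipher; the key, frame number and expected output used in the demo are the widely reproduced Briceno/Goldberg/Wagner reference vector (Kc 12 23 45 67 89 AB CD EF, frame 0x134).

```python
# Added example, not code from the original notes or from Osmocom: a plain
# A5/1 keystream generator illustrating the three irregularly clocked LFSRs
# and the key setup from a 64-bit Kc plus the 22-bit frame number.

# Register lengths, feedback taps and clocking (majority) bit for R1, R2, R3.
# Bit 0 of each register is the newest bit; the highest bit is the output bit.
R1_LEN, R2_LEN, R3_LEN = 19, 22, 23
R1_TAPS, R2_TAPS, R3_TAPS = (13, 16, 17, 18), (20, 21), (7, 20, 21, 22)
R1_CLK, R2_CLK, R3_CLK = 8, 10, 10


class A51:
    """A5/1 keystream generator keyed with Kc and a frame number."""

    def __init__(self, kc: bytes, frame: int) -> None:
        if len(kc) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("Kc must be 8 bytes and the frame number 22 bits")
        self.r1 = [0] * R1_LEN
        self.r2 = [0] * R2_LEN
        self.r3 = [0] * R3_LEN
        # Key setup: 64 key bits (LSB of first byte first), every register clocked each step.
        for i in range(64):
            self._clock_all()
            self._xor_in((kc[i // 8] >> (i % 8)) & 1)
        # Then the 22 frame-number bits, LSB first. This step is what makes the
        # keystream frame-specific: same Kc + same frame number = same keystream.
        for i in range(22):
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        # 100 majority-clocked warm-up steps whose output is discarded.
        for _ in range(100):
            self._clock_majority()

    def _xor_in(self, bit: int) -> None:
        self.r1[0] ^= bit
        self.r2[0] ^= bit
        self.r3[0] ^= bit

    @staticmethod
    def _shift(reg: list, taps: tuple) -> None:
        """Clock one LFSR: the feedback bit is the XOR of the tapped bits."""
        fb = 0
        for t in taps:
            fb ^= reg[t]
        reg.insert(0, fb)
        reg.pop()

    def _clock_all(self) -> None:
        self._shift(self.r1, R1_TAPS)
        self._shift(self.r2, R2_TAPS)
        self._shift(self.r3, R3_TAPS)

    def _clock_majority(self) -> None:
        """Irregular clocking: a register moves only if its clocking bit agrees with the majority."""
        c1, c2, c3 = self.r1[R1_CLK], self.r2[R2_CLK], self.r3[R3_CLK]
        maj = 1 if c1 + c2 + c3 >= 2 else 0
        if c1 == maj:
            self._shift(self.r1, R1_TAPS)
        if c2 == maj:
            self._shift(self.r2, R2_TAPS)
        if c3 == maj:
            self._shift(self.r3, R3_TAPS)

    def keystream(self, n_bits: int) -> bytes:
        """Produce n_bits of keystream packed MSB-first into bytes."""
        out = bytearray((n_bits + 7) // 8)
        for i in range(n_bits):
            self._clock_majority()
            bit = self.r1[-1] ^ self.r2[-1] ^ self.r3[-1]
            out[i // 8] |= bit << (7 - i % 8)
        return bytes(out)


def a51_frame_keystreams(kc: bytes, frame: int) -> tuple:
    """Return the (downlink, uplink) 114-bit keystream bursts for one frame."""
    gen = A51(kc, frame)
    return gen.keystream(114), gen.keystream(114)


def xor_burst(keystream: bytes, burst: bytes) -> bytes:
    """Encrypt or decrypt a packed 114-bit burst; A5/1 is a stream cipher, so one XOR does both."""
    return bytes(k ^ b for k, b in zip(keystream, burst))


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789abcdef")  # reference test key
    down, up = a51_frame_keystreams(kc, 0x134)
    print("downlink:", down.hex(), "uplink:", up.hex())
    # Changing only the frame number changes the whole keystream.
    print("next frame:", a51_frame_keystreams(kc, 0x135)[0].hex())
```

The point to take from the key setup is that the keystream is a pure function of (Kc, frame number): the security of every burst rests on Kc never being recovered and on a frame number never being paired with the same Kc twice.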

Authorization

Uses A3(Ki, RAND) for authorization (the challenge-response).
Uses A8(Ki, RAND) to derive the encryption key (Kc).
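The exchange described above, as an added example that is not part of these notes or of any SIM or network vendor's code: the HLR/AuC mints a (RAND, SRES, Kc) triplet from Ki, the MSC/VLR sends RAND to the phone and compares the SIM's SRES, and Kc is derived on both ends without ever crossing the air. Real A3/A8 are operator-specific and not given on the page, so HMAC-SHA256 stand-ins are used here (an assumption); the output sizes (32-bit SRES, 64-bit Kc) and the message flow follow GSM.

```python
# Added example (not from the notes, Osmocom or any SIM vendor): a simulation
# of the GSM challenge-response exchange. A3/A8 are HMAC-SHA256 stand-ins.
import hashlib
import hmac
import os
from dataclasses import dataclass


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A3: signed response SRES (32 bits) proving knowledge of Ki."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A8: cipher key Kc (64 bits) handed to A5."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


@dataclass
class Sim:
    imsi: str
    ki: bytes  # 128-bit secret shared only with the HLR/AuC

    def respond(self, rand: bytes) -> tuple:
        # The SIM answers any RAND it is handed: nothing in the challenge
        # proves it came from the genuine network (no mutual authentication).
        return a3(self.ki, rand), a8(self.ki, rand)


class HLR:
    """Home Location Register / AuC: holds Ki and mints authentication triplets."""

    def __init__(self) -> None:
        self.subscribers = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self.subscribers[imsi] = ki

    def triplet(self, imsi: str, rand: bytes = None) -> tuple:
        ki = self.subscribers[imsi]
        rand = rand if rand is not None else os.urandom(16)
        return rand, a3(ki, rand), a8(ki, rand)


class MscVlr:
    """MSC/VLR: fetches triplets from the HLR and challenges the phone; never sees Ki."""

    def __init__(self, hlr: HLR) -> None:
        self.hlr = hlr
        self.session_keys = {}

    def authenticate(self, sim: Sim, rand: bytes = None) -> bool:
        rand, expected_sres, kc = self.hlr.triplet(sim.imsi, rand)
        sres, _ = sim.respond(rand)  # over the air: RAND down, SRES up
        if not hmac.compare_digest(sres, expected_sres):
            return False
        self.session_keys[sim.imsi] = kc  # Kc is derived on both ends, never transmitted
        return True


if __name__ == "__main__":
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test Ki
    hlr = HLR()
    hlr.provision("001010123456789", ki)  # constructed IMSI
    vlr = MscVlr(hlr)
    print("genuine SIM:", vlr.authenticate(Sim("001010123456789", ki)))
    print("wrong Ki:   ", vlr.authenticate(Sim("001010123456789", bytes(16))))
```

Note the asymmetry that the Attacks section below relies on: the network verifies the phone through SRES, but the phone has no corresponding check on the network.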

Traffic Channel

When the phone receives a message on the control channel it sets up a dedicated channel to the base station. If the message is a phone call, the phone then switches to a traffic channel.

There are two types of channels

  • TCH - Full Rate: Better Bitrate audio
  • TCH - Half Rate: More subscribers

Time Division Multiple Access (TDMA): the base station tells the phone which timeslot it may use to respond to the message.

Messages

Location Update Request: the phone sends a location update request to the base station.

Attacks

  • No mutual authentication
    • Easy to mount false base station attacks
  • No integrity protection
  • Crypto is weak
  • Mobile base stations can force cellphones to fall back from the TMSI to the IMSI. They can do this unencrypted/unauthenticated. This was fixed in the Universal Mobile Telecommunication System (UMTS).
    • Can use IMSI and IMEI catchers

GPRS (2.5G)

  • Uses a mix of Packet Switched and Circuit Switched
  • Introduces MMS, Push to talk

Security

  • Mutual auth between packet-switched info
  • Auth between the device and the SGSN (Serving GPRS Support Node)
  • Some ciphering

Attacks

UMTS (3G)

  • Mixed Packet and Circuit Protocol

Attacks

  • Weak Mutual Authentication
    • Still possible to make False Base stations
  • Can use IMSI and IMEI Catchers
  • Vulnerable to Downgrade attacks

LTE (3.95G)

  • All IP-based
  • VoLTE (Voice over LTE)

Security

  • AES-based encryption

Attacks

  • LTEinspector
    • Auth Replay attacks
    • Paging Channel Hijacking Attack
    • Send Custom Broadcast messages (like amber alerts)
  • Can use IMSI Catchers
  • Also can use downgrade attacks
  • Vulnerable to Downgrade, DoS and Location Tracking Attacks

Eavesdropping Encrypted LTE Calls With ReVoLTE:

  • The same keystream ends up being used for two different calls from the same base station.
    • This happens because of nonce reuse
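Why keystream reuse across two calls is fatal, as an added example that is not from the ReVoLTE paper or from these notes: with a stream cipher, XORing two ciphertexts that share a keystream cancels the keystream and leaves the XOR of the two plaintexts, so knowing one call's content exposes the other. The keystream derivation below is a stand-in (HMAC-SHA256 in counter mode over a bearer key and a per-call count), not the LTE cipher; the property shown holds for any stream cipher keyed the same way twice, and the same check shows that a fresh count per call removes it.

```python
# Added example, not from the ReVoLTE paper or the notes: the two-time-pad
# failure behind keystream reuse, with a stand-in keystream function.
import hashlib
import hmac


def keystream(key: bytes, count: int, n: int) -> bytes:
    """Stand-in keystream: depends only on (key, count), like a bearer key plus counter."""
    out = b""
    block = 0
    while len(out) < n:
        msg = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, count: int, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream (decryption is the same call)."""
    return xor_bytes(plaintext, keystream(key, count, len(plaintext)))


def recover_via_known_plaintext(ct_target: bytes, ct_known: bytes, pt_known: bytes) -> bytes:
    """If both ciphertexts share a keystream, ct_known ^ pt_known reveals that keystream
    and ct_target ^ keystream is the other call's content. With distinct keystreams
    the result is noise."""
    shared_keystream = xor_bytes(ct_known, pt_known)
    return xor_bytes(ct_target, shared_keystream)


def keystream_reused(key: bytes, count_a: int, count_b: int, pt_a: bytes, pt_b: bytes) -> bool:
    """Check used to validate a fix: ct_a ^ ct_b equals pt_a ^ pt_b only when the
    keystream was reused, i.e. the count (nonce) did not change between calls."""
    ct_a, ct_b = encrypt(key, count_a, pt_a), encrypt(key, count_b, pt_b)
    return xor_bytes(ct_a, ct_b) == xor_bytes(pt_a, pt_b)


if __name__ == "__main__":
    bearer_key = bytes.fromhex("0f" * 16)  # constructed
    call_one = b"call one: confidential audio"  # constructed stand-in for audio frames
    call_two = b"call two: known audio content"[: len(call_one)]
    # Bug: both calls encrypted under the same key and the same count.
    ct1, ct2 = encrypt(bearer_key, 7, call_one), encrypt(bearer_key, 7, call_two)
    print("reused keystream ->", recover_via_known_plaintext(ct1, ct2, call_two))
    # Fix: a fresh count for the second call; the recovery yields noise.
    ct2_fresh = encrypt(bearer_key, 8, call_two)
    print("fresh count     ->", recover_via_known_plaintext(ct1, ct2_fresh, call_two))
    print("reuse detected:", keystream_reused(bearer_key, 7, 7, call_one, call_two),
          keystream_reused(bearer_key, 7, 8, call_one, call_two))
```

The mitigation is exactly what keystream_reused checks for: every call must get a keystream derived from a (key, count) pair that was never used before.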

LTE-Advanced (4G)

  • Introduces IPv6
  • Carrier Aggregation
  • IP Multimedia Subsystem

O2 VoLTE: locating any customer with a phone call

Security

  • All Radio data must be encrypted
  • Mutual auth between the phone and core network

Attacks

  • IMSI Catchers

5G

  • Network Slices
  • Network Function Virtualization
  • Uses the SUCI (concealed) and SUPI (permanent) identifiers instead of the IMSI

Tools:
openairinterface5G works with LimeSDR
https://github.com/free5gc/free5gc

Security

  • No more IMSI: now SUCI (Subscription Concealed Identifier) and SUPI (Subscription Permanent Identifier)
  • 256 bit keys supported

Attacks

  • NOT vulnerable to downgrade, DoS and location tracking attacks
  • Same algorithms used in 4G
  • Attack to see whether a subscriber is on the same tower as you
  • Cellular messages can force the phone into a higher power mode to receive messages, draining the battery 5x faster than normal