
Telecommunication

https://github.com/W00t3k/Awesome-Cellular-Hacking
- 2G is also known as GSM
  - Circuit-switched voice and signalling
  - GPRS is an extension of GSM that adds packet-switched data
  - EDGE is an enhancement of GPRS (higher-order modulation) that raises the packet data rate
- 3G is also known as UMTS
  - Circuit-switched voice alongside packet-switched data
- 4G is also known as LTE
  - Packet-based (all-IP) communication, no circuit-switched domain
  - VoLTE (Voice over LTE) carries voice as IP traffic over LTE instead of falling back to a 2G/3G circuit-switched call
- 5G
  - Short range, high bandwidth (at millimetre-wave frequencies)
  - The permanent subscriber identity is only sent concealed (SUCI), which defeats classic IMSI catchers on 5G itself; forcing the phone down to 4G/3G/2G remains the practical concern

Program to trace SIM Card messages and responses
Pentesting Scripts for GSM

GSM (2G)

Osmocom with LimeSDR

SIM: Subscriber Identity Module. The smart card; holds the subscriber identity and the secret key
IMSI: International Mobile Subscriber Identity. Permanent unique ID of the subscription, stored on the SIM
TMSI: Temporary Mobile Subscriber Identity. Short-lived ID the network assigns to the phone so the IMSI does not have to be sent over the air on every transaction
BTS/BSC: Base Transceiver Station / Base Station Controller. The cell tower you are connected to, and the node that controls a group of towers
MSC: Mobile Switching Center. Core-network switch that handles circuit-switched calls and signalling for the towers under it (not the tower itself)
HLR: Home Location Register. The main database of subscriber information at your home provider
VLR: Visitor Location Register. The database of subscribers currently served by an MSC. When roaming, this belongs to the visited carrier, not your own

Both the HLR (more precisely its Authentication Center, AuC) and the SIM hold the same 128-bit subscriber authentication key (Ki); it never leaves either side.
The SIM stores Ki, the IMSI, the current TMSI and the current 64-bit session (encryption) key Kc.

Control Channel:
Phones spend most of their time in standby, camped on a base station and listening to its control channel (the paging channel) until a Paging Request addressed to them arrives.

Paging Requests:
Message sent by the base station to tell the phone that the network has something for it (an incoming call or SMS).
The phone then requests and sets up a dedicated signalling channel with the base station.

Encryption

https://www.blackhillsinfosec.com/gsm-traffic-and-encryption-a5-1-stream-cipher/

Schemes:
- A3: authentication algorithm; computes the signed response SRES from Ki and the challenge RAND
- A5: air-interface (radio link) encryption
- A5/0: No encryption
- A5/1: stream cipher built from three linear feedback shift registers that are irregularly (majority) clocked; broken in practice (precomputed rainbow tables)
- A5/2: deliberately weakened export variant; broken in real time and since withdrawn
- A5/3: based on the KASUMI block cipher, keyed with the 64-bit Kc
- A5/4: based on the KASUMI block cipher with a 128-bit key
- A8: key-generation algorithm; derives the 64-bit session key Kc from Ki and RAND

Each burst is encrypted under a keystream derived from Kc and the 22-bit TDMA frame number, so the keystream changes every frame and only repeats once the frame counter wraps (roughly every 3.5 hours) or the same Kc is used again.
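The three-register construction and the per-frame keystream described above, as an added example (this is not code from the page or from Osmocom). The register sizes, taps and clocking bits are those of the published A5/1 description; the known-answer key and frame number in the usage section are the ones shipped with the Briceno/Goldberg/Wagner reference implementation, and the bit packing (key and frame LSB first, keystream MSB first) follows that implementation.

```python
# A5/1 keystream generator (added example, not from the page or from Osmocom).
# Register masks: R1 is 19 bits, R2 is 22 bits, R3 is 23 bits.
R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF
# Clocking (majority) bits: bit 8 of R1, bit 10 of R2 and R3.
R1MID, R2MID, R3MID = 0x000100, 0x000400, 0x000400
# Feedback taps: R1 bits 18,17,16,13; R2 bits 21,20; R3 bits 22,21,20,7.
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080
# Output bits: the most significant bit of each register.
R1OUT, R2OUT, R3OUT = 0x040000, 0x200000, 0x400000


def parity(x: int) -> int:
    """XOR of all bits of x."""
    return bin(x).count("1") & 1


def clock_one(reg: int, mask: int, taps: int) -> int:
    """Step one LFSR, feeding back the XOR of its tap bits into bit 0."""
    return ((reg << 1) & mask) | parity(reg & taps)


class A51:
    def __init__(self, kc: bytes, frame: int):
        if len(kc) != 8:
            raise ValueError("Kc must be 64 bits")
        self.r1 = self.r2 = self.r3 = 0
        # Key setup: clock all registers regularly, XORing in one key bit
        # per step (LSB of each byte first, as in the reference code).
        for i in range(64):
            self._clock_all()
            bit = (kc[i >> 3] >> (i & 7)) & 1
            self.r1 ^= bit
            self.r2 ^= bit
            self.r3 ^= bit
        # Frame setup: the 22-bit TDMA frame number is mixed in the same way;
        # this is what makes the keystream differ from frame to frame.
        for i in range(22):
            self._clock_all()
            bit = (frame >> i) & 1
            self.r1 ^= bit
            self.r2 ^= bit
            self.r3 ^= bit
        # 100 irregular clockings whose output is discarded.
        for _ in range(100):
            self._clock()

    def _clock_all(self) -> None:
        self.r1 = clock_one(self.r1, R1MASK, R1TAPS)
        self.r2 = clock_one(self.r2, R2MASK, R2TAPS)
        self.r3 = clock_one(self.r3, R3MASK, R3TAPS)

    def _clock(self) -> None:
        """Majority clocking: a register steps only if its clocking bit
        agrees with the majority of the three clocking bits."""
        b1 = 1 if self.r1 & R1MID else 0
        b2 = 1 if self.r2 & R2MID else 0
        b3 = 1 if self.r3 & R3MID else 0
        maj = (b1 & b2) | (b1 & b3) | (b2 & b3)
        if b1 == maj:
            self.r1 = clock_one(self.r1, R1MASK, R1TAPS)
        if b2 == maj:
            self.r2 = clock_one(self.r2, R2MASK, R2TAPS)
        if b3 == maj:
            self.r3 = clock_one(self.r3, R3MASK, R3TAPS)

    def _output_bit(self) -> int:
        return parity(self.r1 & R1OUT) ^ parity(self.r2 & R2OUT) ^ parity(self.r3 & R3OUT)

    def keystream(self, nbits: int = 114) -> bytes:
        """Return nbits of keystream, packed MSB first."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock()
            out[i >> 3] |= self._output_bit() << (7 - (i & 7))
        return bytes(out)


def a51_frame_keystreams(kc: bytes, frame: int) -> tuple[bytes, bytes]:
    """Keystream for one TDMA frame: 114 bits for the downlink burst
    (network to phone) followed by 114 bits for the uplink burst."""
    gen = A51(kc, frame)
    return gen.keystream(114), gen.keystream(114)


def encrypt_burst(kc: bytes, frame: int, burst: bytes, uplink: bool = False) -> bytes:
    """XOR a 114-bit burst (15 bytes, last 6 bits unused) with that frame's
    keystream. Decryption is the same operation."""
    down, up = a51_frame_keystreams(kc, frame)
    ks = up if uplink else down
    return bytes(b ^ k for b, k in zip(burst, ks))


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789ABCDEF")      # reference known-answer key
    down, up = a51_frame_keystreams(kc, 0x134)  # reference frame number
    print("downlink keystream:", down.hex())
    print("uplink keystream:  ", up.hex())
    # Same Kc, next frame: the keystream changes because the frame number is mixed in.
    print("frame 0x135:       ", a51_frame_keystreams(kc, 0x135)[0].hex())
```

Run it and compare the two printed keystreams for frame 0x134 against the reference vectors (downlink 534eaa582fe8151ab6e1855a728c00, uplink 24fd35a35d5fb6526d32f906df1ac0); the third line shows that only the frame number changed and the whole keystream moved with it.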

Authentication

Uses A3(Ki, RAND) for authentication: the network sends a random challenge RAND, the SIM answers with SRES = A3(Ki, RAND), and the network compares that with the SRES it computed itself (or received as part of a RAND/SRES/Kc triplet from the HLR/AuC).
Uses A8(Ki, RAND) for the encryption key (Kc), which the base station then switches on with a Cipher Mode Command.
Only the phone is authenticated; the phone never checks that the network is genuine.

Traffic Channel

When the phone is paged on the control channel it sets up a dedicated signalling channel to the base station. If the reason was a phone call, the phone is then assigned a traffic channel (TCH) for the voice.

There are two types of traffic channel
- TCH Full Rate: better audio bitrate
- TCH Half Rate: half the bitrate, so twice as many subscribers per carrier

Time Division Multiple Access (TDMA): each radio carrier is divided into 8 timeslots; the base station tells the phone which timeslot (and frequency) to transmit and listen on.

Messages

Location Update Request: the phone sends a location update to the network (via the base station) when it enters a new location area and periodically, so that the HLR/VLR know where to page it.

Attacks

  • No mutual authentication: the phone authenticates to the network, never the other way round
    • Easy to run false base station attacks
  • No integrity protection on signalling
  • Weak crypto: A5/1 and A5/2 are practically broken, and a base station can simply order A5/0 (no encryption)
  • A base station, including a false one, can send an Identity Request that forces the phone to reply with its IMSI instead of the TMSI, unencrypted and unauthenticated. UMTS added mutual authentication, but the identity request still happens before authentication completes, so the IMSI is still exposed there
    • Can use IMSI and IMEI catchers
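A model of the authentication exchange from the Authentication section together with the false-base-station trick above, as an added example (not code from the page or from any GSM stack). A3 and A8 are operator-specific, so HMAC-SHA256 stands in for both here (real SIMs use e.g. COMP128); the messages are simplified dicts rather than the real layer-3 encoding, and the IMSI, Ki and TMSI are constructed test values.

```python
# GSM authentication and identity-request model (added example; A3/A8 are
# replaced by an HMAC stand-in, message encoding is simplified).
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for A3/A8: returns (SRES, Kc). Real A3 gives a 32-bit SRES and
    real A8 a 64-bit Kc; the same lengths are cut from one HMAC here."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """The SIM: holds IMSI and Ki, and answers any RAND it is handed."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki
        self.kc = None

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8(self._ki, rand)
        return sres  # Ki and Kc never leave the card


class Phone:
    """Mobile station: obeys whatever base station it is camped on,
    because GSM gives it no way to authenticate the network."""
    def __init__(self, sim: Sim, tmsi: bytes):
        self.sim = sim
        self.tmsi = tmsi

    def handle(self, msg: dict) -> dict:
        if msg["type"] == "IDENTITY REQUEST":
            if msg["identity"] == "IMSI":
                return {"type": "IDENTITY RESPONSE", "imsi": self.sim.imsi}  # sent in the clear
            return {"type": "IDENTITY RESPONSE", "tmsi": self.tmsi}
        if msg["type"] == "AUTHENTICATION REQUEST":
            return {"type": "AUTHENTICATION RESPONSE",
                    "sres": self.sim.run_gsm_algorithm(msg["rand"])}
        if msg["type"] == "CIPHER MODE COMMAND":
            return {"type": "CIPHER MODE COMPLETE", "algorithm": msg["algorithm"]}
        raise ValueError(msg["type"])


class AuC:
    """HLR/AuC: knows every subscriber's Ki and produces (RAND, SRES, Kc) triplets."""
    def __init__(self, subscribers: dict[str, bytes]):
        self._subscribers = subscribers

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)
        sres, kc = a3_a8(self._subscribers[imsi], rand)
        return rand, sres, kc


def genuine_network_authenticates(auc: AuC, phone: Phone, imsi: str) -> bool:
    """The legitimate exchange: the MSC/VLR fetches a triplet, challenges the
    phone, compares SRES, then turns ciphering on with Kc."""
    rand, expected_sres, kc = auc.triplet(imsi)
    resp = phone.handle({"type": "AUTHENTICATION REQUEST", "rand": rand})
    if not hmac.compare_digest(resp["sres"], expected_sres):
        return False
    phone.handle({"type": "CIPHER MODE COMMAND", "algorithm": "A5/1"})
    return phone.sim.kc == kc  # both sides now share the same session key


def imsi_catcher(phone: Phone) -> dict:
    """A false base station has no Ki, so it could never pass the real
    authentication; it never has to. It asks for the IMSI directly and then
    orders A5/0, and the phone complies with both."""
    identity = phone.handle({"type": "IDENTITY REQUEST", "identity": "IMSI"})
    cipher = phone.handle({"type": "CIPHER MODE COMMAND", "algorithm": "A5/0"})
    return {"imsi": identity["imsi"], "ciphering": cipher["algorithm"]}


if __name__ == "__main__":
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test Ki
    sim = Sim("262011234567890", ki)                       # constructed test IMSI
    phone = Phone(sim, tmsi=bytes.fromhex("1a2b3c4d"))     # constructed TMSI
    auc = AuC({sim.imsi: ki})
    print("genuine network authenticated the phone:", genuine_network_authenticates(auc, phone, sim.imsi))
    print("false base station obtained:", imsi_catcher(phone))
```

The point of the second function is that nothing in the phone's state machine distinguishes the two callers: the same `handle` method that serves the real MSC hands the IMSI and a null-cipher agreement to anyone transmitting a stronger signal.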

GPRS (2.5G)

  • Uses a mix of Packet Switched and Circuit Switched
  • Introduces MMS, Push to talk

Security

  • Same one-way GSM authentication (A3/A8 with Ki), now also run for the packet-switched domain; still no authentication of the network
  • Authentication is between the device and the SGSN (Serving GPRS Support Node), not the MSC
  • Ciphering with the GEA family of algorithms (GEA/0 means none), terminated at the SGSN rather than the base station

Attacks

UMTS (3G)

  • Circuit-switched voice and packet-switched data side by side

Attacks

  • Mutual authentication (UMTS AKA: the network proves itself with an AUTN token), but it is incomplete: broadcast and pre-authentication messages are unprotected
    • Still possible to run false base stations
  • Can use IMSI and IMEI catchers (identity request before authentication)
  • Vulnerable to downgrade attacks (pushing the phone onto GSM and its weaker crypto)

LTE (3.95G)

  • All IP-based (packet-switched only; no circuit-switched domain)
  • VoLTE (Voice over LTE), carried over the IMS

Security

  • AES-based encryption and integrity (EEA2/EIA2); SNOW 3G (EEA1/EIA1) and ZUC (EEA3/EIA3) are also defined, and the null cipher EEA0 is permitted

Attacks

  • LTEInspector (model-based analysis of the LTE attach, detach and paging procedures)
    • Authentication relay attack
    • Paging channel hijacking attack
    • Injection of fake broadcast/emergency messages (like amber alerts)
  • Can use IMSI catchers (identity request before authentication)
  • Vulnerable to downgrade, DoS and location tracking attacks

Eavesdropping Encrypted LTE Calls With ReVoLTE:
- Some base stations reuse the same radio-bearer key for two consecutive VoLTE calls, so both calls are encrypted with the same keystream
- The keystream is a function of the key, the bearer identity and a COUNT that restarts from zero for each new bearer; reusing the key therefore amounts to nonce reuse
- Attack: record the target call, then call the victim within the reuse window; the attacker knows their own call's plaintext, so XOR recovers the keystream and with it the recorded target call
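The keystream-reuse attack above, worked through in code as an added example (not code from the page or from the ReVoLTE authors). The user-plane cipher is replaced by a constructed SHA-256-in-counter-mode stand-in that, like EEA1/2/3, depends only on the bearer key, bearer identity and COUNT; the eNodeB model, root key and "voice" frames are all constructed for the demonstration, and the fixed variant of the base station simply derives a fresh key for every call.

```python
# ReVoLTE-style keystream reuse (added example; cipher and base station are stand-ins).
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(bearer_key: bytes, bearer_id: int, count: int, length: int) -> bytes:
    """Constructed stand-in for the user-plane cipher (not EEA1/2/3): output
    depends only on (bearer key, bearer id, COUNT), as the real keystream does."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            bearer_key + bytes([bearer_id]) + count.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return bytes(out[:length])


def encrypt_call(bearer_key: bytes, bearer_id: int, frames: list[bytes]) -> list[bytes]:
    """Encrypt one call's voice frames. COUNT restarts at 0 for every new call."""
    return [xor(f, keystream(bearer_key, bearer_id, count, len(f)))
            for count, f in enumerate(frames)]


class ENodeB:
    """Base station model. The vulnerable variant keeps the bearer key across
    consecutive calls on the same bearer; the fixed one derives a fresh key per call."""
    def __init__(self, root_key: bytes, reuse_bearer_key: bool):
        self.root_key = root_key
        self.reuse_bearer_key = reuse_bearer_key
        self.calls_seen = 0

    def setup_call(self, bearer_id: int, frames: list[bytes]) -> list[bytes]:
        salt = b"" if self.reuse_bearer_key else self.calls_seen.to_bytes(4, "big")
        bearer_key = hashlib.sha256(self.root_key + salt).digest()
        self.calls_seen += 1
        return encrypt_call(bearer_key, bearer_id, frames)


def revolte_recover(target_ct: list[bytes], attacker_ct: list[bytes],
                    attacker_pt: list[bytes]) -> list[bytes]:
    """The attacker's own call gives (ciphertext, plaintext) pairs per COUNT;
    XOR yields the keystream, which strips the recorded target call. Only as
    many frames (and bytes per frame) as the attacker's call covered are recovered."""
    return [xor(t, xor(c, p)) for t, c, p in zip(target_ct, attacker_ct, attacker_pt)]


# Constructed sample "voice": 4 frames of 32 bytes per call, attacker call at
# least as long as the target call (a requirement of the real attack too).
TARGET_FRAMES = [f"victim call frame {i}".encode().ljust(32, b"\0") for i in range(4)]
ATTACKER_FRAMES = [f"attacker call frame {i}".encode().ljust(32, b"\0") for i in range(4)]
ROOT_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed


def run_attack(reuse_bearer_key: bool) -> bool:
    """Record the target call, place the attacker's call on the same bearer
    right after it, and report whether the target plaintext came back."""
    enb = ENodeB(ROOT_KEY, reuse_bearer_key)
    target_ct = enb.setup_call(bearer_id=1, frames=TARGET_FRAMES)      # sniffed from the air
    attacker_ct = enb.setup_call(bearer_id=1, frames=ATTACKER_FRAMES)  # sniffed; plaintext known
    return revolte_recover(target_ct, attacker_ct, ATTACKER_FRAMES) == TARGET_FRAMES


if __name__ == "__main__":
    print("vulnerable eNodeB, target call recovered:", run_attack(reuse_bearer_key=True))
    print("fixed eNodeB, target call recovered:     ", run_attack(reuse_bearer_key=False))
```

The attacker never touches the key material: everything comes from two ciphertexts off the air plus the plaintext of a call they placed themselves. Against the fixed base station the same arithmetic yields noise, which is the whole of the mitigation.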

LTE-Advanced (4G)

  • Introduces IPv6
  • Carrier aggregation
  • IP Multimedia Subsystem (IMS), which carries VoLTE

Security

  • Signalling (NAS/RRC) is integrity-protected and can be ciphered; user-plane radio data can be ciphered, but the null cipher EEA0 is permitted, so encryption is not guaranteed
  • Mutual authentication (EPS AKA) between the phone and the core network

Attacks

- IMSI Catchers

5G

  • Network slices
  • Network Function Virtualization
  • The permanent identifier is the SUPI (which contains the IMSI); over the air the phone sends a SUCI, the SUPI encrypted with the home network's public key. The equipment identifier (IMEI) is called the PEI

Tools:
openairinterface5G works with LimeSDR
https://github.com/free5gc/free5gc

Security

  • The IMSI is no longer sent in the clear: the SUPI (Subscription Permanent Identifier) is only transmitted as a SUCI (Subscription Concealed Identifier), encrypted to the home network's public key, so a catcher sees a different ciphertext each time
  • 256-bit keys are provided for in the architecture; the Release 15 algorithms (NEA1-3 / NIA1-3) use 128-bit keys

Attacks

  • Designed to resist the downgrade, DoS and location tracking attacks of earlier generations; in practice, implementation bugs and the non-standalone mode (which still relies on the LTE core) have been shown to leave some of them open
  • Same ciphering and integrity algorithms as 4G (SNOW 3G, AES, ZUC), renamed NEA/NIA
  • Attack to check whether a given subscriber is camped on the same tower as you (presence test)
  • A cellular message can force the phone into a higher power mode to receive messages, draining the battery about 5x faster than normal