HackDig : Dig high-quality web security articles for hackers

Notes on Hijacking GSM/GPRS Connections

2016-07-17 22:05

As shown in previous blogposts we regularly work with GSM/GPRS basestations for testing devices with cellular uplinks or to simply run a private network during TROOPERS. Here the core difference between a random TROOPERS attendee and a device we want to hack is the will to join our network, or not! While at the conference we hand out own SIM cards which accept the TROOERPS GSM network as their “home network” some device need to be pushed a little bit.
Every SIM card has it’s own home network, which is encoded in the fist five (European standard) or six (North American standard) digits of its IMSI – International Subscriber Number. The first three digits are the MCC, the Mobile Country Code, the next two/three the MNC, Mobile Network Code. International network overview are publicly available and for example can be found >here<. For instance, Germany has the MCC 262 and Vodafone Germany uses MNC 02. So a SIM card with an IMSI starting with 26202 belongs to them.
Sticking to the settings in its own SIM card a device will always prefer to connect to it’s own home network above all others. If the home network is not available it will usually go for the strongest signal. To protect users from unnecessary costs, an operator will usually add certain rules to prevent the device from connecting to other networks in the same country. So if you’re an O2 customer in Germany, visit a shopping center and only have reception for a T-Mobile cell, your phone will not directly jump into this network, even though it’s the strongest signal source.

 

Basic Approach

When testing a device we have two very simple options: Swap the SIM card for our own or don’t. Usually, if our victim has a removable SIM card, we would use one of our TROOPERS SIM cards and run the network with our own MCC/MNC settings. This of course is the easiest approach as the device will connect to our network voluntarily and will also be rejected by all other networks around it.
But quite a few newer devices have embedded SIM cards. Although they come in a chip package, its just a plain SIM card soldered into the device. Of course, being the hardware guy, I’m happy to unsolder the chips and add a few fly-wires to attach a different SIM card, but sometimes it’s not feasible. In this situation we need a different approach:

  • Step 1: IMSI catching
    • We need to find out which MCC/MNC is configured onto the SIM card. To do so we start our network and make sure we are the ONLY one available to the device. This can be achieved by working in a shielded environment or by aggressively jamming other networks. When the device tries to connect our network, we see the device’s IMSI and can extract both the MCC and MNC.
  • Step 2: Reconfigure the network
    • We then reconfigure our own network so that we’re the device’s home network. This way we make sure that the device will connect directly to us. One might still need to keep other networks out, especially if the device wants to connect to a local network.

A Foreign SIM?

Very often one will notice that embedded devices use a SIM card from a foreign country. The reason for this is plain and simple. A manufacturer wants to sell a product into different countries and does not want to need a different contract with a different operator for every single location, especially if it’s a SIM card for something mobile like a car. Eventually the manufacturer will probably have chosen an operator with a good global deal offering roaming throughout various countries.
For us this means: We can easily set up a home network for our victim. Even if other local networks are available, the device will be preferring our spoofed home network above all the others, even if they have a better signal.

 

Malicious Intent

As described, working with foreign SIM cards is rather easy, as we can spoof their home networks. From a defensive point of view this results in quite a few risks. As a roaming SIM card will connect to the strongest network, malicious attackers do not need a lot of effort when hijacking their connections. We ourselves and maybe also some of you have seen this at TROOPERS15, where we ran an open GSM network. Open meaning every SIM card was allowed to attach (in contrast to 2016, where the network was locked down to our own SIM cards). Quite a few of our foreign Troopers entered the venue and nearly instantly roamed into our network and received the welcome SMS/text message. For those who don’t know the venue (you ought to check it out at TR17


Source: /snoitcennoc-srpgmsg-gnikcajih-no-seton/70/6102/ten.rotaunisni.www

Read:4108 | Comments:0 | Tags:Insecurity Security Uncategorized cellular gprs gsm hardware

“Notes on Hijacking GSM/GPRS Connections”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Tools

Tag Cloud