Breaking

VoLTE Security Analysis, part 2

In our talk IMSEcure – Attacking VoLTE Brian and me presented some theoretical and practical attacks against IP Multimedia Subsystems (IMS). Some of the attacks already have been introduced in a former blogpost and Ahmad continued with a deeper analysis of the Flooding and targeted DoS scenario. But still, there are some open topics I’d like to continue with now. The methods I am demonstrating here also help to get a better understanding of VoLTE/IMS and how it is implemented on modern smartphones.
Continue reading “VoLTE Security Analysis, part 2”

Continue reading
Breaking

Denial of Service attacks on VoLTE

Some weeks ago Hendrik explained in his blogpost Security Analysis of VoLTE, Part 1 some attack vectors for Voice over LTE (VoLTE). One attack vector introduced was Denial of Service (DoS), which I also discussed in my Masterthesis “Evaluation of IMS security and Developing penetration tests of IMS”.

In general, DoS attacks aim to prevent a system or a network from efficiently providing its service to legitimate users . The impact of such attacks can vary from a big degradation of quality to total blockage. DoS can occur on users level, where a user or a group of users cannot use the service. But the common conception of DoS is on the service level, where the whole service is broken, unstable or totally down. This blog post is about targeting DoS of the whole VoLTE service by attacking IMS.
Continue reading “Denial of Service attacks on VoLTE”

Continue reading
Breaking

Security Analysis of VoLTE, Part 1

Hello everybody,
this time I’d like to share some thoughts and results about our telco research last year. We gathered a lot of information out of some projects we’d like to share and discuss with you. The following sections also provide an idea of the upcoming Telecommunication Security Workshop I will give with Kevin Redon at Troopers (click). The workshop will be about Radio Network Security (covered by Kevin) and security aspects of the Core Network (covered by myself), mainly focusing on Voice over LTE (VoLTE). That’s also the topic of today’s post.
Continue reading “Security Analysis of VoLTE, Part 1”

Continue reading
Breaking

Telco Research 2015

Hello and a happy new year 2015 to everybody!

As follow up of our 2014 talk “LTE vs. Darwin” I want to inform you about our telco research in 2015. We are currently dealing with the so called IP Multimedia Subsystem (IMS), which handles the call and media logic of 4G telecommunication networks. This network part provides functions like VoIP (or VoLTE) and takes care of the interconnection to other call or media related networks.
Continue reading “Telco Research 2015”

Continue reading
Events

LTE vs. Darwin @ Hackers to Hackers Conference 11

Hello Everybody and greetings from Sao Paulo,

 
We’re currently enjoying the Brazilian sunshine, waiting for H2H2 11’s closing remarks and decided to give you a few details on the past three days. The conference was opened by a short welcome by our fellow Trooper Rodrigo Rubira Branco and stuffed with loads of great talks. This year’s keynotes came from Daniel J. Bernstein and Halvar Flake and gave yet another insight into the ever changing world of InfoSec. The international lineup also included Travis Goodspeed, Sergej Bratus and Fernando Gont. H2HC was a great chance for us to talk to various Hackers from around the world and share our opinions and knowledge. Continue reading “LTE vs. Darwin @ Hackers to Hackers Conference 11”

Continue reading
Breaking

New Tool: s1ap_enum

As we continue our research in the 3GPP protocol world, there is a new tool for you to play with. It is called s1ap_enum and thats also what it does  😉

The tool itself is written in erlang, as i found no other free ASN.1 parser that is able to parse those fancy 3GPP protocol specs. It connects to an MME on sctp/36412 and tries to initiate a S1AP session by sending an S1SetupRequest PDU. To establish a S1AP session with an MME the right MCC and MNC are needed in the PLMNIdentity. The tool tries to guess the right MCC/MNC combinations. It comes with a preset of known MCC/MNC pairs from mcc-mnc.com, but can try all other combinations as well.

Download

Continue reading “New Tool: s1ap_enum”

Continue reading
Events

Hackito Ergo Sum 2014

Greetings from Heidelberg to Paris,

and thanks for a great time at HES14! A nice venue (a museum), sweet talks and stacks of spirit carried us through the three day con. It all set off with a keynote byTROOPERs veteran Edmond ‘bigezy’ Rogers, who stuck to a quite simple principle: “People do stupid things” and I guess every single one of you has quite a few examples for that on offer. Next to every speaker referenced that statement at some point during her/his talk. Furthermore we presented an updated version of our talk LTE vs. Darwin, covering our research of security in LTE networks and potential upcoming problems.

For those who missed HES2014, we prepared a short summary of some of the talks that inspired us.

Continue reading “Hackito Ergo Sum 2014”

Continue reading
Events

LTE@ShmooCon, a Summary

Hey guys,
as some of you may have noticed, just recently at ShmooCon we gave our talk “LTE vs. Darwin” (Slides here). There we presented some results of our research in 4G telco network security. Some of those originate from our research contribution to ASMONIA, but we expanded the scope and also took a look at the air interface. Both the air interface and the backend links & protocols must be secured appropriately; otherwise communication may be eavesdropped or sensitive information may be compromised. In the following we want to provide an overview of LTE main components and potential attack vectors.
Continue reading “LTE@ShmooCon, a Summary”

Continue reading