Breaking

Notes on Hijacking GSM/GPRS Connections

As shown in previous blogposts we regularly work with GSM/GPRS basestations for testing devices with cellular uplinks or to simply run a private network during TROOPERS. Here the core difference between a random TROOPERS attendee and a device we want to hack is the will to join our network, or not! While at the conference we hand out own SIM cards which accept the TROOERPS GSM network as their “home network” some device need to be pushed a little bit.
Every SIM card has it’s own home network, which is encoded in the fist five (European standard) or six (North American standard) digits of its IMSI – International Subscriber Number. The first three digits are the MCC, the Mobile Country Code, the next two/three the MNC, Mobile Network Code. International network overview are publicly available and for example can be found >here<. For instance, Germany has the MCC 262 and Vodafone Germany uses MNC 02. So a SIM card with an IMSI starting with 26202 belongs to them.
Sticking to the settings in its own SIM card a device will always prefer to connect to it’s own home network above all others. If the home network is not available it will usually go for the strongest signal. To protect users from unnecessary costs, an operator will usually add certain rules to prevent the device from connecting to other networks in the same country. So if you’re an O2 customer in Germany, visit a shopping center and only have reception for a T-Mobile cell, your phone will not directly jump into this network, even though it’s the strongest signal source.

 

Basic Approach

When testing a device we have two very simple options: Swap the SIM card for our own or don’t. Usually, if our victim has a removable SIM card, we would use one of our TROOPERS SIM cards and run the network with our own MCC/MNC settings. This of course is the easiest approach as the device will connect to our network voluntarily and will also be rejected by all other networks around it.
But quite a few newer devices have embedded SIM cards. Although they come in a chip package, its just a plain SIM card soldered into the device. Of course, being the hardware guy, I’m happy to unsolder the chips and add a few fly-wires to attach a different SIM card, but sometimes it’s not feasible. In this situation we need a different approach:

  • Step 1: IMSI catching
    • We need to find out which MCC/MNC is configured onto the SIM card. To do so we start our network and make sure we are the ONLY one available to the device. This can be achieved by working in a shielded environment or by aggressively jamming other networks. When the device tries to connect our network, we see the device’s IMSI and can extract both the MCC and MNC.
  • Step 2: Reconfigure the network
    • We then reconfigure our own network so that we’re the device’s home network. This way we make sure that the device will connect directly to us. One might still need to keep other networks out, especially if the device wants to connect to a local network.

A Foreign SIM?

Very often one will notice that embedded devices use a SIM card from a foreign country. The reason for this is plain and simple. A manufacturer wants to sell a product into different countries and does not want to need a different contract with a different operator for every single location, especially if it’s a SIM card for something mobile like a car. Eventually the manufacturer will probably have chosen an operator with a good global deal offering roaming throughout various countries.
For us this means: We can easily set up a home network for our victim. Even if other local networks are available, the device will be preferring our spoofed home network above all the others, even if they have a better signal.

 

Malicious Intent

As described, working with foreign SIM cards is rather easy, as we can spoof their home networks. From a defensive point of view this results in quite a few risks. As a roaming SIM card will connect to the strongest network, malicious attackers do not need a lot of effort when hijacking their connections. We ourselves and maybe also some of you have seen this at TROOPERS15, where we ran an open GSM network. Open meaning every SIM card was allowed to attach (in contrast to 2016, where the network was locked down to our own SIM cards). Quite a few of our foreign Troopers entered the venue and nearly instantly roamed into our network and received the welcome SMS/text message. For those who don’t know the venue (you ought to check it out at TR17 😉 ) – the venue, Print Media Academy Heidelberg, is large glass and steel box with quite a few nicely shielded areas. As such it was easy for us to provide the strongest signal. Above the foreigners, we also had quite a subscribers from the lower level of the building, where we actually were the only available operator.
From an attackers point of view, there are quite a few scenarios in which, when having the necessary equipment, attacks on cellular clients are highly feasible and very very easy to accomplish.

 

A Note on APNs

An APN (“Access Point Name”) is parameter used when connecting to IP networks via cellular. They can basically be used to create a private network for all devices of an individual customer. The access to a specific APN is usually* regulated via credentials or based on the IMSI. The APNs are used in combinations with ACLs to ensure that only own devices in the field can access a backend service. This results in challenges when an attacker is in a MitM position between a mobile device and the backend system, as he cannot forward the traffic via a plain internet uplink. Still, with a little bit of creativity and after buying a target device himself, the attacker can create a valid uplink into the protected backend. By extracting the SIM card from the device and placing it into a mobile phone/internet stick, the attacker gains valid access into the APN’s network. This way he can also route the victims traffic back to the “secure” backend.

*As said above, the access to an APN is usually regulated by defined access controls. Sometimes the APN name/URL/string itself is used as a lone shared secret. As such, you can only join if you know the APN and if you do, you can. As a device will expose, or simply send the APN to the operators/attackers network to function, an attacker can easily retrieve it. Alternatively he could extract it by accessing an actual target device. This way an attacker can access the APN and its systems with a random SIM card from the same operator.

 

Quick Reminder: Consequences

What does it actually mean, if a device is connected to a malicious cellular network?

  • GPRS/IP/Data-Traffic is routed through the attacker’s box!
  • The device can be reached via IP, so can access all its services and open ports! Common port scans are possible!
  • SMS/texts are sent to the attacker’s network – They might not be forwarded to the actual target number but can disclose information!
  • The attacker is able to send a vast amount of text messages to the device (for free)!
  • Phone calls are routed via the attackers system – Might also not be routed to the actual recipient but at least to the attacker!

Although there are quite a few prerequisites to be able to actually intercept calls and SMS/texts and re-route them into the real telco networks, without changing any source data – it’s not impossible.

 

Defense

Cellular networks can, are and will be attacked! So:

  • Use transport or application layer protection on IP traffic. But also protect the content in SMS/text messages if it’s critical.
  • Treat data from devices in the field as untrusted. The transport path might be compromised.
  • If you use an APN, make sure that not every body can access it.
  • Don’t just trust that every device in your APN is a friend.
  • Service on the cellular interface can be reached by attackers. They need to be protected.
  • Prohibit radio connections with NULL-cipher encryption (e.g. A5/0 for GSM). This makes it much more difficult for attackers because they need to get encryption material/keys first (e.g. via SS7/IPX).

 

My two Pennies Worth

Experience in the field shows that RF connections like cellular interfaces still have a very special status. For a long time tools for attacking these interfaces were expensive and rare. This created a false impression of security and a magical shiny aura. But the past has shown that these times are over. Own cellular networks can be set up and run with a budget of less than $300 and a laptop. Attacks are feasible and not very complicated but defense is still low.
It is most surely time to rethink some security strategies before applying them to future IoT devices!

Brian

Comments

  1. My experience echoes yours. I discovered by accident that putting my personal phone into the test RF enclosure containing my OpenBTS that it camps to my OpenBTS instantly. That works despite the fact that my network uses the “test” MCC/MNC and my phone’s SIM has the appropriate MCC/MNC info for my local Telco. (Of course, the Telco’s towers cannot beheard inside the RF enclosure).

Comments are closed.