Alright, so this is the point where you see the scary talk, and at the end you'll probably turn your phone off. So these guys have presented for us before. They've done some amazing research, very much like they did last year, which was a really, really cool talk. I think you guys are in for a real treat. Let's give these guys a big hand.

Thank you. Thank you guys, I really appreciate that. Oh, there are so many people. So last year my team had about three presentations: we got GPS spoofing, we got a... and we also got, you know, the Zigbee. And I'm really happy to stand here again and, you know, share something. So I'm really, really, really excited. So here's my talk, and this is the LTE redirection. People will know about LTE: it is the fourth generation, but people think it's more secure than the second generation and the third generation. So today, let's learn how to break it. So this is the LTE redirection: if there is someone live who can hear, get the targeted LTE cell phone into a specific unsafe network. But don't worry, we didn't burn the device, so your phone is still unsafe. So the fourth generation network is a more advanced mobile network than the second generation and the third generation, but absolutely, it's not absolutely secure. So there are already some papers showing how to expose the vulnerabilities of LTE networks, and one of them is the presentation last year; if you guys had listened to it, it's on Black Hat Europe. Yeah. So this presentation, from the first introduction, introduces the LTE IMSI catcher and LTE cell phone tracking and the attack on your LTE cell phone.
So then my colleague will show you how to break your LTE cell phone's network in detail. Please.

Hello, glad to see you. My name is Wanqiao. And to start with, let's have a look at the network. The first one is the IMSI catcher. How does this work? From this picture we can see the left tower is a real LTE network base station, which is controlled by operators, while the right one is a fake LTE base station which covers a small space. Okay, when the cell phone comes into the area of the fake LTE network, it will immediately be asked to report its IMSI number by the fake base station. Okay. Well, you know the IMSI number stands for the user identifier, which can be used to check user locations and movements. This kind of device is mostly used by national security departments to check criminal suspects, and I also hear that there are some illegal casinos using it for raising an alert when some strangers approach. Well, the other attack is called the denial of service attack. After the fake base station gets the IMSI number of its covered cell phone, it can do further attacks on the cell phone. It can send a reject message such as "you are an illegal cell phone" or "there is no available network". Well, when the cell phone gets this kind of message, it usually turns into the no-service state for a very long time. What's more, some cell phones can only recover by rebooting, but different kinds of cell phones react in different manners. According to the experiments we have taken, the old iPhones and the majority of Android system cell phones are influenced by these vulnerable elements. Okay, now let's take a look at the new attack we have been working on. As the picture shows, there are two fake networks. One is the LTE base station, while the other is the GSM fake base station. When the cell phone approaches them, it firstly attaches to the malicious LTE base station.

Then the malicious LTE base station will tell the phone: go to my GSM network. Okay, the cell phone has to follow its command and enters the malicious GSM network. Well, when the cell phone enters the malicious GSM network, the attackers could do further attacks, such as eavesdropping on conversations, intercepting SMS, or analyzing data traffic. Here is the demonstration platform we developed to verify the redirection attack. There are two computers with USRPs. One is a mini desktop computer with a USRP B210, and it runs the OpenLTE program and creates a fake LTE network. Well, the left one is an Apple Mac laptop with a USRP B200 mini running the OpenBTS program. Okay, let's show the video. We've done the video so we can put it in our PowerPoint. So let me play it for you. Alright. It's just one minute. Okay. You know, the cell phone goes from the real 4G network to the fake 4G network and then down to the GSM network, and it is a fast process. So it's very difficult to show this variation. Pay attention to this short video; it lasts only one minute. Okay, now let's check the computer with the 2G fake network. Okay, we can see the IMSI number from the fake network. Now. Yeah. Okay. Wow. Okay. In this video I'm going to show you how to use the IMSI number from the real 4G network. In this video we utilize OpenBTS to build a fake network, which means the cell phone can't connect to the internet. In other words, it loses connection to the real world. But the fake network still can do some malicious attacks, such as making a call or sending SMS with any calling number. Okay, besides, there is a more advanced attack. This attack utilizes the femtocell. Yeah, a rogue network. As the picture shows, this is the femtocell, and it was already hacked by our team. Last year my partner Haoqi gave a presentation about how to hack this femtocell.
And you know the femtocell can connect to the operator's real network, but it can also be controlled by attackers. Then the attacker can eavesdrop on all the traffic, including the real network. So this is a very unique way to hack. Now let's go further into the protocol to see how this attack is realized. Here is the LTE basic procedure. When the cell phone is powered on, it firstly searches the cells around it and chooses the cell with a strong signal to attach. In this case, the cell phone is powered on, and the phone will initiate an RRC connection. Over the connection, the cell phone will send the attach request message to start authentication. Okay, when the authentication procedure finishes, the RRC connection will enter a status with integrity and ciphering protection. In other words, the base station and the cell phone will establish a secure network service. But before this step, all the messages are not encrypted. So all this unencrypted part is the attack space. Yeah, the blue signalings. Let's see how to realize the IMSI catcher from the signaling process. Now we presume our phone is staying in the operator's network. Then we set up a fake network around it. Then it finds a better cell, the fake cell, and tries to connect to it. To avoid easily exposing the cell phone itself, it will not directly send the IMSI number, but sends a tracking area update request with the TMSI number. The TMSI number stands for the temporary mobile subscriber identity, which is decided by the base station. If this is a normal cell, the selection procedure in a normal network, then the base station should know the TMSI number and then complete the tracking area update. But obviously, the fake LTE base station doesn't know the cell phone's identity.

So it sends back a tracking area update reject message. At the same time, this message will carry the reason why the network refuses the cell phone's request. There are many kinds of causes for refusal, and each cause has a number. If we send the cause number nine to the cell phone, which is described in the specification as "UE identity cannot be derived by the network", then the cell phone will initiate the attach procedure by sending an attach request. This message contains the information the attacker wants. Yes, the IMSI number. We already know that there are many causes for refusal. Well, when we get the IMSI number, we can do further attacks through the next message. In this case, we can send attach reject with some special causes. Here are several causes for a typical DoS attack: number three, number seven, number eight, and number fourteen. Cause number three means illegal UE. Cause number seven means EPS services are not allowed. We'll come back to this. Cause number eight means EPS services and non-EPS services are not allowed. Cause number fourteen means EPS services are not allowed in this PLMN. All of these causes may lead the cell phone to shut down its modem and keep it off for a very long time. Okay, the third attack, RRC redirection. It follows the attach reject message. From this picture we can see the red words, yeah. The malicious network sends an RRC connection release message additionally. Well, the release message could carry extension information called redirected carrier info. The redirected carrier can be any type of network: 4G, 3G, or 2G. So we could redirect a target cell phone into a 2G or 3G network and redirect other cell phones into the neighboring 4G network. Well, someone may argue that you just downgrade the cell phone into an unsafe network, to 3G or 2G. But the point is, we could use a jamming tool as well, and it's much easier than coding.
Yes, a jamming tool can also make the 4G network unworkable and downgrade the cell phone into 3G or 2G. But the point is, in this manner it will influence all cell phones. That's why we claim that the redirection attack could accurately attack the target cell phone and not influence any other cell phone. They can still keep in the 4G network and don't need to worry about revealing information. Okay, after knowing about the principle of this attack, let's talk about the method to build a set of demo systems to verify this attack. Well, here is the test platform. We use the common tool: USRP plus a computer. The model of the USRP is B210, yeah. The computer is a Gigabyte, and it's small enough to hide itself. There are several open source LTE projects. Well, I think these two projects are the most popular. The first one is OpenAirInterface, developed by Eurecom. This is the most complicated open source LTE project, and it has been developed for many years. What's more, it provides a connection between the real cell phone and the internet. But the OAI system refers to a very complicated software architecture, so it's a little difficult to modify its source code. Well, the second project is named OpenLTE, written by only one person, Ben. He was a Motorola engineer and joined a Google project line last year. Ben gives this project a very beautiful coding style, so it's quite easy to understand the whole architecture and to extend its functions. Ben gave me a lot of knowledge in this, in my experience. That's why it is more popular in security research. However, the shortcoming of this project is that it hasn't achieved a stable LTE data connection. But for our experiments, the function is enough, yeah, to build a fake LTE network.

I wrote a few slides to give tips on the OpenLTE source code. If you want to build a fake LTE network, just look at these signalings. Let's see the signalings again. In the IMSI catcher, we need to send a tracking area update reject message with a special cause. Yeah. In the current OpenLTE software, the TAU request isn't handled. You can see the line "not handling tracking area update request". Luckily, we found the TAU reject message, the tracking area update reject message packing function, is ready. So in this part we can see this part: MME pack tracking area update reject message. So what we need to do is just add some code to handle the TAU request with this function. Okay, just like the principle. Okay, when receiving the TAU request from the cell phone, we should first of all check the TAU request and start a new procedure. So that's how we handle the TAU request. Then what we also need to do is just write a function to send a TAU reject message. Yeah. When writing this TAU reject function, you can refer to the attach reject function. It was already there. Then how about the DoS attack? We can directly use this function: send attach reject. As you see in the highlighted line, you can set your reject causes here. Yeah. In the next message, we can do further attacks, sending attach reject with some special causes. Okay. And the third case is the RRC redirection. This is a little complicated. You have to read the specification to know the message format and insert the redirected carrier info into the RRC connection release message. From the red circle, we can see we write a one into this function. Yeah, it is because this part is the 3GPP protocol about the RRC connection release message. We can see the top layer of this message. Yeah, the red line: the redirected carrier info choice is optional. So in this case, we just need to have the red line.
We can see that this is the red line. So, to open this choice and set one in this bit, then we can modify the last code in this manner. Okay. That's all the method we need to modify. Now it's... let me introduce... okay, sorry. This picture is a cell phone screenshot, and this cell phone has logging capability, and I used it to check whether it really received my redirection info. So yes, it did receive it. The carrier info is GERAN; yeah, it means the GSM network. And its ARFCN frequency number is fourteen two. Then the cell phone will firstly search this frequency. Yeah. So these are almost all the source code you need to modify. If you want to build an attack tool, it's quite simple, right? Now it's Haoqi's time. Let me introduce why we do this.

All right. Thanks to my colleague's great work; actually, she did most of the job. Yeah, pretty awesome. Thank you. So actually, our team is not a team that has very strong attack abilities. We always say, you know, they've got the imagination of doing some better things; we just find the vulnerabilities, but we don't know how to use them. We prefer to be defenders. So we tell ourselves that, you know, from this presentation of my team, we are good at finding them, and we will emphasize not only the risk of the vulnerabilities of, as I said, the LTE network, you know, from the attacker's side, but also think about the background, the reasons why these vulnerabilities exist. So our question is: why is the RRC redirection message not encrypted? I suppose some of you will think of the same question. The first question is: is this really a new problem? We consulted with several, you know, Huawei security (it's a really large company in China) and 3GPP standard experts. So surprisingly, she found... the finding is that the problem is not new.
And 3GPP knew about this risk about 10 years ago. Really, 10 years ago. So here is the document, in general, from 2006. Yeah, 2006. It introduced a forced handover attack. So let's see this paragraph. I don't know... yeah, you can see it clearly. So this compromised base station can initiate a reconfiguration procedure to the UE, directing it to a cell or network chosen by the attacker. So this could function as a denial of service, you know, if the target network cannot or will not offer service to the UE, or to allow a chosen network to capture UEs. So this document writes about the problem I just mentioned before. And then, so this document, it's another one about 10 months later, so in November 2006, the 3GPP made a decision. So let us read the two key points in this decision. Point one is, you know, the RRC integrity and ciphering will be started only once. Just once. During the attach procedure, for example, after the AKA has been performed, the ciphering will be started. So it cannot be deactivated later. And point two is, the RRC integrity and ciphering algorithm can only be changed in the case, you know, after eNodeB handover. So you see here, 3GPP, they gave an exception on the RRC ciphering, and here is the question: why did they do this? So, you know, because in some special cases, an earthquake, or during a hot event, there will be too many cell phones trying to access just one base station. They make these base stations overloaded. So to let the network load be balanced, the base station can ask the newly coming cell phone to redirect to another base station.

If you don't tell the cell phone, you know, which base station is lightly loaded, the cell phone might blindly and ineffectively search one by one. This costs a lot of power, so finally it increases the whole network load. So 3GPP, they think the new base station should take a responsibility to, you know, all the cell phones. So they decided not to encrypt the RRC redirection procedure. So I explained the background reason for these three attacks here, and the IMSI catcher cannot be avoided, because we need global roaming, and you have to firstly show your IMSI and then do the auth. So the WiFi security system, you know, has a similar situation. We all know that the MAC address, people can use it to track you, yeah. So from iOS 8 and Windows 10, there is some, you know, MAC randomization, and this method will be used. But actually, you know, to facilitate network management, a random MAC address is only enabled in a strict condition, yeah, a strict condition. So if a terminal uses a WiFi hotspot such as Hotspot 2.0 (yeah, the WiFi Hotspot 2.0 is a specific specification for WiFi roaming), in that case this MAC randomization will also be disabled. That's a little bit... So the global roaming and identity privacy are in conflict, and it needs a trade-off. The DoS attack and, you know, the battery energy saving is another trade-off. Suppose this network is really, really unusable; if this cell phone keeps searching the network, it will consume too much energy and quickly run out. So this is also a bad thing.
As you can see, these network protocol designers have to make many, many trade-offs between the basic connection requirement and the high-level requirement, privacy. Privacy is what we care about. So I gave the excuse for these vulnerabilities, I believe people should... So that does not mean I refuse to fix this problem. So let's find out how to fix this. In this slide, let's discuss these countermeasures. So firstly, at the cell phone manufacturer side, since, you know, the standard and the modem side chipsets haven't fixed this problem, what can they do? For example, how to fix this problem? Such as, yeah, don't follow the redirection command, but rather search the other available base stations. Or you can say the cell phone can follow the redirection command, but you should give your users some alert, such as a warning: you are downgraded to a lower security network. But I think it's really hard work. So we know the root of this problem is the unsafe GSM network. So why don't we try to solve this problem? And the GSM network is still needed by the operators. You know, there are a lot of devices that need to just support the GSM network. So if you want to change it, it needs a long time. So from the standard side, they are making an effort to fix, you know, the weak points of the GSM network. So here is very fresh news. Just a couple of months ago, 3GPP received a proposal from the GSMA. So the basic idea is to upgrade the mobile device's security capability, since, you know, the older network, the GSM network equipment, we cannot, or you can say it is difficult to, upgrade it. So GSMA, they propose two measures. One is the mobile device, you know, refuses one-way auth if the network it visits is 3G capable. And the second method is, you know, disable some weak encryption such as the A5/1.

Yeah, the A5/1 algorithm in mobile. So I'm sorry, where is my mouse? Yeah, here it is. So these two proposals haven't finally, you know, ... the GSM network. The GSM network is standardized by 3GPP, because if you want it to be a standard, it's really hard, and not quite easy. But we see a good beginning: someone is trying to fix this situation. And okay. Yeah. Actually, we showed you how to break and showed you how to fix this problem. And we did it both ways, but it's a very good idea. I think some cell phone manufacturers can learn something from this presentation, and I hope so. So here is our presentation today. And we thank so many companies that gave us a lot of help, such as Huawei and Qualcomm and Apple. Yeah, Apple. So if you have any questions about how to, you know, build your own LTE network, or some malicious, or you can say unsafe, network, please feel free to contact us. And you're welcome to take a picture. Thank you.
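An added example, not part of the talk and not code from OpenLTE or OpenBTS: a phone-side detector in the spirit of the countermeasure the speakers propose. It replays a constructed baseband-style log and flags the three unauthenticated messages the talk walks through (a TAU reject with cause #9 answered by an IMSI, an attach reject with a DoS cause, and an RRC connection release redirecting to GERAN/UTRAN) only when they arrive before a security mode command activated integrity and ciphering. The log format, cell names and ARFCN values are invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# EMM cause values from 3GPP TS 24.301 that the talk discusses.
CAUSE_ID_NOT_DERIVABLE = 9          # "UE identity cannot be derived by the network"
DOS_CAUSES = {3: "Illegal UE", 7: "EPS services not allowed",
              8: "EPS services and non-EPS services not allowed",
              14: "EPS services not allowed in this PLMN"}
LEGACY_RATS = {"GERAN", "UTRAN"}    # 2G / 3G targets in redirectedCarrierInfo

# Constructed log (not a real capture): one NAS/RRC event per line as key=value pairs.
# The first cell behaves like the talk's fake eNodeB; the second is a legitimate cell
# that redirects only after security was activated (e.g. for a voice call fallback).
SAMPLE_LOG = """\
cell=fake-lte msg=TrackingAreaUpdateRequest
cell=fake-lte msg=TrackingAreaUpdateReject cause=9
cell=fake-lte msg=AttachRequest id=IMSI
cell=fake-lte msg=AttachReject cause=7
cell=fake-lte msg=RRCConnectionRelease rat=GERAN arfcn=142
cell=real-lte msg=AttachRequest id=GUTI
cell=real-lte msg=SecurityModeCommand
cell=real-lte msg=RRCConnectionRelease rat=GERAN arfcn=20
"""

@dataclass
class CellState:
    secured: bool = False        # SecurityModeCommand seen: integrity + ciphering active
    cause9_seen: bool = False    # unauthenticated TAU reject asking for a fresh attach

def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn 'k=v k=v' lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if "cell" in fields and "msg" in fields:
            events.append(fields)
    return events

def analyze(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert per suspicious message accepted before RRC security activation."""
    alerts: List[str] = []
    states: Dict[str, CellState] = {}
    for ev in events:
        cell, msg = ev["cell"], ev["msg"]
        st = states.setdefault(cell, CellState())
        cause = int(ev["cause"]) if ev.get("cause", "").isdigit() else None
        if msg == "SecurityModeCommand":
            st.secured = True                 # everything after this is protected
        elif st.secured:
            continue                          # protected traffic: not this detector's job
        elif msg == "TrackingAreaUpdateReject" and cause == CAUSE_ID_NOT_DERIVABLE:
            st.cause9_seen = True
        elif msg == "AttachRequest" and ev.get("id") == "IMSI" and st.cause9_seen:
            alerts.append(f"{cell}: IMSI disclosed after unauthenticated TAU reject #9")
        elif msg == "AttachReject" and cause in DOS_CAUSES:
            alerts.append(f"{cell}: unauthenticated reject #{cause} ({DOS_CAUSES[cause]})")
        elif msg == "RRCConnectionRelease" and ev.get("rat") in LEGACY_RATS:
            alerts.append(f"{cell}: unauthenticated redirection to {ev['rat']} "
                          f"ARFCN {ev.get('arfcn', '?')}: warn user, do not follow")
    return alerts

if __name__ == "__main__":
    for alert in analyze(parse_log(SAMPLE_LOG)):
        print(alert)
```

The real cell's redirection to GERAN produces no alert because it came after the security mode command, which is exactly the distinction the 3GPP decision quoted above leaves the phone to make.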