00:00:00.000-->00:00:05.005 >>Let's give these guys a big round of applause. [applause]
>>Hi guys, so um this is Hendrik, I'm Brian. Um we've been doing quite a bit of research in the field of LTE, 4G. We actually started with the Troopers talk at the beginning of 2014, LTE vs. Darwin, where we were actually showing you know um the basic problems behind the specs and did a few theoretical attacks, and now basically we are back with the practical stuff. Um we brought our little toy, our eNodeB, in the front here. Um we wanted to put it up and have it running here during the day, but sadly our power supply needs at least 160 volts, it won't work on 115, so sadly that won't be happening, but we've got everything else in the slides so [inhales] um we come from Germany, we work for ERNW, we are um we are security researchers and analysts. We do quite a lot of penetration tests, just a small company so we've got quite a lot of time for research, do quite a lot of interesting projects, and ya basically you know um [coughing] all of us we're using 4G, it's an interesting topic so we just decided to have a closer look at it. Umm 4G brings quite a lot of new standards, brings in new technologies, and as always you know it's new stuff so it might be flawed, and as I said before on LTE vs. Darwin, ya know we um [coughing] found interesting stuff like the great null ciphering algorithm, even though encryption has to be enabled, and ya basically we'll have a look what exactly our eNodeB will be doing.
00:01:52.946-->00:01:57.284 So what we're talking about is actually a macro eNodeB, so it's not these tiny whimsy um home eNodeBs that you put on your desk or in your home or in your office. We're actually talking about the real base stations that are outside in the field and in the streets. Um this picture actually comes from Don Flamingo, it's basically a portable base station by AT&T as you can see. Um the physical protection is on the picture, but the fence is actually broken if you go something like 2 meters to the left, and you can go in and then you've got your classical 19 inch racks [coughing] with locks on the side. And if you go back up to the village, get a few lockpicks, basically you know how things go. Um what actually makes life really easy for us, so this is um the basic 4G network, um you've got at the top there S1-MME which is the management plane and the S1-U at the bottom which is the user plane. Um nicely enough the [coughing] serving gateway at the bottom actually eh basically is a simple IP router, and our communication that comes in from the eNodeB into the backend network is normal standard IP traffic, so we don't have any magical signaling protocols anymore as we had in 2G. [coughing] We can go in, we can use all our classical network attack suites and tools and have a closer look at the whole thing.
00:03:14.027-->00:03:20.267 So um a little part from our former talk, you know you've got physical protection, um nice sentences in the specs saying like um you only need to use IPsec if the site isn't physically protected. That up there is physical protection number 1, this is physical protection number 2. [audience laughing] Um this is actually in the home town where I come from, I have to admit these aren't 4G base stations. The one on the right is an NSN 2G base station by I think the German operator E-Plus, and the one on the left is um by O2, so ya that's what we see, what physical protection is. Um so our basic approach, ya know um go in, get a base station, when you get it you try to go for eBay. If you're lucky you'll find one, um price wise let's say something like um 100 dollars for the main unit. So that's cheap, it's cheaper than some Cisco switch. Um ya get the um get the whole thing up and running and actually look what's on there, and the classical stuff, you know you buy something on eBay and just hope for configuration data and some real duh um real life traffic. So the whole setup consists of the uh the baseband unit which is um usually in the rack on the ground, um it includes stuff like the power distribution unit and things like that, a stack of sensors. Then you've got the remote radio head which usually are the big white boxes that you've got on the cell mast underneath the tow- underneath the antennas.
00:04:56.029-->00:05:01.968 They basically just convert um analog data which comes in via fiber into the actual digital data which then goes all via RF. Then you've got the antenna set, and all these parts simply are interconnected. Um the power supply that you'll need is something like minus 48 volts. When we started with it we actually thought about something like plus minus 48 volts, or something like a difference of 96 volts, luckily you just use a 48 volt power supply and just turn around the contacts, then you've got minus 48 volts and everything will be running. Um the RRU you only need if you actually want to do real RF, so it's bonus. We don't have it with us today, it's um about 25 to 30 kilos [coughing] and ya it didn't quite fit into our luggage. [inaudible talking] So um the most important part of course is the BBU, it's the baseband unit. It's the thing that actually does um the logical work, so in the end if you can see it, it's in the bottom of the rack. We'll have a few pictures on the um slides later on, and you've basically got blades in there, so you put in an LTE blade, it's an LTE base station, you put in a 2G blade and it's a 2G base station. So um quite flexible, some of them actually have a backplane which means that you will need the whole metal case to be able to run the device. Um with our Ericsson base station you just need a few wires in the front, so you can actually just buy the digital unit itself and you can start working with it. Is it here? No, okay.
00:06:36.496-->00:06:42.102 Um then of course a set of variants of the eNodeBs, we're looking at the macro site, the real stuff outside, not the small stuff. Um eventually the nice thing about the eNodeB is that it's actually um the termination point of most encryption. So the encryption between your mobile phone and the cellular network will end in the field at the eNodeB. On the other hand all encryption from the backend that goes out into the field, which should be IPsec encrypted, will yet again terminate in the eNodeB. So you know IPsec clients are difficult, if you own a box you own a client, so difficult, and who knows what could happen. [heavy breathing] So the quick intro to the lab, I said you hit eBay. [coughing] eBay sounds easy but you will need a few little terms. We've got them in the bottom here. So for Nokia um this stuff is called the Flexi BTS, for Huawei you'd be looking for a BBU, an LMPT or a UMPT, or both actually. Um for Ericsson you'd need the RBS which is the 19 inch rack case, and then the DUL which is the Digital Unit LTE, which is the logical part which will do the LTE. For Alcatel-Lucent I could tell you it's the NBS. Um base station, power supply, connect everything, um quite a lot of the stuff in telco networks has magical connectors, so you might actually have to sit down and create your own connectors or really need quite a while to actually get the correct cables. We luckily bought the overall box, so everything together in a set, so we were quite lucky with that. Um that's one of the first pictures.
00:08:22.736-->00:08:27.741 Actually up there it's a little Post-It that um one of our friends put on there, actually saying um "nano BTS", so kind of just for the scale, the antenna is about 2 meters 20 [coughing] so just the best thing to play with, and this is our final lab setup, so um we've got our Ericsson up here, we've got 2 more Huawei BTS that we're working with, and you know if you want to get started I think all the stuff in the rack should be about um 5 and a half thousand euros or dollars, so if you're lucky you can go cheaper, otherwise you'll have to spend a little bit of money. So the um Ericsson RBS6601 and the DUL, that's the part we'll be talking about today. Um if you look at it, you know it's quite easy, you've got classical um RJ45 sockets or just ethernet cables and you are up and running. Um you've got something like a GPS setup which is used, um you know LTE base stations are self configuring, so you can actually send a tech out into the field to actually put the base station up, connect um a GPS antenna and add um the [unclear] on the other side in the base station, where it gets all its configuration data from the core network, and it's working in a few minutes. So you've got GPS on there, um you've got LMT which is the local maintenance terminal, which is basically the port you use to own a base station if you're lucky. And then you've got the TNA and TNB ports which basically are the ports for the backend access.
00:09:54.494-->00:09:56.830 You've got the IDL which is, if you have multiple blades [coughing] for different cells in the device, you interconnect them, and then you've got the ports A, B, C, D, E and F which simply are um GBIC slots, actually just to connect the RRUs and for the RF. If you start with the whole thing, you do your sniff, um you'll be seeing down here um we've got 2 VLANs, VLAN 2 and 3, one for the user plane, the other one for the operations and um maintenance, and you can see the stuff will start talking up. So what do you do, you set up your box, um virtual interfaces for the VLANs, and you just [coughing] you know set up the IP addresses that it's looking for. I think it's actually looking for 10 IP addresses, something like that.
>>Ya, about.
>>And um you know the moment when those IP addresses are available you'll see SCTP traffic [coughing] which basically is um the BTS trying to connect to the backend network to set up the RF link. So from that moment on you can do whatever you want. You can start setting up your own emulated core network and really start attacking the base station. [shuffling]
00:11:13.106-->00:11:18.111 >>Good, so um let's start with our attacking part, so all we've done um is just to [inaudible word] base stations. So uh that is the one we bought on eBay, uh like Brian introduced, oh we um we bought online, and that is one which has been in production I think 1 year ago or something like that, so it's a real eh in production environment [low talking] 2 week, 2 years ago.
00:11:44.137-->00:11:49.142 Um so it was set up, I think we've seen it in the log files, 2012 something like that, um and whatever, it was just uh ya we moved from that, and um now we have an example to demonstrate um how attacks could uh look like in real life. Unfortunately the config was not erased. It's a 1 to 1 config like it has been in production. Um so how to do that, we have multiple layers we can uh do some attacks on. The first one um is the signaling traffic, so all that traffic which is uh necessary to set up connections from a phone and to forward the traffic and so on. That's the interface S1-MME, where the eNodeB stands in communication with that MME, which is a management server, and is always exchanging [inaudible] information. So that is the first one we can take a look on. Um then there was some local maintenance interface, that LMT port. There are also some remote maintenance interfaces or eh or um as operational stuff um like SSH traffic, whatever, so if the engineer doesn't want to go on site and plug into that eh yuh that connector. Um there are also remote possibilities. Um in this case the local maintenance interface was quite the same like the remote one, so um everything that we can do with the eh local interface we now can do with the remote interface. Um but there is quite more, um and then of course because we have direct access to the device uh we can do some physical attacks. So just uh we we remove the cover and take a look inside, for example.
00:13:30.777-->00:13:35.848 Um [coughing] and we have to do that anyhow because we got the whole box, we had no credentials, um so we try to uh eh our goal was to understand the whole box, how it is working, uh of course we want to have configuration access because we want to use it for our own purposes, and finally because um we are attacking it we want to get root, so we want to extract maybe some binaries later um to um take a look on. [coughing] Um again keep in mind it's a real base station, um like how it is out in the field, so it's not uh a theory or uh one configured by us. Good, um let's start with the transport interface, so let's see um the connection from the eNodeB to [coughing] the provider's network, [unclear]. Um that connection is called S1 and um as introduced by Brian that is split up um in the control plane called S1-MME and S1-U. Uh S1-U is just for the user traffic, so that [coughing] means your calls are um forwarded by uh that interface, so protecting um for us now not that relevant, but if you have access to calls you can just access the calls or SMS, whatever, or the internet data um which is transported uh over that interface. Um physically it's the same cable, so if you are in a man in the middle situation um you have access to both. Um the MME as introduced um is the control interface, uh this time um if we just assign the IP addresses to our laptop as we have connected to the machine um there are a lot of holes.
00:15:20.853-->00:15:27.760 [coughing] And for example eh I think there are 6 MMEs configured on uh that machine, um but only one of them has to be up, so it's just for availability reasons. Um if you now assign on our laptop uh that IP address standing here on VLAN 2, um we could see that um the device is establishing or tries to establish an SCTP connection, that is S1, uh there is a protocol behind called S1AP. [coughing] Um but anyhow that should not be possible, we should not be able to do that anyhow because the standards say that uh it is required to implement IPsec. Um so what we expected as we have been connected there uh is an IPsec connection. Um that is something we have seen on one of the Huawei devices for example, so that is not that easy to get in of course, but in this case um we can directly talk IP to it. Um why is there no IPsec, um there is one note in the standards um like here, and displayed in 3GPP TS 33.401. Um that note means if the interface is trusted, um for example because it's physically protected, then there is no need to use IPsec. [coughing] And obviously em our one was physically protected. And this is the same for the um control plane but also for the user plane, so there was no difference, the whole security is based on the IPsec here. Um there are also some interconnections between eNodeBs there, uh again it's the same.
00:17:08.060-->00:17:13.065 Um good, and the same again is for operation and maintenance traffic, so um it's a kind of Linux on the box, um so there was an SSH like we will see later, and that one should also be protected via IPsec, but here again it's not. Um let's take a look at S1, um so there was a defined protocol called S1AP, the S1AP is used [coughing] um to do all the necessary procedures to transport authentication information, to um establish bearers so that a connection from your mobile phone, uh to initiate handovers and so on and so on. That one um is implemented by uh SCTP, and you can see that uh eh for us uh SCTP [coughing] port 36412 is used. Um that is exactly that what we have seen in that first Wireshark sniff. Um just to give you one example what is possible um via that interface, um here is a list of all the standards uh implemented for S1 but also for X2. X2 is the interconnection of eNodeBs, so from our eNodeB we can theoretically also talk to other eNodeBs, um and we can talk to uh the management entity uh in the core network, um or just ya try to compromise our um eNodeB itself and affect the traffic anyhow.
00:18:33.813-->00:18:37.717 Um so we see [beep] here some functions like [beep] NAS signaling, [beep] that is [beep] the transport [beep] of [beep] authentication information for example, [beep] um we have some [beep] uh trace functions to just eh take a look where our mobile currently is, uh we also have a configuration transfer, that means the MME is pushing some configuration updates over that interface to the eNodeB, like changing um the e eh [unclear], the frequency, or uh um and so on, or just makes itself louder. Um that is everything implemented because um there was a so called feature called self organizing network or self optimizing networks, so um the central [inaudible] will talk with all eNodeBs in the country and [coughing] um will also make some load balancing and so on, so if there is a need or the uh black hole of um uh ya if you don't have a signal, um then the power is turned up at the eNodeB automatically. So those are the functions we can use um over that interface. Um because there is no IPsec there's only one message uh we had to simulate to access uh that interface. It's called the S1 setup request um or setup response, so the eNodeB is sending that request to the MME, we assigned that IP address and now we emulated um [coughing] that MME.
00:20:02.935-->00:20:08.707 We've written uh a script, uh which we also will publish after the talk, uh it's called uh fake MME, which is just uh establishing the connection and uh making ya the necessary configure uh um configuration to turn that one up, but it's not much necessary, so basically only that S1 setup request and maybe some uh configuration changes, so that configuration transfer. Um so what we have now is uh the eNodeB is up and uh we have uh the MME simulated, now we can start attacking. Um for that again we um made uh a second script, it's a middle tool where we can inject our own S1 messages, so all the messages shown in the picture we can inject. It's just SCTP, you just need to um be in the middle, that um while you just can use some Python script, um and then uh we emulated some of the S1 messages to check if it is really working. Um for those who are interested, we use um a fuzzing toolkit of ours called Dizzy, uh which we use for spoofing of the messages, um some of the scripts are published on our blog, um so we can do some scanning, we can do tracing of some UEs and so on. That is uh the main purpose of that interface. Good, um so that is the main connection for connectivity, um but still we want to be root in the device. We want to access the configuration itself, um so we need some err possibilities to push configuration, use the maintenance tools and so on. Um that is over the O&M network, um here in our setup it's a different VLAN. It's VLAN uh 3.
00:21:58.551-->00:22:04.857 Um there are again a couple of IP addresses used for that, uh we just picked out one of them. Um because that one was used for NTP for example, and so we um just simulated our own NTP server, that's also necessary because of course the eNodeB must have some timing information, otherwise it uh will not work correctly, um so that's quite easy. Um taking a further look at the interface, eh there we made an nmap scan, uh here you see the outcome, uh quite interesting of course, the FTP and telnet found um for a device from 2012 or something like that, I don't know if that is really necessary but okay, they have SSH um anyhow but all interfaces work, so and then we see a port 80, so HTTP server, not HTTPS, but uh I dunno if you really need HTTPS on that connection, um in reality that should be IPsec again, right, and we have some higher range ports like that 8443 and 56834 which are used for the uh maintenance tools um we will show directly after here. Um so the maintenance tools are very interesting because those are used by the engineers if they are going on site, so on setup of the machine for example, or if there is a problem. So the eh for example if there is a fault state of the base station um an engineer will come on site, plug into a maintenance port and um do something, reconfiguring and getting log files, um accessing the monitoring with some magic [coughing] tools, that always depends on the vendor.
00:23:47.159-->00:23:53.432 Um in our case that is also possible remotely, so via the transport network, um but you can also plug into the LMT port which is just a different connector, and then you have all the access to that uh ya interfaces and tools. Ya um so that is why we are focused on um to get access uh to the environment, um if you go on the web server um so that port 80, you directly have a download option of that magic tool, so um that's really great that they provide it to us uh that way. Very nice. Um unfortunately it's only running on Windows, so uh not that easy for us, um but the biggest problem was that Java 1.5 was necessary, um so we first had to install XP again. [speaker laughing] [audience laughing] [applause] [whistling] Thank you. [speaker laughing] [applause] Ya that was almost the um biggest problem to us, to install Java 1.5 in XP, um eh okay uh if we have it running uh we could just connect, um that was quite interesting because uh we started the tool and then we had access to some information like uh the radio frequency information and so on, so that is how the tool's looking like.
00:25:13.779-->00:25:20.285 Um so you have different views for different configuration parts, like the whole rack here standing, in which fans um um are, so the uh fan controller is inside there, um some debugging information, some monitoring information, and you can also access log files like that one, and you see there are a lot of flaw umffmm uh ya errors are popping up of course, because em some other parts of that rack where that eNodeB was in uh are missing, um but okay you can just remove those parts in the real configuration and [coughing] then it's looking um so that's not a problem. More interesting is um em maybe you have missed like us, um though again in the standards there stands something that the uh setting up and configuring the eNodeB shall be authenticated, um unfortunately there was no password for that tool, so we just started that tool like here, you can uh you can set up an IP address, a name and maybe a comment, then you click on connect and you are in, so again quite too easy. See again the mm eh biggest problem was to just install the tool. Um okay so we had configuration access, but still um we had no operating system access.
00:26:35.761-->00:26:42.100 The configuration of that one which the um [high pitch noise] ya engineer is using, but furthermore over that interface there are some other services provided, FTP, telnet and SSH. Um that is where we also uh wanted to take a look on, but we have mm so we can also try some exploits on Java, so since 1.5 I see there was [coughing] quite a lot, um so that is also a good possibility to compromise a machine, in our case it's unfortunately not asking for a password so we can't do some password brute forcing here. Um and if you connect with that tool um it's establishing a connection to the higher port [mic boom] I showed you in the nmap [mic boom] so that 5 6 uh eh 56000 um eh stuff, that is establishing a connection via [unclear], so it's um Java, um I think Brian was saying something to that later. Um and over that interface it's transmitting um the whole configuration data of the eNodeB, and that is also not authenticated and eh secured anyhow, so there was no umm ya sequence, you can do replay attacks, whatever, you just need to know how the setup is working. It is just transmitting the uh configuration uh directly. So um next look, that was also not that hard, um there were 2 users configured on the system called rbs and cello user, and the password for both was rbs. Um [coughing] and again we could log in via telnet and via FTP and uh via SSH.
00:28:20.332-->00:28:26.204 Um okay there are some outdated SSH keys used, uh so our system was prohibiting the connection first and so we had to enable those algorithms um manually, um but okay, then we are in and had access to the whole device. Um if you take a look at the file system there was a lot of interesting information like the passwd, so it's a kind of Linux you see here, uh where we can expect passwords again if there are other users configured, but usually not supported. Um but more interesting is that security cfg uh and that folder called IPsec. That's a folder where the IPsec keys are stored, so if you have access you can just extract your uh IPsec keys here. So again really really nice [cough] um because it's also possible remotely, um gives the uh attacker a lot of possibilities, right. Good, um then we had access to everything, could take a look at the local configuration and also to the um local web server, and the local web server was vulnerable to a couple of exploits because it [laughs] again used a maybe outdated Java SDK, um there are also some other ones, which so other and ya Java applications running on which are using some other um outdated Java's [exhales] um so there's a couple of lots eh possibilities to compromise a machine. [inhales] Um and the web server is just used to um ya provide the Element Manager, which is the LMT tool, um to download, um and also some XML configuration is placed there.
You can also get access without any configuration, you just need to know the path, and you see, if you're starting the tool, you see it in Wireshark. While we discovered the web server we [chuckles] unfortunately found another vulnerability here, just a DoS, but it was not a DoS of the web server, it was a DoS of the whole eNodeB, because the web server is running with higher privileges in the operating system itself, so it crashed. While we scanned the machine, or the web server, with a crawler, the whole machine crashed; also interesting. Good, so far we've taken a look at the configuration and at the operating system, so we had access to obviously the whole machine; it was not wiped or erased by the provider, and obviously no IPsec is used on that machine, but okay, even if it's used, you find a way to connect and extract the IPsec keys. There are some kind of hard-coded or default credentials like RBS/RBS or Cello user/RBS, and there was a possibility to change it, but I think it's not really used; it was not that easy, and even the login via the Element Manager is working anyhow all the time. There was Telnet in use, also interesting, because you can just sniff the traffic and then you get the real credentials if somebody is logging in, and you have a lot of unencrypted maintenance interfaces.
So what's running on the eNodeB: it has a real-time OS running, so it's very, very plain, and it is stored on a compact flash, you see here. So if you just open the device you have a compact flash where the whole operating system and the file system is on. That's quite interesting. There were just some problems here because it's not easy; it has an own file system which is based on Gzip, so you just have to recognize it first. But the architecture is PowerPC, so we expect to see some PowerPC binaries, and the architecture is also assisted by some FPGAs and also one processor to do all the radio stuff and so on. The flash disk: the first task, we removed that from our eNodeB and plugged it into our laptop. First it was not that easy, because it's a flipped architecture, so all that little endian, big endian stuff. We can see here in that binary, if we made an analysis, that the alphabet here is just flipped, so we had to switch that first to access the direct information like the PowerPC binaries you see here. And then all the files here are Gzipped. It's a small system, so it's an embedded system, so they just want to keep some space, or save some space. But now we have access to the upper layer operating system, could attack binaries and start with reverse engineering.
And also, because we had access to that volume, we can again extract the IPsec keys. Good, another interesting one: if you're on the machine, just for debugging, you have some debugging interfaces enabled there and you have a RAM log, and the RAM log displays the whole booting process, so if you want to do some attacking there you can just halt the machine at the right places here. There are also some commands for that, and you see here on step 2 that it's mounting that Gzip volume and powering up, and that is our volume we extracted here, so we can just modify it. Just a small joke for us is that line, "no magic found"; that was quite funny to see that in the log file. Good, the rest is for Brian.
>>So you know, you go in and have a look at this configuration on there; you've got a mobile country code and a mobile network code, actually finding an operator. Luckily we found the numbers 311 and then 660, and it turns out it's an American operator, or an old one, MetroPCS, if any of you ever heard of it; they were actually kind of sold, or they fused with T-Mobile USA in 2012 or a little bit later. So we know exactly where this eNodeB comes from. Yet again, you know, if you actually had a client certificate that would be probably the most awesome combination.
Then we found a few little interesting things, the classical passwd command for changing a password. We've got Cello user and we've got RBS, and we actually just wanted to change a password, just to play around with it, and it turned out that if you change the password for RBS, also the password for Cello user will be changed, and the other way around. So for some reason they actually combine the passwords for both user accounts somehow magically, even for passwd, so it looked a little bit strange. Then, as Hendrik already said, we've got quite old SSH, so we actually had to go in for our old Diffie-Hellman group 1, SHA-1; modern SSH simply won't do this anymore, so we had to re-enable it. Then when you're on the box, interesting, you had something that was called cell and UE traces. Sadly we only had cell traces, so basically you can see status and log information of the cell that actually was on the eNodeB and a few neighboring cells. From the documentation, the info that we found, if we would have had a UE trace, this UE trace actually logs everything that a mobile device in the LTE cell does over a certain amount of time. So if you have access to an eNodeB in the field you just kick in the UE trace command and you basically log all unencrypted information that goes through that mobile device, so rather nice for playing around with.
Then yes, when you do stuff you always find really, really, really strange things. So all communication that you've seen so far went into private IP address space, which is the way that you do it in your own network. Now we found a GIOP remote session that was actually trying to find a server at a public IP address; we were able to have it connecting to us, so you've got basic GIOP communication which you could attack, but if anybody knows the nature of GIOP, you need quite a lot of information to actually be able to push objects over the line until something happens. So as it was the only public IP address we had a closer look at it, and I've got to say, the next slide is vague. We can't guarantee for any correctness on the next slide, but what you do, you've got an IP address, you look it up, and you remember MetroPCS: the IP address that we found actually belongs to an Iranian cellular operator. So we can't guarantee that basically the American telco simply misused a public IP address, but you've got to admit it simply looks very, very strange, and time-wise, if you go down, the address space was actually registered in 2012 and we know from the log files that the eNodeB was up and running in the field up to 2013. So for what reason is this American eNodeB actually talking to the network of an Iranian operator?
It's strange and doesn't make any sense. [audience chatter] So I said the information is vague; we've just got the data that we've got off the eNodeB, we've got no idea if maybe the IP address space was shared or something like that, or if that is a misused public IP address, but stuff like that actually just is scary, and we have to say the port that it connected to on the Iranian IP address nowadays is down. So whatever was running there isn't there anymore, so a little bit of scary shit in telco networks.
>>So okay, that was our first start with our research we wanted to present to you. We could see that there's no magic behind it, as the log file already says; it's just an easy system with some special characters, I would say. It's also very strange that most of the devices have no... that the config is still not erased. We also bought a second blade for that RBS, just while we are here; that one is from T-Mobile and it looks exactly the same. So that is quite interesting, to do a lot of stuff where we now also have access to the binaries, which is some future work for us; we are taking a look at that. But basically the attack vector for such devices is based on that signaling, so you can just access that management or control traffic there and do some traces of UEs, to establish a connection on your own or also handover.
There was no security in reality, and sometimes there was no security, so that IPsec stuff, or even if, you are able to extract it somehow. For example, like that OAM, and what we've seen there is not really good, so that's an architectural problem, I think, or a hardening problem, so that is a development hopefully the vendors are working on. But that is a quite new device, quite new, 2012, so it's an LTE device which is out in the field, so we expect that there are a lot of base stations out there which are exactly configured like that. And if signaling and OAM is not working, even then, with having physical access to the device, you can just get that flash disk, that compact flash, and put it into a laptop, extract all necessary information like the password file, like the IPsec information, and then you're in again, so there is a lot to do. Good, so that's it so far; that is what we wanted to present to you this time. Thank you. If there are any questions, let me know. [applause]