Let's give these guys a big round of applause. Hi guys, so um this is Hendrik, I'm Brian.
Um we've been doing quite a bit of research in the field of LTE 4G. We actually started with a
row of talks uh beginning of 2014, LTE versus Darwin, actually showing you know um the basic
problems that are in the specs and did a few theoretical attacks and now basically we are back
with the practical stuff. Um we brought our little toy, our eNodeB in the front here. Um we
wanted to put it up and have it running here during the day but sadly our power supply needs
at least 160 volts, it won't work on 115 so sadly that won't be happening but we've got
everything else in the slide so. Um we do come from Germany, we work for ERNW, we are um yeah
security researchers and analysts. We do quite a lot of penetration, we do a lot of
penetration tests, it's just a small company so we've got quite a lot of time for research, do
quite a lot of interesting projects and yeah basically you know um all of us were using 4G, it's
an interesting topic so we just decided to have a closer look at it. Um 4G brings quite a lot of
new standards, brings in new technologies and as always you know it's new stuff so it might be
flawed. And as I said before in the LTE versus Darwin you know we uh we uh we have a lot of
um found interesting stuff like the the great phrase null ciphering algorithm, even though
encryption has to be enabled and yeah basically we'll have a look what exactly our eNodeB will be
doing. So what we're talking about is actually a macro eNodeB. So it's not these tiny wincy um
home eNodeBs that you put on your desk in your home or in your office, we're actually talking
about the real base stations that are running on your home or in your office. We're actually talking
about the real base stations that are outside in the field and in the streets. Um this picture
actually comes from Down Flamingo, it's basically a portable base station by AT&T as you
can see. Um the physical protection it's not on the picture but the fence is actually broken if
you go something like two meters to the left and you can go in and then you've got your
classical 19 inch racks with locks on the side. And if you go back up to the village get a few
lock picks, basically you know how things go. Um what actually makes it interesting is that um
it makes life really easy for y- for us so this is um a basic 4G network. Um you've got the at
the top the S1 MME which is the the management plane and the U at the bottom which is the user
plane. Um nicely enough the serving gateway at the bottom actually is basically is a simple IP
router. And all communication that comes in from the eNodeB into the backend network is normal
standard IP traffic. So we don't have to do anything else. So we can just go in and we can do
anything else. So we don't have any magical signaling plot- protocols anymore as we had in 2G.
We can go in, we can use all our classical network attacksuits and tools and have a close look at
the whole thing. So um a little apart from our former talk you know you've got physical
protection. Um nice sentences in specs saying like um you only need to use IPsec if the site
isn't physically protected. That up there is physical protection number one. This is a
physical protection number two. Um this is actually in the hometown where I come from. I have to
admit these aren't 4G base stations. The one on the right is an NSN 2G base station by I think
the German operator E plus. And the one on the left is um by O2. So yeah that's what we see
what's physical what physical protection is. Um so a basic approach you know um go in get a base
station. Where you get it you try to go for eBay. If you're lucky you'll find one. Um price wise
let's say something like um a hundred dollar for the main unit. So that's cheap. It's cheaper
than some Cisco switch. Um yeah get the um get the whole thing up and running and actually look
what's on there. And the classical stuff you know you buy something on eBay and just hope for
configuration data and some real um real life traffic. So um so um the first step is to get a
base station. The whole setup consists of the um the baseband unit. Which is um usually in the
rack on the ground. Um it includes stuff like the power distribution unit and things like that.
The stack of sensors. Then you've got the remote radio head which usually are the the big white
boxes that you've got on the cell mass underneath the tow underneath the antennas. They
basically just convert um analog data which comes in via fiber into the actual digital data which
then goes out via RF. Then you've got the antenna set and all these parts simply are
interconnected. Um the power supply that you'll need is something like minus 48 volts. When we
started with it we actually thought about something like plus minus 48 volts. So something
like a different of nine difference of 96 volts. Luckily you just use uh 48 volt um power supply
and just turn around the contacts. Then you've got minus 48 volts and everything will be running.
um the RRU you only need if you actually want to do real RF so it's a bonus we don't have it with
us today it's um about 25 to 30 kilos and yeah it didn't quite fit into our luggage. So um the
most important part of course is the BVU it's the baseband unit it's the thing that actually
does um the logical work so in the end if you can see it it's on the in the bottom of the rack
we'll have a few pictures on the um slides later on and you've basically got blades in there so
you put in a LTE blade it's an LTE base station you put in a 2G blade and it's a 2G base station
so um quite flexible some of them have actually have a backplane which means that you will need
the whole metal case to be able to run the
device. Um with our Ericsson base station you just need a few wires in the front so you can
actually just buy the digital unit itself and you can start working with it. Is it here? No.
Okay. Um then of course as had variants of the E0Bs we are looking at the macro cells the real
stuff outside not just as the small stuff. Um eventually the nice thing about the E0Bs is that
it's actually um the termination point of most encryption. So the encryption between
your mobile phone and the cellular network will end in the field at the E0B. On the other hand all
encryption from the back end that goes out into the field which should be IPsec encrypted will yet
again terminate in the E0B. So now IPsec client certificates if you own a box you own a client
certificate and who knows what can happen. So the quick intro to the lab as said you hit eBay.
eBay sounds easy but you will need a few little terms. So the first thing you have to do is to go to the
E0Bs. We've got them in the bottom here. So for Nokia um the stuff is called a flexi BTS. For
Huawei you'll be looking for a BBU, an LMPT or a UMPT or both actually. Um for Ericsson you need
the RBS which is the 19 inch rack case and then the DUL which is the digital unit LTE which is the
logical part which will do the LTE. Or for Alcatel Lucent it's the MBS. Um basically it's
a power supply connected set. And this is the�the driver. So this is the cable that's
connected to the electric AC. Uh the cable inside a box. It's the WSDI. This is the.
cable. Um this is the power. Um the power station, power supply, connect everything. Um quite
a lot of the stuff in Telcon networks has magical connectors. So you might actually have to sit
down um create your own connectors or really need quite a while to actually get the correct
cables. We luckily bought the overall box. So everything together in a set. So we were quite
lucky with that. Um that's one of the first pictures. Actually up there it's a little post it
that it's IPsec protected. So what I wanted to do I wanted to show you the watch Army
that um one of our friends put on there actually saying um nano BTS. So kind of just for the
scale the antenna is about 2 meters 20. So just the best thing to play with. And this is our
final lab set up. So um we've got our Ericsson up here, we've got Tuma Huawei BTS that we're
working with. And you know if you want to get started I think all this stuff in the rack
should be about um 5 and a half thousand euros or dollars. So if you're lucky you can go
cheaper otherwise you'll have to spend a little bit of money. So the um Ericsson RBS 6601 and
the DOL. That's the part that we'll be talking about today. Um if you look at it you know it's
quite easy. You've got click classical um RJ45 sockets so you just need Ethernet cables and you
are up and running. Um you've got something like a G-Wave. Um you've got a power cable. Um
you've got a GPS set up which is used um you know LTE base stations are self-configuring. So
you can actually send a dog out into the field to actually put the base station up. Connect um
um a GPS antenna and adds um DHCP on the other side and the base station will get all its
configuration data from the core network and it's working in a few minutes. So you've got GPS on
there. Um you've got the LMT which is the local maintenance terminal. Um you've got the
RLU which basically is the port that you use to own a base station if you're lucky. And then
you've got the TNA and TNB ports which basically are the ports for the backend access. You've got
the IDL which is if you have multiple blades for different cells in the device you interconnect
them. And then you've got the ports the ABCDE and F which simply are um G-BIG slots actually just
to connect the RLUs and for the RF. If you start with the RLU you can actually use the RLU to
connect to the RLU. So when you start with the whole thing you do a sniff. Um you'll be seeing
down here um we've got two VLANs. VLAN two and three. One for the user plan the other one for
the operations and um maintenance. And you can see the stuff will start talking up. So what
you do you set up your box um virtual machine at the VLANs. And you just you know set up the IP
addresses that it's looking for. I think it's actually looking for ten
IP addresses. Something like that. And um you know the moment when those IP addresses are
available you'll see SCTP traffic. Which basically is um the BTS trying to connect to the backend
network to set up the RF link. So from that moment on you can do whatever you want. You can
start setting up your own emulated core network and really start attacking the base station.
Good. So um let's start with the attacking part. So all we've done um is just to that base
station. So that is one we bought on eBay uh like Brian introduced. Or we uh we bought online.
And that is one which have been in production I think one year ago something like that. So
it's a real in in production environment. Two two years ago. Um so it was set up I think at the
we have seen it in the log files 2012 something like that um and whatever it was just uh yeah we
moved from site and um now we have an example and to demonstrate um how attacks could yeah
look like in real life. Um fortunately the config was not erased so it's a one to one config like
it has been in production. Um so how to do that? We have multiple layers we can uh do some
attacks on. The first first one um is the signaling traffic so all that traffic which is uh
necessary to set up connection from a phone and to forward the traffic and so on. So there is
one interface that S1 MME uh where the eNodeB stands in communication with that MME which is a
management server and is always exchanging some control information. So that is the first one we
can take a look on. Um then there are some local maintenance interfaces that LMT provides
support. There are also some remote maintenance interfaces or or um other operational stuff um
like SSH traffic whatever. So if the engineer don't want to go on site and plug in into that uh
yeah that connector um there are also remote possibilities. Um in this case the local maintenance
interface was quite the same like the remote one. So um everything what we can do with the local
interface we now can do with the remote interface. Um but there was quite more. Um and then
of course because we have direct access to the device uh we can do some physical attacks. So just
we move the cover and take a look inside for example. Um and we had to do that anyhow because
we are we got the whole box. We have had no credentials um so we tried to uh. Our goal was to
to understand the whole box, how it is working.
Of course we want to have configuration access
because we want to use it for our own purposes.
And finally, because we are attacking it,
we want to get root, so we want to extract
maybe some binaries later to take a look on.
Again, keep in mind it's a real base station
and how it is like out in the field.
So it's not a theory, or one configured from us.
Good, let's start with the transport interface.
So that's the connection from the eNodeB
to the provider's network, to the core.
That connection is called S1.
And as introduced by Brian, that is split up
in the control plane called S1-MME and S1-U.
S1-U is just for the user traffic,
so that means your calls are
forwarded via that interface.
So for attacking, for us now, not that relevant,
but if you have access to, of course,
you can just access the calls or SMS, whatever,
or the internet data which is transported
over that interface.
Physically, it's the same cable,
so if you are a man-in-the-middle situation,
you have access to both.
The MME, as introduced, is the control interface.
This time, if we just assigned the IP addresses
to our laptop as we have connected to the machine,
there are a lot of hosts.
For example, I think there are six MMEs configured
on that machine, but only one of them has to be up,
so it's just for availability reasons.
If we now assigned on our laptop that IP address
standing here on VLAN 2, we could see that the IP address
is establishing, or tries to establish a CTP connection.
That is that S1.
There is a protocol behind called S1AP.
But anyhow, that should not be possible.
We should not be able to do that anyhow,
because the standards say that it is required
to implement IPSec.
So what we expected, as we have been connected there,
is an IPSec connection.
That is something we have seen on one of the Huawei devices,
for example, so that is not that easy to get in, of course,
but in this case, we can directly talk IP to it.
Why is there no IPSec?
There is one node in the standards,
like here, displayed on 3GPTS33401.
That node means if that interface is trusted
for example, because it is physically protected,
then there is no need to use IPSec.
And obviously, our one was physically protected.
That is the same for the control plane,
but also for the user plane.
So there is no difference.
The whole security is based on the IPSec here.
There are also some interconnections between eNodeBs.
Again, it is the same.
The same, again, is for operation and maintenance traffic,
so it is a kind of Linux on the box.
So there is an SSH, like we will see later,
and that one should also be protected by an IPSec.
But here, again, it is not.
Let's take a look to S1.
So there is a defined protocol called S1AP.
The S1AP is used
to do all the necessary procedures
to transport authentication information,
to establish a beaver,
so that connection from your mobile phone,
to initiate handovers, and so on and so on.
That one is implemented via SCTP,
and you can see that for S1AP,
SCTP port 36412 is used.
That is exactly what we have seen
in that first Wireshark sniff.
So,
just to give you one example
of what is possible via that interface,
here is a list out of the standards
implemented for S1,
but also for X2.
X2 is that interconnection of eNodeBs,
so from our eNodeB,
we can theoretically also talk to other eNodeBs.
And we can talk to that management entity
in the core network,
or just try to compromise our eNodeB itself
and affect the traffic anyhow.
So, we see here some functions like NAS signaling,
that is the transport of authentication information,
for example.
We have some trace functions
to just take a look where our mobile account currently is.
We also have a configuration transfer
that means the MME is pushing some configuration updates
over that interface to the eNodeB,
like changing the RSCN,
the frequency, and so on.
Or just make the cell louder.
That is everything implemented
because there is a so-called feature
called self-organizing networks,
or self-optimizing networks.
So, the central management entity
will talk with all eNodeBs in the country,
and will also make some load balances, and so on.
So, if there is a need,
or is there a black hole of...
If you don't have a signal,
then the power is turned up
by the eNodeB automatically.
Something like that.
And these function over that interface.
Because there is no IPsec,
there is only one message
we had to simulate
to access that interface.
It's called the S1 setup request,
or setup response.
So, the eNodeB is sending that request
to the MME.
We assigned that IP address,
and now we emulated that MME.
We've written a short tool.
We also will publish after the talk.
It's called fake MME,
which is just establishing the connection
and making the necessary configuration
to turn that one up.
But it's not much necessary.
So, basically, only that S1 setup request
and maybe some configuration changes
so that configuration transfer.
So, what we have had now running
is the eNodeB is up,
and we have an MME simulated.
Now we can start attacking.
For that, again,
we made a second script.
It's made in the middle tool
where we can inject our own S1 messages.
So, all the messages shown in that picture,
we can inject.
It's just an SETP.
You just need to make the middle of that.
Well, you just can use some Python script.
And then we modulated some of that S1 messages
to check if that is really working.
Who is interested for you?
We use the...
Yeah, a thousand toolkit of us called Dizzy,
which we use for spoofing of the messages.
Some of the scripts are published on our blog.
So, we can do some scanning.
We can do tracing of some UEs and so on.
That is the main purpose of that interface.
Good.
So, that is the main connection for connectivity.
But still, we want to be a root in the device.
We want to access the configuration itself.
So, we need some possibilities to push configuration,
use the maintenance tools, and so on.
That is over the ORM network.
Here in ORM, it's a different VLAN.
It's VLAN 3.
There are, again, a couple of IP addresses used for that.
We just picked out one of them.
Because that one was used for NTP, for example.
So, we just symbolized our own NTP server.
That's also necessary because, of course,
the eNodeB must have some timing information.
Otherwise, the cell will not work correctly.
So, that's quite easy.
Taking a further look to the interface,
we can see that we have a lot of information.
So, we made an NMAP scan.
Here you see the outcome.
Quite interesting, of course, the FTP and Telnet.
So, for a device from 2012 or something like that,
I don't know if that is really necessary.
But, okay, they have SSH, anyhow.
But all interfaces work.
Then we see a port 80.
So, an HTTP server, not HTTPS.
But I don't know if you really need HTTPS on that connection.
In reality, there should be IPSec again, right?
And we have some higher-range ports,
like that 8443 and that 56834,
which are used for the maintenance tools
we will show directly after here.
So, the maintenance tools are very interesting
because they are used by the engineers
if they are going on site,
on setup of the machine, for example,
or if there is a problem.
For example, if there is a false state of the base station,
an engineer will come on site,
plug into a maintenance port,
and doing something, reconfiguring,
getting log files, accessing the monitoring
with some magic tools.
That always depends on the vendor.
In our case, that is also possible remotely,
so via the transport network.
But you can also plug into the LMT port,
which is just a different connector,
and then you have also access to that interfaces and tools.
Yeah.
So, that is where we first focused on
to get access to the environment.
If you go on the web server,
so that port 80,
you directly have a download option
of that magic tool.
So, that's really great that they provided to us that way.
Very nice.
Unfortunately, it's only running under Windows,
so not that easy for us.
But the most problem was that Java 1.5 wasn't necessary.
So, we first had to install XP again.
Thank you.
Yeah, that was almost the biggest problem to us,
to install Java 1.5 and XP.
Okay.
If we had that running,
we could just connect.
That was quite interesting,
because we started the tool,
and then we had access to some information,
like the radio frequency information and so on.
So, that is how the tool is looking like.
So, you have different views
for different configuration parts,
like the whole rack you're standing in,
which fans are...
So, the fan controller is inside there,
some debugging information,
some monitoring information,
and you can also access log files,
like that one.
And you see there are a lot of errors popping up,
of course,
because some other parts of that rack,
where that e0b was in,
are missing.
But okay, you can just remove that part
in your configuration,
and then it's working.
So, that's not a problem.
More interesting is,
maybe you have missed that, guys.
So, again, in the standards,
there's done something that's setting up
and configuring the e0b shall be authenticated.
Unfortunately, there was no password for that tool.
So, we just started that tool,
like here.
You can set up an IP address,
a name, and maybe a comment.
Then you click on connect,
and you are in.
So, again, quite interesting.
Not too easy.
Again, the biggest problem was
to just install the tool.
Okay, so,
we had configuration access,
but still we had no operating system access.
The configuration is that one
which the engineer is using.
But furthermore, over that interface,
there are some other services provided,
like FTP, Telnet, and SSH.
That is where we also wanted to take a look on.
But, yeah,
so we can also
try some exploits on Java.
So, since 1.5, I see,
there was quite a lot.
So, that is also a good possibility
to compromise the machine.
In our case,
it's unfortunately not asking for a password,
so we can't do some password brute enforcing here.
And, if you connect
with that tool,
it's establishing a connection
to that high range port I showed in the Nmap.
So, that 5, 6, 7, 8,
56,000
stuff,
there it is
establishing a connection via GEOP.
So, it's Java.
I think Juan is saying something to that later.
And, over that interface,
it's transmitting
the whole configuration data
of the NBTS.
And, that is also not authenticated
and secured anyhow.
So, there is no
sequence.
You can do replay attacks, whatever.
It's just transmitting
the configuration directly.
So,
next look.
That was also not that hard.
There were two users
configured on the system
called RBS and cello user
and the password for both was RBS.
And, again,
we could log in via telnet
and via FTP
and via SSH.
Okay, there was some outdated
SSH keys used,
but the whole system was prohibiting
the connection first.
So, we have to enable that
algorithms manually.
But, okay, then we are in
and had access to the whole device.
If you take a look to the file system,
there was a lot of interesting information
like the path W.
So, it's the kind of Linux you see here
where we can expect passwords again
if there are other users configured
but usually not supported.
But, more interesting is that
security CFG.
So, it's a folder where the
IPsec keys are stored.
So, if you have access,
you can just extract your
IPsec keys here.
Again, really, really nice
because it's also possible remotely.
It gives the attacker
a lot of possibilities, right?
Good.
Then,
we had access to everything.
Could take a look to the local configuration
and also to the local web server.
The local web server
was vulnerable to a couple of exploits
because it, again,
used a very outdated Java SDK.
So, 1.1.6.
There are also some other ones
which, so other,
yeah,
Java applications running on
which are using some other
outdated Javas.
So, there's a couple of
lots of possibilities
to compromise a machine.
And the web server
is just used
to provide
the element manager
which is an LMT tool
to download.
And also,
some XML configuration is placed there.
You can also directly access
without any configuration.
You just need to know the path.
But you see, if you're starting the tool,
you see
in Wireshark.
While we discovered the web server,
we unfortunately
had another vulnerability found here,
just a DOS.
But it was not a DOS of the web server,
it was a DOS of the whole eNodeB.
And because the web server
is running with high-risk privileges
in the operating system itself,
so it crashed.
While we scanned the machine
or the web server with a crawler,
the whole machine crashed.
That's also interesting.
Good.
So far, we have taken a look
to the configuration,
to the operating system.
We had some access to it.
Obviously,
the whole machine was not
wiped or erased
by the provider.
And obviously,
no IPsec is used
on that machine.
But okay, even if it's used,
you find a way to connect to
and extract the IPsec keys.
There are some kind of
encoded or default credentials,
like RBS,
or cello user RBS.
There is a possibility to change it,
but
I think it's not really used.
It was not that easy.
And even the
login with the element manager
is working anyhow all the time.
There is
telnet in use, also interesting,
because you can just sniff the traffic then
and then you have to get the real credentials
if somebody's logging in.
So,
maintenance interface.
So,
what's running on?
The eNodeB has
a real-time OS running.
So it's very, very plain,
and it's about,
it's all stored on
a compact flash,
you see here.
So if you just open the device,
you have a compact flash in,
that's quite interesting.
So, there are just some
problems here,
because it's not easy,
it has an own file system,
which is based on gzip.
So you just have to recognize that first.
But the architecture is in PowerPC,
so we expected to see
some PowerPC binaries,
and the architecture is also
assisted by some FPGAs,
and also one ARM processor
to do all that work.
Radio stuff and so on.
The flash disk.
The first step,
we removed that from our eNodeB
and plugged it into our laptop.
First, it was not that easy
because it's a flipped architecture,
so all that little endian, big endian stuff.
We can see here
in that binary,
if we made an analysis,
that the alphabet here is just flipped.
So we had to switch that first
to access the direct information
like the PowerPC binaries.
As you can see here.
And then all the files here
are gzipped.
It's a small system,
so it's an embedded system,
so they just want to keep some space.
Save some space.
But now we have access to the
upper layer operating system,
could extract binaries,
and start with reverse engineering.
And also,
because we had access to that volume,
we can again extract the IPsec keys.
Good.
Another interesting one,
if you're on the machine,
just for debugging,
you have some debugging interfaces enabled there,
and you have a RAM lock.
And the RAM lock
displays the whole booting process.
So if you want to do some attacking there,
you can just hold the machine
on the right places here.
There are also some commands for that.
And you see here
on step two
that it's mounting that gzip volume
and powering up.
So that is our volume we extracted here.
So we can just modify it.
Just
a small joke for us.
It's that line,
that no magic found.
That was quite funny to see that in the log file.
Good.
The rest
is for Brian.
So, you know, you go in
and it has this configuration on there.
You know, you've got a mobile country code,
and a mobile network code,
actually defining an operator.
Luckily you found the numbers
311 and the MNC 660.
Turns out
it's an American operator,
or an old one,
Metro PCS.
Only one of you has ever heard it.
They were actually
kind of sold,
or they fused with T-Mobile USA
in 2012, or a little bit later.
So we know
where exactly this,
Yet again, you know, if we actually had
a client certificate,
that would be probably the most awesome combination.
Then, you know,
we found a few little interesting things.
You know, the classical pass WD command
for changing a password.
We've got cello user
and we've got RBS,
and we actually just wanted to change a password
just to play around with it.
And actually it turned out
that if you change the password for RBS,
also the password
for cello user will be changed,
and the other way around.
So for some reason they actually combined
the passwords for both user accounts.
Somehow, magically,
even for pass WD.
So, it looked a little bit
strange.
Then, as Henrik already said,
you know, we've got quite old SSH,
so we actually had to go in
and go in for our
Diffie-Hellman Group 1 SHA-1.
Modern SSH
simply won't do this anymore,
so we had to re-enable it.
Then, when you're on the box,
interesting,
you had something that was called
cell and UE traces.
Sadly,
we only had cell traces,
so basically you can see
status and log information
of the cell that actually was on the
ENRB and a few neighboring cells.
From the documentation
and the info that we found,
if we would have had a UE trace,
this UE trace
actually logs everything
that a mobile device
in the LTE cell does over a certain amount of time.
So, you know,
if you have access to an ENRB in the field,
you just kick in the UE trace command
and you basically log
all the unencrypted information
that goes through that mobile device.
So, rather nice for playing around with.
Then,
yes,
you know,
when you do stuff,
you always find really, really,
really strange things.
So, um,
all communication that you've seen so far
went into private IP address space,
which is the way that you do it
in your own network.
Now, we found
a geop remote session
that was actually trying to find a server
to a public IP address.
Um,
we were able to have it connecting to us
so, you know,
you've got basic geop communication
which you could attack,
if anybody of you knows
the nature of geop,
you need quite a lot of information
to actually be able to push objects
over the line until something happens.
So, um,
you know,
as it was the only public IP address,
we had a closer look at it.
And I've got to say,
you know,
um,
the next slide is,
it's vague,
you know,
we can't guarantee for any correctness
on the next slide,
but, um,
you know what you do,
you've got an IP address,
you look it up,
and, um,
you remember metro PCS?
The IP address that we found
actually belongs to an, um,
Iranian cellular operator.
So, you know,
we can't guarantee that,
um, basically the American telco
simply, um,
misused the, um,
the public IP address,
but you've got to admit
it simply looks very, very strange.
And time-wise,
if you go down to the, um,
address space was actually registered
in 2012,
and we know from the log files
that the eNodeB was up and running
in the field up to 2013.
So, you know,
the eNodeB actually talking to an,
to the network of an Iranian operator.
It's strange,
it doesn't make any sense.
So,
you know, um,
as said, the information is vague,
we've just got the data that we got
of the eNodeB,
we've got no idea if maybe the IP address
space was, you know,
shared or something like that,
or as said, a misused public IP address,
but stuff like that
actually just is scary.
And we have to say, um,
the port that it connected to,
you know, um, on the Iranian IP address
nowadays is down.
So whatever was running there
isn't there anymore, so, um,
yeah, you know,
a little bit of scary shit in telco networks.
So, okay, so,
first, that was our first start
with our research.
We wanted to, um, yeah,
present for you.
Um, you really see that there is no magic behind
as the log file already has.
Um, yeah, easy system,
which some are special characters,
I would say.
Um, there's, it's also very strange
that most of the devices
have no,
um, yeah, that the config is still
not erased.
Um, we also bought a second
blade for that RBS,
um, just while we are here.
Um, that one is from T-Mobile
and it looks exactly like the same.
Um, so,
um, that is
quite interesting to do a lot of stuff.
We now also have, um, yeah,
access to the binaries, which is some future work
for us, so we are taking a look to that.
Um, but basically
if you, the
attack vectors for such devices
are based on that
signaling, so you can just, um,
access that management,
control traffic there,
um, to do some traces of UEs,
to, um, yeah,
establish connections on your own, or also hand over.
There is no security
in reality, and, um,
or, sometimes there is no security
for that IPsec stuff,
or even if you are able to extract
it somehow.
Um, for example, like that OAM,
and what we've seen there is not
really good, so that's an architectural
problem, I think, um, or a hardening
problem, so that is, uh, development
hopefully the vendors
are working on, um,
but, um, that is a
quite new device, um,
quite new, 2012, um,
it's an LTE device, which is out in the field,
so we expect that there are a lot
of base stations out
there, which are exactly configured
like that. Um,
and if signaling and OAM
is not working, even then, um,
with having physical access
to the device, you can just,
yeah, get that, uh,
flash disk, that compact flash,
and put into your laptop, extract all necessary
information, like the password file,
like the IPsec information,
and then you're in again. So there is a lot
to do.
Good. Um, that's it so far.
Um, that is what we
wanted to present to you this time.
Um, thank you. Um,
if there are any questions, let me know.