July 6, 2015

The MiTM Mobile Contest: GSM Network Down at PHDays V


Although we have published several research works on cell phone tapping, SMS interception, subscriber tracking, and SIM card cracking, lots of our readers still regard those stories as some kind of magic used only by intelligence agencies. The MiTM Mobile contest was held at PHDays for the first time, and it let the participants realize how easily an attacker can conduct the above-mentioned attacks having only a 10$ cell phone with some hacker freeware.

Contest conditions and technologies
You've got a corporate cell phone of a MiTM Mobile network user.
Through the DarkNet you have obtained some information that can be useful:
1) The codes for publes (PHDays game currency – Pseudo rUBLE) are regularly sent to the phone number of the corporation's chief accountant — 10000. 
2) The financial director is missing, nobody can get him on the phone for several days, his cell phone is turned off, but he is still getting passwords. 
3) You can obtain key information by calling the number 2000, but there is authorization by the caller's number. We also managed to find out the phone number of the director's private secretary — 77777. He must have the access. 
There are other numbers in the network through which some employees get important information, but, unfortunately, we failed to find them. Besides, don't forget — you can always come across someone's private information in the corporate network.
The CTF participants got about the same intro at the MiTM Mobile contest held at PHDays V.

We deployed a real mobile operator infrastructure for the contest. It included a base station, cell phones, landline phones, and SIM cards. The name of the contest — MiTM Mobile — was picked for a reason: we wanted to emphasize the vulnerability of our network. For the logo, we chose the Kraken (well, kind of) destroying a cell tower.

So, it's all clear with the operator's trappings, let's now look at the network implementation. Our hardware solution was a device with a simple name — UmTRX (the manufacturer's site: umtrx.org/hardware). The network's wireless part was based on this unit. The functionality of the base station and GSM (software part) was implemented through the Osmocom/OpenBTS stack.


UmTRX is the heart of MiTM Mobile.

We also ordered SIM cards for a simple and quick network registration. The MiTM Mobile network credentials were specified in them, and the card data were registered in the network. In order to simplify air tapping and make the life of the players easier we disabled data encryption in our network (A5/0). Apart from the SIM cards, the participants were provided with Motorola C118 cell phones and USB-UART cables (CP2102). All this, including the osmocombb stack, allowed the participants to tap the air, intercept SMS messages intended for other users, and make phone calls in the network on the part of another user.

Each team got a SIM card, cable, cell phone, and virtual machine image with the osmocombb stack build to experiment with.


Review of Tasks

Some theory at first:

  • IMSI — International Mobile Subscriber Identity stored in SIM-card. 
  • MSISDN — Mobile subscriber ISDN number phone number, assigned to IMSI in operator’s infrastructure
  • TMSI — Temporary Mobile Subscriber Identity randomly assigned by the network to every mobile in the area, the moment it is switched on.


IMSI is the magic number specified in the SIM card. It looks something like this — 250-01-ХХХХХХХХХХ, where 250 is the country code (Russia), 01 is the operator code (MTS), and ХХХХХХХХХХ is a unique ID. A subscriber is identified and authorized in the operator's network by the IMSI.

In this case, we have the sysmocim SIM card with 901 country code, 70 operator code, and 0000005625 subscriber's ID in the operator's network (see fig.).

The second thing you need to remember: the MSISDN, your cell phone number (for example, +79171234567), is stored in the operator's base, and not on the SIM card. During the call, the base station puts this number according to the IMSI <--> MSISDN conversion table (MSC/VLR has this function in the real network). Or it doesn't (in case of an anonymous call).

TMSI is a 4-byte temporary identifier given to the subscriber after the authorization.

Now that we know this, let's continue.

We need to run the osmocombb stack. The actions are quite simple. You need to connect the cable to the computer and forward it inside the virtual machine. A device named /dev/ttyUSB0 should appear there. After that, you should connect a TURNED-OFF cell phone to the cable through an audio jack.

Then you open two consoles. In the first one, you must run the following command:

#~/osmocom-bb-master/src/host/osmocon/osmocon  -p /dev/ttyUSB0  -m c123xor  -c ~/osmocom-bb-master/src/target/firmware/board/compal_e88/layer1.highram.bin

Now press the red button of the cell phone to turn it on. This command starts uploading firmware into the phone and opening the socket that will be a mediator between the phone and the programs. It is the so-called layer 1 of the OSI model. It establishes physical interaction with the network.


This is roughly what layer1 outputs to the console after it has been uploaded into the phone (this is not something of interest, though).

In the second console, you must run the following command:

#~/osmocom-bb-sylvain/src/host/layer23/src/misc/ccch_scan  -a 774  -i 127.0.0.1

This command establishes layer 2-3 of the OSI model, namely — air tapping in search of CCCH (Common Control Channel) packages.

774 is ARFCN we broadcast at. Yea, nobody needs to look for the channel of our operator. We did everything we could to make your life easier, our dear participants :)

-i 127.0.0.1 is the interface you will send the packages to.


Now, you launch Wireshark. It will do everything for you — for instance, it will gather all the necessary packages in SMS, unparce the TPDU/PDU format, and show everything easy to read.

Remember, you were to intercept SMS for the first task. In order to make browsing in Wireshark more convenient and keep our screen "clean", you should set the filter at gsm_sms packages.


Now you can see SMS messages on the air. Congrats, you've completed the first task! If you were now at PHDays V, you would be able to see the SMS message containing the code for getting publes. The code was being aired constantly during the two days, every five minutes, an even at night.

You must run layer1 again for the second task (or you can just keep it on after the previous one).

In the second console, you run the following command as layer2-3:

#~/osmocom-bb-master/src/host/layer23/src/mobile/mobile -i 127.0.0.1

Nothing really hard here. The mobile application can function as a virtual cell phone. In order to get access to these functions, you must open the third console and run

$ telnet 127.0.0.1 4247

A Cisco-like interface will open. You must enable the extended mode:

OsmocomBB> enable

After that, you should display the list of commands available:

OsmocomBB# list

What do you think the clone command does? Well, its name speaks for itself – you can clone a subscriber. In the description of the command, you can see it accepts TMSI as an argument. If you manage to find out the victim's TMSI and put in our phone, you will be able to connect to the network instead of the initial subscriber.

During the whole conference, we were trying to send an SMS message to a phone number missing in the network. IF a participant would put the TMSI requested by the base station as the clone command parameter, he or she would get the flag with the code for money.

OsmocomBB# clone 1 5cce0f7f

It was quite easy to see the base station request to the subscriber. You could look for gsmtap packages in Wireshark with the Paging Requests Type 1 request (the request the base station makes when a call is originated).


Alternatively, you could use the second console that has mobile launched:


After you type the TMSI, you will get an SMS message intended for the initial subscriber.

Now you have enough information for the third task. Here, you have to pretend to be another subscriber as in the previous task. You know his number, but not TMSI. What can you do? It's easy: you just have to send an SMS message to the subscriber or call him to the number 77777. You will see the base station requests to the 77777 subscriber as in the last example. Note: you must use another cell phone for the call or SMS; otherwise, your Motorola won't see the base station's broadcast requests intended for the target subscriber.

After that, you need to put the TMSi into your phone by means of the clone command and make a call to the precious number!

OsmocomBB# call 1 2000

Now you take Motorola and listen to the code. If the participants have done everything right, they will hear it, otherwise — a joke will be the sole thing they get :)

Additionally, there were SMS messages in the network that informed about a new voice message received. If the participants hadn't been lazy and had opened the phone book of the device, they would have seen the number of the voice mail. If you call this number, you can hear insider information — data about increase and decrease in the rate of MiTM Mobile shares.

The fourth task was connected not quite with GSM, but with vulnerable SIM cards used for getting access to the network. Apart from the phone, each team got a SIM card with a pre-installed application showing a greeting — "Welcome to PHDays V". Lukas Kuzmiak and Karsten Nohl created a utility called SIMTester for searching vulnerable applets. Its key feature is the ability to work through osmocom cell phones. So, you need to plug the SIM card into the phone, connect it to your computer and start the search. After a couple of minutes, you can analyze the data obtained:


Apart from lots of apps disclosing information enough for key brute forcing, you've been provided with a "red" application, which doesn't demand any secret keys for accessing. Let's analyse it separately:


The last two bytes of the SIM card reply are the status bytes, where, for instance, 0x9000 means that the command has been completed successfully. In this case, you get 0x9124, which means there are 36 bytes the card wants to return to us. Let's change the program code a little and see, what kind of data it is.


After decoding, you will get:

>>> ‘D0228103012100820281028D1704596F752061726520636C6F73652C2062616420434C419000'.decode('hex')
'\xd0"\x81\x03\x01!\x00\x82\x02\x81\x02\x8d\x17\x04You are close, bad CLA\x90\x00'

You need to brute force all the possible CLAs and INSs for the instructions sent in the binary SMS message — and you will get the flag:


>>> 'D0378103012100820281028D2C04596F757220666C61673A2035306634323865623762623163313234323231383333366435306133376239659000'.decode('hex')
'\xd07\x81\x03\x01!\x00\x82\x02\x81\x02\x8d,\x04Your flag: 50f428eb7bb1c1242218336d50a37b9e\x90\x00'

That's it, as far as the tasks are concerned.

Contest winners and surprises

All the PHDays participants could try hand at the MiTM Mobile contest together with the CTF teams: those who wished to take part were provided with all the necessary equipment and a virtual machine. Overall, there were more than ten participants on top of the CTF teams.

However, the only one who managed to intercept the SMS message in the middle of the first day was Gleb Cherbov, who ultimately became the contest winner.

Only the More Smoked Leet Chicken team managed to complete three tasks by the beginning of the second day. The fourth task was available only for the CTF participants, but everybody failed it.

The forum visitors could notice that LTE and 3G were missing occasionally, and sometimes the network was not available if you come close to the zone with the GSM jammers that looked like this:
 

Some people were getting messages from the number 74957440144 (or from an anonymous one) with the text "SMS_from_bank" or some other "harmless spam". It was connected with the operation of the MiTm Mobile network.

Also, some "luckers" got the following message by the end of the second day:


This joke has nothing to do with MiTM Mobile functioning, but it reminds everyone once again of general safety rules. Watch out for your pet phone, which suddenly starts finding the MosMetro_Free network (free WiFi network in Moscow underground) in a place where it shouldn't be, connects to it, and lots of programs get loose into a trap. Some of them use the phone number as an identifier. The attacker can get this number and then sends the messages out through the SMS gateway to all the "luckers".


P.S. Here are the details about the network components for all those who would like to make a contest similar to our MitM Mobile.

The UmTRX itself is an SDR (Software Defined Radio), i.e. "just a radio". All the manuals concerning the configuration can be found at umtrx.org or osmocom.org. You may also use a ready-made solution from UmTRX — UmDESK, it has everything pre-installed. All you need is to fill in the configuration files according to the manual and start broadcasting.

You can find an image of the osmocombb stack here (we highly recommend you to have VMWare 11). This build is enough for experimenting. SIM cards are not necessary, but you have to get a cell phone and any USB-UART cable.

You could choose any cell phone from the list: http://bb.osmocom.org/trac/wiki/Hardware/Phones
Cables: http://bb.osmocom.org/trac/wiki/Hardware/SerialCable

And, yes, you can find PL2303 and FT232 almost everywhere. Unsoldering a 2.5 mini-jack is piece of cake.


You can order SIM cards and the cable here: http://shop.sysmocom.de/

Such as
USB-UART (CP2102): http://shop.sysmocom.de/products/cp2102-25
SIM cards: http://shop.sysmocom.de/t/sim-card-related/sim-cards

You can find cell phones on Ebay, buy in pedestrian underpasses, or order in China: on average, you will spend 10$ per phone.


We want to express special gratitude to the guys from Fairwaves (they are the ones who make UmTRX, UmDESK, UmROCKET, and etc.) for consulting and the equipment provided for testing. They do a GREAT thing! And also, special thanks to Ivan.

8 comments:

  1. This comment has been removed by a blog administrator.

    ReplyDelete
    Replies
    1. This comment has been removed by a blog administrator.

      Delete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. This comment has been removed by a blog administrator.

    ReplyDelete
  4. This comment has been removed by a blog administrator.

    ReplyDelete
  5. This comment has been removed by a blog administrator.

    ReplyDelete
  6. This comment has been removed by a blog administrator.

    ReplyDelete
  7. This comment has been removed by a blog administrator.

    ReplyDelete