# Development of Signaling Spoofing Attacks Using Function Containerization of Rogue Base Stations - Shin-Ming Cheng, Bing-Kai Hong {%hackmd @HITCON/r1z4zylVv %} > 從這開始 agenda security mechanisms in 4Glte rogue bs attacks signaling spoofing attack containerization and orchestration demo and expreimental results security issues is 5GNR conclusion 5G security the prague proposals 2019 5 3 joint declaration on 5G security 2020 8 26 ait 美國在台協會 and tecro 駐美國台北什麼の security mechanisms in 4G lte mutual authentication writeless medium is accessible for everyone in the vicinity identifiers can be easily forged user authentication from network provider accounting authorizaition and the association of data sessions to a legal person network authentication from user network authentication for traffic confidentiality GSM by faking ... - [ ] authentication and key agreement(AKA) in 4G/LTE[](https://) AKA with keys in 4G/LTE security issues in 4g lte after aka integrity and confidentiality protection for control plane signaling only confidentiality protection for user plane data recent fake rogue base station attack isolated rogue bs victim impacts are suppressed new attacks appear in recent years Rogue BS attacks software defined radio sdr with gnu radio a free software development toolkit provides signal processing blocks low cost external rf hardware usrp by ettus research ni opensource software 2G : openBTS implementation of rogue base is possible very cheap comparing with the commercial products software free hardware ettus usrp b210 50000 ntd challenges require both telecom knowledge and system level programming skills worldwide research teams isolated rogue bs attacks the rogue bs attacts victims ues to camp on itself by transmitting a stronger signal than legitimate cells the rogue bs cannot connect to the operational cn leverage the procedure before aka leverage the unecrypted messages relay and man in the middle attack very difficult to be implemented (中間處理的速度要很快，否則整個 connection 會 broke，造成攻擊失效，這也是實作困難的地方) overshadow overwrite the legitimate signal tightly time synchronize with downlink physical channel communication configuration matching subframe structuring and injection 3 db power difference very difficult to be detected (需要有物理層的 knowledge，實作困難度高) <!-- 曲高和寡 --> isolated rogue base station attacks retrievve imsi international mobile subscriber identity of ue iot devices unique id stored in sim card trace the route of a paricular imsi dos of a particular imsi spoofing of broadcasted system information broadcasted signaling mib master information block static system frame number synchronization channel bandwidth ... system information block sib 1 dynaic information ... sib 2 sib3-26 (國家級警報傳在 Sib 1) signaling spoofing attack lte sib 4 blacklist -> dos attack (例如可以指令整個南港的基地台都不給連線) lte sib 6 energy coordination -> energy depletion attack (要求終端持續以最大功率進行連接) lte sib 10-12 emergency alerts -> panic and phishing attacks (送出偽造的國家級警報的訊息) lte sib 16 GPS time -> asynchronous attack (送出假的 GPS 時間) ... etc via lte commercial mobile alert service cmas japen etws presidential alerts president to all of the united states imminent threat alerts serious threats to life and property often related to severe weather amber alerts missing or abducted children panic or scam spreading containerization and orchestration drawbacks the limitation of attack range low antenna power attack victim is too specific operator frequuency maintenance issue initialization of attacks modification of functions control of attack types sharing among cooperation teams contarnerization kubernetes (k8s) single ui demo and experimental results cross operator three famous operators cross frequency band cross location ntust and academia sinica cross type sib 12 and sib 16 cross open source srslte open air interface (oai) SIB攻擊成功機會大都跟晶片有關 samsung 毒瘤 中國手機很難買 ... aka in 5G/NR 導入 public key and private key private key protect imic rogue bs attack in 5G/NR digitally signing broadcast messages each operational bs has a certificate issued by its operator a ue needs to be provisioned with a root certificate operator public key to verify the certificate of the bs overheads substantial computational overhead at bs message size increases due to the signature and certificate broadcasting ... signaling spoofing in 5G/NR conclusion sdr and cellular opensource enable the applications of private and reconfigurable bs popularity of rogue bs attacks containerization and orchestration make attacks more servere 5G and 4G have similar protocols detection and protection are necessary ......... https://www.iii.org.tw/Files/FileManager/%E4%BC%81%E6%8E%A8%E8%99%95/%E5%85%AC%E5%91%8A/%E7%A7%91%E5%B0%88%E5%90%88%E4%BD%9C%E6%A1%88/FY109%E7%A7%91%E5%B0%88%E5%90%88%E4%BD%9C%E7%A0%94%E7%A9%B6/RFP/RFP_5G%E7%B6%B2%E8%B7%AF%E5%81%BD%E9%80%A0SIB%E6%94%BB%E6%93%8A%E8%A8%AD%E8%A8%88%E8%88%87%E5%81%B5%E6%B8%AC.pdf https://www.anquanke.com/post/id/177963 https://www.usenix.org/conference/usenixsecurity19/presentation/yang-hojoon ###### tags: `HITCON2020`,`HITCON`