Wednesday, March 26, 2014

3G Attacks at RootedCON 2014

Some time ago we learned that a subset of the attacks that were possible for 2G mobile communications using a fake base station were also possible in 3G, particularly:
  • IMSI Catching: or how to know whether an IMSI is active in the range of the attacker's base station
  • Geo-location of mobile devices, with high accuracy and reliability. You can find more details on this attack in the associated materials of two of our previous talks: RootedCON 2013 (Spanish) [slides] and [video], and BruCON 2013 (English) [slides] and [video], where we demonstrated in practice how an attacker could use a fake base station to know the location of a device (identified by its IMSI or its IMEI).
  • Denial of service: there are many flavours of denial of service attacks. We explained some of them and we demonstrated in practice the "LUR Reject Cause codes" one at RootedCON 2012. [Slides] and [video] of the talk are available (Spanish).
  • Selective donwgrade to 2G: this attack allows an attacker to force a mobile device to choose 2G service instead of 3G, regardless of the availability of the 3G service.

In our recent talk at the fantastic RootedCON 2014, we explained the protocol concepts and issues behind these attacks and how an attacker could theoretically exploit the underlying vulnerabilities to perform the attacks (slides available in our lab page). As we clarified during the talk, this was actually a summary of information that was already in the public domain, though not very publicized.

Our goal is to test the aforementioned attacks and our first step in that direction has been the development a 3G software modem. During the talk we demonstrated the modem decoding the bits of the BCH of a real cell.

This practical work is only a first -but necessary- step towards our goal. We continue our research activities in this area, so stay tuned!

[*** UPDATE March 26, 2014 ***] English version of the slides have been added to our lab page]