UMTS_IMSICATCHER_HALFMITM

Routing Area Update Reject (RAU Reject) and service/attach reject codes

Routing Area Update Reject cause: 10 (Implicitly detached)
Service/attach reject causes for redirection: 2 (IMSI unknown in HLR) or 17 (Network failure or user busy)
Service/attach reject causes for DoS: 3, 7, 8, 9, 14
Service/attach reject cause without denial of service: 15 (No suitable cells in this area)

Schematics flow

  • Classic flow

  • IMSI-Catcher for non-programmers, without modification but with denial of service

  • IMSI-Catcher for programmers, with modification but without denial of service

  • Redirect 1: IMSI-Catcher for programmers, with modification, with denial of service and redirection, without getting the IMSI over 3G

  • Redirect 2: IMSI-Catcher for programmers, with modification, with denial of service and redirection, and getting the IMSI over 3G

Learning UMTS Protocol Stack

pptx
video1
video2

Reading articles

New AKA security (Mutual authentication)

  • Detailed AKA

LIST OF ATTACK

  • SIMPLE IMSI CATCHER
  • UMTS DENIAL OF SERVICE
  • JAMMING
  • BIDDING DOWN ATTACK
  • UMTS REDIRECTOR
  • CRYPTO HACKING USING RAINBOW TABLE
  • FEMTOCELL HACKING
  • UMTS CBC (CELL BROADCAST CENTER)

1. SIMPLE IMSI CATCHER

Attack explanation

  • Just catch the IMSI
  • Find all of parameter1 (using Android apps): MCC, MNC, RAU1 and UARFCN1, the same as the operator's, for NodeB_Jammer
  • Option 1: launch NodeB_Jammer (openbts_umts) with parameter1
  • Option 2: launch NodeB_Jammer using Modmobmap or CleverJam on the same frequency as UARFCN1 with 5 MHz bandwidth
  • Find all of parameter2 (using Android apps): MCC, MNC, RAU2 and UARFCN2, the same as the operator's, for NodeB_Collector
  • Stop NodeB_Jammer
  • Launch NodeB_Collector with the same MCC and MNC, a RAU3 different from RAU2, UARFCN2, and Location Update Reject with cause 15 (No suitable cells in this area)
  • Launch NodeB_Jammer as in option 1 or option 2
  • Collect the IMSI

Protocol Flow

2. UMTS DENIAL OF SERVICE

Attack explanation

  • Sending a Location Update Reject with cause number 3 "Illegal MS" to produce a denial of service

Protocol Flow

Reject code list

3. IMSICATCHING ATTACKS ON 3G NETWORKS (Bidding Down Attack)

  • The bidding down attack (bda2g) uses a Location Update Reject with cause number 14 "Service option temporarily out of order"

Descriptions

In June of this year I announced the participation of CellAnalysis in the Sysmocom Accelerate3g program (videos1 videos2 videos3 videos4 videos5) to detect 3G IMSI catching attacks. This article describes the first steps studying the 3G attacks within the Osmocom infrastructure and the basic principles of detection that are being implemented in CellAnalysis 3G.

Lab infrastructure

Following the steps in the Getting_Started_with_3G tutorial, we set up the 3G network, but we will modify the MSC node source code. We don't need to add any subscriber to the HLR/AuC database, since we are not going to deliver a 3G service to our victims. The mobile's registration procedure in our 3G network will always be rejected, so that it downgrades to 2G, in the same way as we saw in 4G (4G/LTE IMSI Catchers). In this first article we will use the "Location Update Reject" attack, with the different rejection causes forcing the mobile to register in the 2G network (the downgrade attack).

Implementation

3G
  • femtocell nano3G (Sysmocom)
  • Osmocom 3G network, running on Ubuntu 14 (Intel Core i5 4200U 1.6 GHz, 8 GB RAM)

2G
  • BladeRF x40
  • YateBTS, 2G network running on Ubuntu 16 (Intel Atom 1.6 GHz, 8 GB RAM)

Once the 3G network is configured following the Getting Started tutorial, it's better to verify that the 3G cell is transmitting correctly on UARFCN 9800 (the default channel):

To implement our custom reject cause, we must modify the source code of the MSC to overwrite the registration reject cause in the response to the "Location Update Request". Usually the reject cause would be "(2) IMSI unknown in HLR", since we have not provisioned any subscriber in our HLR, or "(3) Illegal MS" if we add only the victim's IMSI to the HLR SQLite DB but not its authentication values. The MSC source code needs to be manipulated so that it always returns the cause value of interest, according to whether we want to do a DoS or a 2G downgrade attack:

  • Disable the USIM entirely until power-off or USIM removal.
  • Attach requests disable the USIM for the packet domain until power-off or USIM removal.
  • Periodic Location Update requests will trigger the UE to attempt GERAN instead.

Once the attack is chosen and implemented, switch on the victim mobile (S2) and activate Tobias Engel's xgoldmon to detect the attack. The following image shows how the response to the registration request (the Location Update Reject) is correctly sent to the victim with the chosen reject cause (in this example #14, "Service option temporarily out of order"):

After the LocUp Reject, the victim mobile connects to the 2G network (YateBTS). See below how, after the RRC message "Location Update Reject", the mobile starts using LAPDm and begins the authentication in the 2G network:

But before switching to the 2G network, the registration procedure has asked the victim mobile to identify itself by requesting the IMSI. This is the 3G IMSI catching attack; see the "Identity Response" message (the IMSI has been removed from the image):

Detection

CellAnalysis 3G uses active monitoring solutions (in this article, xgoldmon) to monitor 3G attacks, instead of the passive ones, such as SDR boards, used in 2G fake station detection.
Advantages of active monitoring:

  • ciphering algorithm (UEA) usage
  • authentication parameters and rates

But on the other hand, there is a big disadvantage:

  • one SIM card and device per operator are needed in order to scan all the 3G fake stations

Of course, a regulatory compliance check is also carried out to determine whether the 3G radio parameters are used in accordance with each country's frequency allocation regulation, as in the 2G detection.
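Detection logic for the reject-cause table at the top of this page and the active-monitoring approach above, as an added example (not CellAnalysis or this project's own code): it walks constructed log lines in a hypothetical format (not xgoldmon's real output), flags a cell whose LAC the operator does not use, and flags rejects that follow an IMSI identity request or that fall in the DoS/redirection cause groups.

```python
import re
# Reject causes grouped as on this page: code -> (group, name); names only where given.
CAUSES = {2: ("redirection", "IMSI unknown in HLR"), 17: ("redirection", "Network failure"),
          3: ("dos", "Illegal MS"), 7: ("dos", ""), 8: ("dos", ""), 9: ("dos", ""),
          14: ("dos", "Service option temporarily out of order"),
          15: ("no-dos", "No suitable cells in this area"), 10: ("rau-reject", "Implicitly detached")}
REJECTS = {"LOCATION_UPDATING_REJECT", "ROUTING_AREA_UPDATE_REJECT", "ATTACH_REJECT"}
# Constructed, hypothetical line format (not xgoldmon's real output):
#   <time> uarfcn=<n> lac=<hex> <UL|DL> <MESSAGE> [cause=<n>] [id=<type>]
LINE = re.compile(r"(\S+) uarfcn=(\d+) lac=(\w+) (UL|DL) ([A-Z_]+)"
                  r"(?: cause=(\d+))?(?: id=(\w+))?")

def analyse(lines, known_lacs):
    """Return [(cell, alert)], cell = (uarfcn, lac): a LAC the operator does not use,
    a DoS/redirection reject, or any reject after an IMSI identity request from that cell."""
    alerts, asked_imsi = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        _, uarfcn, lac, _dir, msg, cause, ident = m.groups()
        cell = (int(uarfcn), lac)
        unknown = (cell, "LAC not in operator's known list")
        if lac not in known_lacs and unknown not in alerts:
            alerts.append(unknown)
        if msg == "IDENTITY_REQUEST" and ident == "IMSI":
            asked_imsi.add(cell)           # this cell asked who we are before deciding
        elif msg in REJECTS and cause is not None:
            code = int(cause)
            group, name = CAUSES.get(code, ("other", ""))
            desc = "%s #%d %s (%s)" % (msg, code, name, group)
            if cell in asked_imsi:
                alerts.append((cell, "IMSI catching: identity request then " + desc))
            elif group in ("dos", "redirection"):
                alerts.append((cell, "suspicious reject: " + desc))
    return alerts

# Constructed sample: a rogue cell on the lab's UARFCN 9800 with an unknown LAC,
# then a legitimate cell that authenticates and accepts.
LOG = """\
10:00:02 uarfcn=9800 lac=1f01 UL LOCATION_UPDATING_REQUEST
10:00:03 uarfcn=9800 lac=1f01 DL IDENTITY_REQUEST id=IMSI
10:00:04 uarfcn=9800 lac=1f01 DL LOCATION_UPDATING_REJECT cause=14
10:00:05 uarfcn=9800 lac=1f01 DL ROUTING_AREA_UPDATE_REJECT cause=10
10:05:00 uarfcn=10563 lac=0a12 UL LOCATION_UPDATING_REQUEST
10:05:01 uarfcn=10563 lac=0a12 DL AUTHENTICATION_REQUEST
10:05:02 uarfcn=10563 lac=0a12 DL LOCATION_UPDATING_ACCEPT
"""
KNOWN_LACS = {"0a12"}
ALERTS = analyse(LOG.splitlines(), KNOWN_LACS)   # three alerts, all for cell (9800, "1f01")
```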

Important Comments

Yes, there is a periodic location update timer, T3212, in both 2G (osmo-bsc) and 3G (osmo-msc), and also with openbts-umts:
osmobsc-vty-reference.pdf: “1.15.45 periodic location update <6-1530>”
osmomsc-vty-reference.pdf: “1.14.9 periodic location update <6-1530>”

4. UMTS REDIRECTOR

Attack explanation

  • Cause a denial of service with the Redirected Carrier Info attack code

Protocol Flow

Attack scenario global

Attack scenario 1 : the mobile connects to the 3G

Attack scenario 2 : the fake BTS sends Redirected Carrier Info

Attack scenario 2 : the victim is on the fake 2G network

5. CRYPTO HACKING USING RAINBOW TABLE

  • Create a rainbow table for cracking the crypto in the openbts-umts code

6. FEMTOCELL HACKING

  • Root the femtocell to obtain a MITM position
  • Could hack SS7

7. UMTS CBC (CELL BROADCAST CENTER)

  • Sending a fake panic alert (fake notification, emergency SMS)

Remark

  • Choose the best UHD parameters for openbts_umts
  • No open-source UMTS client, so no full open-source MITM
  • 3G femtocell for Osmocom, named osmo-iuh (more expensive)
  • course