Back to Home

MiTM Mobile contest: how they broke mobile communications at PHDays V / Positive Technologies blog

mobile communications · information security

MiTM Mobile contest: how they broke mobile communications on PHDays V



    Although we have repeatedly published studies on the possibilities of wiretapping of mobile communications , interception of SMS, substitution of subscribers and hacking of SIM-cards , for many readers these stories still belong to the field of some complex magic, which only special services possess. The MiTM Mobile contest , held for the first time this year at PHDays, made it possible for any conference participant to see how easy it is to carry out all of the above attacks with only a 300 rubles phone with a set of free hacking programs.

    Competition conditions and technologies


    “You got the corporate phone of a user of the MiTM Mobile network in your hands.
    Through DarkNet, you received information that may be useful:

    1. Codes for receiving the public are periodically sent to the number of the chief accountant of the corporation - 10,000.
    2. The financial director has disappeared somewhere, no one can reach him for several days already, the phone is switched off, but passwords are still allocated to him.
    3. Important information can be obtained by calling to number 2000, but authorization by the caller's number is set there. I also managed to find out that the phone number of the personal secretary of the director is 77777, he probably has access. There are other numbers on the network through which employees receive important information, but, unfortunately, they could not be found. And do not forget, in the corporate network you can always stumble upon private information. ”

    Approximately such an introductory presentation was presented to CTF participants as part of the MiTM Mobile contest held at PHDays V.

    For the contest, we deployed the real infrastructure of a mobile operator. It included a base station, mobile phones, landlines, and SIM cards. The name MiTM Mobile, as you might guess, was not chosen by chance: I wanted to emphasize the vulnerability of our network. The network logo was Kraken (or almost it), breaking a cell tower.

    So, with the external attributes of the mobile operator, everything is clear, now consider the implementation of the network. The device with the simple name UmTRX (manufacturer’s website: umtrx.org/hardware) acted as an “iron” solution, and the wireless part of the network was built on its basis. Directly GSM-functionality and the functionality of the base station, namely the software part, was implemented by the Osmocom / OpenBTS program stack.



    MiTM Mobile Heart - UmTRX

    For simple and quick registration on the network, SIM cards were ordered. The details of the MiTM Mobile network were registered in them, and the data of the SIM cards were, accordingly, registered on the network. To simplify listening to the air and to make life easier for players on our cellular network, encryption was turned off (A5 / 0). Along with SIM cards, Motorola C118 phones and a USB-UART cable (CP2102) were given to participants. All this, together with the osmocombb program stack, allowed CTF participants to listen to the broadcast, intercept SMS intended for other users, and also make calls on the network, substituting another user.

    Each team got at its disposal for experiments a SIM card, cable, phone and a virtual machine image with an assembled osmocombb stack.



    Analysis of tasks


    First of all, a little theory:

    • IMSI - International Mobile Subscriber Identity stored in SIM-card.
    • MSISDN - Mobile subscriber ISDN number phone number assigned to IMSI in operator's infrastructure
    • TMSI - Temporary Mobile Subscriber Identity randomly assigned by the network to every mobile in the area, the moment it is switched on.



    IMSI - this is the magic number registered on the SIM card. For example, it has the form 250-01-ХХХХХХХХХХХ 250 - this is the country code (Russia), 01 - operator code (MTS), ХХХХХХХХХХХ - unique ID. By IMSI, the subscriber is identified and authorized in the operator’s network.

    In our case, with the sysmocom 901 SIM card, the country code, 70 - the operator code, 0000005625 - the subscriber ID within the operator’s network (see figure).

    The second thing to remember: MSISDN, your mobile number (for example, +79171234567) is NOT stored on the SIM card. It is stored in the operator’s database. During a call, the base station substitutes this number according to the IMSI <--> MSISDN correspondence table (in a real network, this is the MSC / VLR function). Or does not substitute (anonymous call).

    TMSI is a temporary identifier of 4 bytes. It is allocated to the subscriber after authorization.

    Armed with knowledge, we continue.

    Launch the osmocombb program stack. Everything is simple here. Pre-connect our cable to the computer and forward it inside the virtual machine. The device / dev / ttyUSB0 should appear in the virtual machine. Next, we connect the switched-off phone to the cable through the audio jack.

    We open two consoles. In the first run the command:

    #~/osmocom-bb-master/src/host/osmocon/osmocon -p /dev/ttyUSB0 -m c123xor -c ~/osmocom-bb-master/src/target/firmware/board/compal_e88/layer1.highram.bin
    

    And we press the red button to turn on the phone. With this command, we start downloading the firmware to the phone, as well as opening the socket, through which our programs will communicate with the phone. This is the so-called layer 1 OSI model. Implements physical interaction with the network.



    This is what approximately issues layer1 to the console after downloading to the phone (however, this does not interest us).

    In the second console, run the command:

    #~/osmocom-bb-sylvain/src/host/layer23/src/misc/ccch_scan -a 774 -i 127.0.0.1
    

    This command implements layer 2-3 OSI models. Namely, listening to the air in search of Common Control Channel (CCCH) packages.

    -a 774 - stands for ARFCN on which we are broadcasting. Yes, yes, no one needs to look for the channel on which our operator works. Everything for you, dear participants :)

    -i 127.0.0.1 - the interface to which we will send our packages.



    And run Wireshark. He will do everything for us, namely, he will collect the necessary packages in SMS, parse the TPDU / PDU format and show us everything in a readable form.

    We remember that for the first task we need to intercept SMS. For convenience of viewing in Wireshark, we set the filter on gsm_sms packets so as not to clog the screen.



    We see the SMS, which are in the meantime on the air. Congratulations, you completed the first task! And if you were now on PHDays V, then on the air you could see an SMS with a code for receiving publishers. The code was broadcast for two days constantly, every 5 minutes, even at night.

    For the second task, you also need to run layer1 (or you can not turn it off after the last time).

    In the second console, run layer2-3 as

    #~/osmocom-bb-master/src/host/layer23/src/mobile/mobile -i 127.0.0.1
    

    And here everything is simple. The mobile application implements the functions of a virtual phone. To access these functions, open the third console and run:

    $ telnet 127.0.0.1 4247
    

    A Cisco-like interface opens in the console. Turn on advanced mode:

    OsmocomBB> enable
    

    Next, we list the available commands:

    OsmocomBB# list
    

    I wonder what the clone team does. Who would have thought she completely lives up to her name! Using this command, you can clone a subscriber to the network. From the help to the command, we see that it takes TMSI as an argument. If we can find out the TMSI of the victim and substitute him in our phone, then we can connect to the network instead of the original subscriber.

    Throughout the conference, we tried to send SMS to a number that was not on the network. And if the participant had guessed to substitute the TMSI requested by the base station as a parameter of the clone command, then he would receive the following flag with a code for the currency!

    OsmocomBB# clone 1 5cce0f7f
    

    And to see the request of the base station to the subscriber was very simple. It was possible to look at Wireshark gsmtap packets with the request Paging Requests Type 1 (request of the base station when making a call).



    Or in the second console, where mobile is running: We



    register TMSI and we receive an SMS intended for the original subscriber.

    For the third taskwe already have enough knowledge. As in the previous task, you must impersonate another subscriber. We know his number, but we don’t know his TMSI. What to do? It's simple: just send an SMS or initiate a call to this subscriber, namely to number 77777. And, as in the previous example, we will see the base station's requests to subscriber 77777. An important point: you need to make a call and SMS from another phone, otherwise our Motorola will not be able to see the broadcast requests of the base station, intended for the target subscriber.

    Next, we register TMSI in our phone using the clone command - and make a call to the coveted number!

    OsmocomBB# call 1 2000
    

    Now we pick up Motorola and listen to the code. If the participants did everything correctly, then they will hear the code. Otherwise, they will hear a joke :)

    In addition to everything else, SMS messages were sent on the network saying that a new voice message had arrived. If the participants were not too lazy and went into the phone book of the device, then they would see the voicemail number. By calling this number, you could hear insider information - data on the growth and fall of the stock price of MiTM Mobile.

    The fourth task was not directly related to GSM-communication, but with vulnerable SIM-cards, which are used to access the network. In addition to the phone, each team was given a SIM card with an application installed on it displaying the invitation “Welcome to PHDays V”. To search for vulnerable applets, Lukas Kuzmiak and Karsten Nohl created the SIMTester utility. A distinctive feature of this utility is the ability to work through osmocom phones. We insert the SIM card into the phone, connect it to the computer and start the search. In a couple of minutes, we will analyze the data obtained:



    In addition to many applications that disclose information that is sufficient for brute force keys , we were carefully highlighted in red with an application that does not require any secret keys for access. We analyze it separately:



    The last two bytes of the SIM card response are status bytes, where, for example, 0x9000 means that the command completed successfully. In this case, we get 0x9124, which means there are 36 bytes that the card wants to return to us. Let's change the program code a bit and see what kind of data it is:



    Decode and get:

    >>> ‘D0228103012100820281028D1704596F752061726520636C6F73652C2062616420434C419000'.decode('hex')
    '\xd0"\x81\x03\x01!\x00\x82\x02\x81\x02\x8d\x17\x04You are close, bad CLA\x90\x00'
    

    We sort through all the possible CLAs and INSs for instructions sent in binary SMS, and we get our flag:



    >>> 'D0378103012100820281028D2C04596F757220666C61673A2035306634323865623762623163313234323231383333366435306133376239659000'.decode('hex')
    '\xd07\x81\x03\x01!\x00\x82\x02\x81\x02\x8d,\x04Your flag: 50f428eb7bb1c1242218336d50a37b9e\x90\x00'
    

    That's all for the assignments.

    Winners and surprises of the competition


    Not only CTF teams, but also all PHDays visitors could try their hand at the MiTM Mobile contest: everyone was given all the necessary equipment and a virtual machine. As a result, more than ten people participated in the competition, not counting the CTF teams.

    However, the only one who managed to intercept SMS by the middle of the first day was Gleb Cherbov , who won the competition.

    Three tasks were completed only by the More Smoked Leet Chicken team at the beginning of the second day. The fourth task was available only to CTF participants, but no one was able to complete it.

    Visitors to the forum could notice a periodic loss of LTE, 3G, and sometimes the network was completely lost when approaching the area of ​​GSM jammers, which looked like this:



    Some received messages from the number 74957440144 or from “Anonymous” with the text “SMS_from_bank” or other “harmless spam”. This was due to the operation of the MiTM Mobile cellular network.

    And by the end of the second day, some "lucky ones" received the following message:



    This joke is not related to the work of MiTM Mobile, but once again reminds everyone of the observance of elementary safety rules. Monitor your pet phone that unexpectedly finds MosMetro_Free network where ee can not be, connected to it, and tolpischa programs come at will into a trap. Some of them use the mobile phone number obtained by the attacker as identifiers, and then through the SMS gateway arrange mailing to all the "lucky ones".



    PS For those who want to organize a contest similar to our MiTM Mobile - a little more about the network components.

    UmTRX itself is SDR (Software Defined Radio), that is, “just radio”. All setup instructions can be found on umtrx.org or osmocom.org. You can also mention the ready-made “boxed” solution from UmTRX - UmDESK, everything is already installed in it. It is enough to fill out configs on the manual - and start broadcasting.

    The finished image with the assembled osmocombb stack can be found here: phdays.ru/ctf_mobile.7z (it is very desirable to have VMWare 11). For experiments, this assembly is enough. Sims are optional, but you need a phone and any USB-UART cable.

    The phone can be taken from any of the list: bb.osmocom.org/trac/wiki/Hardware/Phones
    Cables:bb.osmocom.org/trac/wiki/Hardware/SerialCable

    And yes, PL2303, FT232 can be found almost everywhere. Soldering a 2.5 mm mini-jack is easier than ever.



    Sims and cable can be ordered here: shop.sysmocom.de

    Namely:
    USB-UART (CP2102): shop.sysmocom.de/products/cp2102-25
    SIM cards: shop.sysmocom.de/t/sim-card-related/ sim-cards

    Phones can be found on Avito, in the underpass or ordered in China: the issue price is about 300 rubles / pc.



    The guys from Fairwaves (they are the ones who make UmTRX, UmDESK, UmROCKET, etc.) special thanks for the advice and for the equipment provided for testing; they do a BIG deal! Special thanks to Ivan.

    Read Next