path: root/2011/gsm-ensa2011/part-security_research.tex
Diffstat (limited to '2011/gsm-ensa2011/part-security_research.tex')
-rw-r--r--2011/gsm-ensa2011/part-security_research.tex141
1 files changed, 141 insertions, 0 deletions
diff --git a/2011/gsm-ensa2011/part-security_research.tex b/2011/gsm-ensa2011/part-security_research.tex
new file mode 100644
index 0000000..676a4f5
--- /dev/null
+++ b/2011/gsm-ensa2011/part-security_research.tex
@@ -0,0 +1,141 @@
+%\part{Security Research}
+\section{Researching GSM/3G security}
+%\begin{frame}{Part 3 -- Researching GSM/3G security}
+%\tableofcontents
+% You might wish to add the option [pausesections]
+%\end{frame}
+
+%\subsection{An interesting observation}
+
+\begin{frame}{Free specs / Free implementations}
+\begin{itemize}
+ \item Observation
+ \begin{itemize}
+ \item Both GSM/3G and TCP/IP protocol specs are publicly available
+ \item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
+ \item GSM networks are as widely deployed as the Internet
+ \item Yet, GSM/3G protocols receive no such scrutiny!
+ \end{itemize}
+ \item There are reasons for that:
+ \begin{itemize}
+ \item GSM industry is extremely closed (and closed-minded)
+ \item Only about 4 proprietary protocol stack implementations
+ \item GSM chip set makers never release any hardware documentation
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{The closed GSM industry}
+
+\begin{frame}{The closed GSM industry}{Handset manufacturing side}
+\begin{itemize}
+ \item Only very few companies build GSM/3.5G baseband chips today
+ \begin{itemize}
+ \item Those companies buy the operating system kernel and the protocol stack from third parties
+ \end{itemize}
+ \item Only very few handset makers are large enough to become a customer
+ \begin{itemize}
+ \item Even they only get limited access to hardware documentation
+ \item Even they never really get access to the firmware source
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+%\subsection{The closed GSM industry -- Network side}
+
+\begin{frame}{The closed GSM industry}{Network manufacturing side}
+\begin{itemize}
+ \item Only very few companies build GSM network equipment
+ \begin{itemize}
+ \item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei
+ \item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment
+ \end{itemize}
+ \item Only operators buy equipment from them
+ \item Since the quantities are low, the prices are extremely high
+ \begin{itemize}
+ \item e.g. for a BTS, easily 10-40k EUR
+ \item minimal network using standard components definitely in the 100,000s of EUR range
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{Operator side}
+From my experience with Operators (prove me wrong!)
+\begin{itemize}
+ \item Operators are mainly finance + marketing today
+ \item Many operators outsources
+ \begin{itemize}
+ \item Network servicing / deployment, even planning
+ \item Other aspects of business like Billing
+ \end{itemize}
+ \item Operator just knows the closed equipment as shipped by manufacturer
+ \item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance
+\end{itemize}
+\end{frame}
+
+\subsection{Security implications}
+
+\begin{frame}{The closed GSM industry}{Security implications}
+The security implications of the closed GSM industry are:
+\begin{itemize}
+ \item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers
+ \item No independent research on protocol-level security
+ \begin{itemize}
+ \item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis)
+ \item Or on application level (e.g. mobile malware)
+ \end{itemize}
+ \item No free software protocol implementations
+ \begin{itemize}
+ \item which are key for making more people learn about the protocols
+ \item which enable quick prototyping/testing by modifying existing code
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Security analysis of GSM}{How would you get started?}
+If you were to start with GSM protocol level security analysis, where and
+how would you start?
+\begin{itemize}
+ \item On the handset side?
+ \begin{itemize}
+ \item Difficult since GSM firmware and protocol stacks are closed and proprietary
+ \item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too
+ \item Known attempts
+ \begin{itemize}
+ \item The TSM30 project as part of the THC GSM project
+ \item MADos, an alternative OS for Nokia DTC3 phones
+ \end{itemize}
+ \item none of those projects successful so far
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Security analysis of GSM}{How would you get started?}
+If you were to start with GSM protocol level security analysis, where and
+how would you start?
+\begin{itemize}
+ \item On the network side?
+ \begin{itemize}
+ \item Difficult since equipment is not easily available and normally extremely expensive
+ \item However, network is very modular and has many standardized/documented interfaces
+ \item Thus, if equipment is available, much easier/faster progress
+ \item Also, using SDR (software defined radio) approach, special-purpose / closed hardware can be avoided
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Security analysis of GSM}{The bootstrapping process}
+\begin{itemize}
+ \item Read GSM specs day and night (> 1000 PDF documents)
+ \item Gradually grow knowledge about the protocols
+ \begin{itemize}
+ \item OpenBSC: Obtain actual GSM network equipment (BTS)
+ \item OpenBTS: Develop SDR based GSM Um Layer 1
+ \end{itemize}
+ \item Try to get actual protocol traces as examples
+ \item Start a complete protocol stack implementation from scratch
+ \item Finally, go and play with GSM protocol security
+\end{itemize}
+\end{frame}
+
+
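Review bot: two wording slips in this hunk should be fixed before the deck is built: "Many operators outsources" in the Operator-side frame should read "Many operators outsource", and "Nokia DTC3 phones" in the handset-side "How would you get started?" frame looks like a transposition of DCT3, the Nokia platform generation that the MADos project targets. In the Security-implications frame the bullet "Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers" has no main verb; "Almost nobody outside the protocol stack or GSM network equipment manufacturers has detailed technical knowledge" says the same thing grammatically. On structure, the two consecutive frames titled "Security analysis of GSM" / "How would you get started?" repeat the identical lead-in sentence verbatim and differ only in the handset-side vs. network-side bullet; either give each a distinguishing subtitle (e.g. "Handset side" / "Network side", matching the "Handset manufacturing side" / "Network manufacturing side" convention used earlier in the file) or merge them into one `\begin{frame}[allowframebreaks]` with a `\framebreak` between the two item groups so the second slide does not read as an accidental duplicate.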
personal git repositories of Harald Welte. Your mileage may vary