summaryrefslogtreecommitdiff
path: root/2010/gsm-deepsec2010/abstract.txt
blob: 38eb15be25242544ceb6e0bc73c02636f1404752 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
Deepsec 2010 GSM Security Workshop
======================================================================


* attacks from malicious phone 
  * RACH DoS using OsmocomBB
  * IMSI DETACH flood 
  * L2 fuzzing
  * BSC fuzzing using RR messages
  * MSC fuzzing using MM / CC messages
  * use 'emergency call' RACH but then regular SETUP
* passive attacks
  * GSM intercept using airprobe
  * extended GSM intercept with A5/1 decryption

* best security practises when deploying GSM
  * TMSI reallocation as often as possible
  * VLR large enough to never expire VLR records
  * offer A5/3 
  * don't offer A5/2
  * randomized padding of L2 frames
  * encrypted/authenticated backhaul
  * heuristics-based IMSI DETACH protection or DETACH disable
  * use 'late assignment' of TCH
  * use SMS over GPRS whenever possible
  * do SDCCH-reassignment on CS-SMS
  * always use frequency hopping over wide spectrum
  * make SI5/SI6 on SACCH less predictable
  * offer GEA3 and use whenever possible


In recent years, we have seen a significant increase of research in GSM
protocol-level and cryptographic security attacks:  The existing theoretical
weaknesses of A5/1 have been implemented and proven as practical, rainbow
tables have been computed and distributed widely on the internet.  A new
open-source GSM baseband software facilitates fine-grained control over all
information sent from a malicious user, enabling protocol fuzzing and flooding
attacks.

However, the publicly available attack tools are hard to use, and it is
difficult to reproduce the published attacks and assess how easy it is to
perform which type of attack on GSM networks.

This two-day workshop will re-visit all GSM security features and their
publicly know weaknesses.  It will introduce and demonstrate the various
publicly available attack tools;  Workshop participants will be trained
by the creators of the attack tools on how to use them against actual GSM
networks.

After extensive hands-on sessions performing the various attacks,
counter-measures will be presented, followed by a discussion of the best
current practises for configuring a secure-as-possible GSM network.

The target audience of this workshop is GSM network operators and IT security
consultants in the telecommunications industry.
personal git repositories of Harald Welte. Your mileage may vary