% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
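\documentclass{beamer}
\usepackage{url}
% Custom url style "leo": a tiny typewriter font so long URLs fit on a slide.
% The original (copied from the url package docs) carried a LaTeX 2.09
% compatibility branch that tested for \selectfont and fell back to the
% obsolete {\sf} switch; beamer requires LaTeX2e, where \selectfont always
% exists, so that branch was dead code and is dropped here.
\makeatletter
\newcommand*{\url@leostyle}{%
  \def\UrlFont{\tiny\ttfamily}%
}
\makeatother
%% Now actually use the newly defined style.
\urlstyle{leo}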
% This file is a solution template for:
% - Talk at a conference/colloquium.
% - Talk length is about 20min.
% - Style is ornate.
% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
%
% In principle, this file can be redistributed and/or modified under
% the terms of the GNU Public License, version 2.
%
% However, this file is supposed to be a template to be modified
% for your own needs. For this reason, if you use this file as a
% template and not specifically distribute it as part of another
% package/program, I grant the extra permission to freely copy and
% modify this file as you see fit and even to delete this copyright
% notice.
\mode<presentation>
{
% "Warsaw" is a complete theme: this single line sets headline, footline,
% colours and fonts for all slides.
\usetheme{Warsaw}
% or ...
% Not-yet-uncovered overlay items are shown faded instead of hidden.
\setbeamercovered{transparent}
% or whatever (possibly just delete it)
}
\usepackage[english]{babel}
% or whatever
% NOTE(review): latin1 input encoding. Every visible line of this file is
% plain ASCII, but the \include'd section files may not be -- confirm their
% encoding before switching to utf8.
\usepackage[latin1]{inputenc}
% or whatever
% NOTE(review): the "times" package is obsolete (l2tabu); newtx, or at least
% mathptmx, is the current replacement. Kept as is because it was not checked
% which of those the build environment provides.
\usepackage{times}
\usepackage[T1]{fontenc}
% NOTE(review): "subfigure" is deprecated in favour of "subcaption". Kept
% because \subfigure may be used in the \include'd files -- confirm before
% replacing.
\usepackage{subfigure}
% beamer already loads hyperref itself; this explicit load is redundant but
% harmless as long as no conflicting options are passed. It is correctly the
% last package loaded.
\usepackage{hyperref}
% Or whatever. Note that the encoding and the font should match. If T1
% does not look nice, try deleting the line with the fontenc.
% --- Title-page metadata ---------------------------------------------------
\title{Free Software for GSM cellular telephony}
\subtitle{OpenBSC, OsmoBTS, OsmoSGSN, OpenGGSN}
\author{Harald Welte}
\institute{gnumonks.org\\osmocom.org\\sysmocom.de}
% The bracketed short form is what the theme's headline/footline templates
% use; the long form appears on the title page.
\date[DORS/CLUC 2014]{DORS/CLUC, June 2014, Zagreb}
% Only written to the PDF information catalog; never shown on a slide.
\subject{GSM Security}
% A logo can be added if a logo graphic exists, e.g.:
% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
% \logo{\pgfuseimage{university-logo}}
% Uncomment to show the outline at the beginning of every subsection:
%\AtBeginSubsection[]
%{
% \begin{frame}<beamer>{Outline}
% \tableofcontents[currentsection,currentsubsection]
% \end{frame}
%}
% Uncomment to uncover every item step-wise:
%\beamerdefaultoverlayspecification{<+->}
\begin{document}
% Title slide, built from the \title/\author/\institute/\date metadata above.
\frame{\titlepage}
\begin{frame}
  \frametitle{Outline}
  % Sections only; add [pausesections] to reveal them one at a time.
  \tableofcontents[hideallsubsections]
\end{frame}
% Structuring a talk is a difficult task and the following structure
% may not be suitable. Here are some rules that apply for this
% solution:
% - Exactly two or three sections (other than the summary).
% - At *most* three subsections per section.
% - Talk about 30s to 2min per frame. So there should be between about
% 15 and 30 frames, all told.
% - A conference audience is likely to know very little of what you
% are going to talk about. So *simplify*!
% - In a 20min talk, getting the main ideas across is hard
% enough. Leave out details, even if it means being less precise than
% you think necessary.
% - If you omit details that are vital to the proof/implementation,
% just say so once. Everybody will be happy with that.
\begin{frame}
  \frametitle{About the speaker}
  % Short speaker biography, one item per line.
  \begin{itemize}
    \item Using + playing with GNU/Linux since 1994
    \item Kernel / bootloader / driver / firmware development since 1999
    \item IT security expert, focus on network protocol security
    \item Core developer of Linux packet filter netfilter/iptables
    \item Trained as Electrical Engineer
    \item Always looking for interesting protocols (RFID, DECT, GSM)
  \end{itemize}
\end{frame}
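\begin{frame}
  \frametitle{Success of Free Software}
  \framesubtitle{depending on area of computing}
  \begin{itemize}
    \item Free Software has proven to be successful in many areas of
      computing
      \begin{itemize}
        \item Operating Systems (GNU/Linux)
        % \dots instead of a literal "..." gives a correctly spaced ellipsis.
        \item Internet Servers (Apache, Sendmail, Exim, Cyrus, \dots)
        \item Desktop Computers (gnome, KDE, Firefox, LibreOffice, \dots)
        \item Mobile Devices
        \item Embedded network devices (Router, Firewall, NAT, WiFi-AP)
      \end{itemize}
    \item There are more areas to computing that people tend to
      forget. Examples in the communications area:
      \begin{itemize}
        \item Cellular telephony networks (GSM, 3G, LTE)
        \item Professional Mobile Radio (TETRA, TETRAPOL)
        \item Cordless telephones (DECT)
      \end{itemize}
  \end{itemize}
\end{frame}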
\include{part-security_research}
\begin{frame}
  \frametitle{Security analysis of GSM}
  \framesubtitle{The bootstrapping process}
  % Steps of the bootstrapping process, top to bottom.
  \begin{itemize}
    \item Start to read GSM specs (> 1000 PDF documents!)
    \item Gradually grow knowledge about the protocols
    \item Obtain actual GSM network equipment (BTS)
    \item Try to get actual protocol traces as examples
    \item Start a complete protocol stack implementation from scratch
    \item Finally, go and play with GSM protocol security
  \end{itemize}
\end{frame}
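\subsection{The GSM network}
\begin{frame}
  \frametitle{The GSM network}
  % Beamer frames do not float, so a figure environment with a [h] placement
  % specifier adds nothing here. The image is sized relative to the text width
  % instead of an absolute 100mm so it cannot run off the slide on a
  % different theme or aspect ratio.
  \centering
  \includegraphics[width=0.9\linewidth]{gsm_network.png}
\end{frame}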
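\begin{frame}
  \frametitle{GSM network components}
  \begin{itemize}
    \item The BSS (Base Station Subsystem)
      \begin{itemize}
        \item MS (Mobile Station): Your phone
        % \emph{} replaces the obsolete {\em ...} font switch.
        \item BTS (Base Transceiver Station): The \emph{cell tower}
        \item BSC (Base Station Controller): Controlling up to hundreds of BTS
      \end{itemize}
    \item The NSS (Network Sub System)
      \begin{itemize}
        \item MSC (Mobile Switching Center): The central switch
        \item HLR (Home Location Register): Database of subscribers
        \item AUC (Authentication Center): Database of authentication keys
        \item VLR (Visitor Location Register): For roaming users
        \item EIR (Equipment Identity Register): To block stolen phones
      \end{itemize}
  \end{itemize}
\end{frame}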
\begin{frame}
  \frametitle{GSM network interfaces}
  \begin{itemize}
    \item Um: Interface between MS and BTS
      \begin{itemize}
        \item the only interface that is specified over radio
      \end{itemize}
    \item A-bis: Interface between BTS and BSC
    \item A: Interface between BSC and MSC
    \item B: Interface between MSC and other MSC
  \end{itemize}
  % Closing remark below the list.
  GSM networks are a prime example of an asymmetric distributed network,
  very different from the end-to-end transparent IP network.
\end{frame}
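\subsection{The GSM protocols}
\begin{frame}
  \frametitle{GSM network protocols}
  \framesubtitle{On the Um interface}
  \begin{itemize}
    \item Layer 1: Radio Layer, TS 04.04
    \item Layer 2: LAPDm, TS 04.06
    \item Layer 3: Radio Resource, Mobility Management, Call Control: TS 04.08
    % \dots rather than a literal "..." for a properly spaced ellipsis.
    \item Layer 4+: for USSD, SMS, LCS, \dots
  \end{itemize}
\end{frame}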
\begin{frame}
  \frametitle{GSM network protocols}
  \framesubtitle{On the A-bis interface}
  \begin{itemize}
    \item Layer 1: Typically E1 line, TS 08.54
    \item Layer 2: A variant of ISDN LAPD with fixed TEI's, TS 08.56
    \item Layer 3: OML (Organization and Maintenance Layer, TS 12.21)
    \item Layer 3: RSL (Radio Signalling Link, TS 08.58)
    \item Layer 4+: transparent messages that are sent to the MS via Um
  \end{itemize}
\end{frame}
\include{section-openbsc}
% \include{section-osmocombb}
% \include{section-openbts}
% \include{section-airprobe}
% \include{section-wireshark}
%\section{Summary}
%\subsection{What we've learned}
\begin{frame}
  \frametitle{Summary}
  \framesubtitle{What we've learned}
  \begin{itemize}
    \item The GSM industry is making security analysis very difficult
    \item It is well-known that the security level of the GSM stacks is very low
    \item We now have multiple solutions for sending arbitrary protocol data
      \begin{itemize}
        \item From a rogue network to phones (OpenBSC, OpenBTS)
        \item From a FOSS controlled phone to the network (OsmocomBB)
        \item From an A-bis proxy to the network or the phones
      \end{itemize}
  \end{itemize}
\end{frame}
% \subsection{Where we go from here}
\begin{frame}
  \frametitle{TODO}
  \framesubtitle{Where we go from here}
  \begin{itemize}
    \item The tools for fuzzing mobile phone protocol stacks are available
    \item It is up to the security community to make use of those tools (!)
    \item Don't you too think that TCP/IP security is boring?
    \item Join the GSM protocol security research projects
    \item Boldly go where no (free) man has gone before
  \end{itemize}
\end{frame}
\begin{frame}
  \frametitle{Current Areas of Work / Future plans}
  \begin{itemize}
    \item UMTS(3G) support for NodeB and femtocells
    \item SS7 / MAP integration (Erlang and C)
    \item Playing with SIM Toolkit from the operator side
    \item Playing with MMS
    \item More exploration of RRLP + SUPL
  \end{itemize}
\end{frame}
%\subsection{Further Reading}
\begin{frame}
  \frametitle{Further Reading}
  % Links are typeset with \url in the "leo" style defined in the preamble.
  \begin{itemize}
    \item \url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf}
    \item \url{http://bb.osmocom.org/}
    \item \url{http://openbsc.osmocom.org/}
    \item \url{http://openbts.sourceforge.net/}
    \item \url{http://airprobe.org/}
  \end{itemize}
\end{frame}
\end{document}