Module 54 (Cellular Telephone Network Security)

1 Module 54 (Cellular Telephone Network Security)
At the end of this Module, you'll have seen how security researchers have demonstrated serious security problems with cellular telephone devices that can compromise the confidentiality of messages sent over the cellular telephone network. You'll be familiar with a few scenarios of simple hardware hacking and see how it can open the door to sophisticated network hacking. Module 54

2 Cellular Telephony
Several radio communication standards:
GSM (Global System for Mobile communications): worldwide (mostly) standard. Uses a Subscriber Identity Module (SIM) card.
CDMA (Code Division Multiple Access): primarily in the U.S. and Canada. Developed by Qualcomm.
LTE (Long Term Evolution): probably the only standard going forward. Will use Voice over LTE (VoLTE) for voice calls.

3 Why does it Matter?
Can you hear me?

4 What if my Service is Bad?
Use a femtocell: a small, low-powered base station.
Connects to your (hopefully) high-speed internet connection.
Communicates with nearby cellular telephones using your carrier's radio standard.
Transmits communications by wrapping them in IP and sending them to a server maintained by your carrier.

5 Pictured below are (left) the Samsung femtocell used by Verizon for serving CDMA devices and (right) the Cisco MicroCell used by AT&T for serving 2G and 3G GSM handsets.

6 Both Have Been Hacked
iSEC Partners demonstrated hacks of the Samsung SCS-26UC4 and SCS-2U01.
LMG Security used this ability to create an Intrusion Detection System (IDS) for cell phones that runs on the femtocell. Normally it's difficult to detect intrusions that only exhibit behavior on the cell network. (How do we sniff?)
fail0verflow has demonstrated a Cisco MicroCell hack as well.

7 iSEC's Diagram showing Femtocell Connectivity

8 Samsung: LMG's Exploit Approach
Dec. 2012: Richard Allen found that the exposed HDMI port on the SCS-26UC4 is, in fact, a serial port. A serial cable connected at 57600 baud, 8N1, gives access to the console.
The machine is a Linux box running the U-Boot boot loader. The U-Boot autoboot interrupt key has been changed from the default, but it can be determined through experimentation.
LMG interrupted the boot and added init=/bin/sh to the kernel boot parameters, yielding a root command prompt (the kernel runs /bin/sh in place of init, so no login is required).
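The console step on this slide (find the changed autoboot key, then boot with init=/bin/sh) as a script. This is an added example, not LMG Security's code. It assumes a port object that behaves like a pyserial Serial opened at 57600 8N1 with a short read timeout (so read(n) returns b"" when nothing has arrived) plus a reset() hook that power-cycles the femtocell; the prompt string "=> ", the list of candidate keys and the "Booting" marker are guesses to be adjusted per device, since the page does not give the SCS-26UC4's actual key. FakeUBootPort stands in for the hardware so the procedure runs offline.

```python
"""Recover a U-Boot console whose autoboot interrupt key was changed, then
boot to a root shell with init=/bin/sh (the procedure on the slide).

Added example, not LMG Security's code.  The real port would be
serial.Serial("/dev/ttyUSB0", 57600, timeout=0.1) wrapped with a reset()
method that cycles power; candidate keys and prompt are assumptions."""
import re
import time

AUTOBOOT_BANNER = b"Hit any key to stop autoboot"
# Assumed candidates; a vendor may pick any byte or string as the stop key.
DEFAULT_CANDIDATES = [b" ", b"\r", b"\x1b", b"\x03", b"\x04", b"s", b"S"]


class UBootConsole:
    def __init__(self, port, prompt=b"=> "):      # prompt is device-specific
        self.port, self.prompt = port, prompt

    def read_until(self, markers, timeout):
        """Read until one of `markers` shows up; return (index or None, buffer)."""
        buf, deadline = b"", time.monotonic() + timeout
        while time.monotonic() < deadline:
            chunk = self.port.read(256)
            if chunk:
                buf += chunk
                for i, m in enumerate(markers):
                    if m in buf:
                        return i, buf
            else:
                time.sleep(0.01)
        return None, buf

    def command(self, line, timeout=5):
        """Send one U-Boot command and return everything up to the next prompt."""
        self.port.write(line + b"\n")
        idx, buf = self.read_until([self.prompt], timeout)
        if idx is None:
            raise RuntimeError("no prompt after %r" % line)
        return buf


def find_interrupt_key(console, candidates=DEFAULT_CANDIDATES, boot_marker=b"Booting"):
    """Power-cycle once per candidate; the key that produces a prompt is the one."""
    for key in candidates:
        console.port.reset()
        idx, _ = console.read_until([AUTOBOOT_BANNER], timeout=60)
        if idx is None:
            raise RuntimeError("never saw the autoboot banner; check baud rate and wiring")
        console.port.write(key)
        idx, _ = console.read_until([console.prompt, boot_marker], timeout=30)
        if idx == 0:
            return key
    return None


def boot_root_shell(console):
    """Append init=/bin/sh to bootargs for this boot only (no saveenv) and boot."""
    out = console.command(b"printenv bootargs")
    m = re.search(rb"bootargs=([^\r\n]*)", out)   # the echoed command has no '='
    if not m:
        raise RuntimeError("bootargs not set; look at bootcmd for where it is built")
    new_args = m.group(1).strip() + b" init=/bin/sh"
    console.command(b"setenv bootargs " + new_args)
    console.port.write(b"boot\n")
    return new_args


class FakeUBootPort:
    """Offline stand-in for the serial port: a U-Boot whose autoboot stops only on `key`."""
    def __init__(self, key=b"\x1b", bootargs=b"console=ttyS0,57600 root=/dev/mtdblock2"):
        self.key, self.env, self.out, self.state = key, bootargs, b"", "off"

    def reset(self):
        self.state = "autoboot"
        self.out = b"U-Boot 1.1.4\n\n" + AUTOBOOT_BANNER + b":  3 \n"

    def write(self, data):
        if self.state == "autoboot":
            self.state = "prompt" if data == self.key else "booting"
            self.out += b"\n=> " if self.state == "prompt" else b"\n## Booting image ...\n"
        elif self.state == "prompt":
            cmd = data.strip()
            if cmd == b"printenv bootargs":
                self.out += b"bootargs=" + self.env + b"\n=> "
            elif cmd.startswith(b"setenv bootargs "):
                self.env = cmd[len(b"setenv bootargs "):]
                self.out += b"=> "
            elif cmd == b"boot":
                self.state = "booting"
                self.out += b"## Booting image ...\n"

    def read(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk


def demo():
    fake = FakeUBootPort(key=b"\x1b")
    console = UBootConsole(fake)
    key = find_interrupt_key(console)
    args = boot_root_shell(console)
    return key, args, fake.env


if __name__ == "__main__":
    print(demo())
```

The change is made with setenv only, not saveenv, so the modified bootargs do not survive a reboot and nothing in the device's flash is altered; that matters on a unit you may have to return, and it is also why the vendor's later bootdelay=0 update (next slide) defeats the approach entirely rather than just one boot.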

9 Samsung: LMG's Exploit Approach
LMG imaged the file system both with dcfldd (dumping the raw contents of the device) and with tar (to capture the file and directory structure).
FTP code was present on the MontaVista Linux distro used by the device.
The system uses an ARM926EJ processor, so ARM binaries built for Android run on it. LMG copied binaries for nc and dcfldd onto the device.
Upon being connected to the internet, the device downloaded new software that set the U-Boot wait time (bootdelay) to 0, disabling the ability to interrupt the boot. :-(

10 Samsung: LMG's Exploit Approach
LMG purchased additional SCS-26UC4s (returning those that arrived with the new firmware) until they found one whose boot could still be interrupted.
They identified and implemented a method to keep the system from updating.
LMG modified the kernel to support the expanded iptables functionality needed to export traffic for intrusion detection.

11 LMG IDS Physical Setup
Faraday cage
External connectors
Internal contents

12 IDS Plan
All traffic is routed to an external machine.
The external machine inspects packets using snort and flags those that match expected malware patterns:
Possible C&C servers
Malicious domains
Malware filenames
Malware binary excerpts
Expected communications: expected infected-client POSTs and C&C commands
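The inspection side of this plan, as an added example that is not LMG Security's snort configuration: the same indicator categories the slide lists, applied to flow records exported from the femtocell. Everything in it is constructed for illustration: the indicator sets are not real threat intelligence (addresses and names come from reserved documentation ranges), the flow records are hand-written, and the record fields are an assumption about what an exported flow would carry; the real setup hands raw packets to snort on an external box.

```python
"""Femtocell-side intrusion detection over exported flows, by the categories
on the slide: C&C servers, malicious domains, malware filenames, malware
binary excerpts, expected infected-client POSTs and C&C commands.

Added example, not LMG Security's rules.  All indicators and flows below are
constructed; IPs are from RFC 5737 and domains from RFC 2606 reserved space."""
import re

# --- Indicator sets (constructed) ---------------------------------------
C2_SERVERS = {"198.51.100.23", "203.0.113.77"}
MALICIOUS_DOMAINS = {"cc.example", "dl.bad.example"}          # domain or any subdomain
MALWARE_FILENAMES = {"flashplayer_update.apk", "sys_update.apk"}
MALWARE_EXCERPTS = [bytes.fromhex("deadbeefcafef00d"), b"botmaster-v1"]
# Check-in a (constructed) bot family POSTs: a 32-hex-char id followed by ver/os.
INFECTED_POST = re.compile(rb"^id=[0-9a-f]{32}&(?:ver|os)=")
# Commands the (constructed) C&C sends back to the handset.
C2_COMMAND = re.compile(rb"^!(?:cmd|dl|sms)\s")


def _domain_matches(host, domain):
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def inspect(flow):
    """Return the rule names one flow triggers (empty list = nothing seen).

    flow keys (assumed export format): src, dst (IP strings), host (HTTP Host
    or None), method, uri, payload (request or response body as bytes),
    direction ("c2s" handset->server, "s2c" server->handset)."""
    hits = []
    if flow["dst"] in C2_SERVERS or flow["src"] in C2_SERVERS:
        hits.append("c2-server-contact")
    host = flow.get("host")
    if host and any(_domain_matches(host, d) for d in MALICIOUS_DOMAINS):
        hits.append("malicious-domain")
    uri = flow.get("uri") or ""
    if uri.rsplit("/", 1)[-1].split("?", 1)[0] in MALWARE_FILENAMES:
        hits.append("malware-filename")
    payload = flow.get("payload") or b""
    if any(x in payload for x in MALWARE_EXCERPTS):
        hits.append("malware-binary-excerpt")
    if flow.get("method") == "POST" and INFECTED_POST.match(payload):
        hits.append("infected-client-checkin")
    if flow.get("direction") == "s2c" and C2_COMMAND.match(payload):
        hits.append("c2-command")
    return hits


def run(flows):
    """Return {flow index: hits} for every flow that triggered at least one rule."""
    alerts = {}
    for i, flow in enumerate(flows):
        hits = inspect(flow)
        if hits:
            alerts[i] = hits
    return alerts


# Constructed flows: one benign fetch, then a check-in, a command, a download.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "host": "www.example.com", "method": "GET",
     "uri": "/index.html", "payload": b"", "direction": "c2s"},
    {"src": "10.0.0.5", "dst": "198.51.100.23", "host": "cc.example", "method": "POST",
     "uri": "/gate.php", "payload": b"id=" + b"a" * 32 + b"&ver=3&os=4.0", "direction": "c2s"},
    {"src": "198.51.100.23", "dst": "10.0.0.5", "host": None, "method": None, "uri": None,
     "payload": b"!dl http://dl.bad.example/sys_update.apk", "direction": "s2c"},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "host": "mirror.dl.bad.example", "method": "GET",
     "uri": "/files/sys_update.apk?r=1", "payload": b"", "direction": "c2s"},
    {"src": "203.0.113.9", "dst": "10.0.0.5", "host": None, "method": None, "uri": None,
     "payload": b"PK\x03\x04" + bytes.fromhex("deadbeefcafef00d") + b"...", "direction": "s2c"},
]


if __name__ == "__main__":
    for i, hits in run(SAMPLE_FLOWS).items():
        print("flow %d: %s" % (i, ", ".join(hits)))
```

The benign flow triggers nothing, and each malicious flow usually trips more than one category; correlating those hits per handset (the same source address across the check-in, the command and the download) is what turns pattern matches into an incident rather than four unrelated alerts.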

13 Cisco: fail0verflow's Exploit Approach
Identified a Ralink System-on-Chip (SoC) and found its serial port (header JP1), which operates at baud.
The machine boots with U-Boot.
Issued the U-Boot md command to dump flash memory over the serial port.
LZMA-compressed raw Linux kernel image.
System tools: busybox 1.8.2.
Two users: root and ssh, with the same (non-dictionary) password, cracked after 5 days of processing.
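Dumping flash with md over a serial line leaves you with a text log, not an image; the first job is to turn it back into bytes without silently losing a line. The parser below is an added example, not fail0verflow's code. It assumes the log was captured in U-Boot's usual md layout (address, hex words, four spaces, ASCII column), and it takes the target's byte order as a parameter because md prints words as numbers and the text alone does not tell you which way round they were stored. The uImage and LZMA-alone header checks use the public formats; the sample dump is constructed.

```python
"""Reassemble a U-Boot `md` (memory display) dump captured from the serial
console into a binary image and identify what sits at offset 0.

Added example, not fail0verflow's code.  Assumes U-Boot's print_buffer
layout `<addr>: <word> <word> ...    <ascii>`; byte order is a parameter."""
import re
import struct

UIMAGE_MAGIC = 0x27051956            # legacy U-Boot image header, big-endian fields
UIMAGE_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}
ADDR_RE = re.compile(r"^\s*([0-9a-fA-F]{1,16}):")


def parse_md_dump(text, endian="big"):
    """Return (base_address, image_bytes) for a contiguous md/md.w/md.b dump.

    Lines that are not `addr: ...` (prompts, echoed commands, line noise) are
    skipped.  A gap or overlap between consecutive lines raises: a silently
    shifted image is worse than a failed parse."""
    base = expected = None
    out = bytearray()
    for raw in text.splitlines():
        m = ADDR_RE.match(raw)
        if not m:
            continue
        addr = int(m.group(1), 16)
        # U-Boot puts four spaces between the last hex word and the ASCII column.
        tokens = raw[m.end():].split("    ", 1)[0].split()
        if not tokens:
            continue
        width = len(tokens[0])           # 2 = md.b, 4 = md.w, 8 = md / md.l
        if width not in (2, 4, 8) or any(len(t) != width for t in tokens):
            raise ValueError("unexpected token layout: %r" % raw)
        if base is None:
            base = expected = addr
        if addr != expected:
            raise ValueError("gap or overlap at 0x%x, expected 0x%x" % (addr, expected))
        for t in tokens:
            out += int(t, 16).to_bytes(width // 2, endian)
        expected = addr + len(tokens) * (width // 2)
    if base is None:
        raise ValueError("no md lines found in input")
    return base, bytes(out)


def identify_image(blob):
    """Recognise a legacy uImage header or a raw LZMA-alone stream at offset 0."""
    if len(blob) >= 64 and struct.unpack(">I", blob[:4])[0] == UIMAGE_MAGIC:
        (_magic, _hcrc, _time, size, load, entry, _dcrc,
         _os, _arch, _type, comp) = struct.unpack(">IIIIIIIBBBB", blob[:32])
        name = blob[32:64].split(b"\0", 1)[0].decode("ascii", "replace")
        return {"kind": "uimage", "name": name, "payload_size": size, "load": load,
                "entry": entry, "comp": UIMAGE_COMP.get(comp, "unknown")}
    # LZMA-alone header: properties byte (0x5d = lc3/lp0/pb2, the common choice),
    # 4-byte little-endian dictionary size, 8-byte uncompressed size (all 0xff
    # when unknown).  Byte 12 is the top of that size: 0x00 or 0xff in practice.
    if len(blob) >= 13 and blob[0] == 0x5D and blob[12] in (0x00, 0xFF):
        return {"kind": "lzma-alone", "dict_size": struct.unpack("<I", blob[1:5])[0]}
    return {"kind": "unknown"}


# Constructed sample: an `md.l` of a uImage header as it would appear in a
# console log, with the echoed command and prompt included.
SAMPLE_DUMP = """\
=> md.l bf050000 10
bf050000: 27051956 00000000 00000000 00100000    '..V............
bf050010: 80000000 80000000 00000000 05050203    ................
bf050020: 4c696e75 78204b65 726e656c 20496d61    Linux Kernel Ima
bf050030: 67650000 00000000 00000000 00000000    ge..............
=> """


def demo():
    base, blob = parse_md_dump(SAMPLE_DUMP, endian="big")
    info = identify_image(blob)
    return base, blob, info


if __name__ == "__main__":
    base, blob, info = demo()
    print("%d bytes from 0x%08x: %s" % (len(blob), base, info))
```

Once the image is rebuilt, the uImage header's comp field (or a bare 0x5d LZMA header where the kernel is stored raw, as on this MicroCell) tells you what to hand to the decompressor, and the header's size field is a cheap check that the serial capture was not truncated.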

14 Cisco: Wizard Service is Accessible over the WAN Interface
Supports a function named BackdoorPacketCmdLine that accepts a Linux command as its argument.
Provides full, unauthenticated, remote backdoor command execution.
Communication is over UDP.
Responses sent to IP
