How to use an LTE/4G pseudo base station plus a GSM man-in-the-middle attack to break all SMS verification: pure technical content!

Posted by santillano at 2020-02-29

The guest invited for this open class introduced himself as follows:

A startup mentor who has repeatedly failed at starting companies;

A pseudo angel investor;

Founder and president of an obscure private university;

In my spare time, I work in our school's communication security laboratory.

Since he gave a talk at a hacker conference titled "Advanced Exploitation of Pseudo Base Stations: Completely Breaking the SMS Verification Code", the black industry (China's cybercrime underground) has been fixated on this technique. They have offered a minimum of 2 million yuan a month, plus a share of the proceeds, to anyone who can reproduce the attack.

This attack method really can drain many bank accounts in a single second. He said that, conservatively, one hour of it could bring the black industry 70 million yuan. But he is not in it for the money. In his own words: "The SMS verification code is a security mechanism that refuses to die. I want to knock it down!"

He is Seeker, a hacker previously covered by Leiphone's Hacker's Home channel (WeChat ID: letshome). Last time, Seeker felt he had given Leiphone (official account: Leiphone) too much gossip, so he decided to talk "pure technology" in this open class (your gossip still won't be spared): how to use an LTE/4G pseudo base station plus a GSM man-in-the-middle attack to break all SMS verification, and how to respond to it.

Guest introduction

Seeker, founder and CEO of China Haitian Group Co., Ltd., is an IT veteran and network security expert who started his first business in 1994 and, after several ups and downs, is still on that road. His main business is running a private university, researching and developing Internet and network security products, and providing IT training and consulting services. Seeker is very sensitive to new technologies. He started programming at the age of 13 and took up radio communication in junior high school, and has been interested in network security and wireless communication ever since.

Q&A highlights

1. First of all, could Mr. Seeker briefly introduce himself?

Seeker: I am a serial entrepreneur. I graduated from university in 1994 and founded my first company in Zhongguancun, Beijing, that same year. I have been on the road of entrepreneurship ever since, mainly in IT, the Internet and education. After several ups and downs and adjustments, the company's business is now mainly running private universities, researching and developing Internet and network security products, and providing IT training and consulting services.

I have always been very interested in new technologies, new management concepts, new ways of starting businesses and so on, and I track developments in many fields of science and technology. I am a technology person with a forward-looking mindset who keeps relatively up to date with new trends. I started programming at 13 and radio communication in junior high school; I was a computer prodigy and a teenage ham. Since then I have kept up my research interest in network security and wireless communication. Because of my work I am mainly active in the education, entrepreneurship and investment circles, but in my spare time most of my time goes into network security and wireless communication.

2. So as not to attract the police, please introduce the LTE redirection + GSM man-in-the-middle attack method in detail, on a legal footing.

Seeker: This attack method, which I implemented, proves that the SMS verification code authentication mechanism can easily be broken, so it should be abandoned in favour of a more secure authentication mechanism as soon as possible.

Let me briefly go over the principle. An attacker sets up an LTE pseudo base station to attract the target LTE phone to attach. During the attach procedure, the phone is redirected by RRC redirection signalling to a malicious network set up in advance, usually a GSM pseudo base station. The attacker then uses another phone as the attack phone and registers on the carrier's live network as the target phone, thereby holding the target phone's entire identity on the live network and being able to receive and send calls and SMS as the target phone. This is the so-called GSM man-in-the-middle attack. It can intercept every message sent to the target phone, so it can break any network service that uses SMS verification codes as its authentication mechanism, including mobile banking and mobile payment systems.

It should be noted that LTE RRC redirection can send the phone not only to a GSM pseudo base station but also to a CDMA pseudo base station, or to cracked 3G and 4G femtocells, which can likewise be used for a man-in-the-middle attack. Even when redirecting to GSM, in some cases the phone can be sent directly to an existing GSM base station without setting up a pseudo base station, and a semi-active mode used to intercept SMS; the same SMS interception effect is then achieved without a man-in-the-middle attack.

LTE redirection + GSM man-in-the-middle attack has wide reach and is highly destructive. Its reach comes from the LTE redirection attack, because more than 95% of LTE phones within the coverage of the LTE pseudo base station will be affected. Its destructiveness comes from its being a form of man-in-the-middle attack: it amounts to complete control of the phone's SMS being handed to the attacker without the owner being aware of it. It can not only intercept SMS verification codes but also be combined with various other exploitation methods.

The first public disclosure of the LTE redirection attack was a brief mention in the new book "Secrets of Radio Security Attack and Defense" published by 360 Unicorn Team in May this year, and the first public demonstration in the world was given by Dr. Huang Lin of 360 Unicorn Team at HITB in Amsterdam at the end of May. Huang Lin demonstrated a China Unicom iPhone being redirected by an LTE pseudo base station to a GSM pseudo base station, verifying that the LTE redirection attack is possible. So I am not the first to discover this exploitable LTE vulnerability.

The GSM man-in-the-middle attack has a long history. I am neither the first to discover it nor the first to implement it.

GSM man-in-the-middle attacks have been used in China for two to three years. The most common is the number-harvesting system, used to collect the numbers of GSM phones near a certain location: through a GSM pseudo base station plus attack phone, the identity of a nearby GSM phone user is hijacked to dial a specific number, and the missed calls on that number are then collated. In this way, the phone numbers of people passing that location are leaked without their knowledge. There are also hackers who, after hijacking a user's identity, send SMS to subscribe to SP services; because the charges are obvious, users easily detect it. The more concealed method is bill swiping: after getting the phone number, the identity hijack is held briefly to intercept SMS and quickly complete the SMS confirmation of a registration, account opening or some sensitive operation, achieving batch automated registration and bill swiping. Even more vicious is this year's hijacking of phone identities near international airports, followed by placing premium-rate calls on foreign operators' networks.

I found that, in theory, the LTE redirection attack and the GSM man-in-the-middle attack could be combined into a widely applicable and powerful attack tool. Based on my observation of the black industry, sooner or later this tool would be developed and used by them. Telecom protocol vulnerabilities stay relevant for a very long time, because billions of existing mobile terminals have to be supported; once a telecom protocol vulnerability is exploited, the harm is extensive and lasting. My personal prediction is that the black industry will first target the SMS verification code, which has been proven to be an insecure authentication mechanism, and start with mobile banking and mobile payment systems. All financial institutions and network service providers should be on full alert and prepare early; after all, deploying another identity authentication system takes a great deal of time. To prove that this kind of attack is not only theoretically valid but about to become reality, and to get the industry to give up the SMS verification code as soon as possible, I programmed and implemented this attack combination and gave the talk "Advanced Exploitation of Pseudo Base Stations: Completely Breaking the SMS Verification Code" at the KCon hacker conference in August. Today's open class has the same purpose: to knock down the SMS verification code, an authentication mechanism that refuses to die and is not easily knocked down, and to propose alternatives.

In keeping with responsible disclosure, I will not release the specific details of the attack source code and implementation to the public, to avoid their being used by black industry practitioners. However, I will still disclose enough information for financial institutions and network service providers to take it seriously, understand the severity of the threat and prepare alternatives.

That is the background. Now to the main topic. The following assumes that the group has a preliminary understanding of the basics of GSM and LTE.

LTE RRC redirection is used frequently on live networks; it is commonly seen in CSFB when LTE phones receive and make calls. It means that the LTE system, via the redirectedCarrierInfo in an RRCConnectionRelease message, tells the phone (user equipment, UE) which system / frequency it should try to camp on after leaving the connected state. The UE first releases the current connection and then goes to the indicated frequency to re-establish a connection.

The principle of the LTE RRC redirection attack: the LTE pseudo base station attracts LTE phones to attach. After receiving the phone's Attach Request, and before the security procedure starts, it directly sends a NAS message rejecting the attach, followed by an RRCConnectionRelease message carrying redirectedCarrierInfo, which instructs the phone to close the current connection and then go to the network (2G/3G/4G) and frequency (ARFCN) indicated by the attacker, usually a malicious network set up in advance, to establish a connection there, setting up the attacker's next step.

Why the LTE RRC redirection attack works: under LTE, the UE and eNodeB are supposed to authenticate each other, and the UE should not follow a base station's instructions without authentication. But when 3GPP drew up the protocol standards, it chose availability over security wherever the two could not both be had. That is, in emergencies and disasters there may be a flood of phone service requests; network availability is then critical to protecting life and property, and the network must be able to schedule requests and shed load promptly. Requiring large amounts of authentication, encryption, integrity checking and other security measures at that moment could create network bottlenecks, so all of them are dropped.

Building the LTE pseudo base station. Hardware: high-performance PC, BladeRF (or USRP B2x0), antenna system. Software: Ubuntu Linux, OpenAirInterface. Compared with OpenLTE, the OAI code is much more mature and stable, and supports both TDD and FDD LTE.

Programming the LTE RRC redirection attack: R8 and R9 RRCConnectionRelease are defined in the OAI (OpenAirInterface) code, but there is no calling logic; the MME and eNodeB code must be modified to add the corresponding logic.

The principle of the GSM man-in-the-middle attack is as follows: a GSM pseudo base station and a GSM attack phone are inserted between the target GSM phone and the carrier's GSM base station. Start the pseudo base station near the target, induce the target phone to camp on it, and have the attack phone attach to the live network's carrier base station. If the live network requires authentication, the authentication request is sent to the target phone through the pseudo base station; the target phone returns the authentication response to the pseudo base station, which first passes it to the attack phone, which passes it on to the live network, completing authentication. The attack phone is now successfully registered on the live network as the target phone. When receiving or sending SMS, or receiving or making calls, if the live network does not require authentication, the attack phone completes the operation directly; if it does, the pseudo base station is again used to send the authentication request to the target phone, and the received authentication response is forwarded to the live network's carrier base station.

Building the GSM pseudo base station. Hardware: ordinary PC, USRP B2x0 + antenna (or Motorola C118/C139 + CP2102). Software: Ubuntu Linux, OpenBSC. OpenBSC is an open source GSM/GPRS base station system with high performance and open interfaces, initiated and maintained by Osmocom.

Building the GSM attack phone. Hardware: ordinary PC, Motorola C118/C139 + CP2102. Software: Ubuntu Linux, OsmocomBB. OsmocomBB is an open source GSM baseband project, rewritten on the basis of a leaked set of phone baseband source code, and supports only the TI Calypso baseband processor. The leaked source it drew on is incomplete: only 90-odd percent of the source, with some linked libraries lacking source code and the DSP code missing. OsmocomBB is designed as an experimental tool for hackers rather than a phone system for ordinary users. Its layers 2 and 3 run on the PC, which makes it convenient for hackers to write and modify code and implement functions of their own.

OpenBSC (pseudo base station side): implement the basic functions of the pseudo base station; send the IMSI of the attached phone to the attack phone; receive the authentication request from the attack phone and send the network's authentication to the target phone; send the authentication response received from the target phone back to the attack phone.

Programming the GSM man-in-the-middle attack (OsmocomBB): receive the IMSI from the pseudo base station and send a Location Update request with that IMSI to the corresponding operator network; if the operator network requires authentication, send the received authentication request to the pseudo base station; receive the authentication response sent back by the pseudo base station, forward it to the operator network and complete authentication; then begin executing attack vectors under the false identity: receive/send SMS, make/receive calls. If an operation requires authentication, repeat the authentication process above.

Screenshot of the LTE RRC redirection attack:

Screenshot of the GSM man-in-the-middle attack:

Possible use by the black industry (lightweight form): backpack, low power, small range. A targeted attack that affects a few people at a time.

In the figure, a USRP B200mini implements the LTE pseudo base station, one Motorola C139 implements the GSM pseudo base station, and one Motorola C118 implements the attack phone.

Possible use by the black industry (common form): elevated mount / vehicle / backpack, high power, large range. It affects many people and is an indiscriminate attack. An LTE pseudo base station can cover 95% of LTE phones within a 300 metre radius, and at peak can redirect 15 to 20 LTE phones per second. Each LTE pseudo base station needs 4 to 5 GSM pseudo base stations and 100 to 150 attack phones connected to it. With appropriate parameters and setup, a GSM pseudo base station covers a wide area. Once an LTE phone has been attracted by the LTE pseudo base station and redirected to the GSM pseudo base station, its dwell time is enough to complete dozens of SMS verification code receptions. Because the attack phones work with the GSM pseudo base station over UDP, they can in theory be scattered anywhere with Internet coverage. Once the black industry sets up such an attack system, in the worst case it could drain all of the victims' bank accounts at a rate of 20 phone users per second; in the best case it would be used for bill swiping, completing about 100 account registrations per second. Such a powerful system surpasses every attack method the black industry has had in the past.
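The attach-reject-then-redirect sequence described in the answer above is also what a defender would look for. The following is an added example, not code from the interview, from OpenAirInterface or from Osmocom: a small UE-side heuristic that reads simplified RRC/NAS event records (the record layout and field names are my own assumption, not any vendor's diagnostic format) and flags a connection that was released with redirectedCarrierInfo before any security procedure ran, which is what distinguishes the pattern from an ordinary CSFB redirect on an already-secured connection.

```python
"""Added example (not code from the interview or from OAI/Osmocom): a
UE-side heuristic for the attach-reject-then-redirect pattern.  It consumes
simplified RRC/NAS event records such as a baseband diagnostic tool might
export; the record layout and field names are an assumption, not any
vendor's format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Event:
    conn_id: int                          # RRC connection the message belongs to
    proto: str                            # "RRC" or "NAS"
    msg: str                              # message name as in 3GPP TS 36.331 / 24.301
    redirect_rat: Optional[str] = None    # target RAT from redirectedCarrierInfo, if present
    redirect_arfcn: Optional[int] = None  # target carrier (ARFCN) from redirectedCarrierInfo


@dataclass
class Finding:
    conn_id: int
    reason: str
    redirect_rat: Optional[str]
    redirect_arfcn: Optional[int]


# A legitimate redirect (e.g. CSFB) happens on a connection whose security has
# already been activated; the attack releases the UE before either of these ran.
SECURITY_PROCEDURES = {("NAS", "SecurityModeCommand"), ("RRC", "SecurityModeCommand")}


def analyse(events: Iterable[Event]) -> List[Finding]:
    """Group events per RRC connection and flag any connection that ended in an
    RRCConnectionRelease carrying redirectedCarrierInfo before a security
    procedure ran.  An AttachReject earlier in the same connection makes the
    finding more specific; the redirect-before-security check alone is what
    separates the pattern from CSFB."""
    by_conn: Dict[int, List[Event]] = {}
    for ev in events:
        by_conn.setdefault(ev.conn_id, []).append(ev)

    findings: List[Finding] = []
    for conn_id, evs in sorted(by_conn.items()):
        security_done = False
        attach_rejected = False
        for ev in evs:
            if (ev.proto, ev.msg) in SECURITY_PROCEDURES:
                security_done = True
            elif ev.proto == "NAS" and ev.msg == "AttachReject":
                attach_rejected = True
            elif ev.proto == "RRC" and ev.msg == "RRCConnectionRelease" and ev.redirect_rat:
                if security_done:
                    continue  # ordinary redirect on a secured connection
                reason = "redirect to %s before any security procedure" % ev.redirect_rat
                if attach_rejected:
                    reason = "attach rejected, then " + reason
                findings.append(Finding(conn_id, reason, ev.redirect_rat, ev.redirect_arfcn))
    return findings


def sample_events() -> List[Event]:
    """Constructed log: connection 1 is a normal CSFB redirect, connection 2 is
    the suspicious pattern, connection 3 is a plain reject with no redirect."""
    return [
        Event(1, "RRC", "RRCConnectionSetupComplete"),
        Event(1, "NAS", "ServiceRequest"),
        Event(1, "RRC", "SecurityModeCommand"),
        Event(1, "RRC", "RRCConnectionRelease", redirect_rat="GERAN", redirect_arfcn=77),
        Event(2, "RRC", "RRCConnectionSetupComplete"),
        Event(2, "NAS", "AttachRequest"),
        Event(2, "NAS", "AttachReject"),
        Event(2, "RRC", "RRCConnectionRelease", redirect_rat="GERAN", redirect_arfcn=42),
        Event(3, "RRC", "RRCConnectionSetupComplete"),
        Event(3, "NAS", "AttachRequest"),
        Event(3, "NAS", "AttachReject"),
        Event(3, "RRC", "RRCConnectionRelease"),
    ]


if __name__ == "__main__":
    for f in analyse(sample_events()):
        print("connection %d: %s (ARFCN %s)" % (f.conn_id, f.reason, f.redirect_arfcn))
```

Grouping per connection is what keeps the check useful: a redirect is routine on a connection whose security was activated, so flagging every redirect would drown in CSFB noise. The example assumes the baseband's NAS/RRC messages can be exported, which ordinary phones do not expose to applications; on a test device with a diagnostic interface it can run over a captured session.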

3. What are the consequences of this attack?

Seeker: 1) It affects all 4G/LTE phones; it is fast, simple and crude.

2) Information leakage.

3) Loss of funds.

4) If used by the black industry, it could drain all the bank accounts bound to 20 phones in one second, and move 70 million yuan in one hour.

4. Is there any technical means of preventing such attacks?

Seeker: There is no direct way for ordinary users. Financial institutions and network service providers should abandon the insecure SMS verification code authentication mechanism as soon as possible.

5. What was the attitude of your friends in the telecom industry when they learned of your attack method?

Seeker: No official statement. The personal view of friends in the telecom industry is mainly that telecom is a pipe and infrastructure, and application security should be solved by the businesses themselves. This is the same as the history of TCP/IP and the Internet: at the beginning there was no security mechanism at all, then protocols were continually upgraded and improved, but businesses still assume by default that the Internet is not secure, so they must have their own security mechanisms at the application layer. In the same way, the telecom network cannot be trusted, so application-layer security mechanisms should be designed on the premise that the telecom network is insecure.

6. Why focus on breaking the SMS verification code?

Seeker: 1) The harm is great: all kinds of important operations generally use the SMS verification code as a security mechanism. 2) The SMS verification code refuses to die and needs to be knocked down. 3) A supplementary note: this is only a part of my broader penetration and intrusion research, a by-product of that process. The demo broke into a mobile bank account just to prove the harm.

7. The SMS verification code has been broken. What should we do? Who can responsibly do something about it?

Seeker: 1) Solution: use a real two-factor authentication system, and then take care of user-friendliness as much as possible. 2) Ordinary users: wait. 3) Application service providers: plan ahead and prepare the technology. 4) Banks / telecoms: a business opportunity, providing two-factor authentication as an infrastructure service. 5) Me: providing solutions and consulting services.

8. Why is the mobile phone the best entry point for penetration?

Seeker: 1) The mobile phone is a channel for obtaining personal information, sensitive data and permissions. 2) Mobile phones are constantly carried in and out of office areas; outside the office area is a good time to break in. 3) Mobile phones can be penetrated in multiple ways and at multiple levels. 4) Mobile phones have long been the best entry point for penetrating large networks, but most previous intrusions used the Internet as the channel, and most used WiFi to complete the Trojan implant, which was inefficient.

9. Can you talk about the hidden dangers of mobile phones?

Seeker: 1) SIM card: OTA-pushed applets; 2) baseband: cellular data network; 3) operating system: cellular data network / WiFi; 4) application layer: cellular data network / WiFi; 5) if the above are remote: bootloader / TrustZone / HLOS / DRM.

10. What are the security problems of the telecom network?

Seeker: 1) core network / femtocells; 2) SS7 MAP / LTE Diameter interconnection; 3) VoLTE.

11. I heard the black industry has approached you. Can you tell the story in detail?

Seeker: Because I left my WeChat in the slides of my KCon talk, people from the black industry have come to ask whether I would cooperate after reading them, almost every day.

12. How big is the black industry in this field? What is the threshold for copying your technique?

Seeker: There is no authoritative figure for the size of the black industry; I don't know. There are still some thresholds for imitation. You need an R&D team familiar with telecom protocols, base station RF hardware and software development. The black industry has not yet reached the stage of supporting R&D teams; R&D is done by lone individuals. It will take a while for them to break through.

13. Do you study these things as a hobby, or not? Can you resist the temptation of money?

Seeker: 1) It is a pure hobby. I like to study the principles of military and intelligence secret technologies and try to implement them myself. 2) It is also a release from entrepreneurial pressure; the digital world is easier to control than the real world. 3) My main business is entrepreneurship. In terms of challenge, entrepreneurial success is more challenging. In a broader sense, society itself is a big system and a bigger battlefield for talent. 4) I firmly believe in the theory of social value creation: anything that does not create social value will not go far.

14. What new technologies are not illegal? Let's not talk about those that break the law.

Seeker: 1) Open source mobile communication projects, of a basic / platform nature; 2) 4G/5G security test platforms, testing baseband security; 3) locating and attacking pseudo base stations; 4) operator security drive tests, testing for base station configuration risks, in a crowdsourced mode.

15. Your main job is as a businessman, yet as an amateur you are such a good hacker. Can you share some experience: how can one successfully study hacking in one's spare time?

Seeker: 1) No experience to share. People's energy is limited. My breakthroughs in hacking technique usually come during periods of business failure or a downturn in my main business. So from my current technical output it is easy to infer that my company has run into difficulties.

2) I do have some experience in keeping up with technology: master the principles and see through to the essence, hold firmly to the basic principles and core technologies with long life cycles, and don't waste time on flashy surface details and fast-changing trivia.

3) Besides, I don't think of myself as a businessman. A successful entrepreneur must also be a successful businessman, but a successful businessman is not necessarily a successful entrepreneur. Although I am not a successful entrepreneur, I have been driven by entrepreneurship from the first day I decided to start my own business.

4) I said before that I am a technology person, so I look at the world from a pan-technology perspective. I think R&D is technology, marketing is technology, finance is technology, management is technology, entrepreneurship is technology. This is a world of technology, and anything that is technology should not be hard to master. If hacking is an intellectual game in a relatively narrow field, then entrepreneurship and competition in this vast world is an intellectual game with a sense of challenge and achievement. I have spent more energy studying how to run an enterprise than I have invested in the security field. From a technical point of view I have mastered a great deal of knowledge about running an enterprise, which should long since have produced results. Later I found out I was wrong. The world is a complex system, and many things, such as management, are both technology and art. Complex systems contain uncertainty; their outcomes are not simple logical deduction. This is different from the hacker's digital world. So when I am frustrated in the real world, running back to the digital world to find that feeling of 100% control is also a kind of psychotherapy.

16. You said before that you like to talk face to face with peers. Last time you went to 360 Unicorn Team's lab, what did you discuss?

Seeker: 1) I like to seek out experts around the world to exchange skills, and often drop in on new friends unannounced. 2) The atmosphere for wireless security research in China is not strong; teams dedicated to wireless security research are rare, and we all feel for each other. 3) I agreed to serve as honorary consultant to Unicorn Team, and we may cooperate on research in the future.

17. To show that this lecture really is for the purpose of building a harmonious society, please talk harmoniously about your original intention in being a hacker and your plans for the future.

Seeker: 1) This lecture is meant to knock down the insecure SMS verification code authentication mechanism. It may be very hard to knock down, but someone has to push. 2) Hacking is just an intellectual game and a hobby. In the end, institutions are more powerful than individuals, and construction is more valuable than destruction. What I am more eager to do is to create an ecosystem-type economic organization, focused on creating social value in a field I am good at, that attracts and pools social resources through a shared vision and efficient value creation. The organization should be able to learn, grow, mutate and evolve on its own, and ultimately truly advance social progress in its field. That ambition and vision appeals to me even more. 3) I will spare no effort in cracking down on the black industry. 4) If there is a war, serve the country. 5) I am willing to support security startups in various forms.

18. What would you like to say to readers of the Hacker's Home channel?

Seeker: 1) There is no future in the black industry; turn back. 2) Construction is always more valuable than destruction. Security itself, and innovation and R&D beyond security, need constructive talent. 3) I hope more people come to play with wireless communication and communication security. 4) If you are interested in doing communication security together and have the ability and energy to do open source R&D in wireless communication, please contact me; my WeChat: 70772177.

Reader question: if the SMS verification code mechanism is not secure, which verification methods are relatively reliable and could replace it?

Seeker: The answer to this question has long been known: two-factor or multi-factor authentication. The problem is that excessive concern for the user experience, and the pressure to grow user numbers under competition, make businesses generally reluctant to be the first to deploy a two-factor authentication system. Whoever can provide a secure authentication system that does not significantly degrade the user experience will certainly have a great business opportunity.
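Answer 7 above and this answer both call for a real second factor without naming one. As an added example (my own code, not Seeker's and not from the interview), here is a device-bound one-time code per RFC 4226 (HOTP) and RFC 6238 (TOTP): the secret is shared once at enrolment and the code is computed on the user's device, so no code travels over the cellular network for a pseudo base station to intercept. The verifier's drift window and replay set are my own assumed design choices.

```python
"""Added example (not the interviewee's code): a device-bound one-time code
per RFC 4226 (HOTP) and RFC 6238 (TOTP) as an alternative to SMS codes.
The secret is shared at enrolment and the code is computed on the user's
device, so nothing passes over the cellular network to be intercepted.
The verifier is an assumed design: it tolerates one time step of clock
drift and refuses to accept the same time step twice, so a code captured
and replayed inside its validity window is rejected.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

# RFC 6238 reference secret (ASCII "12345678901234567890"), used here only so
# the output can be checked against the RFC's published test vectors; a real
# deployment generates a random secret per user at enrolment.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None, step: int = 30,
                digits: int = 6, window: int = 1,
                used_steps: Optional[Set[int]] = None) -> bool:
    """Server-side check.  Accepts the code for the current step or up to
    `window` steps either side (clock drift); `used_steps` is per-user state
    the caller persists so that each step's code is accepted at most once."""
    if not (isinstance(code, str) and code.isascii() and code.isdigit() and len(code) == digits):
        return False
    if at is None:
        at = time.time()
    now = int(at // step)
    matched = None
    for counter in range(now - window, now + window + 1):
        # compare every candidate with compare_digest so timing does not
        # depend on which step (if any) matched
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            matched = counter
    if matched is None:
        return False
    if used_steps is not None:
        if matched in used_steps:
            return False  # replay of an already-consumed code
        used_steps.add(matched)
    return True


if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET))
```

The enrolment secret has to be delivered over a channel other than SMS (a QR code shown in an authenticated session, for instance); a secret sent by SMS would be exposed to exactly the interception the interview describes, and everything derived from it afterwards.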

Reader question: how would you attack with Kali? (Just the theory, briefly, so that the police don't come knocking.)

Seeker: After installing NetHunter on an Android phone, it becomes a hacker's phone. It is often used for WiFi attacks. An SDR plugged into its USB port can serve as a GSM pseudo base station, but that is not enough to support LTE.

Reader question: how do you rate 360's demonstration at DEF CON of how to hack 4G LTE phones?

Seeker: Good; it brought honour to our country. Chinese people are well suited to security. More Chinese hackers should present at international hacker conferences.

Leiphone's original articles may not be reproduced without authorization. See the reprint notice for details.