Some considerations about IMSI Detach DoS Attack

Gloria Mazzi mazzi.teodolinda.gloria at gmail.com
Fri Jul 22 15:48:40 UTC 2011


Hi all,

as stated on OsmocomSecurity:
"A malicious attacker knowing the IMSI or TMSI of a victim can thus send
hand-crafted IMSI DETACH messages to a cell, causing the network to assume
the MS is no longer present in the network.This will effectively prevent the
delivery of all mobile-terminated (MT) services, such as SMS, voice calls,
CSD, ...".

Following the theory i've better understood how it works [1]*, but still i
have some questions for you:

- what could happen if i will clone one SIM (Ki, IMSI) and use it to
register on the same network, but on different BTS/LAC, two phones? Which
will be rejected as first? Or both?

- if i will send an IMSI detach with one of them... also the other (that is
phisically in another BTS/LAC) will be disconnected?

- what could happen if i will connect a C123 with ./mobile to the network
using another SIM and then trying to forge IMSI_DET_IND with victim's
IMSI/TMSI and send to the network where the victim is connected (that could
mean the same network, but different BTS/LAC), this DoS will still be
accomplished?

What exactly i would like to know is, if someone already made some
experiments on it (obviously on private networks, with a legal experimental
license.) and eventually if there are any interesting results.


Thank you for attention.

Cheers

Gloria







*[1] - http://www.gsmfordummies.com/gsmevents/detach.shtml
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/baseband-devel/attachments/20110722/74a1ea00/attachment.html>


More information about the baseband-devel mailing list