Some considerations about IMSI Detach DoS Attack

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/baseband-devel@lists.osmocom.org/.

Aleph void at techberto.com
Fri Jul 22 16:28:18 UTC 2011


On Fri, Jul 22, 2011 at 12:48, Gloria Mazzi <mazzi.teodolinda.gloria at gmail.com> wrote:

> Hi all,
>
> as stated on OsmocomSecurity:
> "A malicious attacker knowing the IMSI or TMSI of a victim can thus send
> hand-crafted IMSI DETACH messages to a cell, causing the network to assume
> the MS is no longer present in the network. This will effectively prevent the
> delivery of all mobile-terminated (MT) services, such as SMS, voice calls,
> CSD, ...".
>
> Following the theory I've better understood how it works [1]*, but still I
> have some questions for you:
>
> - what could happen if I clone one SIM (Ki, IMSI) and use it to register
> two phones on the same network, but on different BTS/LAC? Which one will
> be rejected first? Or both?
>
>

Both will go to a blacklist that will block new GSM Attach in the same HLR
from the carrier, unless you use OpenBSC! :-)


> - if I send an IMSI detach with one of them... will the other (which is
> physically in another BTS/LAC) also be disconnected?
>
>
...if the detach is promoted by the HLR: yes. If by the other side: no.


> - what could happen if I connect a C123 with ./mobile to the network
> using another SIM and then try to forge an IMSI_DET_IND with the victim's
> IMSI/TMSI and send it to the network where the victim is connected (that
> could mean the same network, but a different BTS/LAC)? Would this DoS
> still be accomplished?
>
>
There are protections in the HLR / VLR of the GSM system network.

> What exactly I would like to know is whether someone has already made some
> experiments on it (obviously on private networks, with a legal experimental
> license) and whether there are any interesting results.
>
>
Personally, I know the existing protections, but I never did experiments or
dared to do this kind of experiment in my country for legal reasons, though
it's the kind of thing I'd like to do within legal parameters. My experiments
were only in experimental networks in a Faraday cage.

>
> Thank you for your attention.
>
> Cheers
>
> Gloria
>
> *[1] - http://www.gsmfordummies.com/gsmevents/detach.shtml
>
-- 
- .... .  -... . ... -  .-- .- -.--  - ---  .--. .-. . -.. .. -.-. -  - ....
.  ..-. ..- - ..- .-. .  .. ...  - ---  .. -. ...- . -. -  .. -     .- .-..
.- -.  -.- .- -.--
"""
  The best way to predict the future is to invent it ,  Alan Kay

""
/*  0x42 0x69 0x74 0x20 0x46 0x61 0x6e  */
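The message the quoted OsmocomSecurity text talks about is a plain GSM 04.08 (3GPP TS 24.008) Mobility Management message. As an added example, not part of this thread and not code from OsmoconBB or OpenBSC, the block below encodes an IMSI DETACH INDICATION for either an IMSI or a TMSI and parses it back the way a network-side MM layer would. It shows the concrete point behind the attack: the only thing that ties the message to a subscriber is the Mobile Identity element inside it; there is no authentication or integrity field. The classmark value 0x33 and the sample identities are constructed placeholders, not taken from any capture.

```python
"""Encode and decode a GSM 04.08 / 3GPP TS 24.008 IMSI DETACH INDICATION.

Layout (TS 24.008, 9.2.12), MS -> network:
  octet 1   : protocol discriminator 0x5 (Mobility Management), skip indicator 0
  octet 2   : message type 0x01 (IMSI DETACH INDICATION)
  octet 3   : Mobile Station Classmark 1, value only (one octet)
  octet 4.. : Mobile Identity, LV: one length octet + identity (10.5.1.4)

The message carries no authentication or integrity field; the network has
only the identity inside it to go on.
"""

PD_MM = 0x05
MT_IMSI_DETACH_IND = 0x01
ID_TYPE_IMSI = 0b001
ID_TYPE_TMSI = 0b100


def encode_mobile_identity_imsi(imsi: str) -> bytes:
    """Mobile Identity value for an IMSI: digit 1 in the high nibble of the
    first octet together with the odd/even flag (bit 4) and the type (bits
    1-3); remaining digits follow as BCD, low nibble first, 0xF filler if even."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6-15 decimal digits")
    digits = [int(c) for c in imsi]
    odd = len(digits) % 2
    out = bytearray([(digits[0] << 4) | (odd << 3) | ID_TYPE_IMSI])
    rest = digits[1:]
    if not odd:
        rest.append(0xF)  # even digit count: filler in the last high nibble
    for lo, hi in zip(rest[0::2], rest[1::2]):
        out.append((hi << 4) | lo)
    return bytes(out)


def encode_mobile_identity_tmsi(tmsi: int) -> bytes:
    """Mobile Identity value for a TMSI: 0xF4 (filler nibble, even flag clear,
    type TMSI) followed by the 32-bit TMSI, big-endian."""
    return bytes([0xF0 | ID_TYPE_TMSI]) + tmsi.to_bytes(4, "big")


def build_imsi_detach_indication(identity: bytes, classmark1: int = 0x33) -> bytes:
    """Assemble the full layer-3 message. classmark1=0x33 is an assumed
    placeholder value for the example, not taken from a real phone."""
    return bytes([PD_MM, MT_IMSI_DETACH_IND, classmark1 & 0xFF, len(identity)]) + identity


def parse_imsi_detach_indication(msg: bytes) -> dict:
    """Decode as a network-side MM layer would: check PD and message type
    (bit 7 of the type octet is the N(SD) sequence bit, so mask it), then
    unpack the LV Mobile Identity into ("IMSI", digits) or ("TMSI", int)."""
    if len(msg) < 5:
        raise ValueError("message too short")
    if (msg[0] & 0x0F) != PD_MM or (msg[1] & 0x3F) != MT_IMSI_DETACH_IND:
        raise ValueError("not an MM IMSI DETACH INDICATION")
    mi_len = msg[3]
    mi = msg[4:4 + mi_len]
    if mi_len == 0 or len(mi) != mi_len:
        raise ValueError("truncated Mobile Identity")
    id_type = mi[0] & 0x07
    if id_type == ID_TYPE_TMSI:
        if mi_len != 5:
            raise ValueError("TMSI identity must be 5 octets")
        identity = ("TMSI", int.from_bytes(mi[1:], "big"))
    elif id_type == ID_TYPE_IMSI:
        odd = (mi[0] >> 3) & 1
        nibbles = [mi[0] >> 4]
        for b in mi[1:]:
            nibbles.extend((b & 0x0F, b >> 4))
        if not odd:
            nibbles.pop()  # drop the 0xF filler
        if any(n > 9 for n in nibbles):
            raise ValueError("non-BCD digit in IMSI")
        identity = ("IMSI", "".join(str(n) for n in nibbles))
    else:
        raise ValueError("unsupported identity type %d" % id_type)
    return {"classmark1": msg[2], "identity": identity}


if __name__ == "__main__":
    # Constructed sample identities (test PLMN 001 01), not real subscribers.
    for mi in (encode_mobile_identity_imsi("001010123456789"),
               encode_mobile_identity_tmsi(0xDEADBEEF)):
        msg = build_imsi_detach_indication(mi)
        print(msg.hex(), "->", parse_imsi_detach_indication(msg))
```

The decoder deliberately accepts anything that is well-formed, because that is all the MM layer can check: whether a given network then really marks the subscriber detached depends on the HLR/VLR-side protections the reply above alludes to, which this example does not model.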