Hi Aleph,
- What could happen if I clone one SIM (Ki, IMSI) and use it to register two phones on the same network, but on different BTS/LAC? Which will be rejected first? Or both?
Both will go to a blacklist that will block new GSM Attach in the same HLR from the carrier, unless you use OpenBSC! :-)
- If I send an IMSI detach with one of them... will the other (which is physically in another BTS/LAC) also be disconnected?
...if the detach is promoted by the HLR: yes. If by the other side: no.
- What could happen if I connect a C123 with ./mobile to the network using another SIM and then try to forge an IMSI_DET_IND with the victim's IMSI/TMSI and send it to the network where the victim is connected (which could mean the same network, but a different BTS/LAC)? Would this DoS still be accomplished?
There are protections in the HLR / VLR of the GSM system network.
Could you please suggest some ETSI specs where I can find more info about the HLR/VLR's security policies to prevent DoS?
What exactly I would like to know is whether someone has already made some experiments on it (obviously on private networks, with a legal experimental license) and, eventually, whether there are any interesting results.
I personally know the existing protections, but I never did experiments or dared to do this kind of experiment in my country for legal reasons; it's the kind of thing I'd like to do within legal parameters. My experiences were only in experimental networks in a Faraday cage.
It would be really interesting to analyze its behaviour on real networks; unfortunately, as you stated, it is quite illegal without prior authorization from the provider of a public GSM network.
Unfortunately I own only a USRP, and OpenBTS doesn't have full support for a pseudo HLR/VLR, so I cannot make further investigations about it.
Which results did you reach with OpenBSC? Have you tried to forge some IMSI_DET_IND and attempted to DoS other MS camped on the same BTS?
At the state of the art, as far as I can see, this attack is more theoretical than practical (I'm talking about applications to real networks). Or am I wrong?
Thank you for your attention.
Cheers
Gloria