On Fri, Jul 22, 2011 at 12:48, Gloria Mazzi <mazzi.teodolinda.gloria@gmail.com> wrote:
> Hi all,
> as stated on OsmocomSecurity: "A malicious attacker knowing the IMSI or TMSI of a victim can thus send hand-crafted IMSI DETACH messages to a cell, causing the network to assume the MS is no longer present in the network. This will effectively prevent the delivery of all mobile-terminated (MT) services, such as SMS, voice calls, CSD, ...".
> Following the theory I've better understood how it works [1]*, but I still have some questions for you:
> - what could happen if I clone one SIM (Ki, IMSI) and use it to
> register two phones on the same network, but on different BTS/LAC? Which one will be rejected first? Or both?
Both will go to a blacklist that will block new GSM Attach in the same HLR from the carrier, unless you use OpenBSC! :-)
> - if I send an IMSI detach with one of them... will the other (that is
> physically in another BTS/LAC) also be disconnected?
...if the detach is initiated by the HLR: yes. If by the other side: no.
> - what could happen if I connect a C123 with ./mobile to the network
> using another SIM and then try to forge IMSI_DET_IND with the victim's IMSI/TMSI and send it to the network where the victim is connected (that could mean the same network, but a different BTS/LAC)? Will this DoS still be accomplished?
There are protections in the HLR / VLR of the GSM network.
> What exactly I would like to know is whether someone has already made some
> experiments on it (obviously on private networks, with a legal experimental license) and, if so, whether there are any interesting results.
I personally know the existing protections, but I never did experiments or dared to do this kind of experiment in my country for legal reasons, though it's the kind of thing I'd like to do within legal parameters. My experiences were only in experimental networks in a Faraday cage.
> Thank you for your attention.
> Cheers
> Gloria