Hi all,
as stated on OsmocomSecurity: "A malicious attacker knowing the IMSI or TMSI of a victim can thus send hand-crafted IMSI DETACH messages to a cell, causing the network to assume the MS is no longer present in the network. This will effectively prevent the delivery of all mobile-terminated (MT) services, such as SMS, voice calls, CSD, ...".
Following the theory I've better understood how it works [1]*, but still I have some questions for you:
- what could happen if I clone one SIM (Ki, IMSI) and use it to register two phones on the same network, but on different BTS/LAC? Which will be rejected first? Or both?
- if I send an IMSI detach with one of them... will the other (that is physically in another BTS/LAC) also be disconnected?
- what could happen if I connect a C123 with ./mobile to the network using another SIM and then try to forge IMSI_DET_IND with the victim's IMSI/TMSI and send it to the network where the victim is connected (that could mean the same network, but different BTS/LAC)? Will this DoS still be accomplished?
What exactly I would like to know is whether someone has already made some experiments on it (obviously on private networks, with a legal experimental license) and eventually if there are any interesting results.
Thank you for your attention.
Cheers
Gloria
On Fri, Jul 22, 2011 at 12:48, Gloria Mazzi <mazzi.teodolinda.gloria@gmail.com> wrote:
> - what could happen if I clone one SIM (Ki, IMSI) and use it to
> register two phones on the same network, but on different BTS/LAC? Which will be rejected first? Or both?
Both will go to a blacklist that will block new GSM Attach in the same HLR from the carrier, unless you use the OpenBSC! :-)
> - if I send an IMSI detach with one of them... will the other (that is
> physically in another BTS/LAC) also be disconnected?
...if the detach is promoted by the HLR: yes. If by the other side: no.
> - what could happen if I connect a C123 with ./mobile to the network
> using another SIM and then try to forge IMSI_DET_IND with the victim's IMSI/TMSI and send it to the network where the victim is connected (that could mean the same network, but different BTS/LAC)? Will this DoS still be accomplished?
There are protections in the HLR/VLR of the GSM system network.
> What exactly I would like to know is whether someone has already made some
> experiments on it (obviously on private networks, with a legal experimental license) and eventually if there are any interesting results.
I personally know the existing protections, but I never did experiments or dared to do this kind of experiment in my country for legal reasons, but it's the kind of thing I'd like to do within legal parameters. My experiments were only in experimental networks in a Faraday cage.
Hi Aleph,
>> - what could happen if I clone one SIM (Ki, IMSI) and use it to
>> register two phones on the same network, but on different BTS/LAC? Which will be rejected first? Or both?
> Both will go to a blacklist that will block new GSM Attach in the same HLR from the carrier, unless you use the OpenBSC! :-)
>> - if I send an IMSI detach with one of them... will the other (that
>> is physically in another BTS/LAC) also be disconnected?
> ...if the detach is promoted by the HLR: yes. If by the other side: no.
>> - what could happen if I connect a C123 with ./mobile to the network
>> using another SIM and then try to forge IMSI_DET_IND with the victim's IMSI/TMSI and send it to the network where the victim is connected (that could mean the same network, but different BTS/LAC)? Will this DoS still be accomplished?
> There are protections in the HLR/VLR of the GSM system network.
Could you please suggest some ETSI specs where I can find more info about the HLR/VLR's security policies to prevent DoS?
>> What exactly I would like to know is whether someone has already made some
>> experiments on it (obviously on private networks, with a legal experimental license) and eventually if there are any interesting results.
> I personally know the existing protections, but I never did experiments or dared to do this kind of experiment in my country for legal reasons, but it's the kind of thing I'd like to do within legal parameters. My experiments were only in experimental networks in a Faraday cage.
It would be really interesting to analyze its behaviour on real networks; unfortunately, as you stated, it is quite illegal without prior authorization from the provider of a public GSM network.
Unfortunately I own only a USRP, and OpenBTS doesn't have full support for a pseudo HLR/VLR, so I cannot make further investigations about it.
Which results did you reach with OpenBSC? Have you tried to forge some IMSI_DET_IND and DoS other MSs camped on the same BTS?
At the state of the art, as far as I can see, this attack is more theoretical than practical (I'm talking about real-network applications). Or am I wrong?
Thank you for your attention.
Cheers
Gloria
On Fri, Jul 22, 2011 at 19:48, Gloria Mazzi <mazzi.teodolinda.gloria@gmail.com> wrote:
> - what could happen if I clone one SIM (Ki, IMSI) and use it to
> register two phones on the same network, but on different BTS/LAC? Which will be rejected first? Or both?
I can't tell about this attack, but from my experience with using cloned SIM cards in the real network, the last phone that made a call receives incoming calls. If this (last active) phone is turned off, then the second phone doesn't receive incoming calls at all until it does something. And I think this is a natural behavior, because it may happen that some phone loses its battery, then you take the SIM out and insert it in another phone, and it should work - and the case with two cloned SIM cards looks about the same to an operator.
PS: To make it clear, I cloned my own SIM cards, because I used a multi-SIM card with several numbers on a single SIM. So nothing really illegal.
Hi Alexander,
> PS: To make it clear, I cloned my own SIM cards, because I used a multi-SIM card with several numbers on a single SIM. So nothing really illegal.
Thank you for the info.
I wanted to make the same experiments; unfortunately, all providers in my country no longer provide "weak and clonable" SIMs.
Which provider's SIMs did you use for that?
Is it still possible with some providers around Europe that I could use with roaming procedures?
Thank you again for your attention.
Cheers
Gloria
> - what could happen if I clone one SIM (Ki, IMSI) and use it to
> register two phones on the same network, but on different BTS/LAC? Which will be rejected first? Or both?
If you do that, it will send a LOC.UPD.REQ in another LAC ... which is exactly the same as if you moved your phone to that LAC ... it's a perfectly valid situation and it's fully specified. Only the latest registration is valid.
> - if I send an IMSI detach with one of them... will the other (that is
> physically in another BTS/LAC) also be disconnected?
As mentioned above: only one can be active at a time (the latest location update), so ... not applicable.
> - what could happen if I connect a C123 with ./mobile to the network
> using another SIM and then try to forge IMSI_DET_IND with the victim's IMSI/TMSI and send it to the network where the victim is connected (that could mean the same network, but different BTS/LAC)? Will this DoS still be accomplished?
Only the behavior if the message is sent in the same LAC is specified. What happens in other situations is implementation dependent. Some networks will detach, others won't ... no way to tell and neither behavior is "wrong" per-spec.
Most will simply ignore the message. Some will accept it ... Note that the network can also be configured not to use the detach procedure at all and then ignores all detach messages.
What happens when a detach is sent _while_ a call is active on the target is also dependent. Some networks (including my home network) instantly disconnect the active call. Some other networks don't ...
> What exactly I would like to know is whether someone has already made some experiments on it (obviously on private networks, with a legal experimental license) and eventually if there are any interesting results.
It's been tested on commercial networks (with consenting targets obviously) and it works exactly as expected. And since we're only sending perfectly formed/valid messages to the network, there shouldn't be a problem. The issue here is not a bug, it's a specified behavior / messages that can be exploited.
Cheers,
Sylvain
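As an added example, not code from the thread or from Osmocom: a small decoder for the GSM 04.08 IMSI DETACH INDICATION message discussed above, plus the network-side triage Sylvain describes, honouring a detach only in the LAC of the subscriber's latest location update. The message bytes, the registered-LAC table and all function names are constructed for this example.

```python
# Added example, not from the thread or Osmocom: decode/triage IMSI DETACH INDICATION.
MM_PD = 0x05                               # Mobility Management protocol discriminator
IMSI_DETACH_IND = 0x01                     # MM message type
ID_IMSI, ID_TMSI = 0x1, 0x4                # Mobile Identity type-of-identity codes

def decode_mobile_identity(ie):
    """Decode a Mobile Identity value (04.08 10.5.1.4) into (kind, value)."""
    id_type = ie[0] & 0x07
    if id_type == ID_TMSI:
        if len(ie) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return ("TMSI", int.from_bytes(ie[1:5], "big"))
    if id_type == ID_IMSI:
        odd = bool(ie[0] & 0x08)           # bit 4: odd number of digits
        digits = [str(ie[0] >> 4)]         # digit 1 is the high nibble of octet 1
        for b in ie[1:]:                   # remaining digits are BCD, low nibble first
            digits.append(str(b & 0x0F))
            digits.append(str(b >> 4))
        if not odd:
            digits.pop()                   # even count: last nibble is 0xF filler
        if any(len(d) != 1 for d in digits):
            raise ValueError("non-BCD digit in IMSI")
        return ("IMSI", "".join(digits))
    raise ValueError("unsupported identity type %d" % id_type)

def decode_imsi_detach(msg):
    """Return (kind, identity) for an IMSI DETACH INDICATION, else None."""
    if len(msg) < 4 or (msg[0] & 0x0F) != MM_PD or msg[1] != IMSI_DETACH_IND:
        return None
    mi_len = msg[3]                        # msg[2] is MS classmark 1, unused here
    mi = msg[4:4 + mi_len]
    if mi_len < 1 or len(mi) != mi_len:
        raise ValueError("truncated Mobile Identity")
    return decode_mobile_identity(mi)

def detach_decision(registered, msg, rx_lac):
    """registered maps (kind, identity) -> LAC of the latest LOCATION UPDATING.
    Returns what a conservative VLR does with msg received from a cell in rx_lac."""
    ident = decode_imsi_detach(msg)
    if ident is None:
        return "not-a-detach"
    lac = registered.get(ident)
    if lac is None:
        return "ignore-unknown"            # nothing attached under this identity
    if lac != rx_lac:
        return "ignore-foreign-lac"        # only same-LAC detach is specified behaviour
    return "detach"

# Constructed samples (classmark 0x33 arbitrary): TMSI 0x12345678, IMSI 262011234567890.
DETACH_TMSI = bytes.fromhex("05 01 33 05 f4 12 34 56 78")
DETACH_IMSI = bytes.fromhex("05 01 33 08 29 26 10 21 43 65 87 09")
```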
baseband-devel@lists.osmocom.org