Tagged: LTE

Eavesdropping on LTE Calls with a USRP Software Defined Radio

Ars Technica recently ran a story about how University researchers have been able to eavesdrop on LTE mobile phone calls using a USRP B210 software defined radio which runs the Airscope software. The technique exploits a flaw in how some LTE carriers are implementing their keystream. A keystream is a stream of random data combined with the actual voice data, resulting in encrypted data.

It turns out that many LTE carriers reuse the same keystream when two calls are made within a single radio connection. An attacker can then record an encrypted conversation, then immediately call the victim after that conversation. The attacker can now access the encrypted keystream, and as the keystream is identical to the first conversation, the first conversation can now be decoded. 

The Ars Technica article, the original paper and a website created about the ReVoLTE technique and software go into detail about how the attack works. On the website the team explain the attack in simple terms:

The ReVoLTE attacks exploit the reuse of the same keystream for two subsequent calls within one radio connection. This weakness is caused by an implementation flaw of the base station (eNodeB). In order to determine how widespread the security gap was, we tested a number of randomly selected radio cells mainly across Germany but also other countries. The security gap affected 12 out of 15 base stations.

The ReVoLTE attack aims to eavesdrop the call between Alice and Bob. We will name this call the target or first call. To perform the attack, the attacker sniffs the encrypted radio traffic of Alice within the cell of a vulnerable base station. Shortly after the first call ends, the attacker calls Alice and engages her in a conversation. We name this second call, or keystream call. For this call, the attacker sniffs the encrypted radio traffic of Alice and records the unencrypted sound (known plaintext).

For decrypting the target call, the attacker must now compute the following: First, the attacker xors the known plaintext (recorded at the attacker's phone) with the ciphertext of the keystream call. Thus, the attacker computes the keystream of the keystream call. Due to the vulnerable base station, this keystream is the same as for the target (first) call. In a second step, the attacker decrypts the first call by xoring the keystream with the first call's ciphertext. It is important to note that the attacker has to engage the victim in a longer conversation. The longer he/she talked to the victim, the more content of the previous communication he/she can decrypt. For example, if the attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.

The ReVoLTE Attack

Demonstration of the ReVoLTE attack in a commerical LTE network.

Electrosense+: Global Network of RTL-SDR Sensors with Decoding of FM/AM ADS-B AIS LTE ACARS

Back in late 2019 we posted about the Electrosense network which is an open source project aiming to deploy radio spectrum sensors worldwide. The idea is to help analyze and understand radio spectrum usage across the globe. Each sensor consists of an RTL-SDR, Raspberry Pi and an optional downconverter to receive the higher bands.

Recently Dr. Sofie Pollen wrote in and informed us that they have recently upgraded Electrosense and now users can use any sensor on the network to actually decode signals remotely over a web browser. The currently supported demodulators/decoders include FM/AM, ADS-B, AIS, LTE base station info and ACARS. This makes the Electrosense network kind of similar to the KiwiSDR or OpenWebRX SDR network where there are also various decoders built into the web software.

To test it out you need to create an Electrosense account at electrosense.org. Once logged in, go to "My Electrosense" on the top right, and choose "Spectrum Decoder". You can then choose from a number of Electrosense contributors stationed around the world. Once the waterfall is displayed you can click on signals to decode and listen to them, or change the decoder. Changing to ADS-B or AIS will bring up a map with decoded aircraft or boat positions. Changing to ACARS or LTE will show a text window with the decoded information.

A full electrosense kitset can be purchased from Jetvision, however Sofie notes that they do ship free sensors to some people who cannot afford the kit, and you can apply to increase coverage in your area via this link.

Currently active electrosense sensors
Currently active Electrosense sensors
Electrosense web GUI decoding a wideband FM signal
Electrosense web GUI decoding a wideband FM signal

Using a Software Defined Radio to Send Fake Presidential Alerts over LTE

Modern cell phones in the USA are all required to support the Wireless Emergency Alert (WEA) program, which allows citizens to receive urgent messages like AMBER (child abduction) alerts, severe weather warnings and Presidential Alerts.

In January 2018 an incoming missile alert was accidentally issued to residents in Hawaii, resulting in panic and disruption. More recently an unblockable Presidential Alert test message was sent to all US phones. These events have prompted researchers at the University of Colorado Boulder to investigate concerns over how this alert system could be hacked, potentially allowing bad actors to cause mass panic on demand (SciHub Paper).

Their research showed that four low cost USRP or bladeRF TX capable software defined radios (SDR) with 1 watt output power each, combined with open source LTE base station software could be used to send a fake Presidential Alert to a stadium of 50,000 people (note that this was only simulated - real world tests were performed responsibly in a controlled environment). The attack works by creating a fake and malicious LTE cell tower on the SDR that nearby cell phones connect to. Once connected an alert can easily be crafted and sent to all connected phones. There is no way to verify that an alert is legitimate.

Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.
Spoofed Presidential Alerts Received on a Galaxy S8 and iPhone X.

SigintOS: A Linux Distro for Signal Intelligence

Recently we've heard of a new Linux distribution called SigintOS becoming available for download. SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios such as RTL-SDRs and other TX capable SDRs like the HackRF, bladeRF and USRP radios.

The distro appears to be very well executed, with a built in GUI that grants easy access to the some common sigint tools like an FM and GPS transmitter, a jammer, a GSM base station search tool and an IMSI catcher. SigintOS also has various other preinstalled programs such as GNU Radio, gr-gsm, YatesBTS, wireshark and GQRX.

The OS also teases an LTE search and LTE decoder which to access requires that you get in contact with the creators, presumably for a licencing fee. Regarding an LTE IMSI catcher they write:

LTE IMSI Catcher is not myth!

Due to the nature of LTE base stations, the capture of IMSI numbers seems impossible. LTE stations use GUTI to communicate with users instead of IMSI. The GUTI contains the temporary IMSI number called T-IMSI. This allows the operator to find out who is at the corresponding LTE station who is authorized to query T-IMSI information.

Can the GUTI number be found?
Answer Yes!

How to find GUTI and T-IMSI numbers?
Can be found with the help of SigintOS …

For detailed information [email protected]

The image comes as a 2GB ISO file, and it's possible to run it in WMWare or VirtualBox.

SIGINTOS IMSI Catcher
SigintOS IMSI Catcher

Upcoming Book “Inside Radio: An Attack and Defense Guide”

Unicorn team are information security researchers who often also dabble with wireless security research. Recently they have been promoting their upcoming text book titled "Inside Radio: An Attack and Defense Guide".

Judging from the blurb and released contents the book will be an excellent introduction to anyone interested in today's wireless security issues. They cover topics such as RFID, Bluetooh, ZigBee, GSM, LTE and GPS. In regards to SDRs, the book specifically covers SDRs like the RTL-SDR, HackRF, bladeRF and LimeSDR and their role in wireless security research. They also probably reference and show how to use those SDRs in the  chapters about replay attacks, ADS-B security risks, and GSM security.

The book is yet to be released and is currently available for pre-order on Amazon or Springer for US$59.99. The expected release date is May 9, 2018, and copies will also be for sale at the HITB SECCONF 2018 conference during 9 - 13 April in Amsterdam.

The blurb and released contents are pasted below. See their promo page for the full contents list:

This book discusses the security issues in a wide range of wireless devices and systems, such as RFID, Bluetooth, ZigBee, GSM, LTE, and GPS. It collects the findings of recent research by the UnicornTeam at 360 Technology, and reviews the state-of-the-art literature on wireless security. The book also offers detailed case studies and theoretical treatments – specifically it lists numerous laboratory procedures, results, plots, commands and screenshots from real-world experiments. It is a valuable reference guide for practitioners and researchers who want to learn more about the advanced research findings and use the off-the-shelf tools to explore the wireless world.

Authors:
Qing YANG is the founder of UnicornTeam & the head of the Radio Security Research Department at 360 Technology. He has vast experience in information security area. He has presented at Black Hat, DEFCON, CanSecWest, HITB, Ruxcon, POC, XCon, China ISC etc.

Lin HUANG is a senior wireless security researcher and SDR technology expert at 360 Technology. Her interests include security issues in wireless communication, especially cellular network security. She was a speaker at Black Hat, DEFCON, and HITB security conferences. She is 360 Technology’s 3GPP SA3 delegate.

This book is a joint effort by the entire UnicornTeam, including Qiren GU, Jun LI, Haoqi SHAN, Yingtao ZENG, and Wanqiao ZHANG etc.

 

DEFCON 23 – LTE Recon and Tracking with RTLSDR

Back on Dec 5 we posted about some Defcon 23 talks that were released from the Wireless Village set of talks. Recently some more talks from other tracks have been released and one of interest to our blog is the talk by Ian Kline titled “LTE Recon and Tracking with RTLSDR”. The talk’s blurb reads:

Since RTLSDR became a consumer grade RX device, numerous talks and open source tools enabled the community to monitor airplanes, ships, and cars… but come on, what we really want to track are cell phones. If you know how to run cmake and have $50 to pick up an RTLSDR-E4000, I’ll make sure you walk out of here with the power to monitor LTE devices around you on a slick Kibana4 dashboard. You’ll also get a primer on geolocating the devices if you’ve got a second E4000 and some basic soldering skills.

DEF CON 23 – Ian Kline – LTE Recon and Tracking with RTLSDR

Analyzing TD-LTE with the RTL-SDR

TD-LTE is a mobile phone standard acronym for Time Division Long Term Evolution. It is one of two variants of LTE technology, with the other being FD-LTE (Frequency Division LTE).

Over in China where TD-LTE is commonly used, Jiao Xianjun discovered that the current LTE-Cell-Scanner Linux program did not support TD-LTE, so he made a fork which does support TD-LTE. LTE-Cell-Scanner is a program which can decode LTE cell tower data which contains information like the cell ID, transmit frequency and transmit strength. With his modified LTE-Cell-Scanner, some MATLAB scripts he wrote and an RTL-SDR, Jiao was able to decode the cell information from 10 TD-LTE signals and 2 FD-LTE signals. He has uploaded a video showing this too.

TD-LTE, LTE FDD, scanning/demodulation results in Beijing, China