Mobile Hacking with SDR

Day 1

Day 1 will introduce the mobile network and its evolution and compare the security features of 2G, 3G, 4G, and 5G. During this day, attendees will see how to make testbeds with Software-Defined Radio for the different cellular technologies and be able to analyze communications. In addition, we will learn how to observe the signaling and the data exchanged between devices and the mobile network and perform tests on connected devices/IoT devices, for example.

Theory

• Introduction to mobile networks and protocols (2G/3G/4G/5G)
• Evolution
• Security
• Attack surface on user equipment and core network
• Setup 2G, 3G, and 4G for specific needs with Software-Defined Radio
• Alternative to Software-Defined Radio
• Configuring a SIM/USIM/ISIM cards

Assignment 1

• Setting a GSM base station with OpenBTS, OsmoBTS, and YateBTS depending on SDR devices
• Isolating the base station with a custom Faraday cage and some SDR setup
• Testing the setup to send text messages and getting voice working

Assignment 2

• Installing a GPRS base station
• Capturing data packets of User Equipment

Assignment 3

• Using a software SIM stack
• Configuring a custom SIM/USIM card
• Using programmed secrets on the GSM station

Assignment 4

• Installing an LTE eNodeB station
• Testing the LTE eNodeB
• Monitoring the setup

Participants will also get advice to use an SDR device as a mobile station efficiently.

Day 2 and 3

Days 2 and 3 will focus on attacking mobile devices in a Blackbox context without physical access to devices. These parts will lead to fundamental and smart-jamming attacks to downgrade communications and be able to intercept a device. We will also see ways to perform fuzzing tests on mobile protocol stacks to find vulnerabilities over the air but also other ways to optimize bugs hunting.

Theory

• Attacking cell phones and IoT devices using the mobile network
• Using endpoints as primary targets
• Find bugs in protocol stacks
• Pentest 2G, 3G, 4G, and 5G core networks

Assignment 5

• Intercepting devices
• Impersonating messages and calls

Assignment 6

• Capturing a call
• Cracking the call with precomputed tables

Assignment 7

• Downgrading a 3G device to 2G
• Interacting with devices and capturing events
• Attacking endpoints

Assignment 8

• Fuzzing GSM and LTE protocol stacks
• Using emulation on firmware to find bugs efficiently

Assignment 9

• Attacking the core with M2M mobile network

Going further on 5G-NR radio & NewCore

• Feedback of our past missions and security challenges
• Introduction 5G-NR devices assessments
• Our tools

The content of private trainings can be arranged depending on your needs. We also provide additional content as follows:

• Practical 5G security radio communication testing
• Practical 5G core network assessment and use of our tools
• Fuzzing the core network protocol stacks
• etc.

• Knowledge of Linux and a programming language such as C, C++, C# or Python is necessary
• Understanding of pentesting (network and applications) or Red teaming is also a plus
• All attendees must have a laptop running Linux, with 8GB of RAM min.
• Basic knowledge of radio is not mandatory but is a plus