All right, so this is the point where you see the scary talk, and at the end you'll probably turn your phone off. These guys have presented for us before; they've done some amazing research, kind of like they did last year, which was a really, really cool talk. I think you guys are in for a real treat. Let's give these guys a big hand.

Thank you. Thank you, guys, I really appreciate that. Oh, there are so many people. Last year my team had about three presentations: we had the GPS spoofing, we had the femtocell, and we also had the ZigBee one. I'm really happy to be standing here again and share something. So here's my talk: LTE redirection. People know that LTE is the fourth generation, and people think it's more secure than the second and the third generation. So today, let's learn how to break it.

My name is Haoqi Shan, and here is my colleague, Wanqiao Zhang. We come from Qihoo 360 and the Unicorn Team. Our team focuses on security issues in areas such as wireless systems and embedded hardware. This topic is about the LTE network: we will show you how to force a target LTE cell phone into a specific unsafe network. But don't worry, we didn't bring the device, so your phone is still safe. The fourth generation network is a more advanced mobile network than the second and third generation, but it's certainly not absolutely secure. There are already some papers showing how to expose the vulnerabilities of LTE networks, and one of them is the presentation from last year at Black Hat Europe, if you guys listened to it.
Yes, this presentation introduced the LTE IMSI catcher, LTE cell phone tracking, and the DoS attack on your LTE cell phone. Now let my colleague show you how to break your LTE cell phone's network in detail, please.

Hello, glad to see you. My name is Wanqiao Zhang. To start with, let's have a look at the two common attacks against the LTE network. The first one is the IMSI catcher. How does this work? From this picture, we can see the left tower is a real LTE base station, which is controlled by the operator, while the right one is a fake LTE base station, which covers a small space. When the cell phone comes into the area of the fake LTE network, it will immediately be asked by the fake base station to report its IMSI number. The IMSI number stands for the user identifier, which can be used to check the user's location and movements. This kind of device is mostly used by national security departments to check criminal suspects, and I also hear that there are some illegal uses of it, for raising an alert when some strangers approach.

The other attack is called the denial of service attack. After a fake base station gets the IMSI number of a covered cell phone, it can do further attacks on the cell phone. It can send a reject message such as "you are an illegal cell phone" or "there is no available network". When the cell phone gets this kind of message, it usually turns into the "no service" status for a very long time. What's more, some cell phones can only recover by rebooting. But different kinds of cell phones react in different manners. According to the experiments we have done, the old iPhones and the majority of Android cell phones are influenced by these vulnerable elements.

Now let's take a look at the new attack we have been working on. As the picture shows, there are two fake networks: one is an LTE base station, and the other is a GSM fake base
station. When the cell phone automatically attaches to the malicious LTE base station, the malicious LTE base station will tell the phone to go to its GSM network. The cell phone has to follow this command and enters the malicious GSM network. When the cell phone enters the malicious GSM network, the attackers can do further attacks, such as eavesdropping on conversations, intercepting SMS, or analyzing data traffic.

Here is the demonstration platform we developed to verify the redirection attack. There are two computers with USRPs. The right one is a mini desktop computer with a USRP B210; it runs the OpenLTE program and creates a fake LTE network. The left one is an Apple Mac laptop with a USRP B210 mini running the OpenBTS program. Let's show the video. We recorded the video, so we could put it in our PowerPoint. So let's play it for you; it's just one minute. The cell phone goes from the real 4G network to the fake 4G network and then down to the GSM network; all of this is a fast procedure, so it's very difficult to show this redirection. Pay attention to this short video; it lasts only one minute. Now let's check the computer with the 2G fake network. We can see the IMSI number on the fake network. In this video we utilize OpenBTS to build a fake network, which means the cell phone can't connect to the Internet. In other words, it loses its connection to the real world, but the fake network can still do some malicious attacks, such as making a call or sending SMS with any calling number.

Besides, there is a more advanced attack. This attack utilizes a femtocell, a rogue network as the picture shows.
This is the femtocell, and it was already hacked by our team last year. My partner Haoqi has given a presentation about how to hack this femtocell. As you know, the femtocell can connect to the operator's real network, but it can also be controlled by attackers. Then the attacker can eavesdrop on all the traffic, including voice and data. Such rogue femtocells can be 2G or even 3G.

Now let's go further into the protocol to see how this attack is realized. Here is the LTE basic procedure. When the cell phone is powered on, it first searches the cells around it and chooses the cell with the strongest signal to attach to. In this case the cell phone will initiate an RRC connection. Over the connection, the cell phone will send an attach request message to start authentication. When the authentication procedure finishes, the RRC connection will enter a status with integrity and ciphering protection. In other words, the base station and the cell phone will establish a secure network service. But before this step, all the messages are not encrypted. So this unencrypted part is the attack space: the plain signaling.

Let's see how to realize the IMSI catcher from the signaling process. Now we presume the phone is staying in the operator's network, so we set up a fake network around it. Then it finds a better cell, the fake cell, and tries to connect to it. To avoid easily exposing itself, the cell phone will not directly send the IMSI number, but sends a tracking area update request with the TMSI number. The TMSI stands for the temporary mobile subscriber identity, which is decided by the base station. If this were a normal cell reselection procedure in a normal network, then the base station would know the TMSI and complete the tracking area update. But obviously the fake LTE base station doesn't know the cell phone's identity.
So it sends back a tracking area update reject message. At the same time, this message will carry a reason why the network refuses the cell phone's request. There are many kinds of causes for refusal, and each cause has a number. If we send cause number nine to the cell phone, which is described in the specification as "UE identity cannot be derived by the network", then the cell phone will initiate the attach procedure by sending an attach request. This message contains the information the attacker wants: yes, the IMSI number.

We already know that there are many kinds of causes for refusal. When we get the IMSI number, we can do further attacks through the next message. In this case, we can send an attach reject with some special causes. Here are several causes for a typical DoS attack: number 3, number 7, number 8 and number 14. Cause number 3 means "illegal UE". Cause number 7 means "EPS services not allowed". Cause number 8 means "EPS services and non-EPS services not allowed". Cause number 14 means "EPS services not allowed in this PLMN". All of these causes may lead the cell phone to shut down its modem and keep it off for a very long time.

The third attack is RRC redirection. It follows the attach reject message. From this picture we can see the red words: the malicious network sends an RRC connection release message. Additionally, the release message could carry extension information called redirected carrier info.
The redirected carrier can be any available network: 4G, 3G or 2G. So we could redirect a target cell phone into a 2G or 3G network and redirect other cell phones into the neighboring 4G network. Someone may argue that you just downgrade the cell phone into an unsafe network, 3G or 2G, and we could use a jamming tool as well, which is much easier than coding. Yes, a jamming tool can also block the 4G network and downgrade the cell phone into 3G or 2G, but the point is this: it will influence all cell phones. That's why we claim that the redirection attack can accurately attack the target cell phone and not influence any other cell phone; they can still stay in the 4G network and don't need to worry about revealing information.

After knowing the principle of this attack, let's talk about the method to build a demo system to verify this attack. Here is the test platform. We use the common tools: a USRP plus a computer. The model of the USRP is the B210. The computer is a Gigabyte, and it's small enough to hide itself. There are several open source LTE projects; I think these two projects are the most popular. The first one is OpenAirInterface, developed by Eurecom. This is the most complete open source LTE project, and it has been developed for many years. What's more,
it provides a connection between the real cell phone and the Internet. But the OAI system has a very complicated software architecture, so it's a little difficult to modify its code. The second project is named OpenLTE, written by only one person, Ben. He was a Motorola engineer and joined Google's Project Loon last year. Ben gives this project a very beautiful coding style, so it's quite easy to understand the whole architecture and to extend its functions. That's why it is more popular in security research. However, the shortcoming of this project is that it hasn't achieved a stable LTE data connection. But for our experiments the functionality is enough.

To build a fake LTE network, I wrote a few slides to give the tips on the OpenLTE source code. If you want to build a fake LTE network, just look at this. Let's see the signaling list again for the IMSI catcher. We need to send a tracking area update reject message with a special cause. In the current OpenLTE software, the TAU request isn't handled; you can see the line "not handling tracking area update request". Luckily, we found the TAU reject message packing function is ready. In this part we can see the MME packing the tracking area update reject message. So what we need to do is just add some code to handle the TAU request with this function, just like the principle. When receiving the TAU request from the cell phone, we should first set the MME procedure as TAU request. Then what we need to do is just write a function to send a TAU reject message. When writing this TAU reject function, you can refer to the attach reject function; it is already there. Then how about the DoS attack?
We can directly use this function, the send attach reject, as you see in the highlighted line. You can set your reject cause here. In the next message we can do further attacks, sending attach reject with some special causes.

The third case is the RRC redirection. This is a little complicated. You have to read the specification to know the message format and insert the redirected carrier info into the RRC connection release message. From the red circle we can see we wrote a one into this function. It is because of this part: this is the 3GPP protocol about the RRC connection release message. We can see the top layer of this message. The red line, the redirected carrier info choice, is optional. So in this case we just need to open this choice and set one in this bit; then we can modify the last code in this manner. That's all the method we need to modify.

This picture is a cell phone screenshot. This cell phone has logging capability, and I used it to check whether it really received my redirection info. Yes, it did receive it. The carrier info is GERAN, which means a GSM network, and the ARFCN, the frequency number, is 142. Then the cell phone will first search this frequency. This is almost all the source code you need to modify if you want to build an attack tool. Quite simple, right? Now, how to stop this? Let me introduce why we do this.

All right, thanks to my colleague's good work; actually she did most of the job. Pretty awesome. Thank you. Actually, our team is not a team that has very strong attack abilities. We often say we lack the imagination for doing some bad things; we just find the vulnerabilities, but we don't know how to use them. We prefer to be defenders.
So we tell ourselves that in this presentation we will emphasize not only the risk of the vulnerabilities of the LTE network from the attacker's side, but also think about the background: the reasons why these vulnerabilities exist. So our question is: why is the RRC redirection message not encrypted? I suppose some of you will think of the same question. The first question is: is this really a new problem? We consulted with several Huawei security experts (it's a really large company in China) and 3GPP standard experts, and surprisingly we found that this finding is not new; 3GPP knew about this risk about 10 years ago. Really, 10 years ago. Here is a document from January 2006 which introduced a false handover attack. Let's see this paragraph; I don't know if you can see it clearly: "a compromised base station can initiate an RRC connection reconfiguration procedure to direct the UE to a cell or network chosen by the attacker. This could function as a denial of service if the target network cannot or will not offer service to the UE, or to direct it to a chosen network to capture UEs." So this document raised the problem I just mentioned before.

Then about 10 months later, in November 2006, 3GPP made a decision. Let us read the two key points in this decision. Point one is: RRC integrity and ciphering will be started only once, just once, during the attach procedure, for example after the AKA has been performed, so it cannot be deactivated later. Point two is: the RRC integrity and ciphering algorithms can only be changed after an eNodeB handover. So you see, here 3GPP gave an exception on the RRC ciphering, and here is the question: why did they do this?
Because in some special cases, such as an earthquake or during a hot event, there will be too many cell phones trying to access just one base station, which makes this base station overloaded. So to let the network load be balanced, this base station can ask the newly arriving cell phone to redirect to another base station. If you don't tell the cell phone which base station is lightly loaded, the cell phone will blindly and ineffectively search one by one; this costs a lot of power and finally increases the whole network's load. So 3GPP thinks the new base station should take responsibility for all these cell phones, so they decided not to encrypt the RRC redirection procedure. So I just explained the background reason for these three attacks here.

The IMSI catcher cannot be avoided, because we need global roaming, and you have to first show your identity and then do the authentication. The Wi-Fi security system has a similar situation. We all know that the MAC address can be used to track you. So from iOS 8 and Windows 10 there is MAC randomization, and this method will be used. But actually, to facilitate network management, the random MAC address is only enabled under strict conditions. If a terminal uses a Wi-Fi hotspot such as Hotspot 2.0 (the Wi-Fi Hotspot 2.0 is a specification for Wi-Fi roaming), in that case this MAC randomization will also be disabled. That's a little bit aside; let's get back.
So global roaming and identity privacy are in conflict, and it's needed. The DoS attack and battery energy saving are another trade-off. Suppose this network is really unusable; if the cell phone keeps searching the network, it will consume too much energy and quickly run out. So this is also a bad thing. As you can see, the network protocol designers have to make many trade-offs between the basic connection requirements and the high-level requirements; the privacy is what we care about. So I gave the excuses for these vulnerabilities, but that does not mean I refuse to fix this problem. So let's find out how to fix this.

In this slide, let's discuss these countermeasures. Firstly, at the cell phone manufacturer side: since the standard and the modem-side chipsets haven't fixed this problem, what can they do? For example, don't follow the redirection command, but auto-search the other available base stations. Or you can say the cell phone can follow the redirection command, but it should give the user some alert, such as a warning: "you are downgraded to a lower security network". But I think it's really hard work. We know the root of this problem is the unsafe GSM network, so why don't we try to solve this problem? But the GSM network is still needed by the operators; there are a lot of devices that need to be supported by the GSM network, so if you want to change it, it needs a long time. So from the standard side, they are making an effort to fix the weak points of the GSM network. Here is a very fresh piece of news: just a couple of months ago, 3GPP received a proposal from the GSMA. The basic idea is to upgrade the mobile device's security capability, since the old GSM network equipment cannot, or you can say is difficult to, upgrade. So the GSMA proposed two methods.
One is that the mobile device refuses one-way authentication if the visited network is 3G capable. And the second method is to disable some weak encryption, such as the A5/1 algorithm, in the mobile. So these two proposals haven't finally been standardized by the 3GPP, because if you want it to be a standard, it's really hard and not quite easy, but we see a good beginning: someone is trying to fix this situation.

Okay. Actually, we showed you how to break it and also how to fix this problem. We did both ways, but I think some cell phone manufacturers can learn something from this presentation, and I hope so. So this is our presentation today, and we thank so many companies that gave us a lot of help, such as Huawei, Qualcomm and Apple. Yes, Apple. If you have any questions about how to build your own LTE network, some malicious, or you can say unsafe, network, please feel free to contact us, and you're welcome to take a picture. Thank you.
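The signaling the speakers walk through (TAU reject with cause #9 to make the phone reveal its IMSI, attach reject with causes 3, 7, 8 or 14 for the DoS, and an RRC connection release carrying redirected carrier info GERAN / ARFCN 142 for the targeted downgrade) as a message-level simulation, added as an editorial example; it is not code from the talk, from the slides, or from OpenLTE. Messages are plain Python dicts standing in for the EMM and RRC PDUs, the IMSI and TMSI values are made up, the EARFCN 1850 used for non-targeted phones is a hypothetical neighbour 4G carrier, and the follow_redirect switch plus alerts list model the two phone-side countermeasures suggested near the end of the talk (refuse the redirection, or warn the user on downgrade), which are assumptions about handset behaviour rather than anything measured:

```python
"""Message-level model of the LTE IMSI-catcher / DoS / redirection flow.

Constructed example: dict "messages" instead of real EMM/RRC PDUs, made-up
identifiers, and a hypothetical handset mitigation switch. Not OpenLTE code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# EMM cause values named in the talk (3GPP TS 24.301, cause IE).
CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED = 9
DOS_CAUSES = {
    3: "Illegal UE",
    7: "EPS services not allowed",
    8: "EPS services and non-EPS services not allowed",
    14: "EPS services not allowed in this PLMN",
}
ROGUE_GSM = {"rat": "GERAN", "arfcn": 142}        # the ARFCN seen in the phone log
NEIGHBOUR_LTE = {"rat": "E-UTRAN", "arfcn": 1850}  # hypothetical EARFCN, assumption


@dataclass
class UE:
    imsi: str
    tmsi: str
    rat: str = "E-UTRAN"
    arfcn: Optional[int] = None
    state: str = "idle"                 # idle | no_service
    alerts: List[str] = field(default_factory=list)
    follow_redirect: bool = True        # False models "don't follow the redirection command"

    def on_reselect(self) -> Dict:
        # A reselecting phone identifies itself by TMSI only, never by IMSI.
        return {"msg": "TAU_REQUEST", "tmsi": self.tmsi}

    def handle(self, msg: Dict) -> Optional[Dict]:
        kind = msg["msg"]
        if kind == "TAU_REJECT":
            if msg["cause"] == CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED:
                # Network claims it cannot map the TMSI, so the UE re-attaches with its IMSI.
                return {"msg": "ATTACH_REQUEST", "imsi": self.imsi}
            return None
        if kind == "ATTACH_REJECT":
            if msg["cause"] in DOS_CAUSES:
                self.state = "no_service"   # the modem stays off for a long time
            return None
        if kind == "RRC_CONNECTION_RELEASE":
            info = msg.get("redirectedCarrierInfo")
            if info is None:
                return None
            if not self.follow_redirect:
                self.alerts.append(f"ignored redirection to {info['rat']} ARFCN {info['arfcn']}")
                return None
            if info["rat"] in ("GERAN", "UTRAN"):
                # The "warn the user on downgrade" countermeasure from the talk.
                self.alerts.append(f"downgraded to {info['rat']} ARFCN {info['arfcn']}")
            self.rat, self.arfcn = info["rat"], info["arfcn"]
            return None
        raise ValueError(f"unexpected message {kind}")


class FakeENB:
    """Rogue LTE cell in one of three modes: catch, dos, redirect."""

    def __init__(self, mode: str, target_imsi: Optional[str] = None, dos_cause: int = 7):
        self.mode, self.target_imsi, self.dos_cause = mode, target_imsi, dos_cause
        self.captured: List[str] = []

    def handle(self, msg: Dict) -> Dict:
        kind = msg["msg"]
        if kind == "TAU_REQUEST":
            # A rogue cell has no context for any TMSI; cause #9 makes the UE reveal its IMSI.
            return {"msg": "TAU_REJECT", "cause": CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED}
        if kind == "ATTACH_REQUEST":
            imsi = msg["imsi"]
            self.captured.append(imsi)
            if self.mode == "catch":
                return {"msg": "RRC_CONNECTION_RELEASE"}
            if self.mode == "dos":
                return {"msg": "ATTACH_REJECT", "cause": self.dos_cause}
            if self.mode == "redirect":
                # Only the targeted IMSI goes to the rogue GSM cell; everyone else is
                # pointed at the neighbouring 4G carrier and stays on LTE.
                target = self.target_imsi is None or imsi == self.target_imsi
                return {"msg": "RRC_CONNECTION_RELEASE",
                        "redirectedCarrierInfo": ROGUE_GSM if target else NEIGHBOUR_LTE}
            raise ValueError(f"unknown mode {self.mode}")
        raise ValueError(f"unexpected message {kind}")


def run(ue: UE, enb: FakeENB) -> List[Dict]:
    """Drive one UE through the rogue cell and return the message trace."""
    trace: List[Dict] = []
    msg: Optional[Dict] = ue.on_reselect()
    while msg is not None:
        trace.append(msg)
        reply = enb.handle(msg)
        trace.append(reply)
        msg = ue.handle(reply)
    return trace


if __name__ == "__main__":
    phone = UE(imsi="460001234567890", tmsi="1a2b3c4d")
    cell = FakeENB("redirect", target_imsi="460001234567890")
    for m in run(phone, cell):
        print(m)
    print("captured:", cell.captured, "| now on", phone.rat, phone.arfcn, "|", phone.alerts)
```

Note that even with follow_redirect set to False the IMSI is still captured in the trace: the identity leak happens before any redirection decision, which is why the speakers say the catcher itself cannot be avoided and only the downgrade step is something a handset can refuse or warn about.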