Routing Area Update Reject cause: 10 (Implicitly detached)
Attach/Service Reject causes for redirection: 2 (IMSI unknown in HLR) or 17 (Network failure; "User busy" is the call-control cause #17, not the MM/GMM one)
Attach/Service Reject causes for denial of service: 3 (Illegal MS), 7, 8, 9, 14
Attach/Service Reject cause without denial of service: 15 (No Suitable Cells In Location Area)
- Classic flow
- IMSI catcher for non-programmers: no code modification, but it causes denial of service
- IMSI catcher for programmers: code modification required, without denial of service
- Redirect 1: IMSI catcher for programmers, code modification, denial of service plus redirection, without getting the IMSI over 3G
- Redirect 2: IMSI catcher for programmers, code modification, denial of service plus redirection, and getting the IMSI over 3G
- Layakk, RootedCON 2016 slides (rootedcon2016, rootedcon2016_v2)
- fakebts3g (pdf)
- fakebts3g_v2 (pdf)
- videos1, videos2
- 3G protocol talk at 28C3 (videos3, videos4)
- Location Update Reject (LUR) paper (pdf)
- List of UARFCNs (pdf)
- Detailed AKA
- SIMPLE IMSI CATCHER
- UMTS DENIAL OF SERVICE
- JAMMING
- BIDDING DOWN ATTACK
- UMTS REDIRECTOR
- CRYPTO HACKING USING RAINBOW TABLES
- FEMTOCELL HACKING
- UMTS CBC (CELL BROADCAST CENTER)
- Just catch IMSI
- Find parameter set 1 with Android apps: MCC, MNC, RAU1 and UARFCN1, matching the real operator cell; NodeB_Jammer is configured with these
- Option 1: launch NodeB_Jammer (openbts-umts) with parameter set 1
- Option 2: launch NodeB_Jammer using Modmobmap or CleverJam on the same frequency as UARFCN1 with a 5 MHz bandwidth
- Find parameter set 2 with Android apps: MCC, MNC, RAU2 and UARFCN2, matching the operator; NodeB_Collector is configured with these
- Stop NodeB_Jammer
- Launch NodeB_Collector with the same MCC and MNC, a RAU3 different from RAU2, UARFCN2, and Location Update Reject cause 15 (No Suitable Cells In Location Area); the changed area forces the phone to perform a location update (and identify itself) towards the collector, and cause 15 then sends it away without denial of service
- Launch NodeB_Jammer again as in option 1 or option 2
- Collect IMSIs
- For denial of service, send a Location Update Reject with cause 3 "Illegal MS"
- For the bidding-down attack (bda2g), use a Location Update Reject with cause 14 "Service option temporarily out of order" (note: in 3GPP TS 24.008 the MM cause with that name is #34; value 14 is defined only as the GMM cause "GPRS services not allowed in this PLMN")
In June of this year I announced the participation of CellAnalysis in Sysmocom's Accelerate3g program (videos1, videos2, videos3, videos4, videos5) to detect 3G IMSI-catching attacks. This article describes the first steps in studying 3G attacks within the Osmocom infrastructure and the basic detection principles that are being implemented in CellAnalysis 3G.
Following the steps in the Getting_Started_with_3G tutorial, we set up the 3G network, but we modify the MSC node source code. We do not need to add any subscriber to the HLR/AuC database, since we are not going to deliver 3G service to our victims. The mobile's attempt to register in our 3G network will always be rejected, so that it downgrades to 2G, in the same way as we saw with 4G (4G/LTE IMSI Catchers). In this first article we use the "Location Update Reject" attack, with the different reject causes that force the mobile to register in the 2G network (the downgrade attack).
3G:
- femtocell nano3G (Sysmocom)
- Osmocom 3G network, running on Ubuntu 14 (Intel Core i5 4200U 1.6 GHz, 8 GB RAM)
2G:
- BladeRF x40
- YateBTS 2G network, running on Ubuntu 16 (Intel Atom 1.6 GHz, 8 GB RAM)
Once the 3G network is configured following the Getting Started tutorial, it is better to verify that the 3G cell is transmitting correctly on UARFCN 9800 (the default channel).
To implement our custom reject cause, we must modify the MSC source code so that it overwrites the reject cause in the response to the "Location Updating Request". Normally the reject cause would be (2) "IMSI unknown in HLR", since we have not provisioned any subscriber in our HLR, or (3) "Illegal MS" if we add only the victim's IMSI to the HLR SQLite database but not its authentication values. The MSC source code has to be changed so that it always returns the cause value of interest, depending on whether we want a DoS or a 2G downgrade attack:
- Disable the USIM entirely until power-off or USIM removal.
- Rejecting attach requests disables the USIM for the packet domain until power-off or USIM removal.
- Rejecting periodic Location Update requests triggers the UE to try GERAN (2G) instead.
Once we have chosen and implemented our attack, switch on the victim mobile (S2) and activate Tobias Engel's xgoldmon to detect the attack. The following capture shows how the response to the registration request (the Location Update Reject) is correctly sent to our victim with the chosen reject cause (in this example #14, "Service option temporarily out of order"):
After the Location Update Reject, the victim mobile connects to the 2G network (YateBTS). See below how, after the RRC message carrying the "Location Update Reject", the mobile starts using LAPDm and begins authentication in the 2G network:
But before switching to the 2G network, the registration procedure asked the victim mobile to identify itself by requesting its IMSI. This is the 3G IMSI-catching attack; see the "Identity Response" message (the IMSI has been removed from the image):
CellAnalysis 3G uses active monitoring solutions (in this article, xgoldmon) to monitor 3G attacks, instead of the passive SDR boards used for 2G fake station detection.
Advantages of active monitoring:
- ciphering algorithm (UEA) usage is visible
- authentication parameters and rates are visible
But on the other hand there is a big disadvantage:
- one SIM card and one device per operator are needed to scan for all the 3G fake stations
Of course, a regulatory compliance check is also carried out to determine whether the 3G radio parameters are used according to each country's frequency allocation regulations, as in the 2G detection.
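The reject-cause selection in the "Just catch IMSI" procedure above and the detection principle of the article (a registration that asks for the IMSI and is then rejected) both come down to reading the cause octet of the MM/GMM reject message. The following is an added example, not code from this page, CellAnalysis, Osmocom, YateBTS or OpenBTS-UMTS: it decodes the mandatory header of 3GPP TS 24.008 reject and Identity Request messages, classifies the cause into the page's DoS/redirection groups, and flags the IMSI-catching signature over a constructed trace (the frames, the hypothetical TMSI and LAI 001-01/0001, and the function names are all assumptions of the example).

```python
# Added example (not code from this page, CellAnalysis, Osmocom, YateBTS or OpenBTS-UMTS).
# Decodes the mandatory part of TS 24.008 MM/GMM reject messages as seen in an
# xgoldmon/Wireshark trace, classifies the reject cause the way the page groups causes
# (DoS vs. redirection/downgrade) and flags the page's IMSI-catching signature:
# identity requested for the IMSI, then the registration rejected. All frames are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

MM_PD, GMM_PD = 0x05, 0x08  # L3 protocol discriminators: mobility management, GPRS MM

# Message types (TS 24.008 tables 10.2 and 10.4); only those used here.
MM_TYPES = {0x02: "Location Updating Accept", 0x04: "Location Updating Reject",
            0x08: "Location Updating Request", 0x18: "Identity Request",
            0x19: "Identity Response", 0x22: "CM Service Reject"}
GMM_TYPES = {0x01: "Attach Request", 0x04: "Attach Reject", 0x08: "Routing Area Update Request",
             0x0B: "Routing Area Update Reject", 0x0E: "Service Reject",
             0x15: "Identity Request", 0x16: "Identity Response"}
REJECTS = {(MM_PD, 0x04), (MM_PD, 0x22), (GMM_PD, 0x04), (GMM_PD, 0x0B), (GMM_PD, 0x0E)}
ID_REQUESTS = {(MM_PD, 0x18), (GMM_PD, 0x15)}
ID_TYPE_IMSI = 1  # identity type values: 1 IMSI, 2 IMEI, 3 IMEISV, 4 TMSI

# Reject cause values (TS 24.008 10.5.3.6 for MM, 10.5.5.14 for GMM).
CAUSES: Dict[int, str] = {
    2: "IMSI unknown in HLR", 3: "Illegal MS", 6: "Illegal ME", 7: "GPRS services not allowed",
    8: "GPRS services and non-GPRS services not allowed", 9: "MS identity cannot be derived",
    10: "Implicitly detached", 11: "PLMN not allowed", 12: "Location Area not allowed",
    13: "Roaming not allowed in this location area",
    14: "GPRS services not allowed in this PLMN",  # GMM only; MM defines no cause #14
    15: "No Suitable Cells In Location Area", 17: "Network failure", 22: "Congestion",
    34: "Service option temporarily out of order"}

@dataclass
class L3Msg:
    pd: int
    msg_type: int
    name: str
    cause: Optional[int] = None    # reject messages only
    id_type: Optional[int] = None  # Identity Request only

def decode(frame: bytes) -> L3Msg:
    """Octet 1: skip indicator | protocol discriminator. Octet 2: message type (in MM,
    bit 7 carries N(SD) on uplink, so it is masked). Octet 3: reject cause for rejects,
    identity type (low 3 bits) for Identity Request. Later IEs are not parsed."""
    if len(frame) < 2:
        raise ValueError("frame too short for an L3 header")
    pd = frame[0] & 0x0F
    msg_type = frame[1] & 0x3F if pd == MM_PD else frame[1]
    table = MM_TYPES if pd == MM_PD else GMM_TYPES if pd == GMM_PD else {}
    msg = L3Msg(pd, msg_type, table.get(msg_type, f"unknown type 0x{msg_type:02x}"))
    if (pd, msg_type) in REJECTS or (pd, msg_type) in ID_REQUESTS:
        if len(frame) < 3:
            raise ValueError(f"{msg.name} is missing its mandatory third octet")
        if (pd, msg_type) in REJECTS:
            msg.cause = frame[2]
        else:
            msg.id_type = frame[2] & 0x07
    return msg

def effect(pd: int, cause: int) -> str:
    """UE reaction to a reject cause, grouped as the page groups them
    (TS 24.008 4.4.4.7 for MM; 4.7.3.1.4 and 4.7.5.1.4 for GMM)."""
    if cause in ({2, 3, 6} if pd == MM_PD else {3, 6, 8}):
        return "persistent DoS: USIM treated as invalid until power-off or USIM removal"
    if pd == GMM_PD and cause == 7:
        return "PS-domain DoS: GPRS services disabled until power-off or USIM removal"
    if cause in {11, 12, 13, 15} or (pd == GMM_PD and cause == 14):
        return "forbidden PLMN/LA list updated, UE reselects: redirection/downgrade candidate"
    if pd == GMM_PD and cause in {9, 10}:
        return "UE starts a new attach: redirection candidate"
    return "temporary failure, UE retries on a timer (e.g. #17 Network failure)"

def detect_imsi_catch(frames: List[bytes]) -> Optional[dict]:
    """Heuristic from the page: the network asks for the IMSI during a registration it
    then rejects. A real network may also do this (first registration without a valid
    TMSI), so a hit is an alert to correlate with cell parameters, not proof."""
    imsi_requested = False
    for index, frame in enumerate(frames):
        msg = decode(frame)
        if msg.id_type == ID_TYPE_IMSI:
            imsi_requested = True
        elif msg.cause is not None:
            if not imsi_requested:
                return None  # rejected without identification: an ordinary reject
            return {"index": index, "message": msg.name, "cause": msg.cause,
                    "cause_name": CAUSES.get(msg.cause, "unknown"),
                    "effect": effect(msg.pd, msg.cause)}
    return None

# Constructed trace of the page's scenario: LU Request (TMSI, LAI 001-01/0001), Identity
# Request for the IMSI, Identity Response (uplink MM type octet with N(SD)=1, hence 0x59),
# then Location Updating Reject with cause #15. Not captured from a real network.
CATCH_TRACE = [bytes.fromhex(h) for h in (
    "05 08 70 00 f1 10 00 01 33 05 f4 12 34 56 78", "05 18 01",
    "05 59 08 29 00 10 10 00 00 00 00", "05 04 0f")]
# Same registration rejected with #17 (Network failure) without asking for the IMSI.
PLAIN_REJECT_TRACE = [CATCH_TRACE[0], bytes.fromhex("05 04 11")]

if __name__ == "__main__":
    print(detect_imsi_catch(CATCH_TRACE), detect_imsi_catch(PLAIN_REJECT_TRACE))
```

Feeding it the GMM frame `08 04 0e` (Attach Reject, cause 14) returns "GPRS services not allowed in this PLMN", which is why the procedure's "cause 14" only exists as a GMM value; the same three octets under the MM discriminator (`05 04 0e`) decode to a cause the MM tables do not define. The detector is deliberately a heuristic: CellAnalysis combines it with the radio-parameter and regulatory checks described above rather than alerting on the reject alone.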
Yes, there is a periodic location update timer (T3212) in both 2G (osmo-bsc) and 3G (osmo-msc), as well as in openbts-umts:
osmobsc-vty-reference.pdf: “1.15.45 periodic location update <6-1530>”
osmomsc-vty-reference.pdf: “1.14.9 periodic location update <6-1530>”
- Make a denial of service with redirection (carrier info attack code)
- Create a rainbow table for cracking the crypto (openbts-umts code)
- Root the femtocell to get a MITM position
- Possibly attack SS7
- Send a fake panic alert (fake notification, emergency SMS)