This two-day workshop covers the evolution of mobile networks and the security features of 2G, 3G, 4G, and 5G. Through engaging assignments and hands-on activities, participants will learn how to make testbeds with Software-Defined Radio for different cellular technologies, analyze communications, observe signaling and data exchanged between devices and the mobile network, and perform tests on devices connected/IoT devices.
Day 1 covers the theory of mobile networks and protocols, evolution, security, attack surface on user equipment, alternative to Software-Defined Radio, jamming and redirection attacks, and programming secrets. Participants will complete assignments on using OSINT techniques to target a specific person, monitoring 2G cells, playing with pre-authentication messages, extracting secrets in 2G, setting a GSM base station, isolating the base station with a custom Faraday cage and some SDR setup, and testing the setup to send text message and voice, and configuring a GPRS base station and tricking UEs to connect to the fake base station.
- Introduction to mobile networks and protocols (2G/3G/4G/5G)
- Attack surface on user equipments
- Setup 2G, 3G and 4G for specific need with Software-Defined Radio
- Alternative to Software-Defined Radio
- Jamming and redirection attacks
- Programming secrets
- Cracking GSM and GPRS communications
- Using OSINT techniques to target a specific person
- Monitoring 2G cells
- Playing with pre-authentication messages
- Extracting secrets in 2G
- Setting a GSM base station with OpenBTS, OsmoBTS and YateBTS depending on SDR devices
- Isolating the base station with a custom faraday cage and some SDR setup
- Testing the setup to send text message and voice
- Configuring a GPRS base station
- Capturing data packets of User Equipments
- Tricking UEs to connect to the fake base station
Day 2 focuses on Blackbox hacking techniques without physical access to devices. Participants will learn how to perform to downgrade communications, intercept a device, and find vulnerabilities over-the-air by performing fuzzing tests on mobile protocol stacks. Topics covered include using endpoints as primary targets, finding bugs in protocol stacks, going further with 3G and IoT stacks, testing 5G NSA, and OpenRAN systems. Participants will complete assignments on using a software (U/I)SIM stack, configuring a real SIM/(U/I)SIM card, using programmed secrets on the GSM station, installing a LTE eNodeB station, monitoring and extracting secrets from a communication, testing 4G cells with an SDR, testing 5G SA cells, and testing 5G cells security with an SDR.
- Using endpoints as primary targets
- Find bugs in protocol stacks
- Going further with 3G and IoT stacks
- Testing 5G NSA
- OpenRAN introduction and security
- Hunting for baseband vulnerbilities
- Using a software SIM stack
- Configuring a real SIM/USIM card
- Using programmed secrets on the GSM station
- Installing a LTE eNodeB station
- Monitoring and extracting secrets from a communication
- Testing 4G cells with an SDR
- Configuring a 5G SA cell
- Testing 5G targets
- Testing 5G cells security with an SDR
Additionally, participants will also get advice and see the limitations to circumvent when using an SDR device as a mobile station.
Depending on time, the course will also introduce baseband vulnerbility hunting techniques we will cover in a dedicated training to show how far we can go in mobile security thanks to SDR.
- Suggested SDR hardware: bladeRF, LimeSDR, or USRP B or X version1
- Suggested target: Mobile phone with 5G SA stack (e.g OPPO Reno 5G)
- Alternatively a 5G Module