Mobile Device Hacking with SDR (3-Day)

Day 1

Day 1 will introduce the mobile network, it's evolution, and will compare security features of 2G, 3G, 4G, and 5G. During this day, attendees will see how to make testbeds with Software-Defined Radio for the different cellular technologies, and be able to analyze communications. We will learn how to observe the signaling and the data exchanged between devices and the mobile network and how to perform tests on devices connected/IoT devices for example.

Theory

• Introduction to mobile networks and protocols (2G/3G/4G/5G)
• Evolution
• Security
• Attack surface on user equipment and core network
• Setup 2G, 3G and 4G for specific need with Software-Defined Radio
• Alternative to Software-Defined Radio
• Configuring a SIM/USIM card

Assignment 1

• Setting a GSM base station with OpenBTS, OsmoBTS and YateBTS depending on SDR devices
• Isolating the base station with a custom faraday cage and some SDR setup
• Testing the setup to send text message and voice

Assignment 2

• Installing a GPRS base station
• Capturing data packets of User Equipment

Assignment 3

• Using a software SIM stack
• Configuring a real SIM/USIM card
• Using programmed secrets on the GSM station

Assignment 4

• Installing a LTE eNodeB station
• Testing the LTE eNodeB
• Monitoring the setup

Additionally, participants will also get advice and see the limitations to circumvent when using an SDR device as a mobile station.

Day 2 and Day 3

Days 2 and 3 will focus on attacking mobile devices in a Blackbox context, without physical access to devices. This will lead to basic and smart-jamming attacks to downgrade communications and be able to intercept a device. We will also see ways to perform fuzzing tests on mobile protocol stacks to find vulnerabilities over-the-air but also other ways to optimize bugs hunting.

Theory

• Attacking cell phones and IoT device using the mobile network
• Using endpoints as primary targets
• Find bugs in protocol stacks
• Pentest 2G, 3G, 4G and 5G core networks

Assignment 5

• Intercepting devices
• Impersonating messages and calls

Assignment 6

• Capturing a call
• Cracking the call with precomputed tables

Assignment 7

• Downgrading a 3G device to 2.5G
• Interacting with devices and capturing events
• Attacking endpoints

Assignment 8

• Fuzzing GSM and LTE protocol stacks
• Using emulation on firmwares to find bugs efficiently

Assignment 9

• Attacking the core with M2M mobile network

Then we will also see how to test cells and vulnerabilities that could be found in the mobile networks and get access to several assets using real user equipment, but also emulated user equipment thanks to Software-Defined Radio.

Class Requirements

Students are encouraged to follow along and we will provide sufficient captures for students to work with even if they don't have any equipment available to them. However, to be able to reproduce all parts of all assignments, students will need the following equipment:

• You will need a LimeSDR, a BladeRF or a USRP.