Mobile Device Hacking with SDR

Learn how to hack devices connected over a mobile subscriber network over the air with RF and SDR.

Training starting at

$1,800.00

with one of our subscriptions

Language

English

Day 1

Day 1 will introduce the mobile network, it's evolution, and will compare security features of 2G, 3G, 4G, and 5G. During this day, attendees will see how to make testbeds with Software-Defined Radio for the different cellular technologies, and be able to analyze communications. We will learn how to observe the signaling and the data exchanged between devices and the mobile network and how to perform tests on devices connected/IoT devices for example.

Theory
  • Introduction to mobile networks and protocols (2G/3G/4G/5G)
  • Evolution
  • Security
  • Attack surface on user equipment and core network
  • Setup 2G, 3G and 4G for specific need with Software-Defined Radio
  • Alternative to Software-Defined Radio
  • Configuring a SIM/USIM card
Assignment 1
  • Setting a GSM base station with OpenBTS, OsmoBTS and YateBTS depending on SDR devices
  • Isolating the base station with a custom faraday cage and some SDR setup
  • Testing the setup to send text message and voice
Assignment 2
  • Installing a GPRS base station
  • Capturing data packets of User Equipment
Assignment 3
  • Using a software SIM stack
  • Configuring a real SIM/USIM card
  • Using programmed secrets on the GSM station
Assignment 4
  • Installing a LTE eNodeB station
  • Testing the LTE eNodeB
  • Monitoring the setup

Additionally, participants will also get advice and see the limitations to circumvent when using an SDR device as a mobile station.

Day 2 and Day 3

Days 2 and 3 will focus on attacking mobile devices in a Blackbox context, without physical access to devices. This will lead to basic and smart-jamming attacks to downgrade communications and be able to intercept a device. We will also see ways to perform fuzzing tests on mobile protocol stacks to find vulnerabilities over-the-air but also other ways to optimize bugs hunting.

Theory
  • Attacking cell phones and IoT device using the mobile network
  • Using endpoints as primary targets
  • Find bugs in protocol stacks
  • Pentest 2G, 3G, 4G and 5G core networks
Assignment 5
  • Intercepting devices
  • Impersonating messages and calls
Assignment 6
  • Capturing a call
  • Cracking the call with precomputed tables
Assignment 7
  • Downgrading a 3G device to 2.5G
  • Interacting with devices and capturing events
  • Attacking endpoints
Assignment 8
  • Fuzzing GSM and LTE protocol stacks
  • Using emulation on firmwares to find bugs efficiently
Assignment 9
  • Attacking the core with M2M mobile network

Then we will also see how to test cells and vulnerabilities that could be found in the mobile networks and get access to several assets using real user equipment, but also emulated user equipment thanks to Software-Defined Radio.

Class Requirements

Students are encouraged to follow along and we will provide sufficient captures for students to work with even if they don't have any equipment available to them. However, to be able to reproduce all parts of all assignments, students will need the following equipment:

  • You will need a LimeSDR, a BladeRF or a USRP.
Training by Sébastien Dudek

Sébastien is a security researcher focusing on flaws in radio-communication systems. He has published attacks against mobile device baseband, Power-Line devices, as well as intercom systems.

Can't attend? All of our trainings are also available as a private classes for your company.

Access all of our classes and profesionally edited recordings.
All of our courses are also available as private trainings.
Courses are offered multiple times in different timezones.