The latest round of the Kiwicon binge-drinking/sheep-buggering-joke-laden/fear-mongering hui is imminent, and once again I find myself refusing to sit in a room full of several hundred people smarter than I am.  Maybe it’s just that I am an unsociable creature, but my psychologist suggests that it is more likely to be due to the fact that I am an egomaniac with an inferiority complex.  Ever wanting to improve both my mental health and my social stature (actually, scratch that – fuck everyone), I’ve decided to get in on the spirit as best I can by jotting down a few notes about Mobile 3G/4G Access in a security context.  I’ve been lucky enough to work in the mobile telecommunications industry for a while, including being paid at times to conduct security assessments of large networks containing many different 3GPP network interfaces and elements.  Here I desperately want to embark on a long tirade about the endless number of snake-oil merchants I’ve run into in this industry, but I’ll just have to cry and bitch and pitch a fit another day.

[Image: Snake Oil. Caption: A typical sec industry pundit]

Anyone with a real interest will have seen and read the numerous analyses of 2G (primarily GSM) weaknesses, including some very sophisticated SIM cloning attacks against COMP128 (anyone want to buy me an electron microscope?), the cracking of A5/1, the OpenBTS project and associated subsequent network impersonation trickery etc., etc.  The ongoing ‘consumerisation’ of GSM hacking utilities and portable interception kits is still an interesting subject given the size of the underlying 2G deployment base, but the discussion has been done to death and has become a ‘less interesting’ topic as a result.

The 3GPP stepped up with the development of the 3G standards, including moving away from proprietary/closed algorithms to those published in the public domain for open scrutiny.  USIM technology as yet remains robust, and the cloning of MILENAGE based end-user secrets has not been proven possible to date[1].  The development of UMTS introduced AKA, or mutual authentication between the UE and the network, rendering the network impersonation attacks disclosed in the 2G space close to impossible.  There have been inroads made into cryptographic weaknesses of the KASUMI algorithm, but the practicalities of applying these in a real-world threat context are negligible.

While the main focus of most mobile security researchers and BadGuys™ has been applied to theft of service (which makes sense), I’ve spent time over the last few years thinking on and off about what other avenues have not been explored in any particular depth.  My prediction-cum-hypothesis, and the real guts of why I bothered to write this post in the first place, is that the shared medium of Mobile Access may be vulnerable to more than just disruption caused by creating a wall of noise across the radio interface.  If we look at other widely deployed shared-medium network access technologies, such as 802.11 Wi-Fi and wired Ethernet, we know there is a long history of pre-authentication security problems that have been widely exploited.  The nature of the majority of these issues has been Denial of Service (network disruption); a weakness that mobile networks can little afford, particularly where they carry traffic such as emergency calls, and where the coverage of the shared medium is far more expansive than your local wireless hot-spot.

I’ll dive in to one example, hopefully without this becoming a novel.  If we pull open the 3GPP TS 25.331 specification, Section 8.1.3, we look at the guts of the Radio Resource Control transaction required by all 3G UE in order to facilitate a network operation such as making a phone call, sending a text message or establishing a data session.  It’s probably also worth noting here that the RRC protocol is an essential part of LTE.  A high-level picture of the sequence required in order to establish a successful RRC connection is shown below:

[Figure: RRC Connection Request Procedure]

This 3-way handshake is analogous to TCP’s SYN, SYN-ACK, ACK combination for connecting ports.  The contents of the RRC Connection Request message include the following mandatory parameters: Message Type, Initial UE Identity, Establishment Cause and Protocol Error Indicator.  The Initial UE Identity is populated as per Section 8.5.1 of 25.331, and is based on either the TMSI, P-TMSI or IMEI of the UE, depending on whichever is available to the handset.  Section 8.1.3.2 of the specification requires the UE to set a running timer (T300) once an RRC Connection Request has been successfully delivered to the underlying MAC layer.  The UE then evaluates a complex set of procedures to determine whether or not to resubmit an RRC connection request once this timer expires.

The RRC Connection Request is delivered over the Common Control Channel (CCCH) which is a shared radio access medium for all mobiles attempting to make use of the network.  Remember that prior to authenticating to the network, your handset needs to acquire the CCCH and establish an RRC connection in order to perform its first Location Update and associated authentication procedures.

Section 8.1.3.4 of TS 25.331 goes on to describe the requisite behaviours for the RNC on reception of such an RRC Connection Request message.  Early drafts of the specification describe a requirement for the RNC to set a timer known as T350 (or T352 in the event of an RRC Connection Re-Establishment Request), which decrements until such time as an RRC Connection Setup Complete message is received from the UE, completing the three-way transaction.  At one stage the default value for this timer was 3000ms, although this was always considered a configurable, implementation-specific parameter.  This timer is analogous to the TCP wait timer set by networking stacks on SYN-ACK reply transmission to an incoming SYN request.  More recent versions of the specification do not make any mention of T350/T352, and as such, one can only assume that the management and release of these RRC connection resources is left to the discretion of the implementor.  Note that 3GPP TS 25.331 also assumes that only a single RRC state machine can exist per UE (analogous to how PPP might be managed by a BRAS for example).

An attacker with the ability to send arbitrary RRC Connection Requests into the mobile network[2] could send a stream of messages, each containing unique “Initial UE Identity” parameters.  The RNC will then allocate internal state and associated resources for each incoming request.  These resources are effectively controlled by the connecting UE in an unsolicited fashion; remembering that no network authentication has been performed at this point.  This scenario is somewhat analogous to a TCP SYN-flood, with the “Initial UE Identity” comparable to a randomized source IPv4 address.  The attacker will never respond to the RRC Connection Request Setup messages returned from the RNC (in part by ignoring T300).

The RNC resources consumed, however, may be of least concern if the goal of the attacker is simply a DoS of the local cell resources.  Okay, you could potentially save yourself time and effort by buying a cheap and nasty UMTS signal blocker (assuming you can get it past customs) and jam the hell out of the RF interface, but as illustrated below, this ‘half-open RRC attack’ triggers the allocation of radio bearers inside the UTRAN.  The consequence is resource exhaustion on the local NodeB, along with the obvious increase in load at the RNC.

[Figure: 3G Call Setup Sequence]

The effectiveness of this attack will be partly dependent on the attacker’s ability to send sufficient levels of fake RRC Connection Request messages within the T350/T352 (or equivalent) timeframe; however, there is still a fundamental issue in that the network must allocate more resources than have been required on the part of the attacker.  The attacker may need multiple UE in order to consume all available network RRC processing queue resources, but this just opens things up to thinking about the distribution of such attacks across discrete NodeBs, clusters or Location Areas.  Depending on the behaviour of the RRC state machine management inside the network RNC, control of the Iub interface may be required in order for the attacker to simulate a large number of connections (see [2] below).

Similarly, for the CM/MM/GMM protocols atop RRC, exposures are likely.  It may be harder to deliver anything malformed all the way through to the VLR, but attacks in the same vein, where protocol state is intentionally broken by the malicious UE, are bound to exist.  The Initial Direct Transfer procedure for authentication is one example where resources are allocated inside the target network; resources that may only be freed at a rate below that which an attacker can deliver the requests.

Hopefully I’m several years behind the 8-ball and someone has already looked long and hard at some of this stuff.  The 3GPP Security Working Group seems like a fairly smart bunch, and I’m sure they will have discussed this subject.  I know for a fact that there is some mitigation in the software running on particular vendors’ equipment (aggressive T3XX timers, partitioning of RRC context availability pools across limited clusters of NBs, etc.), so it has obviously been given consideration at some point.  If you are a mobile network god, and you know for certain why this suspect deficiency in the RRC protocol doesn’t exist, or why what I am suggesting is impossible, please let me know!  The only real way the TCP gods managed to mitigate this type of issue was by using SYN-cookies.  Perhaps the 3GPP could consider an equivalent for RRC?  Should I quickly try and drop in a patent for RRC-cookies??

[Image: RRC Cookies. Caption: How I propose the 3GPP implements RRC-Cookies]
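The SYN-cookie analogy above, sketched as an added example (not from the original post and not a 3GPP mechanism): a capacity-limited RNC context table with a T350-style timer, beside a hypothetical "RRC cookie" scheme that keeps no state until Setup Complete echoes an HMAC over the Initial UE Identity and a time slot. Class names, pool size, slot width, the demo key and the cookie field itself are assumptions.

```python
import hashlib
import hmac

T350_MS = 3000   # historical default quoted in the post
SLOT_MS = 1000   # cookie time-slot width (assumption)

class StatefulRnc:
    """Holds one context per Initial UE Identity until T350 expires."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.pending = {}            # initial_ue_identity -> expiry (ms)

    def on_request(self, ue_id, now_ms):
        self.pending = {u: t for u, t in self.pending.items() if t > now_ms}
        if ue_id in self.pending:    # one RRC state machine per UE
            return True
        if len(self.pending) >= self.capacity:
            return False             # pool exhausted: request refused
        self.pending[ue_id] = now_ms + T350_MS
        return True

class CookieRnc:
    """Hypothetical: stores nothing until Setup Complete echoes a valid cookie."""
    def __init__(self, secret):
        self.secret = secret
        self.established = set()

    def _cookie(self, ue_id, slot):
        msg = ue_id + slot.to_bytes(8, "big")
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def on_request(self, ue_id, now_ms):
        # Cookie would travel in the Setup message; no per-UE state is kept.
        return self._cookie(ue_id, now_ms // SLOT_MS)

    def on_setup_complete(self, ue_id, cookie, now_ms):
        slot = now_ms // SLOT_MS
        for s in range(slot, slot - T350_MS // SLOT_MS - 1, -1):
            if s >= 0 and hmac.compare_digest(cookie, self._cookie(ue_id, s)):
                self.established.add(ue_id)
                return True
        return False                 # stale, forged, or wrong identity

def simulate(capacity=100, unanswered=500, gap_ms=5):
    """Feed `unanswered` never-completed requests, then one genuine UE."""
    stateful = StatefulRnc(capacity)
    cookie = CookieRnc(b"constructed-demo-key")
    now = 0
    for i in range(unanswered):
        ue = b"constructed-ue-%d" % i    # constructed identities
        stateful.on_request(ue, now)
        cookie.on_request(ue, now)
        now += gap_ms
    genuine = b"genuine-ue"
    stateful_ok = stateful.on_request(genuine, now)
    echoed = cookie.on_request(genuine, now)
    cookie_ok = cookie.on_setup_complete(genuine, echoed, now + 200)
    return stateful_ok, cookie_ok, len(stateful.pending), len(cookie.established)

if __name__ == "__main__":
    print(simulate())             # 200 requests/s against a 100-context pool
    print(simulate(gap_ms=50))    # 20 requests/s: T350 expiry keeps up
```

The model covers only RNC context state; the radio bearer allocation the post describes would also have to be deferred until the cookie verifies, which this sketch does not model.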

[1] This is always going to be an arms-race scenario.  As modern electron microscopy technology improves, and with the flourishing nanotechnology industry, it is almost certain that advances will be made in the field of reverse engineering K secrets from modern USIMs.  Someone will discover some new side-channel attacks; it is certainly only a matter of time, and the big question will be whether or not this can be achieved within the lifetime of the target network.  This would be a fascinating area of study.

[2] Obtaining a full baseband UMTS chipset would be a fun way of doing this, although coding the air interface channel allocation feature-set would be a serious undertaking (think GNUradio / OpenBTS scale and beyond).  Better would be to build a device along the lines of the ones demonstrated already in the 2G hacking world – an inline device sitting across the Iub interface, avoiding the MAC/PHY layers, with a basic FP/RLC state machine and the associated higher level stacks that the attacker is looking to target (RRC as an example).  Depending on the underlying transport you may require TDM, ATM or IP/Ethernet interfaces in your kit.  The practicalities of tapping an Iub might be best saved for another post, suffice to say that it probably requires doing something highly illegal.  The more honest approach would be with the baseband chipset – or some very clever stop instruction management of a running phone chipset.  Building this sort of capability would be an investment mainly in time, but once created, would open a world of possibilities.  Think fuzzers.  Think about the fact that a number of the devices in the mobile access path run flavours of embedded Linux.  Keep thinking pre-authentication.

Memoirs From Siberia

October 5, 2011

My Great Grandfather was an amazing man.  He was an architect, an artist, a soldier who fought for Germany in World War I, a Jew who had to flee Europe in the 1930’s, a linguist and a great pragmatist.  I’m sure he was many other things also, but I have only been able to build a picture based on the bits and pieces of information I’ve been able to glean from his writing and from discussions with my Grandmother.  He fought on the Eastern Front in what is now the Ukraine as a part of the notorious Brusilov Offensive, considered one of the most lethal battles in all of world history.  In a botched gas attack against a Russian patrol, he was machine gunned through the legs and left behind by his retreating unit to be captured.  He did not describe in any detail where or how he received medical treatment, but ultimately he was transported all the way east to Siberia where he was held as a POW in a camp near Krasnoyarsk.  It took him 3 and a half years to get back home to Germany, after which time he detailed his experiences in a fascinating memoir.

[Image: Ernest Gerson, my Great Grandfather.]

I am grateful not only for the fact that he survived and that ultimately in turn, I am alive, but also most thankful that he took the time and effort to document this enthralling and obviously world-changing period of his life.  There are frustrating moments in the memoirs such as when, after describing some of the more colourful fellow prisoners in detail, he writes “…and as this is written for friends and family, it is not necessary to describe myself”, although in many ways this only serves to add further intrigue in terms of trying to understand exactly who this man was.

He provides fascinating insight into the behaviour and personality of some of his captive comrades, as well as his captors.  He makes humorous references to some of the stereotypical traits of the various nationalities imprisoned along with him, probably bordering on what could be considered non-politically correct in today’s world, and to his credit he isn’t shy about giving a bit of stick to his own tribe either:

The uneducated Germans in their multidialectal arguments quickly lost their tempers and abused one another with rude words.  Such disputes ended frequently in a brawl much to the amusement of the onlookers.  Others passing the barracks would say, “Listen how the Germans love one another”.

The story itself may be less interesting to anyone who is either not a historian, or not a blood relative, but I think there are some genuine gems in here.  It moves between absolute horror and hardship, to comedy gold, right through to sheer disbelief on the part of the reader (particularly when he describes how frequently the Russian soldiers themselves are in a worse situation than he is!).  Things go from sublime to ridiculous as he and another prisoner end up on a “maid run”, a sojourn by horse and cart through the rolling Siberian hills during the nicest weather of the year in search of the best (read: prettiest) Siberian girl they can find to become their live-in housekeeper.  After promising all the less-than-desirable ones that they ‘have the job’, they move on to the next village in hope of finding the ultimate beauty.

“I wish we had taken the hunchback at Teplorietshka or one of the old women in Savedienje.”

The truth is, it was a bizarre scenario he had ended up in.  At some point during his ‘imprisonment’ in Siberia, the Treaty of Brest-Litovsk was signed, ending Russia’s involvement in WWI.  Unfortunately, that treaty did not include any provision for the return of German POWs, so he was left in a strange state as a quasi-prisoner with no trivial means of returning west.  Just to keep things interesting, the tail-end of the first World War gave birth to the Russian Civil War, and he was yet again forced to escape from what would have ultimately been forced conscription into the armies of the White Forces.  Understanding the complex geopolitical environment in which he was surviving is difficult at times, and even after multiple reads of the memoirs and much poring over books concerning the political history of the Russian Empire, it can still be confusing to me.

His journey back home included walking many hundreds of miles with little food, working odd jobs including being a full-time Typhus victim nurse and subsequent body stacker, contracting the disease and nearly dying from it himself, and many many months of careful operating within the bounds of the various state police edicts and civil war constraints that controlled Russia at that time.

“We undressed them completely in the snow in front of the building.  There they lay, the emaciated, unclean bodies, bitten all over by the poisonous lice, mottled and spotted.  Two of us had to carry them inside, gripping their hands and feet.  If the shed was already too full with these stiffly frozen corpses to throw them on top of the pile, we had to climb on top of it.  To do so required indescribable moral effort.  This remains one of my most terrible war memories.”

The memoirs themselves were first written in 1920 once he had returned to Hamburg.  In 1963 he translated them into English, and there were three known typed copies in existence in our family.  A cousin helped to type these into the computer, and a significant editing job was required due to the large volume of typewriter copy errors present on the originals.  I spent several months in 2009 going through the document, first highlighting the various place names and other Russian or Tartar words, and then going back to try and decipher these.  Nearly 100 years is a long time, and the Russians have a great habit of changing place names every time a new leader comes to the fore, so in many instances the task of working out exactly where he had been was non-trivial.  Most of the place names had only been heard by spoken word, so he had to write them back down phonetically, first into German and then later into English.  I trawled Google Earth for hours at a time, often getting out the ruler to gauge the ‘150 miles south’ or equivalent that had been described in the memoirs.  Wikipedia was more than handy for finding the historical names of places, some of which had changed as many as 3 or 4 times since he was there.  The language he uses is old-fashioned, and at times obviously written or translated by a non-native English speaker, but for the most part this just helps to add to the authenticity and feeling of the document.  I made a few edits to try and improve the readability, but kept things as original as possible wherever I could.

[Image: Places of Interest. Caption: The 7,000+ kilometre journey home]

There are a number of small villages I haven’t been able to track down.  There is the odd word that I still don’t understand, and the odd timing or directional discrepancy that doesn’t make exact sense.  Most annoying are just the missing pieces leading up to his capture.  I know he wrote letters home both before and after he was shot, so perhaps if these are still in existence somewhere they will surface one day and answer a bunch of questions.

Long after his return to Germany in 1920, my Great Grandfather was smart enough to see what was happening with the rise to power of the Nazi party, and he moved his entire family out of the country and into what was then Yugoslavia.  From there they moved to Bulgaria and applied for Visas to the UK, USA and New Zealand.  The NZ Visa came back first, and they boarded a ship which arrived in Wellington just around the outbreak of WWII in 1939.  Being German, they were treated as enemy aliens and imposed with travel restrictions and a requirement to attend regular ‘interviews’.  My Great Grandfather eventually found work as an architect, forging a very successful career and becoming well regarded for bringing European influence to the houses he designed – something that prior to that time did not feature much in the New Zealand building scene.

If you’ve read this far, and if you are at all interested, you can read an edited copy of the 100-odd paged memoirs here.  If you are a Hollywood pundit and you think you could make this into a film, contact me and I’ll flick over my bank account details (all proceeds to go to the wider whanau of course).  :>