Build a free cellular traffic capture tool with a vxworks based femoto

Presented at DEF CON 23 (2015), Aug. 7, 2015, 2 p.m. (60 minutes)

In recent years, more and more products, are integrated with cellular modem, such as cars of BMW, Tesla, wearable devices, remote meters, i.e. Internet of things. Through this way, manufactories can offer remote service and develop a lot of attractive functions to make their product more valuable. However, many vulnerabilities have also been introduced into these systems. It puts new questions to black-box penetration testing engineer. How to capture the SMS command between the cellular modem and the remote server? How to intercept the data link? Some existing solutions, such as USRP based OpenBTS, commercial product nanoBTS can be used to build a fake base station and capture data traffic. However all of them cannot access the real operator's core network so that they cannot capture real SMS and voice traffic. With the inspiration from social engineering, we got a femto-cell base station from a telecom operator. After a series of hacking and modifications, we built it as a powerful SMS, voice and data link inception tool. Furthermore, not like a fake station, it's a legal base station and authorized to access the operator's core network. By this tool, we can conveniently explore vulnerabilities of cellular modem inside products.

Presenters:

• Haoqi Shan - Wireless/hardware security researcher, Qihoo 360 Technology Co. Ltd.
  Haoqi Shan is currently a wireless/hardware security researcher in Unicorn Team, Qihoo 360 Technology Corporation. He obtained bachelor degree of electronic engineering in Harbin Engineering University, China, in 2015. He focuses on Wi-Fi penetration, GSM system, router/switcher hacking etc. Other research interests include mobile phone application security, reverse engineering on embedded devices such as femto-cell base station, video cameras.
• Yuwei Zheng - Senior security researcher, Qihoo 360 Technology Co. Ltd.
  Yuwei Zheng is a senior security researcher concentrated in embedded systems over 10 years. He had reversed blackberry BBM, PIN, BIS push mail protocol , and decrypted the network stream successfully in 2011. After that, one year later, he finished a MITM attack for blackberry BES, which based on a modified ECMQV protocol of RIM. At the Qtr4 of 2014, he entered wireless security research group, Unicorn Team, in Qihoo 360 China. Now he is focusing on the security issues of embedded hardware and IOT systems. Twitter: @hwiosec

Links:

• https://defcon.org/html/defcon-23/dc-23-speakers.html#Zheng
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 slides/DEF CON 23 - Zheng and Shan - Build a free cell traffic capture tool with vxworks based femoto - Slides.mp4
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video/DEF CON 23 - Zheng and Shan - Build a free cell traffic capture tool with vxworks based femoto - Video.mp4
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 slides/DEF CON 23 - Zheng and Shan - Build a free cell traffic capture tool with vxworks based femoto - Slides.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video and slides/DEF CON 23 - Zheng and Shan - Build a free cell traffic capture tool with vxworks based femoto - Video and Slides.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video/DEF CON 23 - Zheng and Shan - Build a free cell traffic capture tool with vxworks based femoto - Video.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video and slides/DEF CON 23 - Zheng and Shan - Build a free cell traffic capture tool with vxworks based femoto - Video and Slides.mp4 (Video and Slides)

Similar Presentations:

• DEF CON 21 (2013) / I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell
• DEF CON China 1.0 (2019) / How to perform security analysis on IoT equipment through building a base station system
• ShellCon 2018 / Shells on Cells