At 44CON in September 2014, MDSec presented “GreedyBTS: Hacking Adventures in GSM” where we discussed our research of 2.5G network attacks against mobile devices. We outlined many existing known weaknesses in the GSM protocol, discussed in detail how to build a safe simulation environment of 2.5G for security research and presented an overview of GreedyBTS.
GreedyBTS is a firmware image for use with USRP E-series devices to assist in performing 2.5G attacks against MS from a BTS. We demonstrated how calls, SMS and data from a subscriber MS could be trivially intercepted by a BTS. We are also able to launch exploits against a connected MS allowing for traditional IP based attacks to be launched against mobile devices.
GreedyBTS can be used to assist security researchers and analysts performing assessments of mobile connectivity in environments, as well as highlighting risks to organisations who may transfer potentially sensitive information over wireless devices. An increasing number of embedded systems have turned to GSM as a management channel, such as alarm panels, street lighting, safety systems and more, which could all be susceptible to man-in-the-middle and rogue BTS attacks.
The current state of baseband security means that it is difficult to detect and determine if you or your devices are being targeted by malicious BTS environments. The tools that do exist are aimed at power users which makes wider adoption by business or consumers an increasingly difficult task. By sharing information that can assist security researchers we hope to increase the overall security of mobile devices and cause people to re-think how they handle sensitive information over GSM environments.
The slides from our presentation are included here:
We have also included brief video demonstration outlining the capabilities of greedyBTS here:
If you want further information please see our 44CON 2014 presentation video which can be obtained by itself or as part of the DVD available at https://vimeo.com/ondemand/44con2014.