Build a free cellular traffic capture tool with a vxworks based femoto

DEF CON 23

Presented by: Haoqi Shan, Yuwei Zheng
Date: Friday August 07, 2015
Time: 14:00 - 14:50
Location: Track One

In recent years, more and more products, are integrated with cellular modem, such as cars of BMW, Tesla, wearable devices, remote meters, i.e. Internet of things. Through this way, manufactories can offer remote service and develop a lot of attractive functions to make their product more valuable. However, many vulnerabilities have also been introduced into these systems.

It puts new questions to black-box penetration testing engineer. How to capture the SMS command between the cellular modem and the remote server? How to intercept the data link?

Some existing solutions, such as USRP based OpenBTS, commercial product nanoBTS can be used to build a fake base station and capture data traffic. However all of them cannot access the real operator's core network so that they cannot capture real SMS and voice traffic.

With the inspiration from social engineering, we got a femto-cell base station from a telecom operator. After a series of hacking and modifications, we built it as a powerful SMS, voice and data link inception tool. Furthermore, not like a fake station, it’s a legal base station and authorized to access the operator’s core network. By this tool, we can conveniently explore vulnerabilities of cellular modem inside products.

Yuwei Zheng

Yuwei Zheng is a senior security researcher concentrated in embedded systems over 10 years. He had reversed blackberry BBM, PIN, BIS push mail protocol , and decrypted the network stream successfully in 2011. After that, one year later, he finished a MITM attack for blackberry BES, which based on a modified ECMQV protocol of RIM. At the Qtr4 of 2014, he entered wireless security research group, Unicorn Team, in Qihoo 360 China. Now he is focusing on the security issues of embedded hardware and IOT systems. Twitter: @hwiosec

Haoqi Shan

Haoqi Shan is currently a wireless/hardware security researcher in Unicorn Team, Qihoo 360 Technology Corporation. He obtained bachelor degree of electronic engineering in Harbin Engineering University, China, in 2015. He focuses on Wi-Fi penetration, GSM system, router/switcher hacking etc. Other research interests include mobile phone application security, reverse engineering on embedded devices such as femto-cell base station, video cameras.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats