Wednesday, 2 October 2019

4G LTE Man In The Middle Attacks With A Hacked Small Cell

Here is an interesting talk from the recent HITBSecConf by Xiaodong Zou. HITBSecConf, the Hack In The Box Security Conference, is an annual must-attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia and Amsterdam in The Netherlands, HITBSecConf is a platform for the discussion and dissemination of next-generation computer security issues.

From the talk narrative:

Femtocells offer a user the ability to have a small base station located within their house or other area. These small base stations provide access to the core telecom network where poor reception from an eNodeB would normally prevent consistent coverage. Femtocells have been standardized in LTE since Release 8 and are referred to as Home eNodeB, or HeNB. HeNBs are mandated to have an IPsec connection back to a security gateway (SeGW) to protect traffic flowing into and out of a Mobile Network Operator (MNO)'s core network.

If the HeNB is within the physical possession of an attacker, this provides unlimited time to identify a flaw on the HeNB. A compromised HeNB can be used in a manner similar to a rogue base station, but will also provide the attacker access to clear text traffic before it is sent back to the core network. There are more than ten different types of HeNBs deployed in China. Ericsson ENC-nRBS01B40 is one of them – a TD-LTE base station working on band B40.

In this talk, we will cover:

1.) How to root a 4G LTE femtocell.
2.) How to make the femtocell portable.
3.) How to perform man-in-the-middle attack with the femtocell.
4.) The prototype of the Hacking Box of S1 Interface (HBoS)

Slides and video embedded below: