26C3 - 26C3 1.15

26th Chaos Communication Congress
Here be dragons

Harald Welte
Day 3 - 2009-12-29
Room Saal1
Start time 17:15
Duration 01:00
ID 3535
Event type Lecture
Track Hacking
Language used for presentation English

Using OpenBSC for fuzzing of GSM handsets

With the recent availability of more Free Software for GSM protocols such as OpenBSC, GSM protocol hacking is no longer off-limits. Everyone can play with the lower levels of GSM communications.

It's time to bring the decades of TCP/IP security research into the GSM world: sending packets that are incompatible with the state machine, sending wrong length fields, and going all the way to fuzzing the various layers of the GSM protocol stack.

The GSM protocol stack is a communications protocol stack like any other. There are many layers of protocols, headers, TLVs, and length fields that can "accidentally" be longer or shorter than the actual content. There are timers and state machines. Wrong messages can trigger invalid state transitions.

This protocol stack inside the telephone is implemented in C on the baseband processor, on a real-time operating system without any memory protection.
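The length-field mismatch described above (a TLV whose length byte claims more bytes than the message actually carries) is exactly the input a parser on a baseband without memory protection must reject before it reads past the buffer. The following is an added illustration, not code from the talk or from OpenBSC: it walks a generic one-byte-tag, one-byte-length TLV layout (assumed for the example; GSM Layer 3 uses several element encodings, which this does not model) and refuses any element whose declared length overruns the remaining message. The sample messages are constructed, not captured from a handset.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One decoded element; val points into the caller's buffer, nothing is copied. */
struct tlv {
    uint8_t tag;
    uint8_t len;
    const uint8_t *val;
};

/* Walk a buffer of tag(1) / length(1) / value(length) elements.
 * Returns the number of elements found, or -1 if the message is malformed:
 * a tag without a length byte, or a length field that claims more bytes
 * than remain in the message (the "accidentally longer" case).
 * Generic TLV layout assumed for illustration, not GSM L3 encoding. */
int tlv_parse(const uint8_t *buf, size_t buflen, struct tlv *out, size_t max_out)
{
    size_t pos = 0;
    size_t n = 0;

    while (pos < buflen) {
        if (buflen - pos < 2)          /* tag present but no length byte */
            return -1;
        uint8_t tag = buf[pos];
        uint8_t len = buf[pos + 1];
        pos += 2;
        if (len > buflen - pos)        /* declared length overruns the message */
            return -1;
        if (n < max_out) {             /* record only as many as the caller can hold */
            out[n].tag = tag;
            out[n].len = len;
            out[n].val = buf + pos;
        }
        n++;
        pos += len;                    /* safe: bounded by the check above */
    }
    return (int)n;
}

/* Constructed sample messages (not captured from a real handset). */
static const uint8_t msg_ok[] = {
    0x01, 0x02, 0xAA, 0xBB,            /* tag 1, len 2 */
    0x05, 0x00,                        /* tag 5, len 0 */
    0x07, 0x01, 0xCC                   /* tag 7, len 1 */
};
static const uint8_t msg_overlong[] = {
    0x01, 0x02, 0xAA, 0xBB,
    0x07, 0x10, 0xCC                   /* claims 16 value bytes, only 1 present */
};
static const uint8_t msg_truncated[] = {
    0x01, 0x02, 0xAA, 0xBB,
    0x07                               /* tag with no length byte */
};

int parse_ok_sample(void)        { struct tlv t[8]; return tlv_parse(msg_ok, sizeof msg_ok, t, 8); }
int parse_overlong_sample(void)  { struct tlv t[8]; return tlv_parse(msg_overlong, sizeof msg_overlong, t, 8); }
int parse_truncated_sample(void) { struct tlv t[8]; return tlv_parse(msg_truncated, sizeof msg_truncated, t, 8); }

int main(void)
{
    printf("well-formed message: %d elements\n", parse_ok_sample());
    printf("overlong length field: %d (rejected)\n", parse_overlong_sample());
    printf("truncated element: %d (rejected)\n", parse_truncated_sample());
    return 0;
}
```

The point of the check `len > buflen - pos` is that it is computed against the bytes actually received, never against the length the sender declared; the same discipline applies to every nested length field in a layered stack, since an outer element that passed the check does not make the lengths inside it trustworthy.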

There are only a very few commercial GSM protocol stack implementations, which are licensed by the baseband chipset companies. Thus, vulnerabilities discovered in one phone will likely exist in many other phones, even those of completely different handset manufacturers.

Does that sound like the preamble to a security nightmare? It might well be! Those protocol stacks have never received the scrutiny of thousands of hackers and attack tools that the TCP/IP protocol suite on the Internet has.

It's about time we change that.