Introduction to Femtocells

introduction to femtocells. Kévin Redon, Technische Universität Berlin, Security in Telecommunications, [email protected]. OsmoDevCon 2012, Berlin, 24th March 2012


Transcript of Introduction to Femtocells


  • UMTS architecture

    SecT / TU-Berlin 2 / 20

  • femtocells: offloading technology

    • technical name in 3G: Home Node B (HNB)
    • technical name in 4G: Home evolved Node B (HeNB)
    • traffic offload from public operator infrastructure
    • improve 3G coverage, particularly indoor
    • cheap hardware compared to expensive 3G equipment
    • the user provides power, Internet connection, maintenance, and still pays for the communication
    • different architecture (TS 25.467) ⇒ more security required (TS 33.302, TR 33.820)

  • small cells

  • Home Node B Subsystem (HNS)

  • SFR femtocell

    • 39 femtocell offers over 24 countries
    • target sold by SFR (2nd biggest operator in France)
    • cost: mobile phone subscription
    • hardware: ARM9 + FPGA for signal processing
    • OS: embedded Linux kernel + proprietary services
    • built by external vendors (in our case Ubiquisys), configured by operator

  • Command and Control

    • HNB is not only a Node B, but also includes a mini RNC (TS 22.220)
    • cell configuration is done by the HMS (TS 32.581)
    • HNB ↔ HMS communication is TR-069 (aka ACS), using SOAP/XML/HTTP
    • cell asks HMS, but HMS can also push
    • most data provided one time, checked at every registration, with rare updates
    • provisioning data: SeGW address, HNB-GW address, MNC, MCC, ARFCN, GSC, ...

  • 3G IMSI-Catcher

    • How to build a 3G IMSI-Catcher:
    • cell configuration is kindly provided as a feature of femtocells
    • some comfort provided ⇒ hidden web interface
    • we can catch any phone user of any operator into using our box
    • roaming subscribers are allowed by SFR
    • ⇒ the femtocell is turned into a full 3G IMSI-Catcher

  • mutual authentication

    • classical approach in GSM: IMSI-Catcher
      • fake operator BTS (MCC/MNC)
      • acts as MitM between operator and victim
      • phone usually can't detect
      • used to track and intercept communication
    • UMTS standard requires mutual authentication
      • mutual authentication is done with the home operator, not with the actual cell
      • the femtocell forwards the authentication tokens
      • mutual authentication is performed even with a rogue device

  • HNB ↔ HNB-GW communication

    • Iuh protocols:
      • Iup: Iub over IP
      • IMS/SIP
      • Generic Access Network (GAN)
    • GAN:
      • UMA specified by operators in 2004
      • standardized by 3GPP in 2005 into GAN (TS 44.318, TS 43.318)
      • designed for MS ↔ MNO communication over IP (WiFi)
      • borrowed for femtocells, but needs to be adapted

  • Generic Access Network (GAN)

    • device is communicating with operator via GAN protocol (UMA)
    • TCP/IP mapped radio signaling
      • encapsulates radio Layer 3 messages (MM/CC) in GAN protocol
      • one TCP connection per subscriber
      • radio signaling maps to GAN messages, which are sent over this connection
    • GAN usage is transparent for the phone

  • but what about over-the-air encryption?

    • only the phone ↔ femtocell OTA traffic is encrypted ⇒ encryption/decryption happens on the box
    • femtocell acts as a combination of RNC and Node-B: receives cipher key and integrity key from the operator for OTA encryption
    • reversing tells us: message is SECURITY MODE COMMAND (unspecified RANAP derivate), which includes the keys
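    The two points above (mutual authentication is with the home operator, so a relaying cell passes the check; the cell is then handed CK/IK) can be seen in a small model of UMTS AKA. This is an added example, not code from the talk or from any 3GPP or operator software: the real f1-f5 functions are MILENAGE, here replaced by truncated HMAC-SHA256; the anonymity key AK is omitted so SQN travels in clear; HomeNetwork, Phone and attach_via_cell are this example's own names.

```python
"""Simplified UMTS AKA with a cell that only relays (added illustration).

Assumptions: truncated HMAC-SHA256 stands in for MILENAGE f1-f4, AK is left
out (SQN sent in clear), and class/function names are this example's own.
"""
import hashlib
import hmac
import os

AMF = b"\x00\x00"  # authentication management field, fixed for the example


def _prf(k, label, *parts):
    """Keyed PRF standing in for the MILENAGE f-functions (assumption)."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def f1_mac(k, rand, sqn, amf):  # network authentication code, 8 bytes
    return _prf(k, b"f1", rand, sqn, amf)[:8]

def f2_res(k, rand):  # subscriber response, 8 bytes
    return _prf(k, b"f2", rand)[:8]

def f3_ck(k, rand):  # cipher key later pushed to the serving RNC/HNB
    return _prf(k, b"f3", rand)[:16]

def f4_ik(k, rand):  # integrity key later pushed to the serving RNC/HNB
    return _prf(k, b"f4", rand)[:16]


class HomeNetwork:
    """HLR/AuC plus core network: the only network element holding K."""

    def __init__(self, k):
        self.k, self.sqn = k, 0
        self.pending = {}  # RAND -> (XRES, CK, IK) awaiting the phone's RES

    def make_challenge(self):
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        autn = sqn + AMF + f1_mac(self.k, rand, sqn, AMF)
        self.pending[rand] = (f2_res(self.k, rand), f3_ck(self.k, rand), f4_ik(self.k, rand))
        return rand, autn

    def check_response(self, rand, res):
        """Return (CK, IK) for the serving cell, or None if RES is wrong."""
        xres, ck, ik = self.pending.pop(rand, (None, None, None))
        if xres is None or not hmac.compare_digest(xres, res):
            return None
        return ck, ik


class Phone:
    """USIM side: verifies AUTN with K and the SQN window, then answers RES."""

    def __init__(self, k):
        self.k, self.last_sqn = k, 0

    def answer(self, rand, autn):
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f1_mac(self.k, rand, sqn, amf)):
            return None  # MAC failure: the sender does not know K
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            return None  # stale SQN: replayed challenge (sync failure in the real protocol)
        self.last_sqn = int.from_bytes(sqn, "big")
        return f2_res(self.k, rand)


def attach_via_cell(home, phone, forge_challenge=False):
    """One AKA run through a cell between phone and home network.

    The cell never holds K. With forge_challenge=False it relays RAND/AUTN
    and RES untouched, which is what a legitimate HNB and a rogue one both
    do, so the phone accepts the network either way and the cell receives
    CK/IK. With forge_challenge=True the cell issues its own challenge and
    the phone rejects it because the MAC does not verify.
    Returns (phone_accepted_network, keys_received_by_cell).
    """
    if forge_challenge:
        rand, autn = os.urandom(16), os.urandom(16)
    else:
        rand, autn = home.make_challenge()
    res = phone.answer(rand, autn)
    if res is None:
        return False, None
    return True, home.check_response(rand, res)


if __name__ == "__main__":
    k = os.urandom(16)
    home, phone = HomeNetwork(k), Phone(k)
    print(attach_via_cell(home, phone))        # relay is invisible to AKA, cell gets CK/IK
    print(attach_via_cell(home, phone, True))  # without K the cell cannot pass the phone's check
```

    The defensive reading is that AKA on the phone only proves that K's owner took part somewhere upstream; it says nothing about the box that forwarded the tokens, so protection of the subscriber rests on the HNB's own authentication towards the SeGW and on what the HNB-GW lets a registered femtocell do, not on the UE-side check.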


  • SECURITY MODE COMMAND

    • derived from RANAP, but spec unknown

  • plain text

    • OTA encryption optional
    • traffic decoded in the HNB
    • only the SeGW access is used for authentication/encryption when connecting
    • all traffic in plain text
    • same in HeNB (with stronger trusted core requirement)

  • GAN proxy/client

    • proxies all GAN connections/messages
    • reconfigure femtocell to connect to our proxy instead of real GANC
    • proxy differentiates between GAN message types
    • attack client controls GAN proxy over extended GAN protocol

  • MitM

    • interception (SMS in GAN, voice over RTP)
    • modification (because of the point to point design)
    • injection (need the phone for authentication)

  • return of the IMSI detach

    • IMSI detach DoS discovered by Sylvain Munaut in 2010 [1]
      • results in discontinued delivery of MT services (call, sms, ...)
      • ⇒ network assumes subscriber went offline
    • detach message is unauthenticated
    • however, this is limited to a geographical area (served by a specific VLR)
    • user can not receive calls

    [1] http://security.osmocom.org/trac/ticket/2

  • IMSI detach in femtocell ecosystem

    • proximity constraint not existent in femtocell network
    • devices reside in various geographical areas
    • but all subscribers meet in one back-end system ⇒ and they are all handled by one femtocell VLR (at least for SFR)
    • we can send IMSI detach payloads via L3 msg in GAN ⇒ we can detach any femtocell subscriber, no proximity needed!

  • the end

    thank you for your attention

    questions?

  • contact us

    • Nico Golde @iamnion
    • Kévin Redon
    • Ravi Borgaonkar @raviborgaonkar
    • or just [email protected]