Chinese "beauty hacker" demonstrates an attack on LTE 4G networks: mobile phone data laid bare

2016-08-08 15:58:16

One of the saddest things in the world

is having a girlfriend who is a hacker.

Because you never know

what means she really has to monitor you.

Today, a female hacker from China proved it to the world: she has a way to listen in on all of the communication data of a designated mobile phone.

Zhang Wanqiao of the 360 Unicorn Team

This "beauty hacker" is Zhang Wanqiao of the 360 Unicorn Team. She shared this "sad" study at DEF CON, the world's top hacker conference. The results she announced were also the work of Shan Haoqi, likewise from the 360 Unicorn Team. (Shan Haoqi once installed a monitoring Trojan of his own so his girlfriend could keep tabs on him, to prove his loyalty; perhaps that is why Zhang pulled him in to study this technology together... awkward.)

Shan Haoqi (left) and Zhang Wanqiao giving their talk at DEF CON

Lies, deception and a 4G pseudo base station

Zhang Wanqiao told Lei Feng network that, to intercept the information on a phone, all that is needed is a set of lies to deceive the target phone. The lies come from a wolf in sheep's clothing: a pseudo base station.

You may have heard of this evil thing called a pseudo base station; it is mainly used to send spam and phishing messages. But the pseudo base stations you are familiar with mostly rely on the following technique:

1. Use a high-intensity jamming signal to block all 3G and 4G phone signals within an area.

2. Most phones that cannot connect to a 4G or 3G signal automatically fall back to searching for a 2G signal. At this point the phone is naturally led to the pseudo base station's 2G signal, and then unknowingly receives the fraudulent messages.

The reason the bad guys suppress the signal down to 2G, rather than attacking 3G and 4G signals directly, is that those communications use a much stricter security model. However, this kind of brute-force jamming often interrupts phone signal over a wide area; people notice the abnormal signal and try to leave the pseudo base station's coverage.

4G pseudo base station

Our beauty hacker, however, chose to go straight at the LTE 4G signal. She said:

Because LTE 4G uses two-way authentication, meaning the base station verifies the identity of the phone and the phone verifies the identity of the base station. Once mutual authentication succeeds, both sides enter encrypted communication, and by then it is difficult to attack. So my attack must be done before authentication completes.

The window before mutual authentication completes became Wanqiao's opportunity to hack the phone's network. In her talk she explained the three steps of the attack in detail:

1. Trick the phone into handing over its number's "ID card"

IMSI, a word that doesn't sound sexy, is very important to a phone. It is the unique identity code of a phone number at the carrier. That is, what you see is your phone number, but in the operator's database your phone number corresponds to an IMSI code. It is like the phone's "ID card", and all authentication is based on this ID card.

How the "ID card" (IMSI) of a phone number is captured

For an attacker setting up a pseudo base station, getting hold of the phone's ID card is the prerequisite for the next step of the attack. But the IMSI on a phone is like a pair of underwear: everyone has one, but it isn't just shown to anybody.

Zhang Wanqiao told Lei Feng network:

In general, for safety, when a phone switches from one base station to another it gives the other side a TMSI code; this code is temporary and its validity is relatively short. Generally only when the phone first searches for a signal, such as after a shutdown and restart, does it give the base station the permanent IMSI code.

This causes a thorny problem: when hacking someone's phone, you generally can't rush over and restart it for them.

To get the IMSI of the attack target, she needs to build a 4G pseudo base station. A 4G pseudo base station has no way to communicate normally with the phone, because it cannot pass the phone's identity check. But before the phone checks the base station, the base station can pull a trick on the phone:

After the phone gives the pseudo base station its TMSI code, the pseudo base station can send the phone a message saying "I still cannot determine your identity". According to the communication protocol, the phone must then show its IMSI code.

In popular terms, it's like a fake security guard standing at the gate who refuses to let a visitor in unless he shows his ID card. In this way the pseudo base station finally tricks the phone out of its number's "ID card".

2. Playing the fake security guard

Once it has the phone number's ID card, this "fake security guard" (the pseudo base station) turns nasty. It tells the phone: the building is full, you can't come in.

At this point the phone still has had no chance to check the identity of the "fake security guard", and mistakenly believes the network really is full.

Because the pseudo base station's signal is very strong and covers the real signal, for the phone there is no other available network at this moment. To save power, the phone enters a no-signal state until the next time you restart it.

The phone is thus often left stranded in a no-signal state for a long time, until its owner notices and manually restarts it. This creates a denial-of-service (DoS) attack.

I'm sure you've also thought of it: a security guard who has got hold of your ID can do more than this.

3. Falling into the trap

Zhang Wanqiao told Lei Feng network that the LTE 4G protocol contains a wonderful rule:

When a base station finds its load is too heavy, it can direct the phone to a designated base station. So we can use the 4G pseudo base station to direct the phone to a 2G pseudo base station.

Back to the security guard example. It is as if the fake guard told the visitor: there is a small building next door where you can also handle your business.

Yes, that small building is fake too: it is the 2G pseudo base station the hackers built.

So after this big detour, the poor phone finally falls into the 2G pseudo base station. Since on a 2G network the phone has no right to judge whether a base station is genuine, it sends its information to the pseudo base station without reservation. The pseudo base station can even act as a "middleman", relaying the communication intact to the real base station. From the user's point of view his communication works fine, but in reality all of his communication content is being eavesdropped on by the "man in the middle".

The communication protocols specified by 3GPP over the years

Where does this wonderful rule come from?

You may ask: why must a phone follow the base station's command and jump to the designated new base station?

Zhang Wanqiao said this flaw is, in a sense, not a flaw. As early as 2005, experts inside 3GPP, the body responsible for the 4G protocol, were aware that this rule could in theory lead to attacks. But the protocol still did not block the rule.

It is possible that in an emergency such as an earthquake or fire, all phones will connect to the same base station at the same time, overloading it and causing it to collapse. Phones are very "silly": they usually just search for the nearby base station with the strongest signal. At such times the phone needs to obey orders and follow the base station's dispatch to connect to another, designated base station.

As long as the communication protocol is not changed, every phone is open to being attacked this way.

A kind-hearted hacker

As for Wanqiao, she has no interest whatsoever in monitoring her boyfriend's communication records. To be precise, as a white-hat hacker she has strict limits and values.

Her research into LTE 4G technology is aimed at finding a way to protect the mobile phone network and preventing this kind of attack from being used by the real bad guys.

At present it is hard to completely prevent this attack without modifying the internationally used LTE 4G protocol; the only party that can make improvements in this regard is the mobile phone manufacturers. For example:

1. Since the attack ultimately leads to a 2G pseudo base station, and 2G pseudo base stations have certain characteristics of their own, adding some recognition conditions to the phone would let it identify most pseudo base stations, and then remind the user or simply refuse the connection.

2. Against the 4G pseudo base station's denial-of-service attack, the phone could be made to automatically reconnect to a network every half hour, or even less, while in this state, so that it is not left off the network for a long time.
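To make the phone's side of all this concrete, here is an added illustration, constructed for this article and not code from the 360 Unicorn Team or from any phone manufacturer. It models the phone's view of the three-step exchange described above and of the two phone-side mitigations just listed. The message names, the event log, the "refuse an unauthenticated redirect to 2G" check (an assumed stand-in for the team's unspecified recognition conditions) and the rescan timer are all this model's own assumptions, not 3GPP message names or the team's actual proposals.

```python
"""
Constructed model (not 360 Unicorn Team code) of a phone's view of the
pre-authentication exchange described in the article and of the two
phone-side mitigations it proposes. Message names are this model's own,
not 3GPP message or information-element names.
"""
from dataclasses import dataclass, field
from typing import List, Optional

IDENTITY_REQUEST_IMSI = "identity_request_imsi"  # "I still cannot determine your identity"
REJECT_OVERLOADED = "reject_overloaded"          # "the building is full, you cannot come in"
REDIRECT_TO_2G = "redirect_to_2g"                # "try the small building next door"
AUTH_CHALLENGE = "auth_challenge"                # mutual authentication starts here

# Constructed message sequences. A pseudo base station never reaches
# AUTH_CHALLENGE because it cannot pass the phone's check; a genuine cell
# authenticates before it redirects for load balancing.
PSEUDO_DOS = [IDENTITY_REQUEST_IMSI, REJECT_OVERLOADED]      # steps 1 and 2
PSEUDO_REDIRECT = [IDENTITY_REQUEST_IMSI, REDIRECT_TO_2G]    # steps 1 and 3
GENUINE_REBALANCE = [AUTH_CHALLENGE, REDIRECT_TO_2G]         # the rule's intended use


@dataclass
class Phone:
    imsi: str
    authenticated: bool = False
    revealed_imsi: bool = False
    network: Optional[str] = "LTE"          # "LTE", "2G" or None (no usable signal)
    log: List[str] = field(default_factory=list)
    guard_redirects: bool = False           # mitigation 1, assumed form: distrust unauthenticated 2G redirects
    rescan_minutes: Optional[int] = None    # mitigation 2: rescan period after losing service

    def handle(self, msg: str) -> Optional[str]:
        """Process one base-station message; return the phone's reply, if any."""
        self.log.append(msg)
        if msg == AUTH_CHALLENGE:
            self.authenticated = True
            return "auth_response"
        if msg == IDENTITY_REQUEST_IMSI:
            # Before authentication the protocol obliges the phone to answer with its IMSI.
            self.revealed_imsi = True
            return self.imsi
        if msg == REJECT_OVERLOADED:
            # No other cell is audible behind the strong pseudo signal: the phone
            # gives up searching to save power (the DoS state of step 2).
            self.network = None
            return None
        if msg == REDIRECT_TO_2G:
            if self.guard_redirects and not self.authenticated:
                self.log.append("refused_unauthenticated_redirect")
                self.network = None
            else:
                self.network = "2G"
            return None
        raise ValueError(f"unknown message {msg!r}")


def run(sequence: List[str], imsi: str = "IMSI-CONSTRUCTED-0001", **options) -> Phone:
    """Feed a message sequence to a fresh phone and return its final state."""
    phone = Phone(imsi=imsi, **options)
    for msg in sequence:
        phone.handle(msg)
    return phone


def looks_like_pseudo_base_station(log: List[str]) -> bool:
    """Heuristic (this model's, not the team's): an IMSI demand followed by a
    reject or a 2G redirect with no authentication in between is the article's
    attack pattern. A genuinely overloaded cell can produce the same pattern,
    so treat a hit as a reason to warn the user, not as proof."""
    return (IDENTITY_REQUEST_IMSI in log
            and (REJECT_OVERLOADED in log or REDIRECT_TO_2G in log)
            and AUTH_CHALLENGE not in log)


def service_restored_at(phone: Phone, pseudo_leaves_at: int, owner_restarts_at: int) -> int:
    """Minute at which a phone stuck in the no-signal state regains service.
    Without mitigation 2 it waits for the owner's restart; with a rescan timer
    it recovers at the first rescan after the pseudo base station has gone
    (earlier rescans just hit the pseudo station and are rejected again)."""
    if phone.network is not None:
        return 0
    if phone.rescan_minutes is None:
        return owner_restarts_at
    t = phone.rescan_minutes
    while t < pseudo_leaves_at:
        t += phone.rescan_minutes
    return t


if __name__ == "__main__":
    victim = run(PSEUDO_REDIRECT)
    print("unprotected phone ends on", victim.network, "IMSI revealed:", victim.revealed_imsi)
    guarded = run(PSEUDO_REDIRECT, guard_redirects=True)
    print("guarded phone ends on", guarded.network, "log:", guarded.log)
    stuck = run(PSEUDO_DOS)
    print("no rescan: service back at minute", service_restored_at(stuck, 45, 600))
    timed = run(PSEUDO_DOS, rescan_minutes=30)
    print("30-minute rescan: service back at minute", service_restored_at(timed, 45, 600))
```

Two things the model makes visible that the prose only states: the IMSI is disclosed and the phone is moved to 2G without `authenticated` ever becoming true, which is exactly why the checks have to live on the phone rather than in the protocol; and the rescan timer bounds the outage at one rescan period past the moment the pseudo base station disappears, instead of "until the owner restarts". Because a legitimately overloaded cell may reject before authenticating, the heuristic is only fit for warning the user or declining the connection, as the article itself proposes.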

Zhang Wanqiao told Lei Feng network (search for the Lei Feng network public account) that much of the underlying logic in the LTE 4G research was in fact mainly built by the Unicorn Team's wireless communications expert Huang Lin. These two proposals have been submitted to their own team's mobile phone product, and the corresponding rules should be in preparation.

Although in real life there is no evidence that such attacks have occurred, Zhang Wanqiao and Shan Haoqi want to tell people that 4G network security is no trifling matter. This attack is hard to detect and enormously damaging. If it ever starts happening on a large scale, the cost to the public will be hard to measure.

P.S. Zhang Wanqiao gives special thanks to teammate Shan Haoqi, the Unicorn Team's communications guru Huang Lin, and Unicorn Team chief hacker Yang Qing. The research results were completed by the team.

Attached: the scene of nerds besieging Wanqiao after her talk