Skip to content

Latest commit

 

History

History
executable file
·
628 lines (554 loc) · 70.8 KB

Wireless.md

File metadata and controls

executable file
·
628 lines (554 loc) · 70.8 KB
Raw

Wireless Networks

Table of Contents

Sort

Bluetooth Low-Energy * https://blog.attify.com/the-practical-guide-to-hacking-bluetooth-low-energy/ * https://csrc.nist.gov/csrc/media/publications/sp/800-121/rev-2/draft/documents/sp800_121_r2_draft.pdf * https://obvi.us/presentation/rf-sig/

* https://www.usenix.org/system/files/conference/nsdi16/nsdi16-paper-vasisht.pdf
* https://github.com/gsmaxwell/DopplerFi
* https://github.com/seemoo-lab/nexmon
* https://www.arxiv-vanity.com/papers/1811.10948/
* https://arxiv.org/abs/1811.10948

https://github.com/hexway/apple_bleee

https://comsecuris.com/blog/posts/theres_life_in_the_old_dog_yet_tearing_new_holes_into_inteliphone_cellular_modems/

  • New Privacy Threat on 3G, 4G, and Upcoming5G AKA Protocols - Ravishankar Borgaonkar, Lucca Hirschi∗, Shinjo Park, and Altaf Shaik

    • In this paper, we reveal a new privacy attack against allvariants of the AKA protocol, including 5G AKA, thatbreaches subscriber privacy more severely than knownlocation privacy attacks do. Our attack exploits a newlogical vulnerability we uncovered that would requirededicated fixes. We demonstrate the practical feasibilityof our attack using low cost and widely available setups.Finally we conduct a security analysis of the vulnerabil-ity and discuss countermeasures to remedy our attack

  • Security and Protocol Exploit Analysis of the 5GSpecifications - Roger Jover, Vuk Marojevic

    • ? Abstract—The Third Generation Partnership Project (3GPP)released its first 5G security specifications in March 2018.This paper reviews the proposed security architecture, its mainrequirements and procedures, and evaluates them in the contextof known and new protocol exploits. Although security hasbeen improved from previous generations, our analysis identifiesunrealistic 5G system assumptions and protocol edge cases thatcan render 5G communication systems vulnerable to adversarialattacks. For example, null encryption and null authentication arestill supported and can be used in valid system configurations.With no clear proposal to tackle pre-authentication messages,mobile devices continue to implicitly trust any serving network,which may or may not enforce a number of optional securityfeatures, or which may not be legitimate. Moreover, severalcritical security and key management functions are left outsideof the scope of the specifications. The comparison with known 4GLong-Term Evolution (LTE) protocol exploits reveals that the 5Gsecurity specifications, as of Release 15, Version 1.0.0, do not fullyaddress the user privacy and network availability challenges.Keywords–Security, 5G, 3GPP Release 15, LTE

  • A Formal Analysis of 5G Authentication

  • Component-Based Formal Analysis of 5G-AKA:Channel Assumptions and Session Confusion - Cas Cremers, Martin Dehnel-Wild

    • We perform fine-grained formal analysis of 5G’s main au-thentication and key agreement protocol (AKA), and providethe first models to explicitly consider all parties defined by theprotocol specification. Our analysis reveals that the security of5G-AKA critically relies on unstated assumptions on the innerworkings of the underlying channels. In practice this means thatfollowing the 5G-AKA specification, a provider can easily and ‘correctly’ implement the standard insecurely, leaving the protocolvulnerable to a security-critical race condition. We provide thefirst models and analysis considering component and channelcompromise in 5G, whose results further demonstrate the fragilityand subtle trust assumptions of the 5G-AKA protocol.We propose formally verified fixes to the encountered issues,and have worked with 3GPP to ensure these fixes are adopted.

  • add krack

  • Captive-Portal Identification Using DHCP or Router Advertisements (RAs) - RFC 7718

    • This document describes a DHCP option (and a Router Advertisement(RA) extension) to inform clients that they are behind some sort ofcaptive-portal device and that they will need to authenticate to getInternet access. It is not a full solution to address all of theissues that clients may have with captive portals; it is designed tobe used in larger solutions. The method of authenticating to andinteracting with the captive portal is out of scope for thisdocument https://wpa3.mathyvanhoef.com/#new https://news.ycombinator.com/item?id=6942389

  • RPL Attacks Framework

    • This project is aimed to provide a simple and convenient way to generate simulations and deploy malicious motes for a Wireless Sensor Network (WSN) that uses Routing Protocol for Low-power and lossy devices (RPL) as its network layer. With this framework, it is possible to easily define campaign of simulations either redefining RPL configuration constants, modifying single lines from the ContikiRPL library or using an own external RPL library. Moreover, experiments in a campaign can be generated either based on a same or a randomized topology for each simulation.

  • Funtenna - Transmitter: XYZ Embedded device + RF Funtenna Payload https://github.com/steve-m/fl2k-examples https://osmocom.org/projects/osmo-fl2k/wiki

https://wpa3.mathyvanhoef.com/#new

https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html?m=1 https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html https://blade.tencent.com/en/advisories/qualpwn/

https://devtty0.io/pwning-wireless-peripherals/

https://www.blackhat.com/asia-17/arsenal.html#damn-vulnerable-ss7-network

General

BlueTooth BlueTooth

Cellular Networks

  • 101
  • Educational
    • Guide to LTE Security - NIST Special Publication 800-187
    • Demystifying the Mobile Network by Chuck McAuley
      • Must watch video. Very informative.
    • LTE Security - How good is it?
    • Mobile self-defense - Karsten Nohl
    • Taming Mr Hayes: Mitigating Signaling Based Attacks on Smartphones
      • Malicious injection of cellular signaling traffic from mobile phones is an emerging security issue. The respective attacks can be performed by hijacked smartphones and by malware resident on mobile phones. Until today there are no protection mechanisms in place to prevent signaling based attacks other than implementing expensive additions to the cellular core network. In this work we present a protection system that resides on the mobile phone. Our solution works by partitioning the phone software stack into the application operating system and the communication partition. The application system is a standard fully featured Android sys tem. On the other side, communication to the cellular network is mediated by a flexible monitoring and enforcement system running on the communication partition. We implemented and evaluated our protection system on a real smartphone. Our evaluation shows that it can mitigate all currently know n signaling based attacks and in addition can protect users fr om cellular Trojans.
  • Tools
    • SiGploit
      • Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP. SiGploit a signaling security testing framework dedicated to Telecom Security professionals and reasearchers to pentest and exploit vulnerabilites in the signaling protocols used in mobile operators regardless of the geneartion being in use. SiGploit aims to cover all used protocols used in the operators interconnects SS7, GTP (3G), Diameter (4G) or even SIP for IMS and VoLTE infrastructures used in the access layer and SS7 message encapsulation into SIP-T. Recommendations for each vulnerability will be provided to guide the tester and the operator the steps that should be done to enhance their security posture
    • LTE-Cell-Scanner
      • This is a collection of tools to locate and track LTE basestation cells using very low performance RF front ends. For example, these tools work with RTL2832 based dongles (E4000, R820T, etc.) which have a noise figure of 20dB, only 8 bits in the A/D, and a crystal with a frequency error of about 100 ppm.
    • UmTRX
      • UmTRX is a dual-channel wide-band SDR platform with gigabit Ethernet connectivity, that is developed by Fairwaves and designed to be used as a transceiver (TRX) with OpenBTS and OsmoBTS GSM base stations.
  • SIM Cards
  • FemtoCell
  • GSM
    • 101
    • Articles/Presentations/Talks/Writeups
    • Tools
      • GSM MAP
        • The GSM Security Map compares the protection capabilities of mobile networks. Networks are rated in their protection capabilities relative to a reference network that implements all protection measures that have been seen �in the wild�. The reference is regularly updated to reflect new protection ideas becoming commercially available. Networks, therefore, have to improve continuously to maintain their score, just as hackers are continuously improving their capabilities.
      • gr-gsm
        • Gnuradio blocks and tools for receiving GSM transmissions
  • LTE
    • 101
    • Articles/Presentations/Talks/Writeups
      • LTE Security - How good is it?
      • 4G LTE Architecture and Security Concerns
      • LTEInspector : A Systematic Approach for Adversarial Testing of 4G LTE
        • In this paper, we investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders. For exposing vulnerabilities, we propose a model-based testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model. Using LTEInspector, we have uncovered 10 new attacks along with 9 prior attacks, cate- gorized into three abstract classes (i.e., security, user privacy, and disruption of service), in the three procedures of 4G LTE. Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated 8 of the 10 new attacks and their accompanying adversarial assumptions through experimentation in a real testbed
      • Breaking LTE on Layer Two
        • Our security analysis of the mobile communication standard LTE ( Long-Term Evolution, also know as 4G) on the data link layer (so called layer two) has uncovered three novel attack vectors that enable different attacks against the protocol. On the one hand, we introduce two passive attacks that demonstrate an identity mapping attack and a method to perform website fingerprinting. On the other hand, we present an active cryptographic attack called aLTEr attack that allows an attacker to redirect network connections by performing DNS spoofing due to a specification flaw in the LTE standard. In the following, we provide an overview of the website fingerprinting and aLTE attack, and explain how we conducted them in our lab setup. Our work will appear at the 2019 IEEE Symposium on Security & Privacy and all details are available in a pre-print version of the paper.
  • SMS
  • SS7
  • IMSI Catcher related
    • Android IMSI-Catcher Detector (AIMSICD)
      • Android-based project to detect and avoid fake base stations (IMSI-Catchers) in GSM/UMTS Networks.
    • SnoopSnitch
      • SnoopSnitch is an Android app that collects and analyzes mobile radio data to make you aware of your mobile network security and to warn you about threats like fake base stations (IMSI catchers), user tracking and over-the-air updates. With SnoopSnitch you can use the data collected in the GSM Security Map at gsmmap.org and contribute your own data to GSM Map. This application currently only works on Android phones with a Qualcomm chipset and a stock Android ROM (or a suitable custom ROM with Qualcomm DIAG driver). It requires root priviliges to capture mobile network data.

Dongles

  • FunCube dongle
  • RZUSBstick
    • The starter kit accelerates development, debugging, and demonstration for a wide range of low power wireless applications including IEEE 802.15.4, 6LoWPAN, and ZigBee networks. The kit includes one USB stick with a 2.4GHz transceiver and a USB connector. The included AT86RF230 transceiver's high sensitivity supports the longest range for wireless products. The AT90USB1287 incorporates fast USB On-the-Go.
  • Gr0SMoSDR
  • PyBOMBS
    • PyBOMBS (Python Build Overlay Managed Bundle System) is the new GNU Radio install management system for resolving dependencies and pulling in out-of-tree projects. One of the main purposes of PyBOMBS is to aggregate out-of-tree projects, which means that PyBOMBS needs to have new recipes for any new project. We have done a lot of the initial work to get known projects into the PyBOMBS system as is, but we will need project developers for new OOT projects or other projects not currently listed to help us out with this effort.
  • UAV Transponders & Tracker Kits - UST

802.11 - WiFi

RFID - Radio Frequency Identification

RF RetroReflectors

Satellite Related

Software Defined Radio

Zigbee Wireless Networks

Z-Wave

  • 101
  • Articles/Presentations/Talks/Writeups
    • Stealthy and Persistent Back Door for Z-Wave Gateways
      • Z-Wave is a proprietary wireless protocol that is gaining market share in home automation and security systems. However, very little work has been done to investigate the security implications of these sub-GHz devices. In this talk we review recent work on hacking Z-Wave networks, and introduce a new attack that creates a persistent back door. This attack maintains a stealthy, parallel, and persistent control channel with all Z-Wave devices in the home. We will demonstrate the attack against a commercial Z-Wave security system.
    • Honey, I'm Home!! Hacking Z-Wave Home Automation Systems - video
  • Tools

Miscellaneous

  • Wireless Keyboard Sniffer
  • nexmon
    • Nexmon is our C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection.