@adaburrows
Last active April 28, 2023 16:36

Essential Reading For Coms Security and Open Source Infrastructure Efforts

Our current cellphone, wireless, and wired infrastructure is insecure, and judging from the mistakes the industries continue to make, it isn't showing many signs of getting better. One of the first steps we can take is to make the current standards and implementations open. Once they are open, it will become easier to see exactly what needs to be changed. Hopefully, it will also make it easier for the industries to adopt new standards by adopting one of multiple open implementations. This approach has shown promise in many countries which don't already have the infrastructure investment the US does.

TOC

  1. Coms Security & Privacy Reading List
  2. Towards Completely Open Source Basebands
  3. IMSI catcher software/detection
  4. Jamming

Coms Security & Privacy Reading List

  1. Slava Makkaveev. (2021) Security probe of Qualcomm MSM data services. Check Point Research. 6 May.
  2. (2021) Devices supporting Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure. Vulnerability Note VU#799380. 24 June.
  3. Goodin, D. (2020) Snapdragon chip flaws put >1 billion Android phones at risk of data theft. Ars Technica. 8 August.
  4. Ruge, J. (2020) Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag. ERNW Insinuator. 6 February.
  5. JSOF. (2020) Ripple20.
  6. Rupprecht, D., Kohls, K., Holz, T., & Pöpper, C. (2020, February). IMP4GT: IMPersonation Attacks in 4G NeTworks. In NDSS.
  7. Goodin, D. (2020) 4 vulnerabilities under attack give hackers full control of Android devices. Ars Technica. 19 June.
  8. Ruge, J., Classen, J., Gringoli, F., & Hollick, M. (2020). Frankenstein: Advanced wireless fuzzing to exploit new Bluetooth escalation targets. In 29th USENIX Security Symposium (USENIX Security 20) (pp. 19-36).
  9. Karim, I., Cicala, F., Hussain, S. R., Chowdhury, O., & Bertino, E. (2020). ATFuzzer: Dynamic Analysis Framework of AT Interface for Android Smartphones. Digital Threats: Research and Practice, 1(4), 1-29.
  10. Greenberg, A. (2020). This bluetooth attack can steal a Tesla model X in minutes. Wired. 23 November.
  11. ESET. (2019) Kr00k: A serious vulnerability deep inside Wi-Fi encryption. CVE-2019-15126.
  12. David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper. Breaking LTE on Layer Two. 2019. May.
  13. Roger Jover. Exploring LTE security with open-source tools, testing protocol exploits and analyzing their potential impact on 5G mobile networks. Virginia Tech Hume Center Intelligent Systems Lab Tech Talks. 2019. November 26.
  14. Liam Tung. Update WhatsApp now: Bug lets snoopers put spyware on your phone with just a call. ZDNet. 2019. May 14.
  15. Kirill Puzankov. Hidden Agendas: Bypassing GSMA Recommendations on SS7 Networks (PDF). 2019. May 9.
  16. Ralph Moonen. VoLTE Phreaking (PDF). Hack in the box. 2019. May 9.
  17. ‘COMSEC’ excerpt: How unsecure is your Smartphone? Learn the science behind the vulnerabilities. NEWSREP. 2019. May 8.
  18. Catalin Cimpanu. Researchers find 36 new security flaws in LTE protocol. Zero Day. ZDNet. 2019. March 23.
  19. Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE. Embedi. 2019. January 18.
  20. Seamus Burke. A Journey Into Hexagon: Dissecting a Qualcomm Baseband (VIDEO). DEF CON 26. 2018.
  21. Johnson and Stavrou. Vulnerable Out of the Box - Evaluation of Android Carrier Devices (VIDEO). DEF CON 26. 2018.
  22. Rowan Phipps. ThinSIM based Attacks on Mobile Money Systems (VIDEO). DEF CON 26. 2018.
  23. recompiler. Attacking Gotenna Networks (VIDEO). DEF CON 26. 2018.
  24. Lilly Hay Newman. Exploiting Decades-Old Telephone Tech to Break Into Android Devices. Wired. 2018. August 29.
  25. Sébastien Dudek. Modmobjam: Jam tomorrow, jam yesterday, but also jam today (PDF). SSTIC RUMP. 2018. June 14.
  26. New Vehicle Security Research by KeenLab: Experimental Security Assessment of BMW Cars. Tencent Keen Security Lab. 2018. May 22.
  27. Marc Lichtman, Raghunandan M. Rao, Vuk Marojevic, Jeffrey H. Reed, Roger Piqueras Jover. 5G NR Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation. arXiv preprint. 2018. April 8.
  28. Marc Lichtman, Raghunandan M. Rao, Vuk Marojevic, Jeffrey H. Reed, Roger Piqueras Jover. 5G NR Jamming, Spoofing, and Sniffing: Threat Assessment and Mitigation. (PDF, slides)
  29. Lily Hay Newman. DC's Stingray Mess Won't Get Cleaned Up. Wired. 2018. April 6.
  30. Tencent Blade Team. Exploring Qualcomm Baseband via ModKit (PDF). CanSecWest. 2018.
  31. Your ISP is Probably Spying On You. Harrison's Sandbox. 2018. February 14.
  32. Zuk Avraham. Mobile Pwn2Own 2017 Results and the Economics of Mobile Exploits. Medium. 2017. November 13.
  33. Cell-Site Simulators/IMSI Catchers. Street-Level Surveillance. Electronic Frontier Foundation. 2017. August 28.
  34. Richard Thieme. When Privacy Goes Poof! Why It's Gone and Never Coming Back (VIDEO). DEF CON 25. 2017.
  35. Yuwei Zheng, Lin Huang. Ghost Telephonist Impersonates You Through LTE CSFB (VIDEO). DEF CON 25. 2017.
  36. Denton Gentry. I Know What You Are By the Smell of Your Wi-Fi. DEF CON 25 presentation (PDF). 2017.
  37. Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, Jean-Pierre Seifert. Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems. arXiv preprint. 2017. August 7.
  38. György Miru. Path of Least Resistance: Cellular Baseband to Application Processor Escalation on Mediatek Devices. 2017. July 28.
  39. Andy Greenberg. How a Bug in an Obscure Chip Exposed a Billion Smartphones to Hackers. Wired. 2017. July 27.
  40. Nitay Artenstein. Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets. 2017. July 26.
  41. Park S, Shaik A, Borgaonkar R, Martin A, Seifert J-P. White-Stingray: Evaluating IMSI Catchers Detection Applications (PDF). USENIX. 2017. June 27.
  42. Nitay Artenstein. Broadpwn: Remotely Compromising Android and iOS (PDF). BlackHat. 2017.
  43. Huang Lin, Zou Xiaodong. Hacking Cellular Networks. Open Air Interface Workshop (PDF). 2017. April 27.
  44. Tom Spring. Baseband Zero Day Exposes Millions of Mobile Phones to Attack. Threatpost. 2017. April 7.
  45. Gal Beniamini. Over The Air: Exploiting Broadcom’s Wi-Fi Stack (Part 1). Google Project Zero. 2017. April 4.
  46. Qidan He, Gengming Liu. Pwning the Nexus™ of Every Pixel™ (PDF). CanSecWest. 2017.
  47. Holger Freyther, Harald Welte. Dissecting modern (3G/4G) cellular modems (VIDEO, slides). Chaos Computer Congress. 2016.
  48. Curtis Waltman. Here's How Much a StingRay Cell Phone Surveillance Tool Costs. Vice Motherboard. 2016. December 8.
  49. Piers O'Hanlon, Ravishankar Borgaonkar. WiFi-Based IMSI Catcher (PDF). BlackHat. 2016. November 3.
  50. JusticeBeaver. Discovering and Triangulating Rogue Cell Towers (VIDEO). DEF CON 24. 2016.
  51. Haoqi Shan, Wanqiao Zhang. Forcing a Targeted LTE phone into Unsafe Network (VIDEO). DEF CON 24. 2016.
  52. Hendrik Schmidt, Brian Butterly. Attacking BaseStations (VIDEO). DEF CON 24. 2016.
  53. Ashmastaflash. SITCH: Inexpensive Coordinated GSM Anomaly Detection (VIDEO). DEF CON 24. 2016.
  54. Grant Bugher. Bypassing Captive Portals and Limited Networks (VIDEO). DEF CON 24. 2016.
  55. Lucian Armasu. Qualcomm Firmware Vulnerabilities Expose 900 Million Devices, Including Security-Focused Smartphones. Tom's Hardware. 2016. August 9.
  56. Roger Piqueras Jover. LTE security, protocol exploits and location tracking experimentation with low-cost software radio. arXiv preprint. 2016. July 18.
  57. Marc Lichtman, Roger Piqueras Jover, Mina Labib, Raghunandan Rao, Vuk Marojevic, Jeffrey H. Reed. LTE/LTE-A Jamming, Spoofing and Sniffing: Threat Assessment and Mitigation. IEEE Communications Magazine. Special issue on Critical Communications and Public Safety Networks. 2016. April.
  58. evilsocket. How to Build Your Own Rogue GSM BTS for Fun and Profit. 2016. March 31.
  59. Guang Gong. Pwn a Nexus Device With a Single Vulnerability (PDF). CanSecWest. 2016.
  60. Qualcomm Retains Lion's Share Of LTE Baseband Market; Further Gains Expected In 2016. Forbes. 2016. February 24.
  61. Voice over LTE implementations contain multiple vulnerabilities: Vulnerability Note VU#943167. CMU. 2015. October 16.
  62. Justin Engler. Secure Messaging for Normal People (VIDEO). DEF CON 23. 2015.
  63. Ian Kline. LTE Recon and Tracking with RTLSDR (VIDEO). DEF CON 23. 2015.
  64. Freddy Martinez. IMSI Catchers (VIDEO). DEF CON 23. 2015.
  65. Dave Aitel, Matt Blaze, Nate Cardozo, Jim Denaro, Mara Tam, Catherine “Randy” Wheeler. Licensed to Pwn: Weaponization and Regulation of Security Research (VIDEO). DEF CON 23. 2015.
  66. Mickey Shkatov, Jesse Michael. Scared Poopless – LTE and your laptop (PDF). DEF CON 23. 2015.
  67. Yuwei Zheng and Haoqi Shan. Build a free cell traffic capture tool with vxworks (VIDEO). DEF CON 23. 2015.
  68. Lin Huang and Qing Yang. Low cost GPS simulator: GPS spoofing by SDR (VIDEO). DEF CON 23. 2015.
  69. Christos Xenakis, Christophoros Ntantogian. Attacking the Baseband Modem of Mobile Phones to Breach the users’ Privacy and network Security (PDF). 7th International Conference on Cyber Conflict. 2015.
  70. Stingrays. ACLU of New York. 2015. April 6.
  71. Reverse engineering a Qualcomm baseband processor. Hacker News Post. 2014.
  72. Dr. Philip Polstra. Am I Being Spied On? (VIDEO). DEF CON 22. 2014.
  73. Pierce and Loki. NSA Playset: GSM Sniffing (VIDEO). DEF CON 22. 2014.
  74. Mathew Solnik, Marc Blanchou. Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol (PDF). Black Hat Conference. 2014.
  75. Paul Kocialkowski. Replicant developers find and close Samsung Galaxy backdoor. Free Software Foundation Community Blog. 2014. March 12.
  76. April Glaser. After NSA Backdoors, Security Experts Leave RSA for a Conference They Can Trust. Electronic Frontier Foundation. 2014. January 30.
  77. Sebastian Anthony. The secret second operating system that could make every mobile phone insecure. Extreme Tech. 2013. November 13.
  78. Karl Koscher and Eric Butler. The Secret Life of SIM Cards (VIDEO). DEF CON 21. 2013.
  79. Hunter Scott. Hacking Wireless Networks of the Future (VIDEO). DEF CON 21. 2013.
  80. Michael Robinson and Chris Taylor. Spy vs Spy: Spying on Mobile Device Spyware (VIDEO). DEF CON 20. 2012.
  81. Ralf-Philipp Weinmann. Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks (PDF). 2012.
  82. c1de0x. AT&T Microcell FAIL. failOverflow. 2012. March 21.
  83. Marcia Hofmann. Legal Issues in Mobile Security Research (PDF). CanSecWest. 2012. March 8.
  84. Galina Pildush, PhD. UnVeiling LTE Cloud Security (PDF). CanSecWest. 2012.
  85. Collin Mulliner, Nico Golde and Jean-Pierre Seifert. SMS of Death: from analyzing to attacking mobile phones on a large scale (PDF). 2011.
  86. Guillaume Delugre. Reverse engineering a Qualcomm baseband (PDF). Chaos Computer Congress. 2011.
  87. Eric Fulton. Cellular Privacy: A Forensic Analysis of Android Network Traffic (VIDEO). DEF CON 19. 2013.
  88. Chris Paget. Practical Cellphone Spying (VIDEO). DEF CON 18. 2010.
  89. Percoco & Papathanasiou. This is Not the Droid You're Looking For... (VIDEO). DEF CON 18. 2010.
  90. Ralf-Philipp Weinmann. All your baseband are belong to us (VIDEO). DeepSec. 2010.
  91. Sherri Davidoff. Death of Anonymous Travel (VIDEO). DEF CON 17. 2009.
  92. Wesley Tanner and Nick Lane-Smith. End-to-End Voice Encryption over GSM (VIDEO). DEF CON 13. 2005.
  93. Roberto Preatoni. The Future Frontiers of Hacking - UMTS Mobile Phone (VIDEO). DEF CON 11. 2003.
  94. Brett Neilson. Malicious Code & Wireless Networks (VIDEO). DEF CON 11. 2003.
  95. Ken Caruso. Community Wireless Networks, Friend or Foe to the Telecom Industry (VIDEO). DEF CON 10. 2002.

Towards Completely Open Source Basebands

  1. OpenCellular. Telecom Infra Project. 2018. September 4.
  2. OsmocomBB SDR PHY. Osmocom. 2018. September 4.
  3. Vadim Yanitskiy. How to assemble a GSM phone based on SDR. Positive Technologies. 2018. March 13.
  4. Andrew Back. Open Source LTE. MyriadRF. 2013. December 12.
  5. Cellular Network Infrastructure. Osmocom.
  6. srsLTE. Software Radio Systems.
  7. yateBTS. Legba Incorporated.
  8. OpenBTS. Range Networks.
  9. Harald Welte. Open Source Mobile Communications Free Software Projects.

IMSI catcher software/detection

  1. Building a Passive IMSI Catcher. Harrison's Sandbox. 2019. April 27.
  2. Modmobmap
  3. Passive IMSI Catcher
  4. IMSI-catcher
  5. Android-IMSI-Catcher-Detector
  6. LTE-Cell-Scanner

Note: a passive IMSI catcher cannot be detected, but a few of them can still be used to track you as you move around.

Jamming

  1. Modmobjam - presented in the corresponding slides (item 25) in the first section.