Extending Scapy by a GSM Air Interface and Validating the Implementation Using Classical and Novel Attacks, presented at HackLu 2011

by Laurent 'kabel' Weber

Summary: This presentation describes the enhancement of scapy, the powerful interactive packet manipulation program, with layer 3 of the Global System for Mobile Communications (GSM) protocol.
Layer 3 of the GSM protocol is part of the Um interface, the air interface connecting mobile devices to the operator's network. In addition to demonstrating the addon, we introduce new attacks on the GSM baseband that target the logic of the baseband state machine. Thus far, attacks on GSM have mainly been directed at vulnerable code running directly on the phone. Recently a completely new attack vector, attacks on the baseband stack, was successfully used to exploit mobile stations over the air. Security researchers working on GSM baseband security lack open-source tools for analyzing the security of the baseband stack. This presentation introduces a scapy addon that lets users create GSM layer 3 packets using simple Python syntax. It also continues the effort of security researchers to test the security of the baseband stack, which has until now been neglected, by using and enhancing existing open-source tools. In addition, possible scenarios for novel attacks on the GSM baseband stack are discussed. The presentation demonstrates attacks and tests on the logic of the GSM state machine using our newly created addon. One of our results is that classical attacks found in the literature have been successfully rebuilt with our tool. Furthermore, possibly vulnerable parts of the GSM state machine are explored and discussed in the talk. To the best of the author's knowledge, there is no prior work presenting a tool that can build the whole layer 3 of the GSM specification on the command line, nor any work presenting attacks on the state machine of the GSM baseband stack. In a nutshell, one focus is to introduce the new part of scapy, while another is put on classical as well as novel attacks.
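As an added illustration of the byte layout that any tool building GSM layer 3 messages has to model, here is a small pure-Python decoder and encoder for the two-octet header every layer 3 message starts with. This is example code written for this page, not the scapy addon presented in the talk, and it deliberately avoids importing scapy. The field layout follows 3GPP TS 24.007 (GSM 04.07) and TS 24.008; the message-type names are a small subset of the specification tables, and the sample frames are constructed.

```python
"""Decode and encode the common header of GSM layer 3 (Um) messages.

Constructed example for illustration; not part of the scapy GSM addon.

Header layout (3GPP TS 24.007 section 11.2.3.1, TS 24.008 section 10.4):
  octet 1: bits 1-4  protocol discriminator (PD)
           bits 5-8  skip indicator (RR, MM) or transaction identifier (CC)
  octet 2: message type; for MM and CC, bit 7 carries the N(SD) send
           sequence number and bit 8 is spare, so only bits 1-6 identify
           the message. A RR/MM message whose skip indicator is not 0000
           must be ignored by the receiver.
"""

# Protocol discriminator values relevant to the air interface (subset).
PROTOCOL_DISCRIMINATORS = {
    0x3: "CC",   # Call Control
    0x5: "MM",   # Mobility Management
    0x6: "RR",   # Radio Resource management
    0x9: "SMS",  # SMS transport
}

# Small subset of the message-type tables in TS 24.008.
MM_MESSAGE_TYPES = {
    0x08: "LOCATION UPDATING REQUEST",
    0x12: "AUTHENTICATION REQUEST",
    0x18: "IDENTITY REQUEST",
    0x19: "IDENTITY RESPONSE",
}
RR_MESSAGE_TYPES = {
    0x21: "PAGING REQUEST TYPE 1",
    0x35: "CIPHERING MODE COMMAND",
    0x3F: "IMMEDIATE ASSIGNMENT",
}


def decode_l3_header(frame: bytes) -> dict:
    """Split a layer 3 message into its header fields and remaining payload."""
    if len(frame) < 2:
        raise ValueError("a GSM layer 3 message needs at least two octets")
    pd = frame[0] & 0x0F
    upper_nibble = frame[0] >> 4
    protocol = PROTOCOL_DISCRIMINATORS.get(pd, "unknown")
    hdr = {"pd": pd, "protocol": protocol}

    # Bits 5-8 of octet 1 mean different things per protocol.
    if protocol == "CC":
        hdr["transaction_id"] = upper_nibble
        hdr["ignore"] = False
    else:
        hdr["skip_indicator"] = upper_nibble
        hdr["ignore"] = upper_nibble != 0  # non-zero skip indicator: discard

    raw_type = frame[1]
    if protocol in ("MM", "CC"):
        hdr["message_type"] = raw_type & 0x3F     # bits 1-6
        hdr["n_sd"] = (raw_type >> 6) & 0x01      # bit 7, MS-originated only
    else:
        hdr["message_type"] = raw_type

    names = {"MM": MM_MESSAGE_TYPES, "RR": RR_MESSAGE_TYPES}.get(protocol, {})
    hdr["message_name"] = names.get(hdr["message_type"], "unknown")
    hdr["payload"] = frame[2:]
    return hdr


def encode_l3_header(pd: int, message_type: int, upper_nibble: int = 0,
                     n_sd: int = 0) -> bytes:
    """Build the two header octets; N(SD) only applies to MM/CC messages."""
    if not 0 <= pd <= 0xF or not 0 <= upper_nibble <= 0xF:
        raise ValueError("PD and skip indicator/TI are 4-bit fields")
    octet1 = (upper_nibble << 4) | pd
    if PROTOCOL_DISCRIMINATORS.get(pd) in ("MM", "CC"):
        if message_type > 0x3F:
            raise ValueError("MM/CC message types use bits 1-6 only")
        octet2 = ((n_sd & 0x01) << 6) | message_type
    else:
        octet2 = message_type & 0xFF
    return bytes([octet1, octet2])


if __name__ == "__main__":
    # Constructed frame: MM IDENTITY REQUEST asking for the IMSI (identity type 1).
    for frame in (bytes.fromhex("051801"), b"\x05\x48", b"\x06\x35"):
        print(frame.hex(), decode_l3_header(frame))
```

The decoder flags, rather than silently drops, messages with a non-zero skip indicator, so a test harness built on it can see exactly which frames a conforming mobile station is required to ignore.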