Attacking BaseStations - an Odyssey through a Telco's Network presented at Defcon 2016

by Brian Butterly, Henrik Schmidt,

Summary : As introduced in our former series of talks ‘LTE vs. Darwin‘ there are quite a few of holes in the LTE specs. Now, having our own Macro BaseStation (an eNodeB) on the desk, we will demonstrate practical approaches to and attacks on real life devices. More and more devices are using mobile radio networks such as GSM, UMTS and LTE and there has already been quite a bit of research on (in)securities on the radio part, but only few people have had a look behind the scenes. Luckily, we had the chance to have just this look and now we would like to raise the curtain for the community. Initially we will quickly cover our complete odyssey from starting up an eNodeB for the first time, checking out the available interfaces and emulating the core network through to starting attacks. In the main part of the talk we will give a rather practical insight into the (in-)security features of basestations. We will start with valid backend connections and how these connections can be abused to reconfigure both a single eNodeB and a complete subnet on a telco network. We will then continue with the ‘official’ maintenance approach with the vendor's tools and webinterfaces giving an attacker both local and remote access to the device. All in all the talk will cover general and specific vulnerabilities in both basestations and the backend network.