Security
What your phone won’t tell you
Uncovering fake base stations on iOS devices
Your phone’s internal communication contains precious data. It can be analyzed to detect fake base stations used in cellular attacks. For that, we reverse-engineered a proprietary communication channel between the phone’s OS and modem.
Connecting to cellular networks around the world is a highly complex task. iPhones contain a baseband chip (also referred to as a modem) for that purpose. It communicates via a high-level interface with the smartphone’s application processor running iOS. So far, Apple hasn’t been able to build such basebands in-house. Instead, starting from the iPhone 12, they exclusively rely on Qualcomm basebands.
Qualcomm’s basebands use a proprietary protocol for external communication, the Qualcomm MSM Interface. We reverse-engineered its iOS implementation and built a framework to extract the protocol’s packet structures from iOS firmware. Our iOS Wireshark dissector uses these packet structures and enables us to monitor the flow of packets between the baseband and iOS. This allows us to gain new insights into the iPhone’s wireless communication infrastructure, including its satellite connectivity. Our tooling also provides a novel way to directly interact with the baseband chip in jailbroken iPhones, bypassing iOS and unlocking hidden capabilities of the baseband.
Fake or Rouge base stations can be set up by individuals using readily available software-defined radios. Adversaries can utilize them to capture IMSIs of nearby smartphones, track their location, or exploit vulnerable basebands. iPhone users usually don’t notice such attacks, and there are (almost) no protection mechanisms implemented in iOS.
During our research, we discovered Apple’s internal cell location database, which is intended for determining approximate positions. Our CellGuard iOS app combines this database with the QMI analysis framework to monitor various parameters of connected cells, verify their authenticity, and alert users in case there’s suspicious activity. The app even works on non-jailbroken iPhones. We evaluated the app in a lab environment with SDRs and real-world tests since February 2023 and are steadily improving it for a release next year.
Additional information
| Live Stream | https://streaming.media.ccc.de/37c3/eins |
|---|---|
| Type | lecture |
| Language | English |
More sessions
| 12/27/23 |
Hardware hacking tooling for the new iPhone generation If you've followed the iPhone hacking scene you probably heard about cables such as the Kanzi Cable, Kong Cable, Bonobo Cable, and so on: Special cables that allow access to hardware debugging features on Lightning-based iPhones such as UART and JTAG. However with the iPhone 15, all of those tools became basically useless: USB-C is here, and with that we need new hardware and software tooling. This talk gives you a brief history of iPhone ...
|
| 12/27/23 |
The importance and relevance of vehicles in investigations are increasing. Their digital capabilities are rapidly growing due to the introduction of additional services and features in vehicles and their ecosystem. In this talk on automotive digital forensics, you will embark on a journey through the cutting-edge world of automotive technology and the critical role digital forensics plays in this domain. We will explore the state-of-the-art methods and tools to investigate modern vehicles, ...
|
| 12/27/23 |
Tesla's driving assistant has been subject to public scrutiny for good and bad: As accidents with its "full self-driving" (FSD) technology keep making headlines, the code and data behind the onboard Autopilot system are well-protected by the car manufacturer. In this talk, we demonstrate our voltage-glitching attack on Tesla Autopilot, enabling us root privileges on the system.
|
| 12/27/23 |
Imagine discovering a zero-click attack targeting Apple mobile devices of your colleagues and managing to capture all the stages of the attack. That’s exactly what happened to us! This led to the fixing of four zero-day vulnerabilities and discovering of a previously unknown and highly sophisticated spyware that had been around for years without anyone noticing. We call it Operation Triangulation. We've been teasing this story for almost six months, while thoroughly analyzing every stage of ...
|
| 12/27/23 |
Elektronische Arbeitsunfähigkeitsbescheinigungen (eAU), Arztbriefe, medizinische Diagnosen, all diese sensiblen Daten werden heute mittels KIM – Kommunikation im Gesundheitswesen – über die Telematikinfrastruktur (TI) verschickt. Aber ist der Dienst wirklich sicher? Wer kann die Nachrichten lesen, wo werden die E-Mails entschlüsselt und wie sicher ist die KIM-Software? Im Live-Setup einer Zahnarztpraxis haben wir Antworten auf diese Fragen gesucht.
|
| 12/27/23 |
This talk will present details of the TETRA:BURST vulnerablities - the result of the first public in-depth security analysis of TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police, military, and critical infrastructure relying on secret cryptographic algorithms which we reverse-engineered and published in August 2023. Adding to our initial disclosure, this talk will present new details on our deanonymization attack and provide ...
|
| 12/27/23 |
We present an analysis and recovery method for files encrypted by Black Basta, the "second most used ransomware in Germany". We analysed the behaviour of a ransomware encryptor and found that the malware uses their keystream wrongly, rendering the encryption vulnerable to a known-plaintext attack which allows for recovering affected files. We confirmed the finding by implementing tools for recovering encrypted files. We have made our tools for decrypting files without access to the actual key ...
|
