As introduced in our former series of talks ‘LTE vs. Darwin’, there are quite a few holes in the LTE specs. Now, having our own Macro BaseStation (an eNodeB) on the desk, we will demonstrate practical approaches to and attacks on real-life devices. More and more devices are using mobile radio networks such as GSM, UMTS and LTE, and there has already been quite a bit of research on (in)securities on the radio part, but only a few people have had a look behind the scenes. Luckily, we had the chance to have just this look, and now we would like to raise the curtain for the community.
Initially we will quickly cover our complete odyssey, from starting up an eNodeB for the first time, checking out the available interfaces and emulating the core network through to starting attacks. In the main part of the talk we will give a rather practical insight into the (in)security features of basestations. We will start with valid backend connections and how these connections can be abused to reconfigure both a single eNodeB and a complete subnet on a telco network. We will then continue with the ‘official’ maintenance approach with the vendor’s tools and web interfaces, giving an attacker both local and remote access to the device. All in all, the talk will cover general and specific vulnerabilities in both basestations and the backend network.
Hendrik Schmidt and Brian Butterly are seasoned security researchers with vast experience in large and complex enterprise networks. Over the years they have focused on evaluating and reviewing all kinds of network protocols and applications. They love to play with packets and use them for their own purposes. In this context they learned how to play around with telecommunication networks and wrote protocol fuzzers and spoofers for testing their implementation and security architecture. Both are pentesters and consultants at the Germany-based ERNW GmbH and will happily share their knowledge with the audience.