LTE vs. Darwin @ Hackers to Hackers Conference 11

Hello Everybody and greetings from Sao Paulo,

We’re currently enjoying the Brazilian sunshine, waiting for H2HC 11’s closing remarks, and decided to give you a few details on the past three days. The conference was opened with a short welcome by our fellow Trooper Rodrigo Rubira Branco and was stuffed with loads of great talks. This year’s keynotes came from Daniel J. Bernstein and Halvar Flake and gave yet another insight into the ever-changing world of InfoSec. The international lineup also included Travis Goodspeed, Sergej Bratus and Fernando Gont. H2HC was a great chance for us to talk to various hackers from around the world and share our opinions and knowledge. We can only warmly recommend a visit to next year’s H2HC in Sao Paulo.
Many, many thanks to Rodrigo, Laila and the rest of the team for an awesome weekend. And a quick hello to all new followers on; we’re looking forward to meeting you all again soon.

We feel lucky to have been invited to present our research about LTE’s Self Organizing Networks at Sacicon as well as at H2HC. At H2HC we gave an updated version of our talk “LTE vs. Darwin”, which we previously presented at ShmooCon and HackitoErgoSum. This time we focused on two parts. The first part is an application for Android phones that we developed for gathering information about LTE cells, including the information the baseband needs to set up a working LTE connection. We plan to implement war-driving scenarios to show people how such a network architecture is implemented in reality. The app will be published here on the blog soon.
The second part was about Self Organizing Networks: what they are needed for and what attackers might do to abuse them. To demonstrate how dangerous those procedures are, we wrote some scripts (published before) and showed the steps needed to set up a fake device inside a provider’s network. That covers:
1.    S1 or X2 Setup Procedure (the initial registration process on an MME)
2.    eNodeB Configuration Update (to change information about other eNodeBs)
3.    Handover and other procedures that may be abused by attackers

At H2HC we only showed our tools and demonstrated that the attack really works. At Sacicon we presented some more technical information and showed how those packets are built up. We demonstrated it with our Dizzy scripts for S1AP and X2AP, as published before, but Daniel also wrote the tool S1AP_Enum, published in a former blog entry, to do it more automatically.
The message behind this is that providers really should be careful with such technologies and must take care to secure access to their network. Unfortunately a lot of providers are not aware of that and therefore might not only damage their own network: think of roaming scenarios. If one provider’s network is compromised, it might be possible to inject control messages over the roaming interface into several other providers’ networks.
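The defensive counterpart to the procedures listed above (S1/X2 Setup, eNodeB Configuration Update, handover) is to know which eNodeBs are allowed to talk to your MME and to alert on anything else. The following is an added example and not part of the talk, the Dizzy scripts or S1AP_Enum: it scans a constructed, hypothetical S1AP event log against an eNodeB inventory and flags registrations from unknown Global eNB IDs, configuration updates that arrive from an address other than the one the eNodeB is inventoried on, and any other S1AP procedure (such as a handover) from a source that is not in the inventory at all. The log line format, the inventory, the PLMN (test network 001-01) and all addresses are assumptions made for this example; a real MME or S1AP probe logs differently.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory (not real data): Global eNB ID (PLMN, eNB ID) mapped to
# the transport address the MME is supposed to see that eNodeB on.
INVENTORY: Dict[Tuple[str, str], str] = {
    ("001-01", "0x00A1F"): "10.0.1.5",
    ("001-01", "0x00A20"): "10.0.1.6",
}

# Procedures through which a device registers itself on the MME (S1 Setup)
# or rewrites the MME's view of neighbouring cells (eNB Configuration Update).
REGISTRATION_PROCS = {"S1SetupRequest", "ENBConfigurationUpdate"}

# Hypothetical log line format assumed for this example:
# <timestamp> <node> S1AP <procedure> src=<ip> [plmn=<mcc-mnc> enb_id=<hex>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<node>\S+) S1AP (?P<proc>\w+) src=(?P<src>[\d.]+)"
    r"(?: plmn=(?P<plmn>[\d-]+) enb_id=(?P<enb>0x[0-9A-Fa-f]+))?"
)

# Constructed sample log: two legitimate events, an unknown cell registering,
# a known cell ID arriving from the wrong address, and two handover events.
SAMPLE_LOG = """\
2014-10-19T14:02:11Z mme01 S1AP S1SetupRequest src=10.0.1.5 plmn=001-01 enb_id=0x00A1F
2014-10-19T14:02:40Z mme01 S1AP ENBConfigurationUpdate src=10.0.1.6 plmn=001-01 enb_id=0x00A20
2014-10-19T14:05:03Z mme01 S1AP S1SetupRequest src=10.0.9.77 plmn=001-01 enb_id=0x00FFF
2014-10-19T14:05:09Z mme01 S1AP ENBConfigurationUpdate src=10.0.9.77 plmn=001-01 enb_id=0x00A1F
2014-10-19T14:06:00Z mme01 S1AP HandoverRequired src=10.0.7.7
2014-10-19T14:06:30Z mme01 S1AP HandoverRequired src=10.0.1.6
"""


@dataclass
class Alert:
    ts: str
    proc: str
    src: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def check_event(ev: dict, inventory: Dict[Tuple[str, str], str]) -> Optional[Alert]:
    """Compare one S1AP event against the eNodeB inventory."""
    known_sources = set(inventory.values())
    if ev["proc"] in REGISTRATION_PROCS:
        key = (ev["plmn"], ev["enb"])
        if key not in inventory:
            return Alert(ev["ts"], ev["proc"], ev["src"], "global eNB ID not in inventory")
        if inventory[key] != ev["src"]:
            # A known identity presented from an unexpected address: someone may be
            # impersonating an inventoried cell to update its configuration.
            return Alert(ev["ts"], ev["proc"], ev["src"],
                         f"eNB ID {key[1]} expected from {inventory[key]}")
        return None
    # Any other procedure (handover etc.) must at least come from a known eNodeB.
    if ev["src"] not in known_sources:
        return Alert(ev["ts"], ev["proc"], ev["src"], "source address not in eNodeB inventory")
    return None


def scan(lines, inventory: Dict[Tuple[str, str], str]) -> List[Alert]:
    """Run every parseable line through check_event and collect the alerts."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        alert = check_event(ev, inventory)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines(), INVENTORY):
        print(f"{a.ts} {a.proc} from {a.src}: {a.reason}")
```

Run against the sample, three of the six events are reported: the S1 Setup from the unknown eNB ID, the configuration update that reuses a known eNB ID from a foreign address, and the handover from an address that is not in the inventory. The same inventory check belongs on the roaming interfaces mentioned above, where the set of allowed peers is even smaller and better known.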

This way to our final slide set! Enjoy!

So far, we hope that you enjoyed our talk, the same as we enjoyed the whole conference!
Brian & Hendrik