Closed: zapburp closed this issue 4 years ago
Yes, the tests include checking whether the DRB ID we receive between calls is incrementing. If it does, then calls are made until the DRB ID is forced to wrap around once the 5-bit range is reached. Once the DRB ID has been reset, the application checks whether the base station applies mechanisms to derive new encryption keys, as there is inevitably going to be a DRB ID reuse. These mechanisms include, for example, an inter-cell handover of the phone or the reception of an RRC SecurityModeCommand message. If this is not the case, then the base station is also identified as vulnerable.
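The decision procedure described in the comment above, as an added example that is not the project's own code: it replays a parsed trace of short calls, checks that the assigned DRB IDs increment through the 5-bit range (drb-Identity is INTEGER (1..32) in the LTE RRC ASN.1), and on reuse of an ID checks whether a handover or SecurityModeCommand was observed in between. The Observation type, its field names, the event labels and the sample traces are all constructed here for illustration; the actual app parses them from the capture.

```python
"""Added example (not the project's code): simulate the DRB ID reuse check
described above over constructed call traces."""
from dataclasses import dataclass
from typing import List, Optional

# drb-Identity is INTEGER (1..32) in the LTE RRC ASN.1, i.e. a 5-bit field.
DRB_ID_MIN, DRB_ID_MAX = 1, 32

# Events taken as evidence that new keys were derived before an ID is reused
# (labels are assumptions of this example, not the app's identifiers).
KEY_REFRESH_EVENTS = {"handover", "securityModeCommand"}


@dataclass
class Observation:
    """One parsed item from a capture: the DRB ID assigned for a short call,
    or a key-refresh-related RRC event seen between calls (assumed layout)."""
    drb_id: Optional[int] = None
    event: Optional[str] = None


def drb_ids_increment(drb_ids: List[int]) -> bool:
    """True if every DRB ID is one more than the previous one, where the
    step from 32 back to 1 (the 5-bit wrap-around) still counts as +1."""
    if len(drb_ids) < 2:
        return False
    for prev, cur in zip(drb_ids, drb_ids[1:]):
        expected = DRB_ID_MIN if prev == DRB_ID_MAX else prev + 1
        if cur != expected:
            return False
    return True


def assess(observations: List[Observation]) -> str:
    """Classify a trace as 'non-incrementing', 'incrementing-no-wraparound',
    'protected' (ID reused only after a key refresh) or 'vulnerable'
    (ID reused under the same keys)."""
    drb_ids = [o.drb_id for o in observations if o.drb_id is not None]
    for i in drb_ids:
        if not DRB_ID_MIN <= i <= DRB_ID_MAX:
            raise ValueError(f"DRB ID {i} outside the 1..32 range")
    if not drb_ids_increment(drb_ids):
        return "non-incrementing"

    ids_under_current_keys = set()  # IDs used since the last key refresh
    prev_id = None
    wrapped = False
    for o in observations:
        if o.event in KEY_REFRESH_EVENTS:
            # New keys: earlier DRB IDs may be reused without a COUNT reuse.
            ids_under_current_keys.clear()
            continue
        if o.drb_id is None:
            continue
        if o.drb_id in ids_under_current_keys:
            return "vulnerable"  # same DRB ID, same keys
        if prev_id is not None and o.drb_id < prev_id:
            wrapped = True  # passed 32 and came back around
        ids_under_current_keys.add(o.drb_id)
        prev_id = o.drb_id
    return "protected" if wrapped else "incrementing-no-wraparound"


# Constructed sample traces (not captured data).
VULNERABLE_TRACE = [Observation(drb_id=i) for i in range(1, 33)] + [Observation(drb_id=1)]
PROTECTED_TRACE = ([Observation(drb_id=i) for i in range(1, 33)]
                   + [Observation(event="handover"), Observation(drb_id=1)])
PARTIAL_TRACE = [Observation(drb_id=i) for i in range(1, 11)]
RANDOM_TRACE = [Observation(drb_id=i) for i in (3, 7, 7, 12)]

if __name__ == "__main__":
    for name, trace in [("vulnerable", VULNERABLE_TRACE), ("protected", PROTECTED_TRACE),
                        ("partial", PARTIAL_TRACE), ("random", RANDOM_TRACE)]:
        print(f"{name:10s} -> {assess(trace)}")
```

The 'incrementing-no-wraparound' verdict is the case where the dialer stopped before forcing the wrap, so no conclusion about key refresh can be drawn yet; only a reuse under unchanged keys yields 'vulnerable'.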
Thank you for the explanation :)
Hello! I'm wondering about the determination of a vulnerable eNodeB. Not quite sure that I got that part right from the source code... So, the app makes short dials, records traffic, parses it... and what parameters point to the vulnerability? Is it if we receive the same DRB ID twice?