RUB-SysSec / mobile_sentinel

GNU General Public License v2.0

How the vulnerability is determined [Question] #9

Closed zapburp closed 4 years ago

zapburp commented 4 years ago

Hello! I'm wondering about the determination of vulnerable eNodeB. Not quite sure that I got that part right from the source code... So, the app makes short dials, records traffic, parses it... and what parameters point to the vulnerability? Is it if we receive the same DRB ID twice?

bedrankara commented 4 years ago

Yes, the tests include checking if the DRB ID we receive between each call is incrementing. If it does, then calls are made until the DRB ID is forced to make a wrap-around once the 5-bit range is reached. Once the DRB ID is being reset, the application checks if the base station does apply mechanisms to derive new encryption keys, as there is going to be a DRB ID reuse inevitably. These mechanisms include for example an inter-cell handover of the phone or the reception of an RRC SecurityModeCommand message. If this is not the case, then the base station is also identified as vulnerable.

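The decision procedure described in the reply above, written out as an added Python example (this is not mobile_sentinel's own code, and it works on a constructed list of per-call observations rather than on captured traffic). The assumptions are: the DRB ID is modelled as the 1..32 range of the RRC drb-Identity field (32 values, i.e. the 5-bit range from the reply), "incrementing" means each call's ID is the previous one plus one with wrap-around from 32 to 1, and the rekey mechanisms are reduced to two event labels, "handover" and "SecurityModeCommand", that the caller attaches to whichever call they were observed before. The names `CallObservation`, `classify` and `constructed_calls` are hypothetical and exist only for this example.

```python
"""Added example (not mobile_sentinel code): DRB-ID reuse check over constructed call data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DRB_ID_MIN, DRB_ID_MAX = 1, 32        # assumed RRC drb-Identity range: 32 values = 5-bit range
NUM_DRB_IDS = DRB_ID_MAX - DRB_ID_MIN + 1
REKEY_EVENTS = {"handover", "SecurityModeCommand"}  # events taken to derive fresh keys


@dataclass
class CallObservation:
    """One test call: the DRB ID it used and the rekey-relevant events seen
    between the previous call and this one (all values are constructed)."""
    drb_id: int
    events_since_last_call: List[str] = field(default_factory=list)


def next_expected_id(drb_id: int) -> int:
    """Increment by one, wrapping back to DRB_ID_MIN once the range is exhausted."""
    return DRB_ID_MIN + (drb_id - DRB_ID_MIN + 1) % NUM_DRB_IDS


def classify(calls: List[CallObservation]) -> str:
    """Classify an eNodeB from a sequence of per-call observations.

    'vulnerable'       a DRB ID was reused while the keys were still the same
    'rekeyed'          a DRB ID was reused, but a rekey event happened in between
    'not_incrementing' IDs are not handed out sequentially, so the wrap test does not apply
    'need_more_calls'  no ID has been reused yet; keep calling until wrap-around
    """
    key_epoch = 0                       # bumped on every observed rekey event
    used_in_epoch: Dict[int, int] = {}  # drb_id -> key_epoch in which it was used
    prev: Optional[int] = None
    for call in calls:
        if not DRB_ID_MIN <= call.drb_id <= DRB_ID_MAX:
            raise ValueError(f"DRB ID {call.drb_id} outside the 5-bit range")
        if any(ev in REKEY_EVENTS for ev in call.events_since_last_call):
            key_epoch += 1
        if prev is not None and call.drb_id != next_expected_id(prev):
            return "not_incrementing"
        if call.drb_id in used_in_epoch:
            # Reuse is inevitable after wrap-around; it is only a problem under unchanged keys.
            return "vulnerable" if used_in_epoch[call.drb_id] == key_epoch else "rekeyed"
        used_in_epoch[call.drb_id] = key_epoch
        prev = call.drb_id
    return "need_more_calls"


def constructed_calls(start_id: int, n: int,
                      rekey_before_call: Optional[int] = None) -> List[CallObservation]:
    """Build a constructed log of n sequential calls starting at start_id; if
    rekey_before_call is given, a SecurityModeCommand is observed before that call."""
    calls: List[CallObservation] = []
    drb_id = start_id
    for i in range(n):
        events = ["SecurityModeCommand"] if i == rekey_before_call else []
        calls.append(CallObservation(drb_id, events))
        drb_id = next_expected_id(drb_id)
    return calls


if __name__ == "__main__":
    # 33 sequential calls from ID 29 wrap around and land on 29 again.
    print(classify(constructed_calls(29, 33)))                        # vulnerable
    print(classify(constructed_calls(29, 33, rekey_before_call=10)))  # rekeyed
    print(classify(constructed_calls(29, 32)))                        # need_more_calls
```

Because the check only needs the ID sequence and the events between calls, the same logic runs unchanged whether the IDs come from a parsed RRC trace or, as here, from a constructed list; a real run would additionally have to confirm that the events it counts as rekeys actually changed the keys in use.
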
zapburp commented 4 years ago

Thank you for the explanation :)