Talk: Extending Scapy by a GSM Air Interface

René Pfeiffer/ October 16, 2011/ Conference

Scapy is the "Swiss Army knife" among security software: a powerful interactive packet manipulation program used for scanning, probing, testing software implementations, tracing network packets, network discovery, injecting frames, and other tasks, which makes it useful for a wide range of security research. Wouldn't it be nice to add some capabilities on layer 3 of the Global System for Mobile Communications (GSM) protocol? This layer covers the Um interface, the air interface that connects mobile stations to the base stations. Being able to capture and craft packets on this link alone would be a great benefit to security researchers. Laurent 'kabel' Weber of the Ruhr-Universität Bochum will talk about Extending Scapy by a GSM Air Interface and Validating the Implementation Using Novel Attacks at DeepSec 2011.

Laurent's talk describes the enhancement of Scapy and the validation of the implementation with new attacks on the GSM baseband that target the logic of the baseband state machine. Earlier attacks on GSM were mainly directed at vulnerable application code running on the phone; more recently, a new attack vector has been used successfully to exploit mobile stations over the air by attacking the baseband stack itself (see "All Your Baseband Are Belong to Us", presented by Ralf-Philipp Weinmann at DeepSec 2010). The GSM baseband is fertile ground for security research, but researchers lack tools to support their work. The Scapy add-on allows users to create GSM layer 3 packets using simple Python syntax. The talk will give examples of how the add-on can be used and what results in terms of baseband security have been obtained. Furthermore, potentially vulnerable parts of the GSM state machine are explored and discussed.

When it comes to attack and defence, some tools are used for both. If you are interested in debugging or analysing GSM, then this talk is for you. It also serves as an example of how researchers gain access to networks protected by "obscurity". For anyone wishing to learn about the latest attacks against GSM/GPRS networks, we recommend attending the "Attacks on GSM Networks" workshop, too.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.