Wireless Networks

Sort

  • Fix ToC
  • Add 101 stuff

http://umtrx.org/

Cellular Networks in Use:

  • In use in North America:
  • In use in Europe:
  • In use in Asia:
  • In use in Africa:
  • In use in South America:
End Sort

General


Bluetooth


Cellular Networks

  • 101
  • Educational
    • Guide to LTE Security - NIST Special Publication 800-187
    • Demystifying the Mobile Network by Chuck McAuley
      • Must watch video. Very informative.
    • LTE Security - How good is it?
    • Mobile self-defense - Karsten Nohl
    • Taming Mr Hayes: Mitigating Signaling Based Attacks on Smartphones
      • Malicious injection of cellular signaling traffic from mobile phones is an emerging security issue. The respective attacks can be performed by hijacked smartphones and by malware resident on mobile phones. Until today there are no protection mechanisms in place to prevent signaling based attacks other than implementing expensive additions to the cellular core network. In this work we present a protection system that resides on the mobile phone. Our solution works by partitioning the phone software stack into the application operating system and the communication partition. The application system is a standard fully featured Android system. On the other side, communication to the cellular network is mediated by a flexible monitoring and enforcement system running on the communication partition. We implemented and evaluated our protection system on a real smartphone. Our evaluation shows that it can mitigate all currently known signaling based attacks and in addition can protect users from cellular Trojans.
  • Tools
    • SiGploit
      • Telecom Signaling Exploitation Framework - SS7, GTP, Diameter & SIP. SiGploit is a signaling security testing framework dedicated to telecom security professionals and researchers to pentest and exploit vulnerabilities in the signaling protocols used in mobile operators, regardless of the generation in use. SiGploit aims to cover all protocols used in operator interconnects: SS7, GTP (3G), Diameter (4G), or even SIP for IMS and VoLTE infrastructures used in the access layer, and SS7 message encapsulation into SIP-T. Recommendations for each vulnerability will be provided to guide the tester and the operator on the steps that should be taken to enhance their security posture.
    • LTE-Cell-Scanner
      • This is a collection of tools to locate and track LTE basestation cells using very low performance RF front ends. For example, these tools work with RTL2832 based dongles (E4000, R820T, etc.) which have a noise figure of 20dB, only 8 bits in the A/D, and a crystal with a frequency error of about 100 ppm.
  • SIM Cards
  • FemtoCell
  • GSM
    • 101
    • Articles/Presentations/Talks/Writeups
    • Tools
      • GSM MAP
        • The GSM Security Map compares the protection capabilities of mobile networks. Networks are rated in their protection capabilities relative to a reference network that implements all protection measures that have been seen “in the wild”. The reference is regularly updated to reflect new protection ideas becoming commercially available. Networks, therefore, have to improve continuously to maintain their score, just as hackers are continuously improving their capabilities.
      • gr-gsm
        • GNU Radio blocks and tools for receiving GSM transmissions
  • LTE
    • 101
    • Articles/Presentations/Talks/Writeups
      • LTE Security - How good is it?
      • 4G LTE Architecture and Security Concerns
      • LTEInspector : A Systematic Approach for Adversarial Testing of 4G LTE
        • In this paper, we investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders. For exposing vulnerabilities, we propose a model-based testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model. Using LTEInspector, we have uncovered 10 new attacks along with 9 prior attacks, categorized into three abstract classes (i.e., security, user privacy, and disruption of service), in the three procedures of 4G LTE. Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated 8 of the 10 new attacks and their accompanying adversarial assumptions through experimentation in a real testbed.
  • SS7
  • IMSI Catcher related
    • Android IMSI-Catcher Detector (AIMSICD)
      • Android-based project to detect and avoid fake base stations (IMSI-Catchers) in GSM/UMTS Networks.
    • SnoopSnitch
      • SnoopSnitch is an Android app that collects and analyzes mobile radio data to make you aware of your mobile network security and to warn you about threats like fake base stations (IMSI catchers), user tracking and over-the-air updates. With SnoopSnitch you can use the data collected in the GSM Security Map at gsmmap.org and contribute your own data to GSM Map. This application currently only works on Android phones with a Qualcomm chipset and a stock Android ROM (or a suitable custom ROM with Qualcomm DIAG driver). It requires root privileges to capture mobile network data.

Dongles

  • FunCube dongle
  • RZUSBstick
    • The starter kit accelerates development, debugging, and demonstration for a wide range of low power wireless applications including IEEE 802.15.4, 6LoWPAN, and ZigBee networks. The kit includes one USB stick with a 2.4GHz transceiver and a USB connector. The included AT86RF230 transceiver's high sensitivity supports the longest range for wireless products. The AT90USB1287 incorporates fast USB On-the-Go.
  • GrOsmoSDR
  • PyBOMBS
    • PyBOMBS (Python Build Overlay Managed Bundle System) is the new GNU Radio install management system for resolving dependencies and pulling in out-of-tree projects. One of the main purposes of PyBOMBS is to aggregate out-of-tree projects, which means that PyBOMBS needs to have new recipes for any new project. We have done a lot of the initial work to get known projects into the PyBOMBS system as is, but we will need project developers for new OOT projects or other projects not currently listed to help us out with this effort.
  • UAV Transponders & Tracker Kits - UST

802.11 - WiFi


RFID - Radio Frequency Identification


RF RetroReflectors


Satellite Related


Software Defined Radio

Zigbee Wireless Networks

Z-Wave

  • 101
  • Articles/Presentations/Talks/Writeups
    • Stealthy and Persistent Back Door for Z-Wave Gateways
      • Z-Wave is a proprietary wireless protocol that is gaining market share in home automation and security systems. However, very little work has been done to investigate the security implications of these sub-GHz devices. In this talk we review recent work on hacking Z-Wave networks, and introduce a new attack that creates a persistent back door. This attack maintains a stealthy, parallel, and persistent control channel with all Z-Wave devices in the home. We will demonstrate the attack against a commercial Z-Wave security system.
    • Honey, I'm Home!! Hacking Z-Wave Home Automation Systems - video
  • Tools

Miscellaneous

  • Wireless Keyboard Sniffer
  • nexmon
    • Nexmon is our C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection.