Contents
Prologue
Introduction and objectives
Chapter I. Security in GSM communications
1. GSM architecture
MS (Mobile Station)
BSS (Base Station Subsystem)
NSS (Network and Switching Subsystem)
MS identifiers
Protocol stack
MS-BTS protocols
BTS-BSC protocols
BSC-MSC protocols
2. Physical layer
Description
Modulation
MAC: medium access sublayer
GSM frequency bands
FDMA: division of the frequency band
TDMA: multiplexing in time
Physical channels and logical channels
3. The network layer
Idle mode and dedicated mode
RR layer
MM layer
Hacking y seguridad en comunicaciones móviles GSM/GPRS/UMTS/LTE
4. Short Messages Services
Service architecture
Contents of an SMS
WAP (Wireless Application Protocol)
MMS (Multimedia Messaging Service)
5. The ME-MS interface
6. Security aspects covered in GSM
Security of the GSM protocol
GSM authentication
Encryption of GSM communications
7. Attacks against GSM communications
GSM weaknesses
Infiltration of the operator's network
Eavesdropping on the radio channel (signalling)
Eavesdropping on the radio channel (data)
Attack against the SIM to obtain Ki with physical access
Cryptographic attacks
Attacks via SMS
User impersonation
Attack using a fake base station
Attacks on the baseband
Chapter II. GPRS
1. Introduction to GPRS
Circuit-switched domain versus packet-switched domain
GPRS architecture
GPRS data traffic
EDGE
GPRS Routing Area
General GPRS protocol stack
2. Physical layer
TDMA
Logical channels
Mapping of logical channels to physical channels
Broadcast information
3. RR layer
TBF (Temporary Block Flow)
4. LLC layer
5. GMM layer
GMM layer procedures
Coordination of the MM and GMM layers
MS identifiers at the GMM layer
GMM states
Cell selection and reselection
GPRS Attach procedure
Routing Area Update procedure
6. IP addresses
PDP contexts
The SGSN-GGSN interface: GTP
7. GPRS security aspects
User identity confidentiality
User authentication
Encryption
8. Attacks
Active attacks against the core network
Passive and semi-passive attacks
Active attacks using a fake base station
Chapter III. UMTS
1. Introduction to UMTS
Architecture
Protocols
Hierarchical organization
2. The physical layer
Radio access scheme
Establishing a radio channel (RRC protocol)
Physical, logical and transport channels
HSPA
3. The MM layer
Mobility management
Measurement rules
Intra-RAT cell reselection
Inter-RAT cell reselection, GERAN to UTRAN case
Inter-RAT cell reselection, UTRAN to GERAN case
Handover
4. Security aspects
User identity confidentiality
Authentication and key establishment
Encryption
Integrity protection
Authentication data when moving between cells
Authentication data in handover
5. Attacks
Passive attack against handover
Active attack against handover
Attack using a fake GSM base station against a USIM with support for GSM authentication
Attack using a fake GSM base station against a USIM without support for GSM authentication
Attack using a fake UMTS base station: femtocell
Other attacks based on UMTS femtocells
Attacks using a fake UMTS base station
Feasibility of a practical implementation of the attacks using a fake […]G base station
Chapter IV. 4G
1. Introduction to 4G
Predecessors and candidate technologies
LTE and LTE-Advanced
E-UTRAN
SAE
2. Security in 4G
General aspects
EPS security context
Key hierarchy
Authentication and encryption establishment procedure: EPS AKA
User identity confidentiality
Confidentiality of signalling and user data
Integrity
Attacks against LTE
Chapter V. Conclusions and recommendations
1. Summary of the state of security in 2G/3G-UMTS/4G-LTE mobile communications
2. Recommendations for mitigating the vulnerabilities studied
Configuring the handset to use only […]G or higher
Development of encryption-mode warning software for handsets
Solutions based on fake base station detection
Solutions based on encryption over GSM CSD channels
Solutions based on encrypted VoIP
Protection of data communications at higher layers
Installing protection software on devices enabled for mobile data communications
Inclusion of devices with mobile network connectivity in organizations' security policies
References
Alphabetical index
Other books of interest