Hijack IoT devices with USRP and OpenBTS | IoT Module fuzzing with OpenBTS Part ②

(Photo: taken in 2016)

Published: 2019-10-16

Disclaimer: this content is for study and research only. Provide your own Faraday cage and never use a high-power amplifier that would interfere with normal communications. Anyone who uses it illegally bears the consequences themselves!!!


DEF CON 26 – Zeng and Panel – Lora Smart Water Meter Security Analysis

PDF https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/DEFCON-26-Yingtao-Zeng-Lin-Huang-Jun-Li-Lora-Water-Meter-Security-Analysis.pdf

Use gr-gsm to scan the nearby base stations, pick one with a weak signal, and import all of its parameters (ARFCN, Freq, CID, LAC, MCC, MNC) into OpenBTS:


DCS1800 band:

(screenshot: scan results, DCS1800 band)

GSM900 band:

(screenshot: scan results, GSM900 band)

Then cover that cell with OpenBTS's stronger signal.

(screenshot: OpenBTS console output: sgsn, ggsn, tmsis)
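From the defender's side, the setup described above leaves two observable traces in a cell scan: a cell that reuses a legitimate cell's identity (MCC/MNC/LAC/CID) on an ARFCN where that identity was never seen before, and a cell whose received power is far above what the baseline recorded for it. The following Python example is added here and is not from the original post; it parses scan lines in the format printed by grgsm_scanner (treated as an assumption, adjust the regex if your build prints differently) and compares a current scan against a recorded baseline. All log lines, PLMN values and the 20 dB threshold are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Assumed line format of grgsm_scanner's console output; the scans below are constructed.
SCAN_LINE = re.compile(
    r"ARFCN:\s*(?P<arfcn>\d+),\s*Freq:\s*(?P<freq>[\d.]+)M,\s*CID:\s*(?P<cid>\d+),"
    r"\s*LAC:\s*(?P<lac>\d+),\s*MCC:\s*(?P<mcc>\d+),\s*MNC:\s*(?P<mnc>\d+),"
    r"\s*Pwr:\s*(?P<pwr>-?\d+)"
)

# Constructed baseline: three cells of the test PLMN 001/01, recorded on a quiet day.
BASELINE_SCAN = """\
ARFCN:   20, Freq:  939.0M, CID: 20001, LAC: 1000, MCC: 001, MNC:  01, Pwr: -70
ARFCN:   35, Freq:  942.0M, CID: 20002, LAC: 1000, MCC: 001, MNC:  01, Pwr: -85
ARFCN:  700, Freq: 1842.8M, CID: 30001, LAC: 1001, MCC: 001, MNC:  01, Pwr: -78
"""

# Constructed current scan: ARFCN 35 is 45 dB louder than before, and the identity of
# the DCS1800 cell 30001 now also appears on a GSM900 ARFCN it never used.
CURRENT_SCAN = """\
ARFCN:   20, Freq:  939.0M, CID: 20001, LAC: 1000, MCC: 001, MNC:  01, Pwr: -72
ARFCN:   35, Freq:  942.0M, CID: 20002, LAC: 1000, MCC: 001, MNC:  01, Pwr: -40
ARFCN:  700, Freq: 1842.8M, CID: 30001, LAC: 1001, MCC: 001, MNC:  01, Pwr: -77
ARFCN:   60, Freq:  947.0M, CID: 30001, LAC: 1001, MCC: 001, MNC:  01, Pwr: -45
"""


@dataclass(frozen=True)
class Cell:
    arfcn: int
    freq_mhz: float
    cid: int
    lac: int
    mcc: int
    mnc: int
    pwr_dbm: int

    @property
    def identity(self):
        # The tuple a cloned base station copies from its victim cell.
        return (self.mcc, self.mnc, self.lac, self.cid)


def parse_scan(text):
    """Parse scanner output lines into Cell records; unrelated lines are skipped."""
    cells = []
    for line in text.splitlines():
        m = SCAN_LINE.search(line)
        if m:
            cells.append(Cell(int(m["arfcn"]), float(m["freq"]), int(m["cid"]),
                              int(m["lac"]), int(m["mcc"]), int(m["mnc"]), int(m["pwr"])))
    return cells


def find_anomalies(baseline, current, power_jump_db=20):
    """Return [(cell, reason)] for cells in `current` that look like a cloned/overpowered cell."""
    by_identity = {}
    for c in baseline:
        by_identity.setdefault(c.identity, []).append(c)

    findings, reported = [], set()

    def report(cell, reason):
        key = (cell.identity, cell.arfcn)
        if key not in reported:          # one finding per identity/ARFCN pair
            reported.add(key)
            findings.append((cell, reason))

    for c in current:
        known = by_identity.get(c.identity)
        if known is None:
            continue                     # new identity alone is not suspicious (coverage changes)
        same_arfcn = [k for k in known if k.arfcn == c.arfcn]
        if not same_arfcn:
            report(c, f"identity {c.identity} on ARFCN {c.arfcn}, baseline ARFCN(s) "
                      f"{sorted(k.arfcn for k in known)}")
            continue
        ref = max(k.pwr_dbm for k in same_arfcn)
        if c.pwr_dbm - ref >= power_jump_db:
            report(c, f"power {c.pwr_dbm} dBm vs baseline {ref} dBm (+{c.pwr_dbm - ref} dB)")

    # Without any baseline, one identity broadcast on two ARFCNs in the same scan is itself a flag.
    first_seen = {}
    for c in current:
        prev = first_seen.setdefault(c.identity, c)
        if prev.arfcn != c.arfcn:
            report(c, f"identity {c.identity} broadcast on ARFCNs {prev.arfcn} and {c.arfcn}")
    return findings


if __name__ == "__main__":
    for cell, reason in find_anomalies(parse_scan(BASELINE_SCAN), parse_scan(CURRENT_SCAN)):
        print(f"ARFCN {cell.arfcn:4d} CID {cell.cid}: {reason}")
```

The power threshold is the weak point of this check: a rogue cell that copies the victim's ARFCN as well as its identity is not decoded as a separate entry by the scanner, so the only signature is the jump in received power, and 20 dB is a constructed value that must be tuned to how much the monitored cells normally vary between scans.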


After GSM authentication succeeds, OpenBTS's GPRS authentication is unstable, so the IoT device attaches to the network but is never assigned an IP address (the APN on the IoT device cannot be configured). Dead end, so I switched to a YateBTS setup:

Details:

https://www.researchgate.net/publication/327971731_Hijack_IoT_devices_GSM_GPRS_MITMwith_SDR

