2015.11.06. luca melette_mobile threats evolution

Mobile threats evolution Luca Melette <[email protected]>

Upload: tech-and-law-center

Post on 15-Apr-2017

Page 1: 2015.11.06. Luca Melette_Mobile threats evolution

Mobile threats evolution

Luca Melette <[email protected]>

Page 2

Agenda

Attacks over the air

Attacks over the wire

How to protect yourself

Page 3

Mobile communications have been secretly intercepted for decades

[Figure: three generations of IMSI catchers: stationary catcher (1990), portable catcher (2000), handheld catcher (2015)]

IMSI catchers are the well-known devices that police and intelligence agencies have operated since the beginning of GSM to locate and spy on mobile users

Page 4

GSM interception is now available to the masses

Years of research unearthed important GSM vulnerabilities and produced low-cost IMSI catchers and passive interception systems

Software             | Hardware         | Cost (year)
OpenBTS/Airprobe     | USRP + RFX900    | $1000 (1998)
CalypsoBTS/OsmocomBB | Motorola C123    | $20-$50 (2010)
OsmoSDR/Airprobe     | USB DVB-T stick  | < $10 (2015)

Page 5

Listening to broadcast channels can disclose local user identities

Mitigation: avoid paging by IMSI as much as possible; frequently refresh TMSIs

Risk: detect user presence; use IMSIs for further attacks

Source code: git://git.osmocom.org/osmocom-bb

[Figure: the broadcast channel repeatedly pages subscribers with "IMSI?", so anyone listening learns which identities are present in the area]

Page 6

Passive GSM intercept is still a major privacy risk in many countries

Mitigation: adopt randomization techniques; use a strong cipher (A5/3 or A5/4)

Risk: intercept calls and SMS; follow user movements

Tutorial: https://srlabs.de/decrypting_gsm
Source code: https://opensource.srlabs.de/projects/a51-decrypt

In the past two years we found networks using no encryption in these countries: Cambodia, China, Hong Kong, India, Israel, Kyrgyzstan, Lebanon, Morocco, Myanmar, Pakistan, Vietnam

[Figure: voice/SMS travels over the air as encrypted frames; Kraken recovers the key and outputs the decrypted voice/SMS]

The common GSM encryption standard A5/1 can be cracked with rainbow tables on a normal PC with a GPU and a 2TB disk, while A5/2 can be cracked very quickly by brute force on a CPU alone

Page 7

GPRS settings (mobile data) can greatly differ from voice and SMS

Mitigation: double-check radio security settings; use a strong cipher (GEA/3 or GEA/4)

Risk: intercept mobile data traffic; follow user movements

Tutorial: https://srlabs.de/gprs

[Figure: mobile Internet traffic between the handset and the network]

Some operators surprisingly forget to turn on encryption on GPRS (or even UMTS), leaving passive sniffers full access to mobile Internet

Page 8

Missing authentication enables user impersonation and fraud

Mitigation: always require user authentication; move to a more recent radio generation

Risk: spoof caller ID for calls and SMS; send premium SMS (fraud)

No code available

[Figure: (1) an SMS for TMSI 0x8a13b0cf is captured, (2) the key is recovered, (3) a call from TMSI 0x8a13b0cf is placed]

Step 1: Capture some call or SMS directed to the victim

Step 2: Recover the key if the transaction was encrypted

Step 3: Start a call or send an SMS impersonating the victim with the TMSI and key

A similar attack can be applied to mobile-terminated traffic

Page 9

Rogue base stations can massively collect user identities

Mitigation: monitor radio traffic to detect anomalies; force the mobile to use only 3G/4G networks

Risk: collect user identities in that area; use IMSIs for further attacks

Source code: http://openbts.org/get-the-code

[Figure: a high-power fake cell (CID 3, LAC 9, f 6) triggers a location update request (LUR) and logs every victim:]

Time      IMSI      IMEI      LAC/TA
13:37:37  22288...  35612...  1 / 2
13:37:42  22201...  01851...  1 / 1

The catching process works as follows:

1. The victim is attracted by the catcher due to its strong signal.

2. The fake tower requests all the relevant information about the user and device.

3. The victim is pushed back to the original cell and gets normal coverage as before.

4. No evidence is left on the mobile, but the catcher has a full log of users.

Page 10

More sophisticated fake cell towers can take full control of users

Mitigation: monitor radio traffic to detect anomalies; force the mobile to use only 3G/4G networks

Risk: intercept voice/SMS/mobile data; manipulate traffic in both directions

No code available

[Figure: the fake cell sits between the victim and the real network; on the victim side the communication is forced to weak encryption so that Kraken can crack the key in real time, while calls and SMS are logged and manipulated in the middle]

The real network can still enforce strong encryption and perform authentication, but this does not help: the victim, relayed through the fake cell, provides valid responses to any sort of request
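The catching sequence on slides 9 and 10 (and the paging and cipher weaknesses of slides 5 and 6) leaves traces that a handset-side monitor can score, which is the "monitor radio traffic to detect anomalies" mitigation in practice. The following is an added example, not SRLabs code and far simpler than SnoopSnitch: it replays a constructed list of baseband observations and scores the combination described in the slides. The event types, the -60 dBm "unusually strong" threshold, the 120 s return window and the score weights are assumptions made for this example.

```python
"""Heuristic fake-cell detector over handset-side radio events (added example, not SnoopSnitch)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A5/0 is no encryption and A5/2 is brute-forceable on a CPU (slide 6): strong indicators.
# A5/1 is crackable with rainbow tables but still common, so it only adds a little weight.
CIPHER_SCORE = {"A5/0": 3, "A5/2": 3, "A5/1": 1}
STRONG_SIGNAL_DBM = -60   # assumed threshold for a suspiciously strong cell
RETURN_WINDOW_S = 120     # assumed window for the "pushed back to the original cell" step


@dataclass
class RadioEvent:
    t: float              # seconds since the start of the capture
    kind: str             # "cell", "identity_request", "cipher" or "paging"
    cid: int = 0          # cell id (kind == "cell")
    lac: int = 0          # location area code (kind == "cell")
    rxlev: int = -110     # received level in dBm (kind == "cell")
    detail: str = ""      # identity type, cipher name or paging identity type


@dataclass
class Finding:
    t: float
    score: int
    reason: str


def analyse(events: List[RadioEvent], known_cells: Dict[int, int]) -> List[Finding]:
    """Score a trace; known_cells maps CID -> LAC of cells seen on earlier, normal days."""
    findings: List[Finding] = []
    seen = dict(known_cells)
    serving: Optional[RadioEvent] = None
    left_for_unknown: Optional[Tuple[RadioEvent, float]] = None  # (old cell, time we left it)
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "cell":
            if ev.cid not in seen:                         # slide 9 step 1: attracted by a new cell
                score, reason = 2, f"camped on unknown cell CID {ev.cid} LAC {ev.lac}"
                if ev.rxlev >= STRONG_SIGNAL_DBM:
                    score, reason = score + 2, reason + f", unusually strong signal ({ev.rxlev} dBm)"
                if serving is not None and ev.lac != serving.lac:
                    score, reason = score + 1, reason + ", LAC changed (forces a location update)"
                findings.append(Finding(ev.t, score, reason))
                seen[ev.cid] = ev.lac
                if serving is not None:
                    left_for_unknown = (serving, ev.t)
            elif left_for_unknown is not None:             # slide 9 step 3: pushed back
                old, left_at = left_for_unknown
                if ev.cid == old.cid and ev.t - left_at <= RETURN_WINDOW_S:
                    findings.append(Finding(ev.t, 2, f"back on original cell CID {ev.cid} after {ev.t - left_at:.0f}s"))
                left_for_unknown = None
            serving = ev
        elif ev.kind == "identity_request":                # slide 9 step 2: identities collected
            if ev.detail == "IMSI":
                findings.append(Finding(ev.t, 3, "network asked for the IMSI instead of using the TMSI"))
            elif ev.detail == "IMEI":
                findings.append(Finding(ev.t, 1, "network asked for the IMEI"))
        elif ev.kind == "cipher" and ev.detail in CIPHER_SCORE:   # slide 10: forced weak encryption
            findings.append(Finding(ev.t, CIPHER_SCORE[ev.detail], f"weak cipher {ev.detail} selected"))
        elif ev.kind == "paging" and ev.detail == "IMSI":         # slide 5: paging by IMSI
            findings.append(Finding(ev.t, 1, "paging by IMSI on the broadcast channel"))
    return findings


def risk_score(findings: List[Finding]) -> int:
    return sum(f.score for f in findings)


def verdict(findings: List[Finding]) -> str:
    score = risk_score(findings)
    return "likely fake cell" if score >= 8 else "suspicious" if score >= 3 else "normal"


# Constructed traces: cells 1 and 2 (LAC 1) are known; cell 3 is the catcher.
KNOWN_CELLS = {1: 1, 2: 1}
CATCHER_TRACE = [
    RadioEvent(0, "cell", cid=1, lac=1, rxlev=-80),
    RadioEvent(10, "cell", cid=3, lac=9, rxlev=-50),
    RadioEvent(12, "identity_request", detail="IMSI"),
    RadioEvent(13, "identity_request", detail="IMEI"),
    RadioEvent(14, "cipher", detail="A5/0"),
    RadioEvent(20, "cell", cid=1, lac=1, rxlev=-80),
]
NORMAL_TRACE = [
    RadioEvent(0, "cell", cid=1, lac=1, rxlev=-80),
    RadioEvent(5, "paging", detail="TMSI"),
    RadioEvent(6, "cipher", detail="A5/3"),
    RadioEvent(30, "cell", cid=2, lac=1, rxlev=-85),
]

if __name__ == "__main__":
    for name, trace in (("catcher", CATCHER_TRACE), ("normal", NORMAL_TRACE)):
        found = analyse(trace, KNOWN_CELLS)
        print(f"{name}: {verdict(found)} (score {risk_score(found)})")
        for f in found:
            print(f"  t={f.t:>4.0f}s +{f.score} {f.reason}")
```

Each indicator on its own is explainable (a new cell appears on a commute, an operator may still run A5/1), which is why the example scores the combination rather than alarming on any single event; the constructed catcher trace scores 14 and the normal trace scores 0.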

Page 11

Persistent malware on the SIM can be remotely installed via SMS

Mitigation: patch vulnerable SIM cards; block binary SMS from unknown origins

Risk: intercept voice/SMS/mobile data; user location tracking (fine-grained)

Tutorial: https://srlabs.de/rooting-sim-cards
Source code: https://opensource.srlabs.de/git/SIMtester.git

Low security and software bugs give the attacker a completely stealthy remote location tracking system or a decryption oracle

A specially crafted, broken binary SMS transparently reaches the SIM and makes the mobile send back a signed response that the attacker can crack

Using rainbow tables, the DES signature can be cracked and the attacker gains admin privileges on the SIM
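The "block binary SMS from unknown origins" mitigation requires telling binary, silent and SIM-bound messages apart from ordinary text before they reach the SIM. The following added example (not SRLabs code, and not the SIMtester tool) parses the TP header of a 3GPP TS 23.040 SMS-DELIVER PDU in the form a modem returns it (SMSC address first), reads TP-PID, TP-DCS and the user data header, and flags the classes that SnoopSnitch also reports: silent SMS (TP-PID 0x40, short message type 0), (U)SIM data download (TP-PID 0x7F or message class 2) and other 8-bit payloads. All PDUs, sender numbers and the trusted-sender list are constructed for the example; the "binary" payload bytes are dummies, not a real OTA packet.

```python
"""Classify SMS-DELIVER PDUs so binary/silent/SIM traffic from unknown senders can be blocked."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

PID_SILENT = 0x40              # TP-PID "Short Message Type 0": handset must neither show nor store it
PID_SIM_DATA_DOWNLOAD = 0x7F   # TP-PID "(U)SIM Data download": payload goes straight to the SIM
IEI_APP_PORT_16 = 0x05         # UDH information element: 16-bit application port addressing


@dataclass
class Sms:
    sender: str
    pid: int
    dcs: int
    udhi: bool
    ports: Optional[Tuple[int, int]]   # (destination, source) application ports, if any
    payload: bytes


def _semi_octets(raw: bytes, digits: int) -> str:
    """Decode swapped-nibble BCD digits (0x21 -> '12'), dropping the trailing 0xF pad."""
    return "".join(f"{b & 0xF:X}{b >> 4:X}" for b in raw)[:digits]


def parse_deliver(hex_pdu: str) -> Sms:
    b = bytes.fromhex(hex_pdu)
    i = 1 + b[0]                               # skip the length-prefixed SMSC address
    first = b[i]; i += 1                       # TP-MTI in bits 0-1, TP-UDHI in bit 6
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)
    digits = b[i]; i += 2                      # TP-OA: digit count, then type-of-address octet
    n = (digits + 1) // 2
    sender = _semi_octets(b[i:i + n], digits); i += n
    pid, dcs = b[i], b[i + 1]; i += 2 + 7      # TP-PID, TP-DCS, then the 7-octet TP-SCTS
    i += 1                                     # TP-UDL is not needed for these checks
    ud = b[i:]
    ports = None
    if udhi:                                   # walk the user data header elements
        udhl, j = ud[0], 1
        while j < 1 + udhl:
            iei, iedl = ud[j], ud[j + 1]
            data = ud[j + 2:j + 2 + iedl]
            if iei == IEI_APP_PORT_16 and iedl == 4:
                ports = (int.from_bytes(data[:2], "big"), int.from_bytes(data[2:], "big"))
            j += 2 + iedl
        ud = ud[1 + udhl:]
    return Sms(sender, pid, dcs, udhi, ports, ud)


def message_class(dcs: int) -> Optional[int]:
    """TP-DCS message class 0-3 when one is signalled (general group with bit 4, or group 0xF)."""
    if (dcs >> 4 == 0xF) or ((dcs & 0xC0) == 0 and (dcs & 0x10)):
        return dcs & 0x03
    return None


def is_8bit(dcs: int) -> bool:
    if dcs >> 4 == 0xF:
        return bool(dcs & 0x04)
    return (dcs & 0xC0) == 0 and (dcs & 0x0C) == 0x04


def classify(sms: Sms) -> Set[str]:
    tags = set()
    if sms.pid == PID_SILENT:
        tags.add("silent")
    if sms.pid == PID_SIM_DATA_DOWNLOAD or message_class(sms.dcs) == 2:
        tags.add("sim_data_download")
    if is_8bit(sms.dcs):
        tags.add("binary")
    if sms.ports is not None:
        tags.add("application_port")
    return tags or {"text"}


def should_block(sms: Sms, trusted_senders: Set[str]) -> bool:
    """Slide 11 rule: anything but plain text is acceptable only from known origins."""
    return classify(sms) != {"text"} and sms.sender not in trusted_senders


# Constructed PDUs: no SMSC address, sender +44770090012 (or the trusted +44770090099),
# a dummy timestamp and dummy payload bytes.
_HDR, _TS = "00040B914477000910F2", "51116031730040"
TEXT_PDU = _HDR + "00" + "00" + _TS + "05" + "E8329BFD06"           # 7-bit "hello"
SILENT_PDU = _HDR + "40" + "00" + _TS + "05" + "E8329BFD06"         # same text, TP-PID type 0
SIM_OTA_PDU = _HDR + "7F" + "F6" + _TS + "04" + "DEADBEEF"          # class 2, 8-bit, to the SIM
WAP_PUSH_PDU = "00440B914477000910F2" + "00" + "F5" + _TS + "0A" + "0605040B8423F0010203"
TRUSTED_OTA_PDU = "00040B914477000990F9" + "7F" + "F6" + _TS + "04" + "DEADBEEF"
TRUSTED_SENDERS = {"44770090099"}   # constructed: the operator's own OTA gateway

if __name__ == "__main__":
    for name in ("TEXT_PDU", "SILENT_PDU", "SIM_OTA_PDU", "WAP_PUSH_PDU", "TRUSTED_OTA_PDU"):
        sms = parse_deliver(globals()[name])
        print(f"{name:<16} from {sms.sender}: {sorted(classify(sms))} block={should_block(sms, TRUSTED_SENDERS)}")
```

The WAP push PDU is included to show that the user data header is parsed even when the message is not SIM-bound: its application ports (2948 and 9200) route it to an application rather than the inbox, which is worth logging even where the policy is to allow it.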

Page 12

Agenda

Attacks over the air

Attacks over the wire

How to protect yourself

Page 13

Mobile operators share their subscribers' data over trusted clouds

[Figure: Net 1 and Net 2 in Country A and Net 3 and Net 4 in Country B are connected through two private clouds, one for voice, SMS, USSD and signalling (SS7) and one for mobile Internet and MMS (GRX), kept apart from the public Internet]

Only members of the GSM Association should have access to these clouds

Page 14

User location tracking is cheap and widely available on the Internet

Mitigation: operators should deploy SMS home routing; block requests from untrusted sources

Risk: user location retrieval (coarse position); entirely stealthy and remote tracking

Slides: https://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf

Many online providers offer HLR lookups for just a few dollar cents (try on Google: "hlr lookup")

Starting from a mobile number, one can see which state and city the mobile user is currently visiting

Page 15

Fine-grained position is obtainable with roaming-related requests

Mitigation: deploy SS7 filtering at network borders; block requests from untrusted sources

Risk: user location retrieval (fine-grained); remote tracking (not always stealthy)

Slides: http://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf

[Figure: Net 1 and Net 2 exchange SS7 messages about Victim]

Net 2: "Dear Net 1, my subscriber Victim is currently roaming in your network, could you tell me where and if it's in a call?"

Net 1: "Sure! Dear Net 2, your Victim is currently served by a cell near the Tour Eiffel and it's not in a call"

Page 16

Trusted network relations can ease spam and fraud attempts

Mitigation: check the plausibility of user requests; block requests from untrusted sources

Risk: user impersonation (call/SMS fraud); mass SMS advertisement delivery

[Figure: Net 1 and Net 2 exchange SS7 messages about Victim]

Net 2: "Dear Net 1, your user Victim is visiting me, can you give me his full profile? And also, he wants to send an SMS to ..."

Net 1: "Dear Net 2, here is the profile and thanks for the SMS, I will try to deliver it and bill it to Victim"

Page 17

Strong encryption can be defeated by trusted key handovers

Mitigation: block internal-only SS7 requests; accept only speakers from a whitelist

Risk: capture and decrypt user traffic; reuse keys to spoof legitimate towers

Slides: https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf

[Figure: Net 1 and Net 2 exchange SS7 messages about Victim]

Net 2: "Dear Net 1, I need immediately the encryption key to connect a call of your subscriber Victim that is coming towards me"

Net 1: "Dear Net 2, sure! Here is the key and all the rest you need to keep the call going, good luck!"

Page 18

Voice and SMS can be remotely intercepted in several ways

Mitigation: perform smart SS7 plausibility checks; accept only speakers from a whitelist

Risk: intercept calls and SMS; manipulate/spoof user traffic

Video: www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking

[Figure: SS7 exchange between Net 1 and Net 2 about Victim; Father calls Victim]

Attacker: "Dear cell XXX, forget what Net 1 said about Victim, he wants now to forward all his calls to me"

Father tries to call Victim, but the call is immediately rerouted to the attacker, who can start recording and forward it to the Victim
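Slides 14 to 18 list the same three mitigations for every SS7 scenario: accept only whitelisted speakers, block requests that are internal to the home network, and check each remaining request for plausibility (with SMS home routing as the special case for slide 14). The following added example, not an operator product or SRLabs code, shows what such a border filter looks like as a rule engine over constructed MAP requests. The operation names are real MAP operations, but their grouping into "internal-only" and "roaming" sets, the partner whitelist, the reference coordinates per country and the 1000 km/h velocity limit are assumptions made for the example.

```python
"""SS7 border filter: speaker whitelist, internal-only blocking, SMS home routing, plausibility."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Optional, Tuple

# Constructed whitelist of interconnect partners: global title prefix -> (country, lat, lon).
PARTNERS = {"3361": ("FR", 48.86, 2.35), "4417": ("GB", 51.51, -0.13), "3906": ("IT", 41.90, 12.50)}
HOME = ("DE", 52.52, 13.40)
POSITIONS = {c: (lat, lon) for c, lat, lon in list(PARTNERS.values()) + [HOME]}

# Slide 17: requests that only make sense inside the home network (key handover between
# VLRs, subscriber interrogation) must never be accepted from a partner. Assumed grouping.
INTERNAL_ONLY = {"sendIdentification", "sendIMSI", "anyTimeInterrogation", "provideSubscriberInfo"}
# Roaming-related requests a visited network legitimately sends about our subscribers.
ROAMING_OPS = {"updateLocation", "mo-forwardSM"}
MAX_SPEED_KMH = 1000.0   # assumed: faster than this between two location updates is implausible


@dataclass
class MapRequest:
    opcode: str
    calling_gt: str      # global title of the sending node
    imsi: str
    ts: float            # unix time the request arrived


@dataclass
class Subscriber:
    country: str         # where the home network last saw the subscriber
    last_seen: float


@dataclass
class Decision:
    action: str          # "allow", "block" or "home_route"
    reason: str


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def partner_for(gt: str) -> Optional[Tuple[str, float, float]]:
    return next((info for prefix, info in PARTNERS.items() if gt.startswith(prefix)), None)


def evaluate(req: MapRequest, subscribers: Dict[str, Subscriber]) -> Decision:
    partner = partner_for(req.calling_gt)
    if partner is None:                                  # slides 17/18: whitelist of speakers
        return Decision("block", f"GT {req.calling_gt} is not a whitelisted partner")
    if req.opcode in INTERNAL_ONLY:                      # slide 17: internal-only requests
        return Decision("block", f"{req.opcode} must not cross the network border")
    if req.opcode == "sendRoutingInfoForSM":             # slide 14: SMS home routing
        return Decision("home_route", "answer through the SMS router, never expose IMSI/VLR")
    if req.opcode not in ROAMING_OPS:
        return Decision("block", f"{req.opcode} is not permitted at the border")
    sub = subscribers.get(req.imsi)
    if sub is None:
        return Decision("block", f"unknown subscriber {req.imsi}")
    country = partner[0]
    if req.opcode == "updateLocation":                   # slides 16/18: plausibility (velocity)
        km = haversine_km(POSITIONS[sub.country], POSITIONS[country])
        hours = max(req.ts - sub.last_seen, 1.0) / 3600
        if sub.country != country and km / hours > MAX_SPEED_KMH:
            return Decision("block", f"implausible move {sub.country}->{country}: {km:.0f} km in {hours:.2f} h")
        return Decision("allow", f"location update plausible ({km:.0f} km in {hours:.2f} h)")
    if sub.country != country:                           # slide 16: "your user is visiting me" must match our records
        return Decision("block", f"subscriber is in {sub.country}, not in the sender's network {country}")
    return Decision("allow", "request consistent with subscriber state")


# Constructed state: subscriber ...001 is at home in DE, ...002 is roaming in FR.
T0 = 1_446_800_000.0
SUBSCRIBERS = {"262011000000001": Subscriber("DE", T0), "262011000000002": Subscriber("FR", T0)}
SAMPLE = [
    MapRequest("sendIdentification", "33612000001", "262011000000001", T0 + 60),      # slide 17
    MapRequest("updateLocation", "33612000001", "262011000000001", T0 + 3 * 3600),    # DE->FR in 3 h
    MapRequest("updateLocation", "39061000001", "262011000000002", T0 + 300),         # FR->IT in 5 min
    MapRequest("sendRoutingInfoForSM", "44170000001", "262011000000001", T0 + 60),    # slide 14
    MapRequest("updateLocation", "91950000001", "262011000000001", T0 + 60),          # unknown speaker
    MapRequest("mo-forwardSM", "33612000001", "262011000000002", T0 + 60),            # user really in FR
    MapRequest("mo-forwardSM", "33612000001", "262011000000001", T0 + 60),            # user is at home
]

if __name__ == "__main__":
    for r in SAMPLE:
        d = evaluate(r, SUBSCRIBERS)
        print(f"{r.opcode:<22} from {r.calling_gt}: {d.action:<10} {d.reason}")
```

The velocity check is the simplest "smart plausibility check" of slide 18: a subscriber seen in Berlin three hours ago can be registering in Paris, but one seen in Paris five minutes ago cannot be registering in Rome. A production filter would also rate-limit per speaker and cross-check the claimed VLR against the roaming agreement, which this example leaves out.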

Page 19

Mobile data can also be remotely diverted, blocked and spoofed

Mitigation: block internal-only GTP requests; accept only speakers from a whitelist

Risk: intercept mobile data (Internet); manipulate/spoof user traffic

Slides: https://events.ccc.de/camp/2015/Fahrplan/system/attachments/2649/original/CCCamp-SRLabs-Advanced_Interconnect_Attacks.v1.pdf

[Figure: Net 1 and Net 2 exchange GTP messages about Victim over GRX (or the Internet)]

Net 2: "Dear Net 1, your user Victim is visiting me, can you give me his current IP and make me the owner of it?"

Net 1: "Dear Net 2, here is the current IP and connection settings for Victim, now it's all yours, and here are some packets for him"

Page 20

Agenda

Attacks over the air

Attacks over the wire

How to protect yourself

Page 21

GSM Map allows users to compare security in several countries

Page 22

Security levels are summarized in a chart and detailed in a report

Page 23

A similar world map shows risk levels associated with SS7 exposure

Page 24

SnoopSnitch monitors network anomalies and attack attempts

It currently shows: network security levels (intercept, impersonation), IMSI catcher events, SS7 attacks, reception of malicious SMS (silent & binary)

Page 25

Takeaways

Many vulnerabilities found in the past years are still a threat for mobile users

Network operators worldwide should improve their security to prevent abuse

Attack tools are available to researchers, and criminals are not far behind them

Questions?

Luca Melette <[email protected]>