Luca Melette - Mobile threats evolution (2015-11-06)
TRANSCRIPT
Slide 1: Agenda
Attacks over the air
Attacks over the wire
How to protect yourself
Slide 2: Mobile communications have been secretly intercepted for decades
[Figure: timeline of IMSI catcher form factors: stationary catcher (1990), portable catcher (2000), handheld catcher (2015)]
IMSI catchers are the well-known devices operated by police and intelligence agencies to locate and spy on mobile users; they have existed since the beginning of GSM.
Slide 3: GSM interception is now available to the masses
Years of research unearthed important GSM vulnerabilities and produced low-cost IMSI catchers and passive interception systems.
[Figure: cost of GSM interception setups over time]
Software: OpenBTS / Airprobe - Hardware: USRP + RFX900 - ~$1000 (1998)
Software: CalypsoBTS / OsmocomBB - Hardware: Motorola C123 - $20-$50 (2010)
Software: OsmoSDR / Airprobe - Hardware: USB DVB-T stick - <$10 (2015)
Slide 4: Listening to broadcast channels can disclose local user identities
Mitigation: avoid paging by IMSI as much as possible; frequently refresh TMSIs
Risk: detect user presence; use IMSIs for further attacks
Source code: git://git.osmocom.org/osmocom-bb
[Figure: a passive receiver tuned to the broadcast channel sees the paging requests ("IMSI?") addressed by IMSI to the phones in the cell]
Slide 5: Passive GSM intercept is still a major privacy risk in many countries
Mitigation: adopt randomization techniques; use a strong cipher (A5/3 or A5/4)
Risk: intercept calls and SMS; follow user movements
Tutorial: https://srlabs.de/decrypting_gsm
Source code: https://opensource.srlabs.de/projects/a51-decrypt
In the past two years we found networks using no encryption in these countries: Cambodia, China, Hong Kong, India, Israel, Kyrgyzstan, Lebanon, Morocco, Myanmar, Pakistan, Vietnam
[Figure: voice/SMS -> encrypted frames -> Kraken -> decrypted voice/SMS]
The common GSM cipher A5/1 can be cracked with rainbow tables on a normal PC with a GPU and 2 TB of disk, while A5/2 can be cracked very quickly by brute force on a CPU alone.
Slide 6: GPRS settings (mobile data) can greatly differ from voice and SMS
Mitigation: double-check radio security settings; use a strong cipher (GEA/3 or GEA/4)
Risk: intercept mobile data traffic; follow user movements
Tutorial: https://srlabs.de/gprs
[Figure: mobile Internet traffic over GPRS]
Some operators surprisingly forget to turn on encryption for GPRS (or even UMTS), leaving passive sniffers full access to the user's mobile Internet traffic.
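The three radio checks above (paging by IMSI and TMSI refresh on slide 4, the voice/SMS cipher on slide 5, the GPRS cipher on slide 6) can be scored from one passive capture. The script below is an added example, not code from the talk or from the Osmocom/SRLabs tools: the event dicts, the 5% IMSI-paging tolerance and the one-hour TMSI age are assumptions, and the sample capture is constructed.

```python
"""Audit passively decoded GSM/GPRS downlink signalling for the weak
network settings discussed above: paging by IMSI, TMSIs that are never
reallocated, and weak or absent ciphers on the voice/SMS (CS) and
mobile data (PS) domains.

Added example, not code from the talk, OsmocomBB or Airprobe. The event
format is an assumption: one dict per decoded Layer 3 message."""
from collections import Counter, defaultdict

STRONG_CS = {"A5/3", "A5/4"}        # ciphers the talk recommends for voice/SMS
STRONG_PS = {"GEA/3", "GEA/4"}      # ciphers the talk recommends for GPRS
IMSI_PAGING_MAX_RATIO = 0.05        # tolerance for legitimate IMSI paging (assumption)
TMSI_MAX_AGE_S = 3600.0             # expected TMSI reallocation interval (assumption)


def audit(events):
    """Return per-network statistics plus a list of human-readable findings."""
    paging = Counter()                      # paging requests by identity type
    tmsi_times = defaultdict(list)          # TMSI -> timestamps it was paged at
    cs_ciphers, ps_ciphers = Counter(), Counter()
    for ev in events:
        kind = ev["type"]
        if kind == "paging":
            paging[ev["id_type"]] += 1
            if ev["id_type"] == "tmsi":
                tmsi_times[ev["id"]].append(ev["t"])
        elif kind == "cipher_mode":         # Ciphering Mode Command on the CS domain
            cs_ciphers[ev["algo"]] += 1
        elif kind == "gprs_cipher":         # GMM Authentication and Ciphering Request
            ps_ciphers[ev["algo"]] += 1

    total = sum(paging.values())
    imsi_ratio = paging["imsi"] / total if total else 0.0
    # A TMSI paged over a long window was never refreshed: it becomes a stable tracking handle.
    stale = sorted(t for t, ts in tmsi_times.items() if max(ts) - min(ts) > TMSI_MAX_AGE_S)
    weak_cs = sorted(a for a in cs_ciphers if a not in STRONG_CS)
    weak_ps = sorted(a for a in ps_ciphers if a not in STRONG_PS)

    findings = []
    if imsi_ratio > IMSI_PAGING_MAX_RATIO:
        findings.append(f"{imsi_ratio:.0%} of paging requests carry an IMSI (identities leak on the broadcast channel)")
    if stale:
        findings.append(f"{len(stale)} TMSI(s) kept for more than {TMSI_MAX_AGE_S / 3600:g} h without reallocation")
    if weak_cs:
        findings.append("weak or no CS cipher seen: " + ", ".join(weak_cs))
    if weak_ps:
        findings.append("weak or no GPRS cipher seen: " + ", ".join(weak_ps))
    return {"imsi_paging_ratio": imsi_ratio, "stale_tmsis": stale,
            "cs_ciphers": dict(cs_ciphers), "ps_ciphers": dict(ps_ciphers),
            "findings": findings}


# Constructed sample capture (timestamps in seconds; identities are made up).
SAMPLE_EVENTS = [
    {"t": 0.0, "type": "paging", "id_type": "tmsi", "id": "8a13b0cf"},
    {"t": 1.5, "type": "paging", "id_type": "imsi", "id": "222880123456789"},
    {"t": 3.0, "type": "paging", "id_type": "tmsi", "id": "1f00aa21"},
    {"t": 4.2, "type": "cipher_mode", "algo": "A5/1"},
    {"t": 9.0, "type": "gprs_cipher", "algo": "GEA/0"},
    {"t": 60.0, "type": "paging", "id_type": "tmsi", "id": "1f00aa21"},
    {"t": 7300.0, "type": "paging", "id_type": "tmsi", "id": "8a13b0cf"},
    {"t": 7301.0, "type": "cipher_mode", "algo": "A5/3"},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_EVENTS)["findings"]:
        print("finding:", line)
```

On the constructed capture the audit reports four findings: one in five pagings carries an IMSI, the TMSI 8a13b0cf survives for two hours, A5/1 is still negotiated next to A5/3, and GPRS runs with GEA/0. Real captures need far more events before the ratios mean anything, and a network that mixes A5/1 and A5/3 is still attackable through the weaker cipher.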
Slide 7: Missing authentication enables user impersonation and fraud
Mitigation: always require user authentication; move to a more recent radio generation
Risk: spoof caller ID for calls and SMS; send premium SMS (fraud)
No code available
[Figure: an SMS for TMSI 0x8a13b0cf is captured (1), its key recovered (2), and a call from TMSI 0x8a13b0cf is placed by the attacker (3)]
Step 1: Capture a call or SMS directed to the victim
Step 2: Recover the key if the transaction was encrypted
Step 3: Start a call or send an SMS impersonating the victim, using the captured TMSI and key
A similar attack can be applied to mobile-terminated traffic.
Slide 8: Rogue base stations can massively collect user identities
Mitigation: monitor radio traffic to detect anomalies; force the mobile to use only 3G/4G networks
Risk: collect user identities in that area; use IMSIs for further attacks
Source code: http://openbts.org/get-the-code
[Figure: fake cell (CID 3, LAC 9, frequency f 6) transmitting at high power; the victim sends a Location Update Request (LUR) and the catcher logs it:]
Time      IMSI      IMEI      LAC/TA
13:37:37  22288...  35612...  1 / 2
13:37:42  22201...  01851...  1 / 1
The catching process works as follows:
1. The victim is attracted to the catcher by its strong signal.
2. The fake tower requests all the relevant information about the user and device.
3. The victim is pushed back to the original cell and gets normal coverage as before.
4. No evidence is left on the mobile, but the catcher has a full log of users.
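Each of the four steps leaves a trace that the handset itself can observe, which is what the heuristics below score. This is an added example, not code from the talk or from SnoopSnitch: the observation fields, the 30 dB signal jump and the three-indicator threshold are assumptions, and the sample window is constructed around the CID 3 / LAC 9 cell of the figure.

```python
"""Heuristic IMSI catcher detection from the phone's point of view, following
the four-step catching process described above: a new, strong cell with a
foreign LAC provokes a Location Update, asks for IMSI and IMEI, then drops
the phone back onto the real cell.

Added example, not code from the talk or SnoopSnitch. The observation
format and the scoring thresholds are assumptions."""

CATCHER_THRESHOLD = 3      # number of independent indicators before we alert (assumption)


def score_cells(window):
    """window: chronological serving-cell observations (one dict per camped cell).
    Returns {(lac, cid): (score, [reasons])} for every cell with at least one indicator."""
    announced = set()                       # cell IDs advertised in any neighbour list we saw
    for obs in window:
        announced.update(obs.get("neighbors", ()))

    results = {}
    for i, obs in enumerate(window):
        prev = window[i - 1] if i > 0 else None
        nxt = window[i + 1] if i + 1 < len(window) else None
        reasons = []
        if obs["cid"] not in announced:
            reasons.append("cell never announced as a neighbour by any other cell")
        # Steps 1 and 3: a different LAC forces a Location Update; afterwards we land back on the old cell.
        if prev and nxt and prev["lac"] != obs["lac"] and (prev["lac"], prev["cid"]) == (nxt["lac"], nxt["cid"]):
            reasons.append("new LAC, then pushed back to the previous cell")
        if prev and obs["rxlev_dbm"] - prev["rxlev_dbm"] >= 30:
            reasons.append(f"signal jumped by {obs['rxlev_dbm'] - prev['rxlev_dbm']} dB")
        # Step 2: a real network already knows the IMEI/IMSI behind a TMSI and rarely asks for both.
        if {"identity_req_imsi", "identity_req_imei"} <= set(obs.get("events", ())):
            reasons.append("requested both IMSI and IMEI")
        if obs.get("cipher") == "A5/0":
            reasons.append("no encryption in use")
        if reasons:
            results[(obs["lac"], obs["cid"])] = (len(reasons), reasons)
    return results


def likely_catchers(window, threshold=CATCHER_THRESHOLD):
    return sorted(key for key, (score, _) in score_cells(window).items() if score >= threshold)


# Constructed sample: two real cells of LAC 1, then a catcher with the parameters
# shown on the slide (CID 3, LAC 9, high power), then back to the real cell.
SAMPLE_WINDOW = [
    {"t": "13:37:00", "lac": 1, "cid": 1002, "rxlev_dbm": -78, "cipher": "A5/1",
     "neighbors": [1001, 1003], "events": []},
    {"t": "13:37:20", "lac": 1, "cid": 1001, "rxlev_dbm": -75, "cipher": "A5/1",
     "neighbors": [1002, 1003], "events": []},
    {"t": "13:37:37", "lac": 9, "cid": 3, "rxlev_dbm": -40, "cipher": "A5/0",
     "neighbors": [], "events": ["lur", "identity_req_imsi", "identity_req_imei"]},
    {"t": "13:38:05", "lac": 1, "cid": 1001, "rxlev_dbm": -75, "cipher": "A5/1",
     "neighbors": [1002, 1003], "events": []},
]

if __name__ == "__main__":
    for key, (score, reasons) in score_cells(SAMPLE_WINDOW).items():
        print(f"LAC {key[0]} CID {key[1]}: score {score}", *reasons, sep="\n  ")
    print("likely catchers:", likely_catchers(SAMPLE_WINDOW))
```

The two real cells score zero because each is announced in the other's neighbour list and neither asks for identities; the rogue cell collects all five indicators. Any single indicator also occurs on legitimate networks (a new site, a LAC border, a dead spot), which is why the alert needs several of them at once, and why a detector that only sees 2G cannot replace forcing the phone to 3G/4G.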
Slide 9: More sophisticated fake cell towers can take full control of users
Mitigation: monitor radio traffic to detect anomalies; force the mobile to use only 3G/4G networks
Risk: intercept voice/SMS/mobile data; manipulate traffic in both directions
No code available
[Figure: Victim <-> fake cell with Kraken <-> real network]
On the victim's side the communication is forced to weak encryption so that the key can be cracked in real time (Kraken); calls and SMS are logged and manipulated.
The real network can still enforce strong encryption and perform authentication: the man-in-the-middle relays every challenge to the victim, who provides valid responses for any sort of request.
Slide 10: Persistent malware on the SIM can be remotely installed via SMS
Mitigation: patch vulnerable SIM cards; block binary SMS from unknown origins
Risk: intercept voice/SMS/mobile data; fine-grained user location tracking
Tutorial: https://srlabs.de/rooting-sim-cards
Source code: https://opensource.srlabs.de/git/SIMtester.git
Low security settings and software bugs give the attacker a completely stealthy remote location tracking system or a decryption oracle.
A specially crafted (malformed) binary SMS transparently reaches the SIM and makes the phone send back a signed response that the attacker can crack.
Using rainbow tables, the DES signature can be cracked and the attacker gains admin privileges on the SIM.
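To block binary SMS from unknown origins, and to spot a single-DES key identifier of the kind this attack relies on, the SMS-DELIVER TPDU has to be parsed down to the OTA command packet header. The parser below is an added example, not code from the talk or from SIMtester: the field layout follows 3GPP TS 23.040 (SMS TPDU) and TS 23.048 / TS 31.115 (secured packets), both sample TPDUs are hand-constructed, and the trusted-sender list is an assumed policy, not a standard.

```python
"""Parse an SMS-DELIVER TPDU (3GPP TS 23.040), decide whether it is a binary
SMS addressed to the SIM, and for OTA command packets (TS 23.048 / TS 31.115)
decode the security header so a single-DES KID like the one exploited on
this slide can be flagged.

Added example, not code from the talk or from SIMtester. Both sample TPDUs are
constructed by hand; the trusted-sender policy is an assumption, not a standard."""

SIM_DATA_DOWNLOAD_PID = 0x7F   # TP-PID value that makes the phone hand the SMS to the (U)SIM
IEI_COMMAND_PACKET = 0x70      # UDH information element identifier of a secured command packet
KID_DES_MODES = {0: "DES CBC (single DES)", 1: "3DES 2-key", 2: "3DES 3-key", 3: "DES ECB (single DES)"}


def _decode_bcd_number(raw, ndigits, toa):
    digits = []
    for b in raw:                               # semi-octets, low nibble first
        digits += [str(b & 0x0F), str(b >> 4)]
    prefix = "+" if (toa >> 4) & 0x07 == 1 else ""   # type of number 001 = international
    return prefix + "".join(digits[:ndigits])


def _is_class2(dcs):
    if dcs & 0xF0 == 0xF0:                      # "data coding / message class" group
        return dcs & 0x03 == 2
    return dcs & 0xC0 == 0 and dcs & 0x10 != 0 and dcs & 0x03 == 2


def _is_7bit(dcs):
    if dcs & 0xF0 == 0xF0:
        return dcs & 0x04 == 0
    return dcs & 0xC0 == 0 and dcs & 0x0C == 0


def _parse_command_packet(cp):
    """Command Packet: CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS data."""
    spi1, spi2, kid = cp[3], cp[4], cp[6]
    integrity = ("none", "RC", "CC", "DS")[spi1 & 0x03]
    algo_class = kid & 0x03                     # b2b1: 00 implicit, 01 DES family, 10 AES (later releases), 11 proprietary
    des_mode = (kid >> 2) & 0x03
    if algo_class == 1:
        kid_algo = KID_DES_MODES[des_mode]
    else:
        kid_algo = {0: "implicit", 2: "AES/reserved", 3: "proprietary"}[algo_class]
    single_des = algo_class == 1 and des_mode in (0, 3)
    return {"cpl": int.from_bytes(cp[0:2], "big"), "chl": cp[2], "tar": cp[7:10].hex(),
            "integrity": integrity, "ciphered": bool(spi1 & 0x04),
            "por_requested": spi2 & 0x03 != 0, "kid_algo": kid_algo,
            # 56-bit DES signatures are what the rainbow tables on this slide recover
            "weak_integrity": integrity == "none" or single_des}


def parse_sms_deliver(tpdu):
    if tpdu[0] & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER TPDU")
    udhi = bool(tpdu[0] & 0x40)
    ndigits, toa = tpdu[1], tpdu[2]
    i = 3 + (ndigits + 1) // 2
    sender = _decode_bcd_number(tpdu[3:i], ndigits, toa)
    pid, dcs = tpdu[i], tpdu[i + 1]
    i += 2 + 7                                  # skip TP-PID, TP-DCS and the 7-octet TP-SCTS
    udl, i = tpdu[i], i + 1
    ud = tpdu[i:i + ((udl * 7 + 7) // 8 if _is_7bit(dcs) else udl)]
    ota = None
    if udhi and ud:
        udhl = ud[0]
        header, body, j = ud[1:1 + udhl], ud[1 + udhl:], 0
        while j + 2 <= len(header):
            iei, iedl = header[j], header[j + 1]
            if iei == IEI_COMMAND_PACKET and len(body) >= 10:
                ota = _parse_command_packet(body)
            j += 2 + iedl
    return {"sender": sender, "pid": pid, "dcs": dcs, "udhi": udhi,
            "sim_bound": pid == SIM_DATA_DOWNLOAD_PID or _is_class2(dcs), "ota": ota}


def should_block(parsed, trusted_senders):
    """Slide 10 mitigation: only known OTA platforms may talk to the SIM."""
    return parsed["sim_bound"] and parsed["sender"] not in trusted_senders


# Constructed: OTA command packet from +12345678901, PID 0x7F, DCS 0xF6 (8-bit, class 2),
# UDH IEI 0x70, SPI 0x02/0x21 (CC on command, PoR requested), KID 0x01 = single DES CBC.
SAMPLE_OTA_TPDU = bytes.fromhex(
    "44 0B 91 21 43 65 87 09 F1 7F F6 51 11 60 41 01 00 00 1D 02 70 00"
    "00 18 15 02 21 00 01 B0 00 10 00 00 00 00 00 00 11 22 33 44 55 66 77 88 80 CA")
# Constructed: ordinary 7-bit text "Hello" from the same sender.
SAMPLE_TEXT_TPDU = bytes.fromhex("04 0B 91 21 43 65 87 09 F1 00 00 51 11 60 41 01 00 00 05 C8 32 9B FD 06")

if __name__ == "__main__":
    for tpdu in (SAMPLE_OTA_TPDU, SAMPLE_TEXT_TPDU):
        p = parse_sms_deliver(tpdu)
        print(p["sender"], "sim_bound" if p["sim_bound"] else "plain", p["ota"] and p["ota"]["kid_algo"],
              "BLOCK" if should_block(p, {"+4917012345678"}) else "pass")
```

The first TPDU is classified as SIM-bound by its TP-PID alone, its command packet announces a cryptographic checksum under a single-DES key with a proof of receipt requested, and it is blocked because the sender is not a known OTA platform; the plain text message passes. A filter like this belongs in the operator's SMSC or SMS home-routing node, since the handset hands class 2 messages to the SIM without showing them to the user.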
Slide 11: Agenda
Attacks over the air
Attacks over the wire
How to protect yourself
Slide 12: Mobile operators share their subscribers' data over trusted clouds
[Figure: networks Net 1 to Net 4 in Country A and Country B interconnected through two private clouds, separate from the public Internet:]
Signalling (SS7) cloud: voice, SMS, USSD
GRX cloud: mobile Internet and MMS
Only members of the GSM Association should have access to these clouds.
Slide 13: User location tracking is cheap and widely available on the Internet
Mitigation: operators to deploy SMS home routing; block requests from untrusted sources
Risk: user location retrieval (coarse position); entirely stealthy and remote tracking
Slides: https://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf
Many online providers offer HLR lookups for just a few cents (try on Google: "hlr lookup").
Starting from a mobile number, one can see which state and city the mobile user is currently visiting.
Slide 14: Fine-grained position is obtainable with roaming-related requests
Mitigation: deploy SS7 filtering at network borders; block requests from untrusted sources
Risk: user location retrieval (fine-grained); remote tracking (not always stealthy)
Slides: http://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf
[Figure: Net 1 and Net 2 connected over SS7; Victim is attached to Net 1]
Request from Net 2 to Net 1: "Dear Net 1, my subscriber Victim is currently roaming in your network, could you tell me where and if he is in a call?"
Reply from Net 1: "Sure! Dear Net 2, your Victim is currently served by a cell near the Tour Eiffel and he is not in a call."
Slide 15: Trusted network relations can ease spam and fraud attempts
Mitigation: check plausibility of user requests; block requests from untrusted sources
Risk: user impersonation (call/SMS fraud); mass SMS advertisement delivery
[Figure: Net 1 and Net 2 connected over SS7; Victim is a Net 1 subscriber]
Request from Net 2 to Net 1: "Dear Net 1, your user Victim is visiting me, can you give me his full profile? And also, he wants to send an SMS to ..."
Reply from Net 1: "Dear Net 2, here is the profile, and thanks for the SMS, I will try to deliver it and bill it to Victim."
Slide 16: Strong encryption can be defeated by trusted key handovers
Mitigation: block internal-only SS7 requests; accept only speakers from a whitelist
Risk: capture and decrypt user traffic; reuse keys to spoof legitimate towers
Slides: https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf
[Figure: Net 1 and Net 2 connected over SS7; Victim is a Net 1 subscriber]
Request from Net 2 to Net 1: "Dear Net 1, I immediately need the encryption key to connect a call of your subscriber Victim that is coming towards me."
Reply from Net 1: "Dear Net 2, sure! Here is the key and all the rest you need to keep the call going, good luck!"
Slide 17: Voice and SMS can be remotely intercepted in several ways
Mitigation: perform smart SS7 plausibility checks; accept only speakers from a whitelist
Risk: intercept calls and SMS; manipulate/spoof user traffic
Video: www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking
[Figure: Net 1 and Net 2 connected over SS7; Victim is served by a cell of Net 1; Father calls Victim]
Request from Net 2 to the victim's serving cell: "Dear cell XXX, forget what Net 1 said about Victim, he now wants to forward all his calls to me."
Father tries to call Victim, but the call is immediately rerouted to the attacker, who can start recording and forward it to the Victim.
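The mitigations on slides 13 to 17 (a whitelist of speakers, blocking internal-only requests, SMS home routing, plausibility checks on roaming-related requests) combine into a small filter at the home network's interconnect. The code below is an added example, not from the talk or from any operator product: the rule set is simplified, the partner table, positions and traffic are constructed, and a 2-digit MNC is assumed for the IMSI prefix match. The same structure applies to GTP on the next slide, which is not covered here.

```python
"""A minimal SS7/MAP plausibility filter at a home network's interconnect,
implementing the mitigations listed on slides 13-17: whitelist of speakers,
rejection of internal-only operations, SMS home routing, roaming-partner
consistency for subscriber queries, and a velocity check on location updates.

Added example, not code from the talk or from any operator product; rule set
simplified and partner data constructed. GT = SCCP Global Title (the address
of the signalling node sending the request)."""
import math

OWN_PLMN = "22201"          # MCC+MNC of the network running the filter (constructed)
MAX_SPEED_KMH = 900.0       # a subscriber cannot move faster than an airliner (assumption)
INTERNAL_ONLY = {"sendIdentification", "sendParameters", "anyTimeInterrogation", "anyTimeModification"}
ROAMER_QUERIES = {"provideSubscriberInfo", "provideRoamingNumber"}

# Interconnect whitelist: calling GT -> roaming partner (PLMN, approximate position).
PARTNERS = {
    "491700000001": {"plmn": "26201", "pos": (52.52, 13.40)},   # Berlin
    "33600000001":  {"plmn": "20801", "pos": (48.86, 2.35)},    # Paris
    "34600000001":  {"plmn": "21401", "pos": (40.42, -3.70)},   # Madrid
}


def great_circle_km(a, b):
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def plmn_of(imsi):
    return imsi[:5]             # 2-digit MNC assumed for every IMSI in this example


class Ss7Filter:
    def __init__(self, partners=PARTNERS, own_plmn=OWN_PLMN):
        self.partners, self.own_plmn = partners, own_plmn
        self.last_location = {}     # IMSI -> (timestamp, partner GT), as the HLR would record

    def decide(self, req):
        """Return (verdict, reason); verdict is 'allow', 'drop' or 'home-route'."""
        partner = self.partners.get(req["cgpa"])
        if partner is None:
            return "drop", "calling GT is not a whitelisted interconnect partner"
        op, imsi = req["opcode"], req.get("imsi", "")
        if op in INTERNAL_ONLY:                 # slide 16: key handover etc. never cross the border
            return "drop", f"{op} is internal-only"
        if op == "sendRoutingInfoForSM":        # slide 13: HLR lookup -> answer with home-routing address
            return "home-route", "do not reveal IMSI or serving MSC to the requester"
        if op in ROAMER_QUERIES:                # slide 14: only the roamer's own home network may ask
            if plmn_of(imsi) != partner["plmn"]:
                return "drop", "requester is not the home network of this inbound roamer"
            return "allow", "query from the roamer's home network"
        if op == "updateLocation" and plmn_of(imsi) == self.own_plmn:   # slide 17: fake registration
            prev = self.last_location.get(imsi)
            if prev is not None:
                t0, gt0 = prev
                km = great_circle_km(self.partners[gt0]["pos"], partner["pos"])
                hours = (req["ts"] - t0) / 3600.0
                if hours <= 0 or km / hours > MAX_SPEED_KMH:
                    return "drop", f"implausible move of {km:.0f} km in {hours:.2f} h"
            self.last_location[imsi] = (req["ts"], req["cgpa"])
            return "allow", "location update plausible"
        return "allow", "no rule matched"


# Constructed traffic sample (ts in seconds).
SAMPLE_REQUESTS = [
    {"ts": 0,     "cgpa": "491700000001", "opcode": "updateLocation",        "imsi": "222010000000001"},
    {"ts": 600,   "cgpa": "34600000001",  "opcode": "updateLocation",        "imsi": "222010000000001"},
    {"ts": 700,   "cgpa": "33600000001",  "opcode": "sendIdentification",    "imsi": "222010000000001"},
    {"ts": 800,   "cgpa": "99900000001",  "opcode": "provideSubscriberInfo", "imsi": "262010000000009"},
    {"ts": 900,   "cgpa": "33600000001",  "opcode": "provideSubscriberInfo", "imsi": "262010000000009"},
    {"ts": 950,   "cgpa": "491700000001", "opcode": "provideSubscriberInfo", "imsi": "262010000000009"},
    {"ts": 1000,  "cgpa": "33600000001",  "opcode": "sendRoutingInfoForSM",  "msisdn": "393400000001"},
    {"ts": 10800, "cgpa": "33600000001",  "opcode": "updateLocation",        "imsi": "222010000000001"},
]


def run(requests):
    f = Ss7Filter()
    return [f.decide(r)[0] for r in requests]


if __name__ == "__main__":
    f = Ss7Filter()
    for r in SAMPLE_REQUESTS:
        print(r["opcode"], *f.decide(r))
```

In the sample, the registration from Berlin is accepted, the one from Madrid ten minutes later is dropped as impossible travel, the key request is refused regardless of sender, the two subscriber-info queries are dropped because the speaker is unknown or is not the roamer's home network, the HLR lookup is answered through home routing, and the move to Paris three hours later passes. A production filter would keep state in the HLR/STP rather than in a Python dict and would also rate-limit, but the shape of each rule is the same.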
Slide 18: Mobile data can also be remotely diverted, blocked and spoofed
Mitigation: block internal-only GTP requests; accept only speakers from a whitelist
Risk: intercept mobile data (Internet); manipulate/spoof user traffic
Slides: https://events.ccc.de/camp/2015/Fahrplan/system/attachments/2649/original/CCCamp-SRLabs-Advanced_Interconnect_Attacks.v1.pdf
[Figure: Net 1 and Net 2 connected over GRX (or the Internet); Victim is a Net 1 subscriber]
Request from Net 2 to Net 1: "Dear Net 1, your user Victim is visiting me, can you give me his current IP and make me the owner of it?"
Reply from Net 1: "Dear Net 2, here is the current IP and connection settings for Victim, now it's all yours, and here are some packets for him."
Slide 19: Agenda
Attacks over the air
Attacks over the wire
How to protect yourself
Slide 20: GSM Map allows users to compare security in several countries
Slide 21: Security levels are summarized in a chart and detailed in a report
Slide 22: A similar world map shows risk levels associated with SS7 exposure
Slide 23: SnoopSnitch monitors network anomalies and attack attempts
It currently shows: network security levels (intercept, impersonation), IMSI catcher events, SS7 attacks, reception of malicious SMS (silent & binary)
Slide 24: Take-aways
Many vulnerabilities found in the past years are still a threat to mobile users
Network operators worldwide should improve their security to prevent abuse
Attack tools are available to researchers, and criminals are not far behind them
Questions?
Luca Melette <[email protected]>