mbs-t10r les goldsmith ghosts in the network: ss7 and...

Post on 06-Mar-2018


TRANSCRIPT

SESSION ID: MBS-T10R

#RSAC

Ghosts in the Network: SS7 and RF Vulnerabilities in Cellular Networks

Trent Smith
Director of Project Overwatch, ESD America Inc
@trentatesd

Les Goldsmith
Chief Executive Officer, ESD America Inc
@lesatesd

Who are we

ESD America is the North American & Asian Distributor of GSMK Cryptophone.

5 years ago we commenced a joint research project into ways that groups like the NSA hack cell phones.

The research was conducted on behalf of a major European government customer.

The research focused on two main areas of attack:
The SS7 Protocol on Cellular Networks
Over the air attacks using IMSI Catchers

SS7 Vulnerabilities

Our focus is on the results of testing cellular networks

Not on theoretical attacks

First to present these results publicly

To benefit providers, banking, government and others

In December 2014 Tobias Engel from GSMK Cryptophone demonstrated many of the attacks at the Chaos Communications Congress.

PT Security, Orange & Adaptive Mobile all released reports supporting the vulnerabilities.

GSMA formally acknowledged the vulnerabilities to members

Network Reactions

Many network operators responded immediately and began looking at ways to minimize the vulnerabilities discovered over SS7.

Some operators assumed their networks were not vulnerable to these attacks.

Senior executives generally expressed concern regarding the possible vulnerabilities

However many of the people responsible for SS7 at the providers considered the attacks fictional

Scale of SS7 Traffic

Until you can visualize all the data, it’s difficult to comprehend the sheer scale of SS7 traffic traversing the networks.

Penetration Testing

In November 2014 we commenced penetration testing in Europe. Over the following 12 months we rolled out penetration testing worldwide.

There are over 820 network operators using SS7.

To this date less than 5% of network operators have been penetration tested.

Tracking & Interception Results

Tracking via SS7

[Diagram: five-step message flow over the SS7 Interconnect between HLR and VLR/MSC. Step text not recoverable; surviving operation labels: anyTimeInterrogation, provideSubscriberInfo.]

The anyTimeInterrogation request enables asking for the Global Cell-ID, a privacy violation by any attacker with SS7/MAP access

How many networks were vulnerable to tracking by third parties?

[Result figure not recoverable.]

Listening via SS7

[Diagram: SS7 Interconnect. Labels not recoverable.]

The same approach can be used for SMS data

How many networks were vulnerable?

[Result figure not recoverable.]

Billing, Banking & Fraud

SMS Banking Authentication

[Diagram: four-step message flow over the SS7 Interconnect. Step text not recoverable; surviving operation labels: updateLocation, sendRoutingInfoForSM, mtForwardSM.]

Could this happen to you?

[Result figure not recoverable.]

Unbilled Calls

[Diagram: three-step message flow over the SS7 Interconnect. Step text not recoverable; surviving operation label: deleteSubscriberData.]

How much money can be lost through this attack? With one SIM card an operator lost $250k in 10 minutes

The amount of SIM cards used is limitless

USSD Codes

USSD codes can be executed for other subscribers

Some carriers offer transfer of prepaid credits via USSD

Call forwarding can be set/deleted

Switch active SIM in case of Multi-SIM

How many networks did this affect?

[Result figure not recoverable.]

More Testing

More penetration testing is needed

Within the next 12 months we expect to test another 40 to 60 providers

In some cases government may be needed to address national security concerns
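
A defensive illustration of the MAP operations named in the SS7 slides above (an added example, not part of the presentation): a screening pass over interconnect records that blocks anyTimeInterrogation from outside the network, accepts provideSubscriberInfo and deleteSubscriberData only from the subscriber's home network, and flags an external updateLocation that follows recent home activity. The record layout, Global Title prefixes, IMSIs and the 600-second window are constructed assumptions.

```python
# Added example: screening MAP operations observed at the SS7 interconnect.
# Every Global Title (GT), IMSI and timestamp below is a constructed placeholder.
OWN_GT = "99900"                                   # assumed GT prefix of our own network
HOME_GT_OF = {"99901": "99900", "99902": "99911"}  # assumed IMSI prefix -> home network GT prefix
INTERNAL_ONLY = {"anyTimeInterrogation"}           # no reason to arrive from another network
HOME_ONLY = {"provideSubscriberInfo", "deleteSubscriberData"}  # only the subscriber's HLR should send


def screen(records, window=600):
    """Return one verdict per record: 'allow', 'review' or 'block'."""
    last_home = {}  # IMSI -> time the subscriber was last served by our own network
    verdicts = []
    for r in records:
        external = not r["gt"].startswith(OWN_GT)  # calling GT is taken at face value here
        home_gt = HOME_GT_OF.get(r["imsi"][:5])
        if not external:
            last_home[r["imsi"]] = r["ts"]
            verdict = "allow"
        elif r["op"] in INTERNAL_ONLY:
            verdict = "block"
        elif r["op"] in HOME_ONLY:
            ok = home_gt is not None and r["gt"].startswith(home_gt)
            verdict = "allow" if ok else "block"
        elif r["op"] == "updateLocation":
            # A subscriber seen at home moments ago cannot plausibly be roaming elsewhere.
            seen = last_home.get(r["imsi"])
            recent = seen is not None and r["ts"] - seen < window
            verdict = "review" if recent else "allow"
        else:
            verdict = "allow"
        verdicts.append(verdict)
    return verdicts


SAMPLE = [  # constructed records: ts in seconds, gt = calling Global Title
    {"ts": 0, "op": "updateLocation", "gt": "9990010", "imsi": "999010000000001"},
    {"ts": 60, "op": "anyTimeInterrogation", "gt": "9992210", "imsi": "999010000000001"},
    {"ts": 90, "op": "provideSubscriberInfo", "gt": "9992210", "imsi": "999010000000001"},
    {"ts": 120, "op": "provideSubscriberInfo", "gt": "9991150", "imsi": "999020000000007"},
    {"ts": 200, "op": "updateLocation", "gt": "9992210", "imsi": "999010000000001"},
    {"ts": 5000, "op": "deleteSubscriberData", "gt": "9992210", "imsi": "999020000000007"},
]

if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE, screen(SAMPLE)):
        print(f'{verdict:6} {rec["op"]:22} from {rec["gt"]} for {rec["imsi"]}')
```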

IMSI Catchers & Cell Manipulation

What’s an IMSI Catcher

IMSI - Individual Mobile Subscriber Identity

An IMSI Catcher is a device that pretends to be a cell tower in order to trick your phone into connecting to it.

In truth, your phone has no idea the IMSI Catcher is not part of the real network.

Why do phones trust them

Cell phones are designed to look for other towers with better reception.

The IMSI Catcher operator must adjust settings to replicate a cell tower in your area.

The phone will connect to the IMSI catcher if it’s made to look more ‘attractive’ than the real network.

How do they work

A catch-all IMSI Catcher is configured to tell all cell phones within range that it is the only available cell tower.

Tricking your phone into thinking it's the only available connection.

A catch-all IMSI Catcher can be used for collecting IMSIs from a particular area or to deny service to cell phone users.

By not configuring the IMSI Catcher to pass calls to the networks the user's phone can’t call out.

Tracking with IMSI Catchers

They can be used for collecting IMSIs from a particular area or to deny service to cell phones that connect to it.

Most IMSI Catchers used by local law enforcement are used for tracking.

By knowing a target's IMSI, the operator can program the IMSI Catcher to only connect with that target’s phone when in range.

Once connected the operator uses a process of RF Mapping to direction find the target.

Can an IMSI Catcher listen to calls

A basic IMSI catcher just captures the cell phone’s IMSI number.

To intercept calls it would require a number of additional features charged for separately by manufacturers

2G calls are easy to listen to. Systems for this have been available for over a decade and can be built for less than $1500.

The price of these call intercept systems is based on the number of cellular bands (2G/3G/4G), effective range, decryption speed.

Are 3G & 4G calls safe

Yes, kind of. 3G and 4G use better encryption for calls than 2G. But...

IMSI Catchers can feature add-ons that trick a 3G or 4G phone into thinking those connections are unavailable.

Your 3G or 4G phone is then forced to drop down to the weaker 2G encryption. Ripe and ready for monitoring.

‘Forced’ by either telling the phone to switch, or jamming 3/4G networks so only the 2G signal from the IMSI catcher is available.

With SS7 access the attacker can get the key needed to decrypt your 3G/4G communications.

Detecting IMSI Catchers

Network Operators sometimes see the anomalies but cannot locate them or verify what they are.

The FCC has teams of people to deal with network anomalies. However knowledge of IMSI Catcher operation and response times are an issue.

Cell phone users often download apps to detect IMSI catchers. But most of these cannot verify what signal is received over the radio stack.

IMSI Catchers across the USA

78 IMSI Catchers detected in 2015

8 of those were mobile at the time of detection

80 cell towers with encryption disabled

7 cases of operators using the same channel in a coverage area

Los Angeles

Detected 20 different cases of cellular jamming

7 IMSI Catchers

Washington DC

9 IMSI Catchers in just 3 days of surveys

3 of those focused on the same target area

New York

11 cases of cell jamming over 3 days

7 IMSI Catchers deployed across Brooklyn, Manhattan & Financial District

Around the World

More than 140 IMSI Catchers detected

Hundreds of cell towers with encryption disabled

Detected 7 IMSI Catchers operating in one Middle Eastern city in 45 minutes

What can be done

In reality network operators need to consider the effect of IMSI Catchers on customer services

Government needs to take a proactive role in detecting and prosecuting users of IMSI Catchers

Prompt investigation of potential threats is required

To defend against IMSI Catchers, you need to be able to find them first.

Questions

info@esdamerica.com

esdamerica.com
