#RSAC
Ghosts in the Network: SS7 and RF Vulnerabilities in Cellular Networks
SESSION ID: MBS-T10R
Trent Smith, Director of Project Overwatch, ESD America Inc, @trentatesd
Les Goldsmith, Chief Executive Officer, ESD America Inc, @lesatesd

Who are we
ESD America is the North American & Asian Distributor of GSMK Cryptophone.
5 years ago we commenced a joint research project into ways that groups like the NSA hack cell phones.
The research was conducted on behalf of a major European government customer.
The research focused on two main areas of attack:
The SS7 Protocol on Cellular Networks
Over the air attacks using IMSI Catchers

SS7 Vulnerabilities
Our focus is on the results of testing cellular networks
Not on theoretical attacks
First to present these results publicly
To benefit providers, banking, government and others

SS7 Vulnerabilities
In December 2014 Tobias Engel from GSMK Cryptophone demonstrated many of the attacks at the Chaos Communications Congress.

SS7 Vulnerabilities
PT Security, Orange & Adaptive Mobile all released reports supporting the vulnerabilities.
GSMA formally acknowledged the vulnerabilities to members

Network Reactions
Many network operators responded immediately and began looking at ways to minimize the vulnerabilities discovered over SS7.
Some operators assumed their networks were not vulnerable to these attacks.

Network Reactions
Senior executives generally expressed concern regarding the possible vulnerabilities
However, many of the people responsible for SS7 at the providers considered the attacks fictional

Scale of SS7 Traffic
Until you can visualize all the data, it’s difficult to comprehend the sheer scale of SS7 traffic traversing the networks.

Penetration Testing
In November 2014 we commenced penetration testing in Europe. Over the following 12 months we rolled out penetration testing worldwide.
There are over 820 network operators using SS7.
To this date less than 5% of network operators have been penetration tested.

Tracking & Interception Results

Tracking via SS7
[Diagram: SS7 Interconnect, HLR, VLR/MSC. Five numbered steps; only the MAP operation names survive: step 1 anyTimeInterrogation, step 2 provideSubscriberInfo.]
The anyTimeInterrogation request enables asking for the Global Cell-ID, a privacy violation by any attacker with SS7/MAP access

Tracking via SS7
How many networks were vulnerable to tracking by third parties?
[Figure: result not recoverable]

Listening via SS7
[Diagram: SS7 Interconnect; remaining labels not recoverable.]
The same approach can be used for SMS data

Listening via SS7
How many networks were vulnerable?
[Figure: result not recoverable]

Billing, Banking & Fraud

SMS Banking Authentication
[Diagram: SS7 Interconnect. Four numbered steps; only the MAP operation names survive: step 1 updateLocation, step 3 sendRoutingInfoForSM, step 4 mtForwardSM.]

SMS Banking Authentication
Could this happen to you?
[Figure: result not recoverable]

Unbilled Calls
[Diagram: SS7 Interconnect. Three numbered steps; only the MAP operation name in step 1 survives: deleteSubscriberData.]

Unbilled Calls
How much money can be lost through this attack?
With one SIM card an operator lost $250k in 10 minutes
The number of SIM cards used is limitless
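
The MAP operations named on the SS7 slides above can be screened where they arrive at the interconnect. The Python below is an added example, not material from the presentation: it applies three screening rules to constructed message records, and the GT and IMSI prefixes, the record layout, the rule grouping and the one-hour plausibility window are all assumptions.

```python
from dataclasses import dataclass

# Everything here is constructed for illustration: prefixes, IMSIs, records.
HOME_GT = "99900"      # assumed global-title prefix of our own nodes
HOME_IMSI = "99901"    # assumed MCC+MNC prefix of our own subscribers
MIN_TRAVEL_S = 3600    # assumed minimum time to leave home coverage

# Operations named on the slides; the grouping is this example's policy.
INTERNAL_ONLY = {"anyTimeInterrogation"}
HLR_TO_VLR = {"provideSubscriberInfo", "deleteSubscriberData"}

@dataclass
class MapMsg:
    ts: int           # arrival time, epoch seconds
    calling_gt: str   # SCCP calling-party global title
    operation: str    # MAP operation name
    imsi: str         # subscriber concerned (assumed already resolved to IMSI)

def screen(msg, last_home_seen):
    """Return (verdict, reason) for one message arriving at the interconnect.
    last_home_seen maps IMSI -> last time our own network served it."""
    external = not msg.calling_gt.startswith(HOME_GT)
    ours = msg.imsi.startswith(HOME_IMSI)
    if not (external and ours):
        return "pass", "not an external request about our subscriber"
    if msg.operation in INTERNAL_ONLY:
        return "block", "internal-only operation from external GT"
    if msg.operation in HLR_TO_VLR:
        return "block", "only our own HLR should send this for our subscriber"
    if msg.operation == "updateLocation":
        seen = last_home_seen.get(msg.imsi)
        if seen is not None and msg.ts - seen < MIN_TRAVEL_S:
            return "alert", "implausible move away from home network"
    return "pass", "no rule matched"

def run_sample():
    """Screen six constructed records and return the verdicts in order."""
    sub = "999010000000001"
    last_home_seen = {sub: 1_000_000}
    sample = [
        MapMsg(1_000_100, "88800123", "anyTimeInterrogation", sub),
        MapMsg(1_000_200, "99900456", "provideSubscriberInfo", sub),  # own HLR
        MapMsg(1_000_300, "88800123", "deleteSubscriberData", sub),
        MapMsg(1_000_400, "88800123", "updateLocation", sub),   # 400 s after home use
        MapMsg(1_090_000, "88800123", "updateLocation", sub),   # a day later
        MapMsg(1_000_500, "88800123", "sendRoutingInfoForSM", sub),  # not screened here
    ]
    return [screen(m, last_home_seen)[0] for m in sample]
```
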

USSD Codes
USSD codes can be executed for other subscribers
Some carriers offer transfer of prepaid credits via USSD
Call forwarding can be set/deleted
Switch active SIM in case of Multi-SIM

USSD Codes
How many networks did this affect?
[Figure: result not recoverable]

More Testing
More penetration testing is needed
Within the next 12 months we expect to test another 40 to 60 providers
In some cases government may be needed to address national security concerns

IMSI Catchers & Cell Manipulation

What’s an IMSI Catcher
IMSI - Individual Mobile Subscriber Identity
An IMSI Catcher is a device that pretends to be a cell tower in order to trick your phone into connecting to it.
In truth, your phone has no idea the IMSI Catcher is not part of the real network.

Why do phones trust them
Cell phones are designed to look for other towers with better reception.
The IMSI Catcher operator must adjust settings to replicate a cell tower in your area.
The phone will connect to the IMSI catcher if it’s made to look more ‘attractive’ than the real network.

How do they work
A catch-all IMSI Catcher is configured to tell all cell phones within range that it is the only available cell tower.
Tricking your phone into thinking it’s the only available connection.
A catch-all IMSI Catcher can be used for collecting IMSIs from a particular area or to deny service to cell phone users.
By not configuring the IMSI Catcher to pass calls to the networks, the user’s phone can’t call out.

Tracking with IMSI Catchers
They can be used for collecting IMSIs from a particular area or to deny service to cell phones that connect to it.
Most IMSI Catchers used by local law enforcement are used for tracking.
By knowing a target’s IMSI, the operator can program the IMSI Catcher to only connect with that target’s phone when in range.
Once connected, the operator uses a process of RF Mapping to direction-find the target.

Can an IMSI Catcher listen to calls
A basic IMSI catcher just captures the cell phone’s IMSI number.
To intercept calls it would require a number of additional features charged for separately by manufacturers
2G calls are easy to listen to. Systems for this have been available for over a decade and can be built for less than $1500.
The price of these call intercept systems is based on the number of cellular bands (2G/3G/4G), effective range, decryption speed.

Are 3G & 4G calls safe
Yes, kind of. 3G and 4G use better encryption for calls than 2G. But..
IMSI Catchers can feature add-ons that trick a 3G or 4G phone into thinking those connections are unavailable.
Your 3G or 4G phone is then forced to drop down to the weaker 2G encryption. Ripe and ready for monitoring.
‘Forced’ by either telling the phone to switch, or jamming 3/4G networks so only the 2G signal from the IMSI catcher is available.
With SS7 access the attacker can get the key needed to decrypt your 3G/4G communications.

Detecting IMSI Catchers
Network Operators sometimes see the anomalies but cannot locate them or verify what they are.
The FCC has teams of people to deal with network anomalies. However knowledge of IMSI Catcher operation and response times are an issue.
Cell phone users often download apps to detect IMSI catchers. But most of these cannot verify what signal is received over the radio stack.
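
The behaviours described on the preceding slides (a cell that presents itself as the only tower, a forced drop to 2G, encryption switched off, a channel reused inside a coverage area) can be checked together against serving-cell observations. The Python below is an added example, not material from the presentation: the observation fields, the sample values and the two-indicator threshold are assumptions, and it presumes a monitor that can read these values from the radio stack.

```python
# Constructed serving-cell observations; field names and values are
# assumptions made for this example.
OBS = [
    {"t": 0,  "rat": "4G", "cell": "A1", "chan": 1800, "cipher": True,  "neighbours": 5},
    {"t": 30, "rat": "2G", "cell": "B2", "chan": 62,   "cipher": True,  "neighbours": 4},
    {"t": 60, "rat": "4G", "cell": "A1", "chan": 1800, "cipher": True,  "neighbours": 5},
    {"t": 90, "rat": "2G", "cell": "Z9", "chan": 62,   "cipher": False, "neighbours": 0},
]

def indicators(prev, cur, channel_owner):
    """List the slide-described anomalies present in one observation."""
    found = []
    if not cur["cipher"]:
        found.append("encryption disabled")
    if prev and prev["rat"] in ("3G", "4G") and cur["rat"] == "2G":
        found.append("downgrade to 2G")
    if cur["neighbours"] == 0:
        # A cell advertising no neighbours presents itself as the only tower.
        found.append("no neighbour cells advertised")
    owner = channel_owner.get(cur["chan"])
    if owner is not None and owner != cur["cell"]:
        found.append("channel already used by another cell")
    return found

def scan(observations, threshold=2):
    """Return (time, cell, indicators) for observations with at least
    `threshold` indicators. One indicator alone is not reported because,
    for example, a fallback to 2G also happens in weak coverage."""
    channel_owner, prev, alerts = {}, None, []
    for cur in observations:
        hits = indicators(prev, cur, channel_owner)
        if len(hits) >= threshold:
            alerts.append((cur["t"], cur["cell"], hits))
        # Remember the first cell seen on each channel in this area.
        channel_owner.setdefault(cur["chan"], cur["cell"])
        prev = cur
    return alerts
```
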

IMSI Catchers across the USA
78 IMSI Catchers detected in 2015
8 of those were mobile at the time of detection
80 Cell towers with encryption disabled
7 cases of operators using the same channel in a coverage area

Los Angeles
Detected 20 different cases of cellular jamming
7 IMSI Catchers

Washington DC
9 IMSI Catchers in just 3 days of surveys
3 of those focused on the same target area

New York
11 Cases of Cell Jamming over 3 days
7 IMSI Catchers deployed across Brooklyn, Manhattan & Financial District

Around the World
More than 140 IMSI Catchers detected
Hundreds of cell towers with encryption disabled
Detected 7 IMSI Catchers operating in one Middle Eastern city in 45 minutes

What can be done
In reality network operators need to consider the effect of IMSI Catchers on customer services
Government needs to take a proactive role in detecting and prosecuting users of IMSI Catchers
Prompt investigation of potential threats is required
To defend against IMSI Catchers, you need to be able to find them first.