Presented on 6 November 2015 at the Tech and Law Center event (ITA) "Intercettazioni: tutto quello che non avreste voluto sapere" (Interceptions: everything you never wanted to know)
http://www.techandlaw.net/news/intercettazioni-tutto-quello-che-non-avreste-voluto-sapere.html
3. Mobile communications have been secretly intercepted for decades
[Figure: three generations of IMSI catchers: stationary catcher (1990), portable catcher (2000), handheld catcher (2015)]
IMSI catchers are the well-known devices that police and intelligence agencies have used to locate and spy on mobile users since the beginning of GSM.
4. GSM interception is now available to the masses
Years of research unearthed important GSM vulnerabilities and produced low-cost IMSI catchers and passive interception systems:
[Figure: software / hardware / price (year)]
OpenBTS/Airprobe on a USRP + RFX900: about $1000 (1998)
CalypsoBTS/OsmocomBB on a Motorola C123: $20-$50 (2010)
OsmoSDR/Airprobe on a USB DVB-T stick: under $10 (2015)
5. Listening to broadcast channels can disclose local user identities
Mitigation
Avoid paging by IMSI as much as possible
Frequently refresh TMSIs
Risk
Detect user presence
Use IMSIs for further attacks
Source code: git://git.osmocom.org/osmocom-bb
[Figure: the cell repeatedly asks "IMSI?" on the broadcast channel, where any passive listener can read the identities being paged]
6. Passive GSM intercept is still a major privacy risk in many countries
Mitigation
Adopt randomization techniques
Use a strong cipher (A5/3 or A5/4)
Risk
Intercept calls and SMS
Follow user movements
Tutorial: https://srlabs.de/decrypting_gsm
Source code: https://opensource.srlabs.de/projects/a51-decrypt
In the past two years we found networks using no encryption in these countries: Cambodia, China, Hong Kong, India, Israel, Kyrgyzstan, Lebanon, Morocco, Myanmar, Pakistan, Vietnam.
[Figure: voice/SMS -> encrypted frames -> Kraken -> decrypted voice/SMS]
The common GSM encryption standard A5/1 can be cracked with rainbow tables on an ordinary PC with a GPU and 2 TB of disk, while A5/2 can be cracked very quickly by brute force on a CPU alone.
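To make concrete what the Kraken rainbow tables have to invert, here is an A5/1 keystream generator written as an added example for this page (it is not the slides' code nor SRLabs' tooling). It follows the register layout and bit ordering of the public reference implementation; the key, frame number and "known plaintext" frame at the bottom are constructed for the demo. The last function is the step a passive attacker performs before consulting the tables: a frame with predictable content gives up its keystream as ciphertext XOR plaintext.

```python
"""A5/1 keystream generator (added example, not the page's or SRLabs' code): a 64-bit
Kc and a 22-bit frame number yield 228 keystream bits (114 downlink + 114 uplink).
Register layout and bit order follow the public reference implementation."""

R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF   # 19-, 22- and 23-bit registers
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # feedback taps 18,17,16,13 / 21,20 / 22,21,20,7
R1_MID, R2_MID, R3_MID = 0x000100, 0x000400, 0x000400      # clocking bits 8 / 10 / 10


def _parity(x):
    return bin(x).count("1") & 1


def _step(reg, mask, taps):
    """Shift the LFSR once, feeding back the parity of its tapped bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, kc, frame):
        """kc: the 8-byte session key; frame: the 22-bit TDMA frame number (COUNT)."""
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):                        # key bits, LSB of each byte first
            self._clock_all((kc[i // 8] >> (i & 7)) & 1)
        for i in range(22):                        # then the frame number bits
            self._clock_all((frame >> i) & 1)
        for _ in range(100):                       # 100 irregularly clocked warm-up steps, output discarded
            self._clock()

    def _clock_all(self, bit):
        """Regular clocking used during key setup: all three registers move, bit XORed into each LSB."""
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS) ^ bit
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS) ^ bit
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS) ^ bit

    def _clock(self):
        """Majority clocking: a register moves only if its clocking bit agrees with the majority."""
        b1, b2, b3 = bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def bits(self, n):
        """Next n keystream bits: XOR of the three registers' top bits after each clock."""
        out = []
        for _ in range(n):
            self._clock()
            out.append((self.r1 >> 18) ^ (self.r2 >> 21) ^ (self.r3 >> 22))
        return out


def keystream(kc, frame):
    """Return (downlink, uplink): 114 bits each, in that order, for one frame number."""
    g = A51(kc, frame)
    return g.bits(114), g.bits(114)


def bits_to_bytes(bits):
    """Pack bits MSB-first, the convention used by the published test vectors."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i // 8] |= b << (7 - (i & 7))
    return bytes(out)


def recover_keystream(cipher_bits, known_plain_bits):
    """The step that feeds Kraken: a frame whose plaintext is predictable (for example a
    system information message) leaks its keystream as ciphertext XOR plaintext."""
    return [c ^ p for c, p in zip(cipher_bits, known_plain_bits)]


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789abcdef")           # constructed key (the reference test-vector key)
    dl, ul = keystream(kc, 0x134)
    known_plain = [0] * 114                           # constructed: a frame of known content
    cipher = [p ^ k for p, k in zip(known_plain, dl)]
    print("downlink keystream:", bits_to_bytes(dl).hex())
    print("recovered == generated:", recover_keystream(cipher, known_plain) == dl)
```

Every frame gets a different keystream from the same Kc because the frame number is mixed in during setup, which is why the tables are indexed by keystream and not by key, and why one recovered Kc decrypts the whole call.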
7. GPRS settings (mobile data) can greatly differ from voice and SMS
Mitigation
Double check radio security settings
Use a strong cipher (GEA/3 or GEA/4)
Risk
Intercept mobile data traffic
Follow user movements
Tutorial: https://srlabs.de/gprs
Some operators surprisingly forget to turn on encryption for GPRS (or even UMTS), leaving passive sniffers full access to mobile Internet traffic.
8. Missing authentication enables user impersonation and fraud
Mitigation
Always require user authentication
Move to a more recent radio generation
Risk
Spoof caller ID for calls and SMS
Send premium SMS (fraud)
No code available
[Figure: (1) an SMS for TMSI 0x8a13b0cf is captured, (2) the key is recovered, (3) a call is placed from TMSI 0x8a13b0cf]
Step 1: Capture a call or SMS directed to the victim.
Step 2: Recover the key if the transaction was encrypted.
Step 3: Start a call or send an SMS impersonating the victim, using its TMSI and key.
A similar attack can be applied to mobile terminated traffic
9. Rogue base stations can massively collect user identities
Mitigation
Monitor radio traffic to detect anomalies
Force mobile to use only 3G/4G networks
Risk
Collect user identities in that area
Use IMSIs for further attacks
Source code: http://openbts.org/get-the-code
[Figure: a fake cell (CID 3, LAC 9, frequency 6, high power) triggers a Location Update Request (LUR) from the victim; the catcher's log:]
Time      IMSI      IMEI      LAC/TA
13:37:37  22288...  35612...  1 / 2
13:37:42  22201...  01851...  1 / 1
The catching process works as follows:
1. The victim is attracted to the catcher by its strong signal.
2. The fake tower requests all the relevant information about the user and the device.
3. The victim is pushed back to the original cell and gets normal coverage as before.
4. No evidence is left on the mobile, but the catcher has a full log of users.
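Both slide 5 (identities read off the paging channel) and slide 9 (identities a fake cell collects through a forced Location Update) come down to decoding the same GSM 04.08 Mobile Identity element. The following decoder is an added example for this page, not Osmocom or OpenBTS code. It assumes the Layer 3 payload has already been unwrapped from its LAPDm/pseudo-length framing, handles only Paging Request Type 1, and every frame below is constructed for the demo (the TMSI 0x8a13b0cf is the one shown on slide 8; the IMSI and IMEI digits are made up).

```python
"""Decoder for the GSM 04.08 Mobile Identity IE and the air-interface messages that
carry it: Paging Request Type 1 (paging channel, slide 5) and the Location Updating
Request / Identity Response a fake cell elicits (slide 9). Added example, not
Osmocom/OpenBTS code; assumes the L3 payload is already free of LAPDm framing."""
from collections import Counter

MI_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


def decode_mobile_identity(ie):
    """Mobile Identity value part (04.08 10.5.1.4): octet 1 holds digit 1 in the high
    nibble, the odd/even flag in bit 4 and the type in bits 1-3; digits then follow
    two per octet, low nibble first, with 0xF padding an even count. A TMSI is four
    raw bytes after a 0xF4 octet."""
    if not ie:
        return ("none", None)
    id_type, odd = ie[0] & 0x07, bool(ie[0] & 0x08)
    if id_type == 4:
        if len(ie) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return ("TMSI", ie[1:].hex())
    if id_type not in MI_TYPES:
        return ("none", None)
    digits = [str(ie[0] >> 4)]
    for b in ie[1:]:
        digits += [str(b & 0x0F), str(b >> 4)]
    if not odd:
        digits.pop()                      # drop the 0xF filler nibble
    return (MI_TYPES[id_type], "".join(digits))


def _lv(buf, pos):
    """Read a length-prefixed IE at pos; return (value, position after it)."""
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n], pos + 1 + n


def parse_l3(msg):
    """Classify one L3 message by protocol discriminator and message type and pull
    out every Mobile Identity it carries. Unknown messages come back as 'other'."""
    pd, mt, ids = msg[0] & 0x0F, msg[1], []
    if pd == 0x06 and mt == 0x21:                   # RR Paging Request Type 1
        mi, pos = _lv(msg, 3)                       # octet 3 = page mode + channels needed
        ids.append(decode_mobile_identity(mi))
        if pos < len(msg) and msg[pos] == 0x17:     # optional Mobile Identity 2 (TLV, IEI 0x17)
            mi, pos = _lv(msg, pos + 1)
            ids.append(decode_mobile_identity(mi))
        return {"msg": "paging_request_1", "ids": ids}
    if pd == 0x05 and mt == 0x08:                   # MM Location Updating Request
        lac = int.from_bytes(msg[6:8], "big")       # LAI = MCC/MNC (3 octets) + LAC (2)
        mi, _ = _lv(msg, 9)                         # after LAI and Mobile Station Classmark 1
        ids.append(decode_mobile_identity(mi))
        return {"msg": "location_updating_request", "old_lac": lac, "ids": ids}
    if pd == 0x05 and mt == 0x19:                   # MM Identity Response
        mi, _ = _lv(msg, 2)
        ids.append(decode_mobile_identity(mi))
        return {"msg": "identity_response", "ids": ids}
    return {"msg": "other", "ids": ids}


def paging_stats(frames):
    """Slide 5: share of pagings done by IMSI rather than TMSI on one cell's paging channel."""
    seen = Counter()
    for f in frames:
        r = parse_l3(f)
        if r["msg"] == "paging_request_1":
            seen.update(t for t, _ in r["ids"])
    total = seen["IMSI"] + seen["TMSI"]
    return {"imsi": seen["IMSI"], "tmsi": seen["TMSI"],
            "imsi_ratio": seen["IMSI"] / total if total else 0.0}


def catcher_log(uplink_msgs):
    """Slide 9: what a rogue cell learns from one mobile it forced into a Location Update."""
    rec = {}
    for m in uplink_msgs:
        r = parse_l3(m)
        rec.update({t: v for t, v in r["ids"] if v})
        if "old_lac" in r:
            rec["old_lac"] = r["old_lac"]
    return rec


# Constructed frames (hex), not captured traffic.
PAGING_CAPTURE = [bytes.fromhex(h) for h in (
    "06210008" "2922881032547698",                  # paging by IMSI 222880123456789
    "06210005" "f48a13b0cf",                        # paging by TMSI 0x8a13b0cf
    "06210005" "f48a13b0cf" "1705f4deadbeef",       # paging with two TMSIs
)]
CATCHER_SESSION = [bytes.fromhex(h) for h in (
    "050870" "22f288" "0001" "33" "08" "2922881032547698",   # LUR: IMSI, previous LAC 1
    "0519" "08" "3a65210021436587",                           # Identity Response: IMEI
)]

if __name__ == "__main__":
    print(paging_stats(PAGING_CAPTURE))
    print(catcher_log(CATCHER_SESSION))
```

A network following the slide 5 mitigation shows an `imsi_ratio` close to zero on its paging channels; the slide 9 log is exactly the IMSI, IMEI and previous LAC the catcher's table displays, obtained without any key material.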
10. More sophisticated fake cell towers can take full control of users
Mitigation
Monitor radio traffic to detect anomalies
Force mobile to use only 3G/4G networks
Risk
Intercept voice/SMS/mobile data
Manipulate traffic in both directions
No code available
[Figure: Victim <-> fake cell tower (with Kraken) <-> real network]
On the victim side, communication is forced to weak encryption so that the key can be cracked in real time with Kraken; calls and SMS are logged and manipulated. On the network side, the real network can still enforce strong encryption and perform authentication, because the victim itself provides valid responses to any sort of request.
11. Persistent malware on the SIM can be remotely installed via SMS
Mitigation
Patch vulnerable SIM cards
Block binary SMS from unknown origins
Risk
Intercept voice/SMS/mobile data
User location tracking (fine-grained)
Tutorial: https://srlabs.de/rooting-sim-cards
Source code: https://opensource.srlabs.de/git/SIMtester.git
Low security and software bugs give the attacker a completely stealthy remote location-tracking system or a decryption oracle. A specially crafted binary SMS transparently reaches the SIM and makes the mobile send back a signed response that the attacker can crack: using rainbow tables, the DES signature can be cracked and the attacker gains admin privileges on the SIM.
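The "special broken binary SMS" is an OTA command packet in the GSM 03.48 secured-packet format, and the properties that make the attack possible (no signature on the command, a signed proof of receipt requested, a single-DES signing key) are all visible in its header. The checker below is an added example for this page, not SRLabs' SIMtester; it parses that header and lists the reasons a SIM should drop, or an operator's SMS filter should flag, such a packet. Both sample packets are constructed (TAR, counter, MAC and payload bytes are made up).

```python
"""Parser and risk check for a GSM 03.48 OTA command packet as carried in a binary
SIM data download SMS. Added example, not SRLabs' SIMtester; the packets are constructed."""

INTEGRITY = {0: "none", 1: "RC", 2: "CC", 3: "DS"}
ALG = {0: "implicit", 1: "DES", 2: "reserved", 3: "proprietary"}
DES_MODE = {0: "DES-CBC", 1: "3DES-2key", 2: "3DES-3key", 3: "DES-ECB"}
POR = {0: "none", 1: "always", 2: "on error", 3: "reserved"}


def parse_kic_kid(b):
    """KIc/KID octet: b1b2 algorithm, b3b4 mode (meaningful for DES), b5-b8 key index."""
    alg = ALG[b & 0x03]
    return {"alg": alg, "mode": DES_MODE[(b >> 2) & 0x03] if alg == "DES" else None,
            "key_index": b >> 4}


def parse_command_packet(pkt):
    """Layout: CPL(2) CHL(1) SPI(2) KIc(1) KID(1) TAR(3) CNTR(5) PCNTR(1) RC/CC/DS(var) data.
    CHL counts from SPI to the end of RC/CC/DS, so the MAC length is CHL - 13."""
    if int.from_bytes(pkt[0:2], "big") != len(pkt) - 2:
        raise ValueError("CPL does not match packet length")
    chl, spi1, spi2 = pkt[2], pkt[3], pkt[4]
    return {
        "cmd_integrity": INTEGRITY[spi1 & 0x03],
        "cmd_ciphered": bool(spi1 & 0x04),
        "counter_mode": (spi1 >> 3) & 0x03,        # 0 = no counter, 3 = must be one higher
        "por": POR[spi2 & 0x03],
        "por_integrity": INTEGRITY[(spi2 >> 2) & 0x03],
        "por_ciphered": bool(spi2 & 0x10),
        "por_via_submit": bool(spi2 & 0x20),       # 1 = reply as SMS-SUBMIT, 0 = DELIVER-REPORT
        "kic": parse_kic_kid(pkt[5]),
        "kid": parse_kic_kid(pkt[6]),
        "tar": pkt[7:10].hex(),
        "cntr": int.from_bytes(pkt[10:15], "big"),
        "pcntr": pkt[15],
        "rc_cc_ds": pkt[16:16 + (chl - 13)].hex(),
        "data": pkt[3 + chl:].hex(),
    }


def assess(pkt):
    """Reasons to drop or flag the packet; an empty list means nothing suspicious."""
    h = parse_command_packet(pkt)
    flags = []
    if h["cmd_integrity"] == "none" and h["por_integrity"] in ("CC", "DS"):
        flags.append("unsigned command asking for a signed PoR: signature-oracle probe")
    if h["kid"]["alg"] == "DES" and h["kid"]["mode"] in ("DES-CBC", "DES-ECB"):
        flags.append("single-DES KID: the PoR signature is crackable with rainbow tables")
    if h["counter_mode"] == 0:
        flags.append("no replay counter: captured packets can be replayed")
    if h["por"] != "none" and h["por_via_submit"]:
        flags.append("PoR returned as SMS-SUBMIT: the reply leaves the phone silently")
    return flags


# Constructed packets. PROBE: no command signature, PoR always, PoR with CC, via SUBMIT,
# KID = single DES key 1. NORMAL: CC on command, ciphered, strict counter, 3DES keys.
PROBE = bytes.fromhex("0015" "0d" "0029" "00" "11" "b00010" "0000000000" "00" "a0a40000023f00")
NORMAL = bytes.fromhex("001a" "15" "1e0a" "25" "25" "b00010" "000000002a" "00"
                       "1122334455667788" "deadbeef")

if __name__ == "__main__":
    for name, pkt in (("probe", PROBE), ("normal", NORMAL)):
        print(name, assess(pkt) or ["ok"])
```

The probe is exactly what the slide describes: the SIM rejects the unsigned command but, because the SPI asks for a signed proof of receipt, answers with a DES-signed error that the sender can attack offline.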
13. Mobile operators share their subscribers' data over trusted clouds
[Figure: networks Net 1 to Net 4 in Country A and Country B, connected through two private interconnect clouds: SS7 signalling (voice, SMS, USSD) and GRX (mobile Internet and MMS), separate from the public Internet]
Only members of the GSM Association should have access to these clouds.
14. User location tracking is cheap and widely available on the Internet
Mitigation
Operators to deploy SMS home routing
Block requests from untrusted sources
Risk
User location retrieval (coarse position)
Entirely stealth and remote tracking
Slides: https://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf
Many providers online offer HLR lookups for just a few dollar cents (try searching Google for "hlr lookup"). Starting from a mobile number, one can see which state and city the mobile user is currently visiting.
15. Fine-grained position is obtainable with roaming related requests
Mitigation
Deploy SS7 filtering at network borders
Block requests from untrusted sources
Risk
User location retrieval (fine-grained)
Remote tracking (not always stealth)
Slides: http://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf
[Figure: Net 2 asks Net 1 over SS7 about the Victim]
Net 2 -> Net 1: "Dear Net 1, my subscriber Victim is currently roaming in your network, could you tell me where and if it's in a call?"
Net 1 -> Net 2: "Sure! Dear Net 2, your Victim is currently served by a cell near the Tour Eiffel and it's not in a call"
16. Trusted network relations can ease spam and frauds attempts
Mitigation
Check plausibility of user requests
Block requests from untrusted sources
Risk
User impersonation (call/SMS fraud)
Mass SMS advertisement delivery
[Figure: Net 2 talks to Net 1 over SS7 about the Victim]
Net 2 -> Net 1: "Dear Net 1, your user Victim is visiting me, can you give me his full profile? And also, he wants to send an SMS to ..."
Net 1 -> Net 2: "Dear Net 2, here is the profile and thanks for the SMS, I will try to deliver it and bill it to Victim"
17. Strong encryption can be defeated by trusted key handovers
Mitigation
Block internal-only SS7 requests
Accept only speakers from a whitelist
Risk
Capture and decrypt user traffic
Reuse keys to spoof legitimate towers
Slides: https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf
[Figure: Net 2 asks Net 1 over SS7 for the Victim's key]
Net 2 -> Net 1: "Dear Net 1, I need immediately the encryption key to connect a call of your subscriber Victim that is coming towards me"
Net 1 -> Net 2: "Dear Net 2, sure! Here is the key and all the rest you need to keep the call going, good luck!"
18. Voice and SMS can be remotely intercepted in several ways
Mitigation
Perform smart SS7 plausibility checks
Accept only speakers from a whitelist
Risk
Intercept calls and SMS
Manipulate/spoof user traffic
Video: www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking
[Figure: over SS7, the attacker rewrites the Victim's call-forwarding settings; Father then calls Victim]
Attacker -> cell XXX: "Dear cell XXX, forget what Net 1 said about Victim, he wants now to forward all his calls to me"
Father tries to call Victim, but the call is immediately rerouted to the attacker, who can start recording and forward it to the Victim.
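Slides 14 to 18 all end in the same two mitigations: accept SS7 speakers only from a whitelist, and check whether what a speaker asks for is plausible. The filter below is an added example for this page, not SRLabs code, of what such screening looks like at an operator's SS7 border. It is illustrative throughout: the roaming-partner list, the rough coordinates used for a velocity check, the 1000 km/h threshold, the choice of sendIdentification and anyTimeInterrogation as "internal-only" operations (a stand-in policy, not a reproduction of the GSMA guidance) and the whole request log are constructed; MAP opcode numbers are the standard ones, and the IMSI prefix logic assumes two-digit MNCs.

```python
"""Illustrative screening of incoming MAP operations at an SS7 border (slides 14-18).
Added example, not SRLabs code; peers, thresholds, policy and the request log are constructed."""
import math

OPCODES = {2: "updateLocation", 45: "sendRoutingInfoForSM", 55: "sendIdentification",
           70: "provideSubscriberInfo", 71: "anyTimeInterrogation"}
INTERNAL_ONLY = {55, 71}     # stand-in policy: key handover (slide 17) and ATI (slide 15) never cross the border
MAX_KMH = 1000.0             # a subscriber cannot move faster than this between two location updates

# Roaming partners keyed by Global Title prefix, with a rough location for the velocity
# check and their MCC+MNC (2-digit MNCs assumed). All constructed.
PEERS = {
    "33661": {"name": "Net 1 (FR)", "plmn": "20810", "pos": (48.85, 2.35)},
    "4917":  {"name": "Net 2 (DE)", "plmn": "26201", "pos": (52.52, 13.40)},
    "6591":  {"name": "Net 3 (SG)", "plmn": "52505", "pos": (1.35, 103.82)},
}


def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points given in degrees."""
    la1, lo1, la2, lo2 = map(math.radians, a + b)
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class InterconnectFilter:
    def __init__(self, peers=PEERS):
        self.peers = peers
        self.last_seen = {}      # imsi -> (timestamp, peer position) of the last accepted updateLocation

    def _peer(self, gt):
        return next((p for prefix, p in self.peers.items() if gt.startswith(prefix)), None)

    def screen(self, req):
        """req: {'ts': seconds, 'opcode': int, 'calling_gt': str, 'imsi': str}. For
        sendRoutingInfoForSM the real request carries an MSISDN; the field is kept for
        uniformity. Returns (action, reason), action in 'allow' / 'block' / 'home-route'."""
        op, imsi = req["opcode"], req["imsi"]
        peer = self._peer(req["calling_gt"])
        if peer is None:                                    # slides 15-18: whitelist of speakers
            return ("block", "calling GT is not a known roaming partner")
        if op in INTERNAL_ONLY:                             # slides 15, 17: never over the interconnect
            return ("block", OPCODES[op] + " is internal-only")
        if op == 70 and not imsi.startswith(peer["plmn"]):  # slide 15: only the home HLR may ask
            return ("block", "provideSubscriberInfo from an HLR that does not own this IMSI")
        if op == 2:                                         # slides 16, 18: can the subscriber be there?
            prev = self.last_seen.get(imsi)
            if prev is not None:
                hours = max(req["ts"] - prev[0], 1) / 3600.0
                if distance_km(prev[1], peer["pos"]) / hours > MAX_KMH:
                    return ("block", "implausible velocity since the last location update")
            self.last_seen[imsi] = (req["ts"], peer["pos"])
            return ("allow", "location update from a roaming partner")
        if op == 45:                                        # slide 14: SMS home routing
            return ("home-route", "answer with a home-routed address instead of IMSI and serving MSC")
        return ("allow", OPCODES.get(op, "opcode %d" % op))


# Constructed request log, in time order.
REQUESTS = [
    {"ts": 0,    "opcode": 2,  "calling_gt": "33661234567", "imsi": "222880123456789"},  # Victim registers in Paris
    {"ts": 1800, "opcode": 2,  "calling_gt": "6591234567",  "imsi": "222880123456789"},  # "in Singapore" 30 min later
    {"ts": 1900, "opcode": 71, "calling_gt": "33661234567", "imsi": "222880123456789"},  # ATI from a partner
    {"ts": 2000, "opcode": 70, "calling_gt": "4917123456",  "imsi": "222880123456789"},  # PSI for our own subscriber
    {"ts": 2100, "opcode": 70, "calling_gt": "4917123456",  "imsi": "262010987654321"},  # PSI for a German inbound roamer
    {"ts": 2200, "opcode": 45, "calling_gt": "4917123456",  "imsi": "222880123456789"},  # SRI-SM lookup
    {"ts": 2300, "opcode": 55, "calling_gt": "33661234567", "imsi": "222880123456789"},  # key request (slide 17)
    {"ts": 2400, "opcode": 2,  "calling_gt": "12125551234", "imsi": "222880123456789"},  # unknown GT
]


def run_demo(requests=REQUESTS):
    """Screen the log in order; returns the list of actions taken."""
    f = InterconnectFilter()
    return [f.screen(r)[0] for r in requests]


if __name__ == "__main__":
    f = InterconnectFilter()
    for r in REQUESTS:
        print(OPCODES[r["opcode"]].ljust(22), *f.screen(r))
```

The whitelist alone does not stop a partner that has been compromised or rented out, which is why the location-based plausibility rules (who may ask about whom, and whether the claimed movement is physically possible) matter as much as the speaker check.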
19. Mobile data can also be remotely diverted, blocked and spoofed
Mitigation
Block internal-only GTP requests
Accept only speakers from a whitelist
Risk
Intercept mobile data (Internet)
Manipulate/spoof user traffic
Slides: https://events.ccc.de/camp/2015/Fahrplan/system/attachments/2649/original/CCCamp-SRLabs-Advanced_Interconnect_Attacks.v1.pdf
[Figure: Net 2 talks to Net 1 over GRX (or the Internet) about the Victim]
Net 2 -> Net 1: "Dear Net 1, your user Victim is visiting me, can you give me his current IP and make me the owner of it?"
Net 1 -> Net 2: "Dear Net 2, here is the current IP and connection settings for Victim, now it's all yours, and here are some packets for him"
23. A similar world map shows risk levels associated with SS7 exposure
24. SnoopSnitch monitors network anomalies and attack attempts
It currently shows: network security levels (intercept, impersonation), IMSI
catcher events, SS7 attacks, reception of malicious SMS (silent & binary)
25. Take aways
Questions?
Luca Melette <luca@srlabs.de>
Many vulnerabilities found in past years are still a threat to mobile users.
Network operators worldwide should improve their security to prevent abuse.
Attack tools are available to researchers, and criminals are not far behind them.