2015.11.06. Luca Melette_Mobile threats evolution

SRLabs Template v12
Mobile threats evolution
Luca Melette <luca@srlabs.de>

Agenda
1
 Attacks over the air
 Attacks over the wire
 How to protect yourself

Mobile communications have been secretly intercepted for decades
2
Stationary catcher
(1990)
Handheld catcher
(2015)
Portable catcher
(2000)
IMSI Catchers are the famous devices operated by police and intelligence
agencies to locate and spy on mobile users, since the beginning of GSM

GSM interception is now available to the masses
3
Years of research unearthed important GSM vulnerabilities and
produced low cost IMSI catchers and passive interception systems
OsmoSDR/Airprobe
USB DVB-T stick
< $10
(2015)
CalypsoBTS/OsmocomBB
Motorola C123
$20-$50
(2010)
OpenBTS/Airprobe
USRP + RFX900
$1000
(1998)

Listening to broadcast channels can disclose local user identities
4
Mitigation
 Avoid paging by IMSI as much as possible
 Frequently refresh TMSIs
Risk
 Detect user presence
 Use IMSIs for further attacks
Source code: git://git.osmocom.org/osmocom-bb
IMSI?
IMSI?
IMSI?
IMSI?
Broadcast
channel

Passive GSM intercept is still a major privacy risk in many countries
5
Mitigation
 Adopt randomization techniques
 Use a strong cipher (A5/3 or A5/4)
Risk
 Intecept calls and SMS
 Follow user movements
Tutorial: https://srlabs.de/decrypting_gsm
Source code: https://opensource.srlabs.de/projects/a51-decrypt
In the past two years
we found networks
using no encryption
in these countries:
Cambodia, China,
Hong Kong, India,
Israel, Kyrgyzstan,
Lebanon, Morocco,
Myanmar, Pakistan,
Vietnam
Voice/SMS
Encrypted
frames
Decrypted
voice/SMSKraken
The common GSM encryption standard
A5/1 can be cracked with rainbow tables
in a normal PC with a GPU and 2TB disk,
while A5/2 can be cracked very quickly
even only using bruteforce on a CPU

GPRS settings (mobile data) can greatly differ from voice and SMS
6
Mitigation
 Double check radio security settings
 Use a strong cipher (GEA/3 or GEA/4)
Risk
 Intecept mobile data traffic
 Follow user movements
Tutorial: https://srlabs.de/gprs
Mobile Internet
Some operators surprisingly forget to turn on
encryption on GPRS (or even UMTS) leaving
passive sniffers full access to mobile Internet

Missing authentication enable user impersonation and frauds
7
Mitigation
 Always require user authentication
 Move to a more recent radio generation
Risk
 Spoof caller ID for calls and SMS
 Send premium SMS (fraud)
No code available
SMS for TMSI
0x8a13b0cf
Call from TMSI
0x8a13b0cf
(1)
(3)
Step 1: Capture some call or
SMS directed to the victim
(2)
Step 2: Recover the key if
transaction was encrypted
Step 3: Start a call or send
SMS impersonating the
victim with TMSI and key
A similar attack can be applied to mobile terminated traffic

Rogue base stations can massively collect user identities
8
Mitigation
 Monitor radio traffic to detect anomalies
 Force mobile to use only 3G/4G networks
Risk
 Collect user identities in that area
 Use IMSIs for further attacks
Source code: http://openbts.org/get-the-code
CID 3
LAC 9
f 6
High power
LUR
Time IMSI IMEI LAC/TA
13:37:37 22288... 35612... 1 / 2
13:37:42 22201... 01851... 1 / 1
The catching process works as follows:
1. The victim is attracted by the catcher
due to the strong signal.
2. The fake tower requests all the relevant
information of the user and device
3. The victim is pushed back to the original
cell and gets normal coverage as before
4. No evidence is left on the mobile but
the catcher has a full log of users

More sophisticated fake cell towers can take full control of users
9
Mitigation
 Monitor radio traffic to detect anomalies
 Force mobile to use only 3G/4G networks
Risk
 Intercept voice/SMS/mobile data
 Manipulate traffic in both directions
No code available
Victim Real
Network
Communication
forced to weak
encryption in
order to crack the
key in realtime
Call/SMS logging
and manipulation
The real network can enforce
strong encryption and perform
authentication, as the victim
can provide valid responses for
any sort of request
Kraken

Persistent malware on the SIM can be remotely installed via SMS
10
Mitigation
 Patch vulnerable SIM cards
 Block binary SMS from unknown origins
Risk
 Intercept voice/SMS/mobile data
 User location tracking (fine-grained)
Tutorial: https://srlabs.de/rooting-sim-cards
Source code: https://opensource.srlabs.de/git/SIMtester.git
Low security and software
bugs provide the attacker a
completely stealth remote
location tracking system or
decryption oracle
A special broken binary SMS
transparently reaches the
SIM and make the mobile
send a signed response that
is crackable by the attacker
Using rainbow tables
DES signatures can
be cracked and the
attacker gains admin
privilege on the SIM

Agenda
11

Mobile operators share their subscribers data over trusted clouds
12
Voice, SMS, USSD
Signalling (SS7)
Mobile Internet
and MMS (GRX)
Net 1
Net 2
Net 3
Net 4
Country B
Country A
Only members of the GSM Association
should have access to these clouds
Public
Internet

User location tracking is cheap and widely available on the Internet
13
Mitigation
 Operators to deploy SMS home routing
 Block requests from untrusted sources
Risk
 User location retrieval (coarse position)
 Entirely stealth and remote tracking
Slides: https://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf
Many providers
online offer HLR
lookups for just a
few dollar cents
Try on google:
hlr lookup
Starting from a
mobile number
one can visualize
which state and
city the mobile
user is currently
visiting

Fine-grained position is obtainable with roaming related requests
14
Mitigation
 Deploy SS7 filtering at network borders
Risk
 User location retrieval (fine-grained)
 Remote tracking (not always stealth)
Slides: http://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf
SS7
Net 1
Net 2
Victim
Dear Net 1, my subscriber
Victim is currently roaming in
your network, could you tell me
where and if it’s in a call?
Sure! Dear Net 2, your Victim is
currently served by a cell near
the Tour Eiffel and it’s not in a call

Trusted network relations can ease spam and frauds attempts
15
Mitigation
 Check plausibility of user requests
Risk
 User impersonation (call/SMS fraud)
 Mass SMS advertisement delivery
SS7
Net 1
Net 2
Victim
Dear Net 1, your user Victim is
visiting me, can you give me his
full profile? And also, he wants
to send an SMS to ...
Dear Net 2, here is the profile
and thanks for the SMS, I will try
to deliver it and bill it to Victim

Strong encryption can be defeated by trusted key handovers
16
Mitigation
 Block internal-only SS7 requests
 Accept only speakers from a whitelist
Risk
 Capture and decrypt user traffic
 Reuse keys to spoof legitimate towers
Slides:https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/or
iginal/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf
SS7
Net 1
Net 2
Victim
Dear Net 1, I need immediately
the encryption key to connect a
call of your subscriber Victim
that is coming towards me
Dear Net 2, sure! Here is the key
and all the rest you need to keep
the call going, good luck!

Voice and SMS can be remotely intercepted in several ways
17
Mitigation
 Perform smart SS7 plausibility checks
Risk
 Intercept calls and SMS
 Manipulate/spoof user traffic
Video: www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking
SS7
Net 1
Net 2
Victim
Dear cell XXX, forget what Net 1
said about Victim, he wants now
to forward all his calls to me
Father
Father tries to call Victim but the
call is immediately rerouted to the
attacker that can start recording
and forward it to the Victim

Mobile data can also be remotely diverted, blocked and spoofed
18
Mitigation
 Block internal-only GTP requests
Risk
 Intercept mobile data (Internet)
 Manipulate/spoof user traffic
Slides:https://events.ccc.de/camp/2015/Fahrplan/system/attachments/2649/origi
nal/CCCamp-SRLabs-Advanced_Interconnect_Attacks.v1.pdf
GRX
(or Internet)
Net 1
Net 2
Victim
Dear Net 1, your user Victim is
visiting me, can you give me his
current IP and make me the
owner of it?
Dear Net 2, here is the current IP and
connection settings for Victim, now it’s all
yours, and here are some packets for him

Agenda
19

GSM Map allows users to compare security in several countries
20

Security levels are summarized in a chart and detailed in a report
21

A similar world map shows risk levels associated to SS7 exposure
22

SnoopSnitch monitors network anomalies and attack attempts
23
It currently shows: network security levels (intercept, impersonation), IMSI
catcher events, SS7 attacks, reception of malicious SMS (silent & binary)

Take aways
24
Questions?
Luca Melette <luca@srlabs.de>
 Many vulnerabilities found in the past
years are still a threat for mobile users
 Network operators worldwide should
improve their security to prevent abuse
 Attack tools are available to researchers,
and criminals are not far behind them

2015.11.06. Luca Melette_Mobile threats evolution

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to 2015.11.06. Luca Melette_Mobile threats evolution

Similar to 2015.11.06. Luca Melette_Mobile threats evolution (20)

More from Tech and Law Center

More from Tech and Law Center (15)

Recently uploaded

Recently uploaded (20)

2015.11.06. Luca Melette_Mobile threats evolution