COVER                          The Athens Affair                          How some extremely smart hackers pulled off the ...
$ whoarewe                    • Arturo Filastò       • Jacob Appelbaum                    • The Tor Project      • The Tor...
Once upon a time...Monday, October 3, 2011
The 3 issues                    • Interception                    • Geolocation                    • Denial of ServiceMond...
Interception                    • Can be lawful or unlawful                    • Tactical vs Non-TacticalMonday, October 3...
“Lawful Intercept”Monday, October 3, 2011
What technologies can                     be intercepted?                    • GSM                    • CDMA              ...
Who?                    •     Law enforcement                    •     National Secret Service                    •     Fo...
Targets of Interception                    • A person                    • A medium (think wire tap)                    • ...
Why?                    • The architecture is designed for it                    • To suppress uprisings                  ...
How is this possible?                    • The security is outdated; take GSM...                    • No effort has been m...
IMSI catchersMonday, October 3, 2011
Active IMSI catchersMonday, October 3, 2011
More accessible                    • This equipment used to be very expensive                    • But with projects such ...
Passive GSM sniffers                                   +                                   =Monday, October 3, 2011
Passive GSM sniffers                                    +                                    =                           I...
Geolocation                    • Where are you?                    • Various technologies give                          va...
Location TrackingMonday, October 3, 2011
Walled Garden                    • For accessing SS7 there used to be:                     • High costs                   ...
The GSM network         OsmocommBB                                                 OpenBTS                                ...
Macro Area                                 Geolocation                    • With network interrogations                   ...
More detail is possible                    •     Other privacy invading queries exists                          •   PSI, A...
Denial of Service                                • You just want to stop                                  that or those pe...
Monday, October 3, 2011
JammersMonday, October 3, 2011
JammersMonday, October 3, 2011
Help!                    •     Ok, so you have scared me. Now what should I do?                          •   be aware of p...
Thanks for listening!                                 Any questions?Monday, October 3, 2011
Upcoming SlideShare
Loading in...5
×

Crash course of Mobile (SS7) privacy and security

6,814

Published on

We will discuss the three main aspects related to mobile security: Interception, Geolocation, Denial of Service.

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
6,814
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
87
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Crash course of Mobile (SS7) privacy and security

  1. 1. COVER The Athens Affair How some extremely smart hackers pulled off the most audacious cell-network break-in ever By VASSILIS PREVELAKIS, DIOMIDIS SPINELLIS / JULY 2007 On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months. The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy [see sidebar "CEOs, MPs, & a PM."] The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the countrys largest cellular service provider; Tsalikidis was in charge of network planning at the company. A connection seemed obvious. Given the list of people and their positions at the time of the tapping, we can only imagine the sensitive political and diplomatic discussions, high-stakes business deals, or even marital indiscretions that may have been routinely overheard and, quite possibly, recorded. Even before Tsalikidiss death, investigators had found rogue software Photo: Fotoagentur/Alamy installed on the Vodafone Greece phone network by parties unknown. Some extraordinarily knowledgeable people either penetrated the network from outside or subverted it from within, aided by an agent or mole. In either case, the software at the heart of the phone system, investigators later discovered, was reprogrammed with a finesse and sophistication rarely seen before Crash course of Mobile (SS7) or since. A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability privacy and security to hackers and moles. Its also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate. Even among major criminal infiltrations, the Athens affair stands out because it may have involved state secrets, and itMonday, October 3, 2011 targeted individuals—a combination that, if it had ever occurred before, was not disclosed publicly. The most notorious
  2. 2. $ whoarewe • Arturo Filastò • Jacob Appelbaum • The Tor Project • The Tor Project • A Random • I break bad software GlobaLeaks and build better Developer alternatives • I hack on stuff for • Understanding censorship fun and profit! @hellais @ioerrorMonday, October 3, 2011
  3. 3. Once upon a time...Monday, October 3, 2011
  4. 4. The 3 issues • Interception • Geolocation • Denial of ServiceMonday, October 3, 2011
  5. 5. Interception • Can be lawful or unlawful • Tactical vs Non-TacticalMonday, October 3, 2011
  6. 6. “Lawful Intercept”Monday, October 3, 2011
  7. 7. What technologies can be intercepted? • GSM • CDMA • iDEN • Thuraya • BGAN/Inmarsat • VSATMonday, October 3, 2011
  8. 8. Who? • Law enforcement • National Secret Service • Foreign Secret Service • Large corporations • Outsourced intelligence service providers • Organized crime • Military organizationsMonday, October 3, 2011
  9. 9. Targets of Interception • A person • A medium (think wire tap) • A device (think rootkit) • Parametric • Keywords (sniffing for triggers) • Perimeter (area sniffing)Monday, October 3, 2011
  10. 10. Why? • The architecture is designed for it • To suppress uprisings • To collect intelligence • Monitor behaviorMonday, October 3, 2011
  11. 11. How is this possible? • The security is outdated; take GSM... • No effort has been made to fix it • A5/1 is broken • A5/2 is purposefully broken • A5/3 is a bit better but not implemented (http://security.osmocom.org/trac/ticket/ 4)Monday, October 3, 2011
  12. 12. IMSI catchersMonday, October 3, 2011
  13. 13. Active IMSI catchersMonday, October 3, 2011
  14. 14. More accessible • This equipment used to be very expensive • But with projects such as USRP and OsmocomBB this is no longer trueMonday, October 3, 2011
  15. 15. Passive GSM sniffers + =Monday, October 3, 2011
  16. 16. Passive GSM sniffers + = Interception for 50$Monday, October 3, 2011
  17. 17. Geolocation • Where are you? • Various technologies give various levels of accuracy • SS7 (HLR, ATI) • Stingray and AmberJackMonday, October 3, 2011
  18. 18. Location TrackingMonday, October 3, 2011
  19. 19. Walled Garden • For accessing SS7 there used to be: • High costs • Strict peering agreements • Not designed with security in mindMonday, October 3, 2011
  20. 20. The GSM network OsmocommBB OpenBTS BSC APIs to HLRsubscriber BTS BSC MSC VLR HLR SMSC OpenBSC VLR MSC SMS InjectionMonday, October 3, 2011
  21. 21. Macro Area Geolocation • With network interrogations • A feature to SMS sending • The level of detail goes from 1km in cities to 200km in rural areasMonday, October 3, 2011
  22. 22. More detail is possible • Other privacy invading queries exists • PSI, ATI • Reach a level of detail of ~100m • Require, more strict agreements with telcos • If you know where to ask... • ... you will get them • (that means if you have the $$$)Monday, October 3, 2011
  23. 23. Denial of Service • You just want to stop that or those people communicating.Monday, October 3, 2011
  24. 24. Monday, October 3, 2011
  25. 25. JammersMonday, October 3, 2011
  26. 26. JammersMonday, October 3, 2011
  27. 27. Help! • Ok, so you have scared me. Now what should I do? • be aware of patterns and realities • use software on top of what is available • Tor, RedPhone, TextSecure, PrivateGSM, etc • Avoid bad software - eg: UltraSurf, SMS • Resist giving your ID for a SIM card! • If you are really worried or privacy and security don’t use mobile phones. • Until we create a free telco, we’re doomed.Monday, October 3, 2011
  28. 28. Thanks for listening! Any questions?Monday, October 3, 2011
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×