Transcript of "Crash course of Mobile (SS7) privacy and security"
Crash course of Mobile (SS7) privacy and security
Monday, October 3, 2011
COVER The Athens Affair: How some extremely smart hackers pulled off the most audacious cell-network break-in ever. By VASSILIS PREVELAKIS, DIOMIDIS SPINELLIS / JULY 2007
Photo: Fotoagentur/Alamy
On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.
The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy [see sidebar "CEOs, MPs, & a PM."]
The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the country's largest cellular service provider; Tsalikidis was in charge of network planning at the company. A connection seemed obvious. Given the list of people and their positions at the time of the tapping, we can only imagine the sensitive political and diplomatic discussions, high-stakes business deals, or even marital indiscretions that may have been routinely overheard and, quite possibly, recorded.
Even before Tsalikidis's death, investigators had found rogue software installed on the Vodafone Greece phone network by parties unknown. Some extraordinarily knowledgeable people either penetrated the network from outside or subverted it from within, aided by an agent or mole. In either case, the software at the heart of the phone system, investigators later discovered, was reprogrammed with a finesse and sophistication rarely seen before or since.
A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability to hackers and moles.
It's also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.
Even among major criminal infiltrations, the Athens affair stands out because it may have involved state secrets, and it targeted individuals—a combination that, if it had ever occurred before, was not disclosed publicly. The most notorious
$ whoarewe
Arturo Filastò (@hellais)
• The Tor Project
• A Random GlobaLeaks Developer
• I hack on stuff for fun and profit!
Jacob Appelbaum (@ioerror)
• The Tor Project
• I break bad software and build better alternatives
• Understanding censorship
What technologies can be intercepted?
• GSM
• CDMA
• iDEN
• Thuraya
• BGAN/Inmarsat
• VSAT
Who?
• Law enforcement
• National Secret Service
• Foreign Secret Service
• Large corporations
• Outsourced intelligence service providers
• Organized crime
• Military organizations
Targets of Interception
• A person
• A medium (think wire tap)
• A device (think rootkit)
• Parametric
• Keywords (sniffing for triggers)
• Perimeter (area sniffing)
Why?
• The architecture is designed for it
• To suppress uprisings
• To collect intelligence
• Monitor behavior
How is this possible?
• The security is outdated; take GSM...
• No effort has been made to fix it
• A5/1 is broken
• A5/2 is purposefully broken
• A5/3 is a bit better but not implemented (http://security.osmocom.org/trac/ticket/4)
Walled Garden
• For accessing SS7 there used to be:
  • High costs
  • Strict peering agreements
• Not designed with security in mind
The GSM network
[Diagram: subscriber, BTS, BSC, MSC, VLR, HLR, SMSC; annotated with OsmocomBB, OpenBTS, OpenBSC, APIs to HLR, SMS Injection]
Macro Area Geolocation
• With network interrogations
• A feature to SMS sending
• The level of detail goes from 1km in cities to 200km in rural areas
More detail is possible
• Other privacy-invading queries exist
• PSI, ATI
• Reach a level of detail of ~100m
• Require more strict agreements with telcos
• If you know where to ask...
• ... you will get them
• (that means if you have the $$$)
Denial of Service
• You just want to stop that or those people communicating.
Help!
• Ok, so you have scared me. Now what should I do?
• Be aware of patterns and realities
• Use software on top of what is available
• Tor, RedPhone, TextSecure, PrivateGSM, etc.
• Avoid bad software, e.g. UltraSurf, SMS
• Resist giving your ID for a SIM card!
• If you are really worried for privacy and security, don't use mobile phones.
• Until we create a free telco, we're doomed.
Thanks for listening! Any questions?