Crash course of Mobile (SS7) privacy and security

COVER The Athens Affair How some extremely smart hackers pulled off the most audacious cell-network break-in ever By VASSILIS PREVELAKIS, DIOMIDIS SPINELLIS / JULY 2007 On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months. The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy [see sidebar "CEOs, MPs, & a PM."] The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the countrys largest cellular service provider; Tsalikidis was in charge of network planning at the company. A connection seemed obvious. Given the list of people and their positions at the time of the tapping, we can only imagine the sensitive political and diplomatic discussions, high-stakes business deals, or even marital indiscretions that may have been routinely overheard and, quite possibly, recorded. Even before Tsalikidiss death, investigators had found rogue software Photo: Fotoagentur/Alamy installed on the Vodafone Greece phone network by parties unknown. Some extraordinarily knowledgeable people either penetrated the network from outside or subverted it from within, aided by an agent or mole. In either case, the software at the heart of the phone system, investigators later discovered, was reprogrammed with a finesse and sophistication rarely seen before Crash course of Mobile (SS7) or since. A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability privacy and security to hackers and moles. Its also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate. Even among major criminal infiltrations, the Athens affair stands out because it may have involved state secrets, and itMonday, October 3, 2011 targeted individuals—a combination that, if it had ever occurred before, was not disclosed publicly. The most notorious

$ whoarewe • Arturo Filastò • Jacob Appelbaum • The Tor Project • The Tor Project • A Random • I break bad software GlobaLeaks and build better Developer alternatives • I hack on stuff for • Understanding censorship fun and proﬁt! @hellais @ioerrorMonday, October 3, 2011

Once upon a time...Monday, October 3, 2011

The 3 issues • Interception • Geolocation • Denial of ServiceMonday, October 3, 2011

Interception • Can be lawful or unlawful • Tactical vs Non-TacticalMonday, October 3, 2011

“Lawful Intercept”Monday, October 3, 2011

What technologies can be intercepted? • GSM • CDMA • iDEN • Thuraya • BGAN/Inmarsat • VSATMonday, October 3, 2011

Who? • Law enforcement • National Secret Service • Foreign Secret Service • Large corporations • Outsourced intelligence service providers • Organized crime • Military organizationsMonday, October 3, 2011

Targets of Interception • A person • A medium (think wire tap) • A device (think rootkit) • Parametric • Keywords (snifﬁng for triggers) • Perimeter (area snifﬁng)Monday, October 3, 2011

Why? • The architecture is designed for it • To suppress uprisings • To collect intelligence • Monitor behaviorMonday, October 3, 2011

How is this possible? • The security is outdated; take GSM... • No effort has been made to ﬁx it • A5/1 is broken • A5/2 is purposefully broken • A5/3 is a bit better but not implemented (http://security.osmocom.org/trac/ticket/ 4)Monday, October 3, 2011

IMSI catchersMonday, October 3, 2011

Active IMSI catchersMonday, October 3, 2011

More accessible • This equipment used to be very expensive • But with projects such as USRP and OsmocomBB this is no longer trueMonday, October 3, 2011

Passive GSM sniffers + =Monday, October 3, 2011

Passive GSM sniffers + = Interception for 50$Monday, October 3, 2011

Geolocation • Where are you? • Various technologies give various levels of accuracy • SS7 (HLR, ATI) • Stingray and AmberJackMonday, October 3, 2011

Location TrackingMonday, October 3, 2011

Walled Garden • For accessing SS7 there used to be: • High costs • Strict peering agreements • Not designed with security in mindMonday, October 3, 2011

The GSM network OsmocommBB OpenBTS BSC APIs to HLRsubscriber BTS BSC MSC VLR HLR SMSC OpenBSC VLR MSC SMS InjectionMonday, October 3, 2011

Macro Area Geolocation • With network interrogations • A feature to SMS sending • The level of detail goes from 1km in cities to 200km in rural areasMonday, October 3, 2011

More detail is possible • Other privacy invading queries exists • PSI, ATI • Reach a level of detail of ~100m • Require, more strict agreements with telcos • If you know where to ask... • ... you will get them • (that means if you have the $$$)Monday, October 3, 2011

Denial of Service • You just want to stop that or those people communicating.Monday, October 3, 2011

Monday, October 3, 2011

JammersMonday, October 3, 2011

Help! • Ok, so you have scared me. Now what should I do? • be aware of patterns and realities • use software on top of what is available • Tor, RedPhone, TextSecure, PrivateGSM, etc • Avoid bad software - eg: UltraSurf, SMS • Resist giving your ID for a SIM card! • If you are really worried or privacy and security don’t use mobile phones. • Until we create a free telco, we’re doomed.Monday, October 3, 2011

Thanks for listening! Any questions?Monday, October 3, 2011

http://arabloggers.com	1297
http://dowdellresearch.blogspot.com	415
http://dowdellresearch.blogspot.com	415
http://paper.li	206
http://paper.li	206
http://a0.twimg.com	28
http://a0.twimg.com	28
http://us-w1.rockmelt.com	13
http://us-w1.rockmelt.com	13
http://feeds.feedburner.com	3
http://dowdellresearch.blogspot.co.nz	2
http://twitter.com	1
http://www.twylah.com	1

Crash course of Mobile (SS7) privacy and security

by Arturo Filastò on Oct 03, 2011

Accessibility

Categories

Upload Details

Usage Rights

13 Embeds 2,628

Statistics

Crash course of Mobile (SS7) privacy and security — Presentation Transcript