
Catching IMSI Catchers


Hunting the hunter: can you tell if your phone is being captured by a rogue cell phone tower / IMSI catcher / Stingray? Learn strategies to detect rogue cell phone towers and hear stories from adventures war walking Las Vegas during Defcon. Learn about IMSI catchers, their capabilities, LTE to GSM downgrade attacks, and ways to protect yourself from these devices. Discover open source projects and other ways you can get involved to help make cellular technologies safer for users.

Video Link: https://www.youtube.com/watch?v=eivHO1OzF5E

Published in: Engineering

  1. Catching IMSI Catchers
     Geoffrey Vaughan @mrvaughan, Security Engineer

  2. What you will learn today
     1. What IMSI Catchers do and how they work
     2. Detection strategies
     3. Hear an exciting tale of adventures in Vegas
     4. Learn how to avoid being caught up in an IMSI Catcher

  3. Whoami
     • Geoffrey Vaughan @MrVaughan
     • Security Engineer @SecurityInnovation
     • Appsec pentesting/advisory at all areas of the SDLC
     • Former High School/Prison/University Teacher
     • Occasionally I’m let out of my basement
     • Travelled from Toronto to be here with you today

  4. IMSI Catchers / Stingrays
     • IMSI Catcher: can be any rogue cellular device designed to capture cell phone data or traffic. Often used by police/governments.
     • Stingray: the most popular brand of IMSI Catcher sold to police/governments, made by Harris Corp.
     • IMSI: International Mobile Subscriber Identity, your unique cell phone ID.
     • Privacy constraints: strict NDAs often prevent users from disclosing the device capabilities or naming the device publicly (even in the case of warrants).

  5. IMSI Catcher Specs
     • Can intercept 2G, 3G and 4G communication simultaneously, as well as CDMA/GSM networks
     • Can launch attacks requesting that phones connect over weaker channels (2G)
     • Operates in either passive or active mode
     • Passive mode – simply captures all available traffic in the area
     • Active mode – acts as a full duplex proxy, forcing all traffic through the device and then onward to a normal cellular tower

  6. How they are used
     • Confirming presence of a device in a target’s home prior to a search thereof
     • Identifying an individual responsible for sending harassing text messages
     • Locating a stolen mobile device as a precursor to searching homes in the vicinity
     • Locating specific individuals by driving around a city until a known IMSI is found
     • Mounted on airplanes by the United States Marshals Service to sweep entire cities for a specific mobile device
     • To monitor all devices within range of a prison to determine whether prisoners are using cell phones
     • Reportedly at political protests to identify devices of individuals attending
     • To monitor activity in the offices of an independent Irish police oversight body
     Source: https://citizenlab.org/wp-content/uploads/2016/09/20160818-Report-Gone_Opaque.pdf

  7. Where they are used
     • 1400+ confirmed cases of use in Baltimore; mapping shows disproportionate use in predominantly black neighborhoods
       http://www.citylab.com/crime/2016/10/racial-disparities-in-police-stingray-surveillance-mapped/502715/?utm_source=feed
     • Thousands of times in Florida since 2007, for crimes as small as 911 hang-ups
       http://arstechnica.com/tech-policy/2016/08/Baltimore-police-accused-of-illegal-mobile-spectrum-use-with-stingrays/

  8. Manual Leak
     The Intercept acquired a device manual and published it:
     https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/

  9. Where to buy
     • Only sold to governments, police, and military
     • Alibaba: good luck (mostly 2G only), import laws, buyer assumes risk
     • But for ~1400 USD you can build your own:
       http://arstechnica.com/security/2015/10/low-cost-imsi-catcher-for-4glte-networks-track-phones-precise-locations/
     • Or hide one in a printer and make it call to say I love you:
       https://julianoliver.com/output/stealth-cell-tower

  10. How to find and detect an IMSI Catcher
     Current detection methods are entirely anomaly based:
     1. War walk your neighborhood and make note of all cell tower IDs you find and their locations
     2. Repeat this until you are sure you have all known devices cataloged
     3. Constantly monitor your area to see if any new devices are added
     4. Go find the new device

  11. Tools to help you out
     • OpenCellID.org – database of mostly user-reported cellular tower devices, their location, and their identifiers
     • AIMSICD – Android IMSI Catcher Detector app. Tool used to collect cell data. It also reports/syncs with OpenCellID (sometimes).
       https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
     • Rooted Android device – required for AIMSICD, which means you need a dedicated device for detection
     • Eric Escobar – Detecting Rogue Cell Towers, built a $50 device to better triangulate devices (presented this year)
       https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Eric-Escobar-Rogue-Cell-Towers-UPDATED.pdf

  12. Story Time

  13. How hostile is it for your devices at Def Con?
     • Def Con = “Most hostile network on earth” ????
     • Sure, don’t use the hotel Wi-Fi, but how bad is it for your cell phones?
     • Personal experiment to see if I could find any IMSI Catchers

  14. Setup
     • AIMSICD app
     • Burner Android phone (rooted)
     • Next time: pre-install opencellid.org data
     [Photo: War driving the Strip in style]

  15. Don’t Freak out!
     [Map panels: Pre Def Con War Walk / Post Def Con Data]

  16. Lots of false positives
     • Devices on multiple floors?
     • Multiple redundant devices in the same location
     • Potential issues with GPS accuracy

  17. Still Unknown Devices
     [Map: red dots represent devices that I did not see in my preliminary walk and that were not already known to opencellid.org]

  18. Caesar’s
     • 3 nights in Caesar’s before Def Con
     • Lots of towers picked up
     • Suggests a sort of ‘drive-by attack’
     • Also observed a lot of LTE to GSM downgrade attacks; my device was hopping networks quite frequently

  19. Caesar’s
     • At least 4 of these devices were previously not known to opencellid.org
     • There were a couple of others that had only been seen once before

  20. Defense
     • Depends on your personal threat model
     • Don’t use your device
     • Wi-Fi calling with VPN?
     • Signal / Open Whisper app for calling/SMS, although you would still be tracked
     • If all wireless carriers published the tower IDs you could at least know if an ID did not match
     • Device spoofing would still be possible
     • Pressure wireless carriers to implement mutual authentication between devices and towers

  21. Conclusions
     • The devices are very hard to detect; this is part of what makes them so dangerous
     • You rarely know when you are connected to these devices
     All data collected is available on my GitHub page: https://github.com/MrVaughan/Defcon2016GSMData

  22. Shameless Plug
     • CMD+CTRL CTF Saturday night
     • Accessible web app CTF for beginners and pros alike
     • Lots of challenges to keep you busy
     • Prizes

  23. Thank you
     Geoffrey Vaughan @mrvaughan @SecurityInnovation
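The anomaly-based method of slide 10 (catalog every cell seen on a preliminary walk, then flag anything new), the false-positive sources of slide 16 (redundant devices at one spot, GPS error) and the downgrade observations of slide 18 can all be expressed as a small analysis over logged cell sightings. The following Python is an added example, not code from the talk, the AIMSICD project or the author's GitHub data; the sighting record layout, the cell identifiers and the coordinates are constructed, and the tolerance radius is an assumed parameter.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CellObs:
    """One serving-cell sighting as a logging app might record it (field set is assumed)."""
    mcc: int    # mobile country code
    mnc: int    # mobile network code
    lac: int    # location area code (tracking area code on LTE)
    cid: int    # cell id
    rat: str    # radio access technology: "GSM", "UMTS" or "LTE"
    lat: float  # GPS position of the phone when it saw the cell
    lon: float
    ts: int     # seconds since the walk started


RAT_RANK = {"GSM": 0, "UMTS": 1, "LTE": 2}  # lower rank = weaker generation


def cell_key(o):
    """A cell is identified by the full (MCC, MNC, LAC, CID) tuple, never by CID alone."""
    return (o.mcc, o.mnc, o.lac, o.cid)


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def build_catalog(baseline):
    """Steps 1-2: catalog every cell seen on the preliminary walk.

    Each cell maps to (centroid_lat, centroid_lon, spread_m); several cells at one
    spot (redundant devices, multiple floors) just become several entries.
    """
    pts = {}
    for o in baseline:
        pts.setdefault(cell_key(o), []).append((o.lat, o.lon))
    catalog = {}
    for key, seen in pts.items():
        clat = sum(p[0] for p in seen) / len(seen)
        clon = sum(p[1] for p in seen) / len(seen)
        spread = max(haversine_m(clat, clon, p[0], p[1]) for p in seen)
        catalog[key] = (clat, clon, spread)
    return catalog


def find_anomalies(catalog, walk, tolerance_m=500.0):
    """Step 3: compare a later walk against the catalog and return (reason, obs) pairs.

    unknown-cell          never cataloged
    moved-cell            cataloged cell seen well outside its known footprint
    downgrade             phone dropped to a weaker RAT onto a known cell
    downgrade-to-unknown  the drop landed on a cell that is not cataloged
    tolerance_m absorbs GPS error and normal coverage beyond the baseline footprint.
    """
    findings, prev = [], None
    for o in sorted(walk, key=lambda x: x.ts):
        key = cell_key(o)
        known = key in catalog
        if not known:
            findings.append(("unknown-cell", o))
        else:
            clat, clon, spread = catalog[key]
            if haversine_m(clat, clon, o.lat, o.lon) > spread + tolerance_m:
                findings.append(("moved-cell", o))
        if prev is not None and RAT_RANK[o.rat] < RAT_RANK[prev.rat]:
            findings.append(("downgrade" if known else "downgrade-to-unknown", o))
        prev = o
    return findings


# Constructed sample data: identifiers and coordinates are made up.
BASELINE = [
    CellObs(302, 720, 1001, 5001, "LTE", 36.1170, -115.1740, 0),
    CellObs(302, 720, 1001, 5001, "LTE", 36.1180, -115.1750, 60),
    CellObs(302, 720, 1001, 5002, "LTE", 36.1170, -115.1740, 5),   # redundant device, same spot
    CellObs(302, 720, 1001, 5003, "UMTS", 36.1160, -115.1730, 90),
    CellObs(302, 720, 1002, 7001, "GSM", 36.1175, -115.1745, 120),
]
LATER_WALK = [
    CellObs(302, 720, 1001, 5001, "LTE", 36.1172, -115.1742, 0),
    CellObs(302, 720, 1001, 5002, "LTE", 36.1171, -115.1741, 10),
    CellObs(302, 720, 1001, 5009, "LTE", 36.1173, -115.1743, 20),   # never cataloged
    CellObs(302, 720, 1002, 7001, "GSM", 36.1174, -115.1744, 30),   # known GSM cell
    CellObs(302, 720, 1001, 5001, "LTE", 36.1500, -115.2000, 40),   # known id, ~4 km away
    CellObs(302, 720, 9999, 1, "GSM", 36.1176, -115.1746, 50),      # unknown GSM cell after LTE
]


def run_example():
    """Return [(reason, cid), ...] for the constructed later walk."""
    catalog = build_catalog(BASELINE)
    return [(reason, o.cid) for reason, o in find_anomalies(catalog, LATER_WALK)]


if __name__ == "__main__":
    for reason, cid in run_example():
        print(f"{reason:22s} cid={cid}")
```

The redundant cell 5002 raises nothing because it was cataloged during the baseline walk, and the small GPS jitter on known cells stays inside the tolerance; what surfaces is the never-seen cell, the known identifier broadcast kilometres from its footprint (the spoofing case slide 20 warns about), and the drop to GSM onto an uncataloged cell, which is the combination worth going to find.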
