Catching IMSI Catchers
Geoffrey Vaughan
@mrvaughan
Security Engineer
What you will learn today
1. What IMSI Catchers do and how they work
2. Detection Strategies
3. Hear an exciting tale of adventures in Vegas
4. Learn how to avoid being caught up in an IMSI Catcher
Whoami
• Geoffrey Vaughan @MrVaughan
• Security Engineer @SecurityInnovation
• Appsec pentesting/advisory at all areas of SDLC
• Former High School/Prison/University Teacher
• Occasionally I’m let out of my basement
• Travelled from Toronto to be here with you today
IMSI Catchers / Stingrays
IMSI Catcher:
Can be any rogue cellular device designed to capture cell
phone data or traffic
Often used by police/governments
Stingray - Most popular brand of IMSI Catcher sold to
police/governments made by Harris Corp
IMSI:
International mobile subscriber identity
Your unique cell phone ID.
Privacy constraints:
Strict NDAs often prevent users from disclosing the device
capabilities or naming the device publicly (even in case of
warrants)
IMSI Catcher Specs
• Can intercept 2G, 3G, 4G communication simultaneously as
well as CDMA/GSM networks
• Devices can launch attacks requesting devices connect over
weaker channels (2G)
• Operates in either passive or active mode
• Passive mode – Simply captures all available traffic in the area
• Active mode – Acts as a full duplex proxy forcing all traffic
through the device then onward to a normal cellular tower
How they are used
• Confirming presence of a device in a target’s home prior to a search thereof
• Identifying an individual responsible for sending harassing text messages
• Locating a stolen mobile device as a precursor to searching homes in the vicinity
• Locating specific individuals by driving around a city until a known IMSI is found
• Mounted on airplanes by the United States Marshals Service to sweep entire
cities for a specific mobile device
• To monitor all devices within range of a prison to determine whether prisoners are
using cell phones
• Reportedly at political protests to identify devices of individuals attending
• To monitor activity in the offices of an independent Irish police oversight body
Source: https://citizenlab.org/wp-content/uploads/2016/09/20160818-Report-Gone_Opaque.pdf
Where they are used
• 1400+ cases of confirmed use in Baltimore; mapping shows
disproportionate use in predominantly black neighborhoods
• http://www.citylab.com/crime/2016/10/racial-disparities-in-police-stingray-surveillance-mapped/502715/?utm_source=feed
• Thousands of times in Florida since 2007 for crimes as small as
911 hang ups
• http://arstechnica.com/tech-policy/2016/08/Baltimore-police-accused-of-illegal-mobile-spectrum-use-with-stingrays/
Manual Leak
The Intercept acquired a device manual and published it:
https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/
Where to buy
• Only sold to governments, police, and military
• Alibaba: Good luck (mostly 2G only), Import laws, buyer
assumes risk
• But for ~1400 USD you can build your own:
http://arstechnica.com/security/2015/10/low-cost-imsi-catcher-for-4glte-networks-track-phones-precise-locations/
• Or hide one in a printer and make it call to say I love you
https://julianoliver.com/output/stealth-cell-tower
How to find and detect an IMSI Catcher
Current detection methods are entirely anomaly based
1. War walk your neighborhood and make note of all cell tower
IDs you find and their locations
2. Repeat this until you are sure you have all known devices
cataloged
3. Constantly monitor your area to see if any new devices are
added
4. Go find the new device
Tools to help you out
OpenCellID.org – Database of mostly user reported cellular tower
devices, their location, and their identifiers
AIMSICD – Android IMSI Catcher Detector app. Tool used to collect
cell data. It also reports/syncs with OpenCellID (sometimes).
• https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
Rooted Android Device – Required for AIMSICD. This means you need a
dedicated device for detection
Eric Escobar – Detecting Rogue Cell Towers, built a $50 device to
better triangulate devices (presented this year)
• https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Eric-Escobar-Rogue-Cell-Towers-UPDATED.pdf
Story Time
How hostile is it for your devices at Def Con?
• Def Con = “Most hostile network on earth” ????
• Sure, don’t use the hotel Wi-Fi, but how bad is it for your cell
phones?
• Personal experiment to see if I could find any IMSI Catchers
Setup
• AIMSICD App
• Burner Android Phone (rooted)
• Next time: Pre-install opencellid.org data
War Driving the Strip in style
Don’t Freak out!
[Maps: Pre Def Con War Walk vs. Post Def Con Data]
Lots of false positives
• Devices on multiple floors?
• Multiple redundant devices in same location
• Potential issues with GPS accuracy
Still Unknown Devices
Red dots represent devices that I did not see in my preliminary
walk and were not already known to opencellid.org
Caesar’s
• 3 Nights in Caesar’s before Def Con
• Lots of towers picked up
• Suggest a sort of ‘drive by attack’
• Also observed a lot of LTE to GSM downgrade attacks, my
device was hopping networks quite frequently
Caesar’s
• At least 4 of these devices were previously not known to
opencellid.org
• There were a couple others that had only been seen once before
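The anomaly-based procedure from the detection slides (catalogue what you see, then look for anything new), combined with the "not known to opencellid.org" and "only seen once before" criteria above, as an added example that is not the speaker's code or AIMSICD's. It goes slightly further by also flagging a catalogued cell ID sighted far from its recorded position and by counting LTE to GSM hops; the CSV columns, the 150 m GPS tolerance, the function names and all tower values are constructed for illustration.

```python
import csv
import io
import math
from collections import namedtuple

CellId = namedtuple("CellId", "mcc mnc lac cid")
SEVERITY = {"known": 0, "rarely-seen": 1, "moved": 2, "unknown": 3}
GPS_TOLERANCE_M = 150  # assumed slack for handset GPS error

# Constructed reference rows (not real towers), laid out like a crowd-sourced
# tower database export: position, estimated range, number of prior reports.
REFERENCE_CSV = """radio,mcc,net,area,cell,lon,lat,range,samples
LTE,310,260,1101,20001,-115.1745,36.1162,500,42
GSM,310,260,1101,20002,-115.1729,36.1147,800,1
LTE,310,410,2202,30001,-115.1700,36.1200,500,17
"""

# Constructed survey logs in time order: (radio, mcc, mnc, lac, cid, lat, lon)
BASELINE_WALK = [
    ("LTE", 310, 260, 1101, 20001, 36.1165, -115.1740),
    ("LTE", 310, 410, 2202, 30005, 36.1170, -115.1735),
]
LATER_WALK = [
    ("LTE", 310, 260, 1101, 20001, 36.1163, -115.1744),
    ("GSM", 310, 260, 1101, 20002, 36.1150, -115.1730),
    ("LTE", 310, 410, 2202, 30001, 36.1700, -115.1700),
    ("GSM", 310, 260, 9999, 65001, 36.1160, -115.1742),
    ("LTE", 310, 410, 2202, 30005, 36.1171, -115.1736),
    ("GSM", 310, 260, 9999, 65001, 36.1161, -115.1741),
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def load_reference(text):
    """Index the reference export by cell identity."""
    ref = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = CellId(int(row["mcc"]), int(row["net"]), int(row["area"]), int(row["cell"]))
        ref[key] = (float(row["lat"]), float(row["lon"]), float(row["range"]), int(row["samples"]))
    return ref

def classify(obs, baseline_ids, reference):
    """Return (CellId, verdict) for one sighting."""
    _radio, mcc, mnc, lac, cid, lat, lon = obs
    key = CellId(mcc, mnc, lac, cid)
    entry = reference.get(key)
    if entry is None:
        # Absent from the reference: only our own baseline walk can vouch for it.
        return key, ("known" if key in baseline_ids else "unknown")
    ref_lat, ref_lon, rng, samples = entry
    # Catalogued ID sighted well outside its recorded range, beyond GPS error.
    if haversine_m(lat, lon, ref_lat, ref_lon) > rng + GPS_TOLERANCE_M:
        return key, "moved"
    if key not in baseline_ids and samples <= 1:
        return key, "rarely-seen"
    return key, "known"

def review(later, baseline, reference):
    """Collapse repeat sightings per cell, keeping the most severe verdict."""
    baseline_ids = {CellId(*obs[1:5]) for obs in baseline}
    verdicts = {}
    for obs in later:
        key, verdict = classify(obs, baseline_ids, reference)
        if SEVERITY[verdict] >= SEVERITY[verdicts.get(key, "known")]:
            verdicts[key] = verdict
    return verdicts

def suspicious(verdicts):
    """Cells worth a physical follow-up, most severe first."""
    hits = [(k, v) for k, v in verdicts.items() if v != "known"]
    return sorted(hits, key=lambda kv: -SEVERITY[kv[1]])

def lte_to_gsm_hops(walk):
    """Count LTE -> GSM transitions between consecutive sightings."""
    radios = [obs[0] for obs in walk]
    return sum(1 for a, b in zip(radios, radios[1:]) if (a, b) == ("LTE", "GSM"))

if __name__ == "__main__":
    result = review(LATER_WALK, BASELINE_WALK, load_reference(REFERENCE_CSV))
    for cell, verdict in suspicious(result):
        print(verdict, cell)
    print("LTE->GSM hops:", lte_to_gsm_hops(LATER_WALK))
```

A verdict other than "known" is only a lead to check on foot: redundant antennas at one site or on different floors still show up as separate IDs, which is the false-positive problem the slides describe.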
Defense
• Depends on your personal threat model
• Don’t use your device
• Wi-Fi calling with VPN?
• Signal / OpenWhisper app for calling/SMS, although you would
still be tracked
• If all wireless carriers published the tower IDs you could at
least know if an ID did not match.
• Device spoofing would still be possible
• Pressure Wireless Carriers to implement mutual authentication
between devices
Conclusions
• The devices are very hard to detect; this is part of what makes
them so dangerous
• You rarely know when you are connected to these devices
All data collected is available on my GitHub page
https://github.com/MrVaughan/Defcon2016GSMData
Shameless Plug
• CMD+CTRL CTF Saturday Night
• Accessible web app CTF for beginners and pros alike
• Lots of challenges to keep you busy
• Prizes
Thank you
Geoffrey Vaughan
@mrvaughan
@SecurityInnovation


Editor's Notes

  1. -Talk about 911 impact -Detecting presence -Can break some of the weaker crypto algorithms used in cellular networks
  2. About Citizen Lab: Intersection of Information and Communication Technologies (ICTs), human rights, and global security ‘Cyberwar’ All of these are sourced in Citizen Lab's paper
  3. They are used in other EU countries as well as Canada. It is tough getting confirmed uses, as it often takes years for the information to trickle out of court cases and information requests. Montreal Reporters
  4. I have it on my calendar to build one in January (first chance I’ll get)
  5. Looking at your phone right now you have no idea if it is connected to a real cell phone tower or an IMSI catcher
  6. There are a couple other similar presentations in the last year or 2. Can you trust the data in openCellId ? -If I were XXX -
  7. Multiple antennas