2015.11.06. Luca Melette_Mobile threats evolution

Presented on 6 November 2015 during the Tech and Law Center event (Italy) "Intercettazioni: tutto quello che non avreste voluto sapere" ("Wiretapping: everything you never wanted to know")
http://www.techandlaw.net/news/intercettazioni-tutto-quello-che-non-avreste-voluto-sapere.html

1. Mobile threats evolution
   Luca Melette <luca@srlabs.de>

2. Agenda
    Attacks over the air
    Attacks over the wire
    How to protect yourself

3. Mobile communications have been secretly intercepted for decades
   IMSI catchers are the well-known devices operated by police and intelligence agencies to locate and spy on mobile users, since the beginning of GSM.
   Figure: stationary catcher (1990), portable catcher (2000), handheld catcher (2015)

4. GSM interception is now available to the masses
   Years of research unearthed important GSM vulnerabilities and produced low-cost IMSI catchers and passive interception systems:
    OpenBTS/Airprobe on a USRP + RFX900: ~$1000 (1998)
    CalypsoBTS/OsmocomBB on a Motorola C123: $20-$50 (2010)
    OsmoSDR/Airprobe on a USB DVB-T stick: < $10 (2015)

5. Listening to broadcast channels can disclose local user identities
   Figure: a passive receiver tuned to the broadcast channel sees every paging request ("IMSI?") sent to subscribers in the location area.
   Risk
    Detect user presence
    Use IMSIs for further attacks
   Mitigation
    Avoid paging by IMSI as much as possible
    Frequently refresh TMSIs
   Source code: git://git.osmocom.org/osmocom-bb
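A check for the two mitigations on this slide, written as an added example (it is not code from the deck or from osmocom-bb): it takes paging requests decoded from a cell's common control channel and reports the share of pagings that carry the permanent identity (IMSI) and any TMSI that is still being paged an hour after it was first seen, which means the network is not refreshing it. The record format, the thresholds and the sample capture are constructed for the example.

```python
"""Paging-channel privacy check: how often does this cell page by IMSI, and
how long do its TMSIs live? Added example, not SRLabs or osmocom code. The
record format (one entry per paging request decoded from the CCCH) is an
assumption; the sample capture below is constructed."""
from dataclasses import dataclass


@dataclass
class Paging:
    t: float          # seconds since the capture started
    id_type: str      # "IMSI" or "TMSI"
    identity: str     # IMSI digits, or TMSI as hex


# Constructed sample capture: the identities are not real subscribers
SAMPLE = [
    Paging(0.0, "TMSI", "8a13b0cf"),
    Paging(1.5, "IMSI", "222880123456789"),
    Paging(3.0, "TMSI", "8a13b0cf"),
    Paging(20.0, "TMSI", "8a13b0cf"),
    Paging(35.0, "IMSI", "222010987654321"),
    Paging(900.0, "TMSI", "8a13b0cf"),
    Paging(905.0, "TMSI", "5c2211aa"),
    Paging(3700.0, "TMSI", "8a13b0cf"),   # same TMSI, more than an hour later
]


def imsi_paging_ratio(records):
    """Fraction of paging requests that name the subscriber by IMSI.
    Every IMSI paging tells a passive listener that this subscriber is here."""
    if not records:
        return 0.0
    return sum(r.id_type == "IMSI" for r in records) / len(records)


def tmsi_lifetimes(records):
    """Seconds between the first and last paging of each TMSI value.
    A TMSI that is still paged hours later has never been reallocated, so it
    identifies the subscriber almost as well as the IMSI does."""
    first, last = {}, {}
    for r in records:
        if r.id_type != "TMSI":
            continue
        first.setdefault(r.identity, r.t)
        last[r.identity] = r.t
    return {tmsi: last[tmsi] - first[tmsi] for tmsi in first}


def assess(records, max_imsi_ratio=0.05, max_tmsi_lifetime=3600.0):
    """Findings against the two mitigations on the slide (thresholds assumed)."""
    findings = []
    ratio = imsi_paging_ratio(records)
    if ratio > max_imsi_ratio:
        findings.append(f"{ratio:.0%} of pagings use the IMSI (limit {max_imsi_ratio:.0%})")
    for tmsi, life in tmsi_lifetimes(records).items():
        if life > max_tmsi_lifetime:
            findings.append(f"TMSI {tmsi} still in use after {life:.0f}s without refresh")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE):
        print(line)
```

On the constructed capture a quarter of the pagings use the IMSI and one TMSI lives for more than an hour, so both mitigations are reported as missing; on a well-configured cell both lists stay empty.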
6. Passive GSM intercept is still a major privacy risk in many countries
   Figure: encrypted voice/SMS frames captured over the air are fed to Kraken, which recovers the session key and outputs decrypted voice/SMS.
   The common GSM encryption standard A5/1 can be cracked with rainbow tables on a normal PC with a GPU and 2 TB of disk, while A5/2 can be cracked very quickly by brute force on a CPU alone.
   In the past two years we found networks using no encryption in these countries: Cambodia, China, Hong Kong, India, Israel, Kyrgyzstan, Lebanon, Morocco, Myanmar, Pakistan, Vietnam.
   Risk
    Intercept calls and SMS
    Follow user movements
   Mitigation
    Adopt randomization techniques
    Use a strong cipher (A5/3 or A5/4)
   Tutorial: https://srlabs.de/decrypting_gsm
   Source code: https://opensource.srlabs.de/projects/a51-decrypt

7. GPRS settings (mobile data) can greatly differ from voice and SMS
   Some operators surprisingly forget to turn on encryption on GPRS (or even UMTS), leaving passive sniffers full access to mobile Internet traffic.
   Risk
    Intercept mobile data traffic
    Follow user movements
   Mitigation
    Double-check radio security settings
    Use a strong cipher (GEA/3 or GEA/4)
   Tutorial: https://srlabs.de/gprs

8. Missing authentication enables user impersonation and fraud
   Figure: (1) an SMS for TMSI 0x8a13b0cf is captured, (2) its key is recovered, (3) a call from TMSI 0x8a13b0cf is placed by the attacker.
   Step 1: Capture a call or SMS directed to the victim
   Step 2: Recover the key if the transaction was encrypted
   Step 3: Start a call or send an SMS impersonating the victim, using the victim's TMSI and key
   A similar attack can be applied to mobile-terminated traffic.
   Risk
    Spoof caller ID for calls and SMS
    Send premium SMS (fraud)
   Mitigation
    Always require user authentication
    Move to a more recent radio generation
   No code available

9. Rogue base stations can massively collect user identities
   Figure: the catcher transmits a high-power cell on frequency f6 with its own LAC 9 / CID 3; phones in range answer with a location update request (LUR).
   Catcher log (Time / IMSI / IMEI / LAC/TA):
     13:37:37  22288...  35612...  1 / 2
     13:37:42  22201...  01851...  1 / 1
   The catching process works as follows:
   1. The victim is attracted by the catcher due to the strong signal.
   2. The fake tower requests all the relevant information about the user and device.
   3. The victim is pushed back to the original cell and gets normal coverage as before.
   4. No evidence is left on the mobile, but the catcher has a full log of users.
   Risk
    Collect user identities in that area
    Use IMSIs for further attacks
   Mitigation
    Monitor radio traffic to detect anomalies
    Force the mobile to use only 3G/4G networks
   Source code: http://openbts.org/get-the-code

10. More sophisticated fake cell towers can take full control of users
   Figure: the fake tower sits between the victim and the real network. Towards the victim, communication is forced to weak encryption so that the key can be cracked in real time (Kraken); towards the real network, which can enforce strong encryption and perform authentication, the victim itself provides valid responses for any sort of request. Calls and SMS are logged and manipulated in between.
   Risk
    Intercept voice/SMS/mobile data
    Manipulate traffic in both directions
   Mitigation
    Monitor radio traffic to detect anomalies
    Force the mobile to use only 3G/4G networks
   No code available
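The catching sequence on slide 9, and the man-in-the-middle variant on slide 10, leave traces that a phone-side monitor can score, which is what the mitigation "monitor radio traffic to detect anomalies" amounts to in practice. The following added example, which is not code from the deck or from SnoopSnitch, applies a handful of heuristics to a constructed log of serving-cell observations: a LAC that no known cell uses (the trick that forces the location update), a signal far above every known cell, a location update completed without ciphering, an IMEI request during that update, and an unknown cell that is seen once and then vanishes. The observation format, the baseline of known cells, the thresholds and the sample log are assumptions made for the example.

```python
"""Phone-side IMSI-catcher heuristics over serving-cell observations.
Added example, not SRLabs/SnoopSnitch code. The observation format, the
baseline of known cells, the thresholds and the sample log are assumptions."""
from dataclasses import dataclass


@dataclass
class CellObs:
    t: float                 # seconds since monitoring started
    lac: int
    cid: int
    rxlev: int               # received signal level, dBm
    lur: bool = False        # the phone sent a location update request to this cell
    ident_req: tuple = ()    # identities the cell asked for, e.g. ("IMSI", "IMEI")
    cipher: str = "A5/1"     # cipher the cell selected; "A5/0" means none


# Constructed baseline: (lac, cid) pairs seen over weeks of normal use here
KNOWN_CELLS = {(1, 1001), (1, 1002), (1, 1003), (2, 2001)}

# Constructed log: a catcher on LAC 9 / CID 3 grabs the phone for ten seconds
SAMPLE = [
    CellObs(0, 1, 1001, -75),
    CellObs(60, 1, 1002, -80),
    CellObs(120, 9, 3, -45, lur=True, ident_req=("IMSI", "IMEI"), cipher="A5/0"),
    CellObs(130, 1, 1001, -76),      # pushed back to the original cell
    CellObs(3600, 1, 1003, -82),
]


def score_cells(obs, known=KNOWN_CELLS, rx_margin=20, vanish_after=600):
    """Map each observed (lac, cid) to the list of anomaly reasons it triggered."""
    known_lacs = {lac for lac, _ in known}
    by_cell = {}
    for o in obs:
        by_cell.setdefault((o.lac, o.cid), []).append(o)
    # strongest signal ever seen from a known cell is the reference for "too strong"
    ref_rx = max((o.rxlev for o in obs if (o.lac, o.cid) in known), default=-110)
    end_t = obs[-1].t
    reasons = {}
    for cell, seen in by_cell.items():
        r = []
        if cell not in known and cell[0] not in known_lacs:
            r.append("new LAC that no known cell uses (forces a location update)")
        if cell not in known and len(seen) == 1 and end_t - seen[0].t > vanish_after:
            r.append("unknown cell seen once, then vanished")
        if max(o.rxlev for o in seen) > ref_rx + rx_margin:
            r.append("signal far above every known cell")
        for o in seen:
            if o.lur and o.cipher == "A5/0":
                r.append("location update completed without ciphering")
            if o.lur and "IMEI" in o.ident_req:
                r.append("IMEI requested during location update")
            # an IMSI request on its own is not flagged: real networks also ask
            # for it after a LAC change when the old VLR cannot be reached
        reasons[cell] = r
    return reasons


def suspects(obs, min_reasons=3):
    """Cells with at least min_reasons anomalies; one alone is common on real networks."""
    return [cell for cell, r in score_cells(obs).items() if len(r) >= min_reasons]


if __name__ == "__main__":
    for cell, r in score_cells(SAMPLE).items():
        print(cell, r)
    print("suspects:", suspects(SAMPLE))
```

The scoring deliberately needs several reasons at once: a single new LAC or a single strong cell happens whenever a real site is added, whereas a catcher tends to trip all of them in one ten-second window. The other mitigation on both slides, forcing the phone onto 3G/4G only, is a handset setting and is not something this monitor can do.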
11. Persistent malware on the SIM can be remotely installed via SMS
   Low security and software bugs give the attacker a completely stealthy remote location tracking system or decryption oracle:
   1. A specially crafted (broken) binary SMS transparently reaches the SIM and makes the mobile send back a signed response.
   2. Using rainbow tables, the DES key behind that signature is recovered, and the attacker gains admin privileges on the SIM.
   Risk
    Intercept voice/SMS/mobile data
    User location tracking (fine-grained)
   Mitigation
    Patch vulnerable SIM cards
    Block binary SMS from unknown origins
   Tutorial: https://srlabs.de/rooting-sim-cards
   Source code: https://opensource.srlabs.de/git/SIMtester.git
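The second mitigation, blocking binary SMS from unknown origins, is an operator-side filter on the SMS-DELIVER TPDU. The following added example (not code from the deck or from SIMtester) parses the fields the filter needs, recognises an SMS addressed to the SIM, that is TP-PID 0x7F "(U)SIM data download" or a message-class-2 DCS with 8-bit data as defined in 3GPP TS 23.040 and 23.038, and blocks it unless the originating address belongs to the operator's own OTA platform. The originating numbers, the gateway whitelist, the timestamps and the three PDUs are constructed.

```python
"""Operator-side filter for binary SMS aimed at the SIM. Added example, not
SRLabs/SIMtester code. Field layout follows 3GPP TS 23.040 (SMS-DELIVER) and
TS 23.038 (DCS); the OTA gateway whitelist and the PDUs are constructed."""

OTA_GATEWAYS = {"+39123456"}   # constructed: the operator's own OTA platform


def parse_deliver(tpdu: bytes) -> dict:
    """Decode the SMS-DELIVER fields a filter needs (numeric originator only)."""
    if tpdu[0] & 0x03 != 0x00:               # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER TPDU")
    oa_digits = tpdu[1]                      # TP-OA length is in digits
    toa = tpdu[2]                            # type of address
    n = (oa_digits + 1) // 2                 # digits are packed two per octet
    bcd = tpdu[3:3 + n]
    digits = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in bcd).rstrip("f")
    oa = ("+" if (toa & 0x70) == 0x10 else "") + digits   # 0x10 = international
    p = 3 + n
    return {
        "oa": oa,
        "pid": tpdu[p],                      # TP-PID
        "dcs": tpdu[p + 1],                  # TP-DCS
        "scts": tpdu[p + 2:p + 9],           # service centre time stamp
        "ud": tpdu[p + 10:p + 10 + tpdu[p + 9]],
    }


def is_class2_8bit(dcs: int) -> bool:
    """Message class 2 (SIM-specific) with 8-bit data, in either DCS coding group."""
    general = (dcs & 0xC0) == 0x00 and (dcs & 0x10) and (dcs & 0x0C) == 0x04
    data_group = (dcs & 0xF0) == 0xF0 and (dcs & 0x04) == 0x04
    return bool(general or data_group) and (dcs & 0x03) == 0x02


def is_sim_download(pid: int, dcs: int) -> bool:
    """TP-PID 0x7F is (U)SIM data download; class 2 / 8-bit is the other route."""
    return pid == 0x7F or is_class2_8bit(dcs)


def filter_sms(tpdu_hex: str) -> tuple:
    """Return (action, reason) for one incoming SMS-DELIVER TPDU."""
    m = parse_deliver(bytes.fromhex(tpdu_hex))
    if not is_sim_download(m["pid"], m["dcs"]):
        return "ALLOW", f"ordinary SMS from {m['oa']}"
    if m["oa"] in OTA_GATEWAYS:
        return "ALLOW", f"OTA message from trusted platform {m['oa']}"
    return "BLOCK", (f"SIM data download (PID 0x{m['pid']:02X}, DCS 0x{m['dcs']:02X}) "
                     f"from untrusted {m['oa']}")


# Constructed TPDUs (hex). Originator +491701234567 is unknown to the operator;
# +39123456 is the whitelisted OTA platform. PID 7F / DCS F6 marks SIM download.
OTA_FROM_UNKNOWN = "040C919471103254767FF651116031737040050270000001"
TEXT_FROM_UNKNOWN = "040C9194711032547600005111603173704005C8329BFD06"
OTA_FROM_GATEWAY = "040891932143657FF651116031737040050270000001"

if __name__ == "__main__":
    for pdu in (OTA_FROM_UNKNOWN, TEXT_FROM_UNKNOWN, OTA_FROM_GATEWAY):
        print(filter_sms(pdu))
```

The filter keys on the protocol identifier and data coding scheme rather than on the payload, because the slide's point is that the payload can be deliberately malformed and still reach the SIM; what it cannot hide is that it is addressed to the SIM at all. Alphanumeric originators are left out of the parser on purpose: an OTA platform always has a numeric address, so a SIM-download message with an alphanumeric originator should simply be blocked.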
12. Agenda (section 2: Attacks over the wire)
    Attacks over the air
    Attacks over the wire
    How to protect yourself

13. Mobile operators share their subscribers' data over trusted clouds
   Figure: Net 1 and Net 2 (Country A) and Net 3 and Net 4 (Country B) are interconnected through two private clouds separate from the public Internet: the signalling network (SS7) carrying voice, SMS and USSD, and the GRX carrying mobile Internet and MMS.
   Only members of the GSM Association should have access to these clouds.

14. User location tracking is cheap and widely available on the Internet
   Many providers online offer HLR lookups for just a few cents (try on Google: "hlr lookup"). Starting from a mobile number, one can visualize which state and city the mobile user is currently visiting.
   Risk
    User location retrieval (coarse position)
    Entirely stealthy and remote tracking
   Mitigation
    Operators to deploy SMS home routing
    Block requests from untrusted sources
   Slides: https://berlin.ccc.de/~tobias/25c3-locating-mobile-phones.pdf

15. Fine-grained position is obtainable with roaming-related requests
   SS7 exchange (Net 2 is the attacker's speaker, Net 1 the network serving the victim):
   Net 2: "Dear Net 1, my subscriber Victim is currently roaming in your network, could you tell me where and whether it's in a call?"
   Net 1: "Sure! Dear Net 2, your Victim is currently served by a cell near the Tour Eiffel and it's not in a call."
   Risk
    User location retrieval (fine-grained)
    Remote tracking (not always stealthy)
   Mitigation
    Deploy SS7 filtering at network borders
    Block requests from untrusted sources
   Slides: http://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf

16. Trusted network relations can ease spam and fraud attempts
   Net 2: "Dear Net 1, your user Victim is visiting me, can you give me his full profile? And also, he wants to send an SMS to ..."
   Net 1: "Dear Net 2, here is the profile, and thanks for the SMS, I will try to deliver it and bill it to Victim."
   Risk
    User impersonation (call/SMS fraud)
    Mass SMS advertisement delivery
   Mitigation
    Check plausibility of user requests
    Block requests from untrusted sources

17. Strong encryption can be defeated by trusted key handovers
   Net 2: "Dear Net 1, I need the encryption key immediately to connect a call of your subscriber Victim that is coming towards me."
   Net 1: "Dear Net 2, sure! Here is the key and all the rest you need to keep the call going, good luck!"
   Risk
    Capture and decrypt user traffic
    Reuse keys to spoof legitimate towers
   Mitigation
    Block internal-only SS7 requests
    Accept only speakers from a whitelist
   Slides: https://events.ccc.de/congress/2014/Fahrplan/system/attachments/2493/original/Mobile_Self_Defense-Karsten_Nohl-31C3-v1.pdf

18. Voice and SMS can be remotely intercepted in several ways
   Attacker (over SS7, to the network serving the victim): "Dear cell XXX, forget what Net 1 said about Victim, he now wants to forward all his calls to me."
   Father tries to call Victim, but the call is immediately rerouted to the attacker, who can start recording and forward it to the Victim.
   Risk
    Intercept calls and SMS
    Manipulate/spoof user traffic
   Mitigation
    Perform smart SS7 plausibility checks
    Accept only speakers from a whitelist
   Video: www.9jumpin.com.au/show/60minutes/stories/2015/august/phone-hacking
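The mitigations on slides 14 to 18 (SMS home routing, blocking internal-only requests at the border, accepting only whitelisted speakers, and plausibility checks on roaming requests) combine into a single border policy. The following added example, which is not an SRLabs tool and not a complete SS7 firewall, sketches that policy for the MAP operations named on those slides: the location query of slide 15 (provideSubscriberInfo/anyTimeInterrogation) and the key handover of slide 17 (sendIdentification) are blocked outright, the HLR lookup of slide 14 (sendRoutingInfoForSM) is answered by the home router, the profile rewrite of slide 18 (insertSubscriberData) must come from the HLR that owns the IMSI, and an updateLocation is checked against where the HLR last saw the subscriber. The operation codes are those of 3GPP TS 29.002; the global title prefixes, IMSI prefixes, partner whitelist, HLR state and timing threshold are constructed.

```python
"""Border policy for incoming MAP operations. Added example, not an SRLabs
tool. Operation codes per 3GPP TS 29.002; the topology below (GT prefixes,
IMSI prefixes, whitelist, HLR state, timing threshold) is constructed."""
from dataclasses import dataclass

# MAP operation codes (3GPP TS 29.002)
UPDATE_LOCATION = 2
CANCEL_LOCATION = 3
INSERT_SUBSCRIBER_DATA = 7
SEND_ROUTING_INFO_FOR_SM = 45
SEND_IDENTIFICATION = 55
SEND_AUTHENTICATION_INFO = 56
PROVIDE_SUBSCRIBER_INFO = 70
ANY_TIME_INTERROGATION = 71

# Slide 17 (key handover) and slide 15 (fine-grained location): no legitimate
# reason to cross the interconnect border, so they are dropped regardless of sender.
INTERNAL_ONLY = {SEND_IDENTIFICATION, PROVIDE_SUBSCRIBER_INFO, ANY_TIME_INTERROGATION}

# Constructed topology (assumption): GT prefix -> network, IMSI prefix -> network
GT_OWNER = {"3912": "net1", "4917": "net2", "7495": "net3", "1212": "net4"}
IMSI_OWNER = {"22201": "net1", "26202": "net2", "25001": "net3"}
HOME = "net1"                    # the network whose border this filter guards
WHITELIST = {"net2", "net3"}     # roaming partners with a signed agreement
# HLR view of our roamers: IMSI -> (network currently serving them, time of that UL)
HLR_LOCATION = {"222010123456789": ("net2", 1000.0)}
MIN_ROAM_INTERVAL = 3600.0       # seconds; a UL from another network sooner is implausible


@dataclass
class MapMessage:
    opcode: int
    calling_gt: str       # E.164 global title of the sending node
    imsi: str = ""        # subscriber the operation concerns, if any
    t: float = 0.0        # arrival time, seconds


def owner(prefixes, number):
    """Map a GT or IMSI to the network owning its prefix (None if unknown)."""
    return next((net for p, net in prefixes.items() if number.startswith(p)), None)


def decide(m):
    """Return (action, reason); action is BLOCK, ALLOW or HOME_ROUTE."""
    if m.opcode in INTERNAL_ONLY:
        return "BLOCK", "internal-only operation received at the border"
    if m.opcode == SEND_ROUTING_INFO_FOR_SM:
        # Slide 14: reply with the SMS router's address instead of the real
        # IMSI/MSC, so an HLR-lookup service learns nothing about location.
        return "HOME_ROUTE", "SRI-SM answered by the SMS home router"
    sender = owner(GT_OWNER, m.calling_gt)
    if sender not in WHITELIST:
        return "BLOCK", f"sender {m.calling_gt} is not a whitelisted partner"
    subscriber_home = owner(IMSI_OWNER, m.imsi)
    if m.opcode in (INSERT_SUBSCRIBER_DATA, CANCEL_LOCATION):
        # Slide 18: profile and forwarding data may only come from the HLR
        # of the network that owns the IMSI, never from a third party.
        if subscriber_home != sender:
            return "BLOCK", "ISD/CL from a network that does not own the IMSI"
        return "ALLOW", "home HLR updating its own roamer"
    if m.opcode in (UPDATE_LOCATION, SEND_AUTHENTICATION_INFO):
        if subscriber_home != HOME:
            return "BLOCK", "roaming request about a subscriber that is not ours"
        if m.opcode == UPDATE_LOCATION:
            served_by, last = HLR_LOCATION.get(m.imsi, (None, 0.0))
            if served_by not in (None, sender) and m.t - last < MIN_ROAM_INTERVAL:
                return "BLOCK", f"UL from {sender} only {m.t - last:.0f}s after UL from {served_by}"
        return "ALLOW", "whitelisted partner serving our subscriber"
    return "BLOCK", "operation not covered by policy"


if __name__ == "__main__":
    print(decide(MapMessage(PROVIDE_SUBSCRIBER_INFO, "4917001", "222010123456789")))
    print(decide(MapMessage(INSERT_SUBSCRIBER_DATA, "4917001", "222010123456789")))
    print(decide(MapMessage(UPDATE_LOCATION, "7495001", "222010123456789", 1500.0)))
```

The order of the checks matters: the internal-only drop and the home-routing answer come before the whitelist, because those two operations must be handled the same way whoever sends them, while the whitelist and the ownership and timing checks only make sense for operations that some partner is genuinely entitled to send. The GTP-side mitigation on the next slide follows the same pattern for the data plane, but is a separate protocol and is not covered here.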
19. Mobile data can also be remotely diverted, blocked and spoofed
   Exchange over the GRX (or the Internet):
   Net 2: "Dear Net 1, your user Victim is visiting me, can you give me his current IP and make me the owner of it?"
   Net 1: "Dear Net 2, here are the current IP and connection settings for Victim, now it's all yours, and here are some packets for him."
   Risk
    Intercept mobile data (Internet)
    Manipulate/spoof user traffic
   Mitigation
    Block internal-only GTP requests
    Accept only speakers from a whitelist
   Slides: https://events.ccc.de/camp/2015/Fahrplan/system/attachments/2649/original/CCCamp-SRLabs-Advanced_Interconnect_Attacks.v1.pdf

20. Agenda (section 3: How to protect yourself)
    Attacks over the air
    Attacks over the wire
    How to protect yourself

21. GSM Map allows users to compare security in several countries

22. Security levels are summarized in a chart and detailed in a report

23. A similar world map shows risk levels associated with SS7 exposure

24. SnoopSnitch monitors network anomalies and attack attempts
   It currently shows: network security levels (intercept, impersonation), IMSI catcher events, SS7 attacks, reception of malicious SMS (silent & binary)

25. Takeaways
    Many vulnerabilities found in the past years are still a threat for mobile users
    Network operators worldwide should improve their security to prevent abuse
    Attack tools are available to researchers, and criminals are not far behind them
   Questions? Luca Melette <luca@srlabs.de>