SlideShare a Scribd company logo

iParanoid: an IMSI Catcher - Stingray Intrusion Detection System

•
•
Luca Bongiorni
Luca Bongiorni

The goal is the research and development of Intrusion Detection System related with Cell Networks. Mainly this App will check the status of some Cell Network variables (e.g. Cellid, LAC, A5 Encryption, etc.) subsequently update a local DB and check if the information about the cell networks around the users are valid or if there could be a risk (e.g. possible interception, possible impersonation, etc.).

TechnologyBusiness
1 of 22
Bootcamp 2012 – University of Luxembourg Luca Bongiorni – 20/09/2012
The GSM or 2G, even if outdated (1987), is the most popular radio communication standard around the world. It is widely deployed! It counts more than 4.4 billion of subscribers spread across more than 200 countries. 2
3
“… police had been detecting unauthorized IMSI catchers being used across the country, though had not been able to catch any of the perpetrators. … Former Czech intelligence agency chief A. Sandor said that businesses could be using them to spy on one another. … it’s possible that criminal gangs could be using them for extortion” • What happens if competitors use it to take advantage of your company? • What happens if someone intercept you and then extorts you money? Think about it… 4
In the last years many Practical Attacks have been publicly disclosed! Using Cell Phones is no longer safe for Private Life or for Business. Some of the Threats that You should be aware:  IMSI-Catchers (e.g. Location Disclosure, Calls, SMS, Banking mTAN Interception, Highjacking Emergency Calls, User Impersonation, etc.)  Passive Sniffing / Cracking (If the operator uses a weak encryption algorithm your data, calls, SMS can be easily intercepted by everyone!) 5
• Lack of Mutual Authentication o The MS auths the network, not viceversa • Subcribers Mobility o The Stronger signal Wins (Cell Selection & Reselection) o Forced Location Update (if LACPLMN != LACIMSI-Catcher then swtich to IMSI-Catcher) • Encryption is NOT Compulsory o A5/0 No Encryption 6
Location Disclosure CallerID vittima Lista CittĂ  ed IMSI Local Area Catch-and-Relay 7
• Spoofing CallerID • Eavesdropping Outgoing Calls & SMS • Highjacking Emergency Calls 8
Don’t worry! Are vulnerable as well! What happens if we JAM the UMTS & LTE frequencies?! Le UE: “Nice to meet you again sir GSM” Le GSM: “Welcome back my dear” 9
10
11
12
“GPRS Intercept Wardriving phone networks” by Nohl & Melette, 2011 http://tinyurl.com/gprs-nohl-slides Many operators does NOT encrypt communications!!! 13
14
How can we Mitigate the Problem? 15
A Mobile Cell Networks Intrusion Detection System iParanoid is an Android App (and soon also for iPhone) that acts as a sort of Real Time IDS (Intrusion Detection System), that alerts the subscriber in case is happening something strange and reacts in order to prevent attacks or data loss:      Man In The Middle Attacks (Phone Interception) No Encryption adopted by the operator Impersonation Attacks Denial of Services Silent Calls or SMS 16
iParanoid has two Operative Modes: s Offline Mode: The App should be able to show which encryption level is used from the Cell Network and alert the user in case that encryption level is changed (e.g. A5/1 -> A5/2 -> A5/0) and if the tuple (CellID/LAC) is changed too. Online Mode: The App should retrieve the list of all Trustable BTSes (related on the area where the user is located thanks to the GPS) from the remote server. ** ** High Encryption Level needed (e.g. GPG) Both operative modes can be ran as deamon from the boot of the phone (without user interaction) or launched by the users as a usual app. 17
The App should use the Android’s APIs to retrieve some important variables from the Cell Network, like: MNC, MCC, LAC, CID, Cipher indicator A5 (eventually also CRO, T3212 and Neighbours Cells). Then, once retrieved also the GPS position, all datas are evaluated and sent to a remote server that will further analyze the Security Level and report eventual malicious behaviours. In case of alerts the user will be notified and He/She will have the possibility to spread them through Social Networks or the iParanoid’s webserver (anonymously). 18
19
The Server should use TWO DBs: ●Trustable BTS Towers DataBase (e.g. http://www.opencellid.org) ●Anonymous Users Alerts (GPS position, Timestamp & Type of Risk) The Server Should be able to: Analyze and Correlate the informations between the first DB and the ones that have been sent from iParanoid. In case of malicious behaviour, It should notify the user with an Alert. 20
21
22

Recommended

LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...EC-Council
 
5G SA security: a comprehensive overview of threats, vulnerabilities and rem...
5G SA security: a comprehensive overview of threats, vulnerabilities and rem... 5G SA security: a comprehensive overview of threats, vulnerabilities and rem...
5G SA security: a comprehensive overview of threats, vulnerabilities and rem...PositiveTechnologies
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 networkAlexandre De Oliveira
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Alejandro Corletti Estrada
 
Paging in LTE
Paging in LTEPaging in LTE
Paging in LTESurya Munda
 
LTE Architecture Overview
LTE Architecture OverviewLTE Architecture Overview
LTE Architecture OverviewHossein Yavari
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 

Recommended

LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...EC-Council
 
5G SA security: a comprehensive overview of threats, vulnerabilities and rem...
5G SA security: a comprehensive overview of threats, vulnerabilities and rem... 5G SA security: a comprehensive overview of threats, vulnerabilities and rem...
5G SA security: a comprehensive overview of threats, vulnerabilities and rem...PositiveTechnologies
 
Worldwide attacks on SS7 network
Worldwide attacks on SS7 networkWorldwide attacks on SS7 network
Worldwide attacks on SS7 networkAlexandre De Oliveira
 
Attacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsAttacks you can't combat: vulnerabilities of most robust MNOs
Attacks you can't combat: vulnerabilities of most robust MNOsPositiveTechnologies
 
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...
Analysis of attacks / vulnerabilities SS7 / Sigtran using Wireshark (and / or...Alejandro Corletti Estrada
 
Paging in LTE
Paging in LTEPaging in LTE
Paging in LTESurya Munda
 
LTE Architecture Overview
LTE Architecture OverviewLTE Architecture Overview
LTE Architecture OverviewHossein Yavari
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 
4 g LTE, LTE Advance
4 g LTE, LTE Advance 4 g LTE, LTE Advance
4 g LTE, LTE Advance Sajid Marwat
 
GSM & UMTS Security
GSM & UMTS SecurityGSM & UMTS Security
GSM & UMTS SecuritySohaib Altaf
 
Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!PositiveTechnologies
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityP1Security
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherShakacon
 
Lte ue initial attach & detach from networkx
Lte ue initial attach & detach from networkxLte ue initial attach & detach from networkx
Lte ue initial attach & detach from networkxtharinduwije
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsP1Security
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...DefCamp
 
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Siddharth Rao
 
UMTS OVERVIEW
UMTS OVERVIEWUMTS OVERVIEW
UMTS OVERVIEWAbdulqader Al-kaboudei
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure3G4G
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Hamidreza Bolhasani
 
Security in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksSecurity in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksNaveen Kumar
 
5G Network Overview
5G Network Overview 5G Network Overview
5G Network OverviewHamidreza Bolhasani
 
Simjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilitySimjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilityPositiveTechnologies
 
LTE Architecture and interfaces
LTE Architecture and interfacesLTE Architecture and interfaces
LTE Architecture and interfacesAbdulrahman Fady
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Telecom Security in the Era of 5G and IoT
Telecom Security in the Era of 5G and IoTTelecom Security in the Era of 5G and IoT
Telecom Security in the Era of 5G and IoTPositiveTechnologies
 
ims registration call flow procedure volte sip
ims registration call flow procedure volte sipims registration call flow procedure volte sip
ims registration call flow procedure volte sipVikas Shokeen
 
Intercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT HackingIntercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT Hacking📡 Sebastien Dudek
 
Mobile cloning
Mobile cloningMobile cloning
Mobile cloningVIKASH MEWAL
 

More Related Content

What's hot

4 g LTE, LTE Advance
4 g LTE, LTE Advance 4 g LTE, LTE Advance
4 g LTE, LTE Advance Sajid Marwat
 
GSM & UMTS Security
GSM & UMTS SecurityGSM & UMTS Security
GSM & UMTS SecuritySohaib Altaf
 
Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!PositiveTechnologies
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityP1Security
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherShakacon
 
Lte ue initial attach & detach from networkx
Lte ue initial attach & detach from networkxLte ue initial attach & detach from networkx
Lte ue initial attach & detach from networkxtharinduwije
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsP1Security
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...DefCamp
 
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Siddharth Rao
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure3G4G
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Hamidreza Bolhasani
 
Security in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksSecurity in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksNaveen Kumar
 
Simjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilitySimjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilityPositiveTechnologies
 
LTE Architecture and interfaces
LTE Architecture and interfacesLTE Architecture and interfaces
LTE Architecture and interfacesAbdulrahman Fady
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Telecom Security in the Era of 5G and IoT
Telecom Security in the Era of 5G and IoTTelecom Security in the Era of 5G and IoT
Telecom Security in the Era of 5G and IoTPositiveTechnologies
 
ims registration call flow procedure volte sip
ims registration call flow procedure volte sipims registration call flow procedure volte sip
ims registration call flow procedure volte sipVikas Shokeen
 

What's hot (20)

4 g LTE, LTE Advance
4 g LTE, LTE Advance 4 g LTE, LTE Advance
4 g LTE, LTE Advance
 
GSM & UMTS Security
GSM & UMTS SecurityGSM & UMTS Security
GSM & UMTS Security
 
Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G! Signaling security essentials. Ready, steady, 5G!
Signaling security essentials. Ready, steady, 5G!
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
 
Philippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1securityPhilippe Langlois - LTE Pwnage - P1security
Philippe Langlois - LTE Pwnage - P1security
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
 
Lte ue initial attach & detach from networkx
Lte ue initial attach & detach from networkxLte ue initial attach & detach from networkx
Lte ue initial attach & detach from networkx
 
Philippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elementsPhilippe Langlois - Hacking HLR HSS and MME core network elements
Philippe Langlois - Hacking HLR HSS and MME core network elements
 
Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...Mobile signaling threats and vulnerabilities - real cases and statistics from...
Mobile signaling threats and vulnerabilities - real cases and statistics from...
 
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
Unblocking Stollen Mobile Phones using SS7-MaP vulnerabilities
 
UMTS OVERVIEW
UMTS OVERVIEWUMTS OVERVIEW
UMTS OVERVIEW
 
Simplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach ProcedureSimplified Call Flow Signaling: Registration - The Attach Procedure
Simplified Call Flow Signaling: Registration - The Attach Procedure
 
Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)Mobile Networks Overview (2G / 3G / 4G-LTE)
Mobile Networks Overview (2G / 3G / 4G-LTE)
 
Security in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) NetworksSecurity in GSM(2G) and UMTS(3G) Networks
Security in GSM(2G) and UMTS(3G) Networks
 
5G Network Overview
5G Network Overview 5G Network Overview
5G Network Overview
 
Simjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerabilitySimjacker: how to protect your network from the latest hot vulnerability
Simjacker: how to protect your network from the latest hot vulnerability
 
LTE Architecture and interfaces
LTE Architecture and interfacesLTE Architecture and interfaces
LTE Architecture and interfaces
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
Telecom Security in the Era of 5G and IoT
Telecom Security in the Era of 5G and IoTTelecom Security in the Era of 5G and IoT
Telecom Security in the Era of 5G and IoT
 
ims registration call flow procedure volte sip
ims registration call flow procedure volte sipims registration call flow procedure volte sip
ims registration call flow procedure volte sip
 

Similar to iParanoid: an IMSI Catcher - Stingray Intrusion Detection System

Intercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT HackingIntercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT Hacking📡 Sebastien Dudek
 
Mobile cloning
Mobile cloningMobile cloning
Mobile cloningVIKASH MEWAL
 
2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolution2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolutionTech and Law Center
 
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSPY24
 
Introducing mobile telephony
Introducing mobile telephonyIntroducing mobile telephony
Introducing mobile telephonyJoseph Guindeba
 
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the EnterpriseJ.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the EnterpriseDroidcon Berlin
 
Hack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hackingHack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hacking📡 Sebastien Dudek
 
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2016
 
mobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxmobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxRohithKumarKishtam
 
Troopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricksTroopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricks📡 Sebastien Dudek
 
mobile jammer ppt.pptx
mobile jammer ppt.pptxmobile jammer ppt.pptx
mobile jammer ppt.pptxManojMudhiraj3
 
mobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxmobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxMurulidharLM1
 
Mobile Phone and SIM card cloning
Mobile Phone and SIM card cloningMobile Phone and SIM card cloning
Mobile Phone and SIM card cloningAnkur Kumar
 
Vehicle anti theft tracking system based on internet of things
Vehicle anti theft tracking system based on internet of things Vehicle anti theft tracking system based on internet of things
Vehicle anti theft tracking system based on internet of things Jyothsna Sridhar
 
Mobile Phone Cloning
Mobile Phone Cloning Mobile Phone Cloning
Mobile Phone CloningDevyani Vaidya
 

Similar to iParanoid: an IMSI Catcher - Stingray Intrusion Detection System (20)

Intercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT HackingIntercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT Hacking
 
Mobile cloning
Mobile cloningMobile cloning
Mobile cloning
 
2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolution2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolution
 
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdfSS7: Locate -Track - Manipulate Attack - SPY24™.pdf
SS7: Locate -Track - Manipulate Attack - SPY24™.pdf
 
Beerump 2018 - Modmobmap
Beerump 2018 - ModmobmapBeerump 2018 - Modmobmap
Beerump 2018 - Modmobmap
 
Introducing mobile telephony
Introducing mobile telephonyIntroducing mobile telephony
Introducing mobile telephony
 
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the EnterpriseJ.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
 
Mobile threat
Mobile threatMobile threat
Mobile threat
 
Hack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hackingHack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hacking
 
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
 
mobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxmobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptx
 
33c3 - 2G and 3G intercom attacks
33c3 - 2G and 3G intercom attacks33c3 - 2G and 3G intercom attacks
33c3 - 2G and 3G intercom attacks
 
Troopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricksTroopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricks
 
mobile jammer ppt.pptx
mobile jammer ppt.pptxmobile jammer ppt.pptx
mobile jammer ppt.pptx
 
mobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxmobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptx
 
Mobile Phone and SIM card cloning
Mobile Phone and SIM card cloningMobile Phone and SIM card cloning
Mobile Phone and SIM card cloning
 
Gsm
Gsm Gsm
Gsm
 
Vehicle anti theft tracking system based on internet of things
Vehicle anti theft tracking system based on internet of things Vehicle anti theft tracking system based on internet of things
Vehicle anti theft tracking system based on internet of things
 
Test
TestTest
Test
 
Mobile Phone Cloning
Mobile Phone Cloning Mobile Phone Cloning
Mobile Phone Cloning
 

More from Luca Bongiorni

HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...Luca Bongiorni
 
ANP catalog: the adversarial ninja playset
ANP catalog: the adversarial ninja playsetANP catalog: the adversarial ninja playset
ANP catalog: the adversarial ninja playsetLuca Bongiorni
 
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's JourneyManufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's JourneyLuca Bongiorni
 
How to bring HID attacks to next level with WHID Injector & P4wnP1
How to bring HID attacks to next level with WHID Injector & P4wnP1How to bring HID attacks to next level with WHID Injector & P4wnP1
How to bring HID attacks to next level with WHID Injector & P4wnP1Luca Bongiorni
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Luca Bongiorni
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsLuca Bongiorni
 
Lockpicking Baltic Cyber Security Forum 2013
Lockpicking Baltic Cyber Security Forum 2013Lockpicking Baltic Cyber Security Forum 2013
Lockpicking Baltic Cyber Security Forum 2013Luca Bongiorni
 
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...Luca Bongiorni
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Luca Bongiorni
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionLuca Bongiorni
 

More from Luca Bongiorni (10)

HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...
 
ANP catalog: the adversarial ninja playset
ANP catalog: the adversarial ninja playsetANP catalog: the adversarial ninja playset
ANP catalog: the adversarial ninja playset
 
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's JourneyManufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
 
How to bring HID attacks to next level with WHID Injector & P4wnP1
How to bring HID attacks to next level with WHID Injector & P4wnP1How to bring HID attacks to next level with WHID Injector & P4wnP1
How to bring HID attacks to next level with WHID Injector & P4wnP1
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
 
Lockpicking Baltic Cyber Security Forum 2013
Lockpicking Baltic Cyber Security Forum 2013Lockpicking Baltic Cyber Security Forum 2013
Lockpicking Baltic Cyber Security Forum 2013
 
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
 

Recently uploaded

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Recently uploaded (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

iParanoid: an IMSI Catcher - Stingray Intrusion Detection System

  • 1. Bootcamp 2012 – University of Luxembourg Luca Bongiorni – 20/09/2012
  • 2. The GSM or 2G, even if outdated (1987), is the most popular radio communication standard around the world. It is widely deployed! It counts more than 4.4 billion of subscribers spread across more than 200 countries. 2
  • 3. 3
  • 4. “… police had been detecting unauthorized IMSI catchers being used across the country, though had not been able to catch any of the perpetrators. … Former Czech intelligence agency chief A. Sandor said that businesses could be using them to spy on one another. … it’s possible that criminal gangs could be using them for extortion” • What happens if competitors use it to take advantage of your company? • What happens if someone intercept you and then extorts you money? Think about it… 4
  • 5. In the last years many Practical Attacks have been publicly disclosed! Using Cell Phones is no longer safe for Private Life or for Business. Some of the Threats that You should be aware:  IMSI-Catchers (e.g. Location Disclosure, Calls, SMS, Banking mTAN Interception, Highjacking Emergency Calls, User Impersonation, etc.)  Passive Sniffing / Cracking (If the operator uses a weak encryption algorithm your data, calls, SMS can be easily intercepted by everyone!) 5
  • 6. • Lack of Mutual Authentication o The MS auths the network, not viceversa • Subcribers Mobility o The Stronger signal Wins (Cell Selection & Reselection) o Forced Location Update (if LACPLMN != LACIMSI-Catcher then swtich to IMSI-Catcher) • Encryption is NOT Compulsory o A5/0 No Encryption 6
  • 7. Location Disclosure CallerID vittima Lista CittĂ  ed IMSI Local Area Catch-and-Relay 7
  • 8. • Spoofing CallerID • Eavesdropping Outgoing Calls & SMS • Highjacking Emergency Calls 8
  • 9. Don’t worry! Are vulnerable as well! What happens if we JAM the UMTS & LTE frequencies?! Le UE: “Nice to meet you again sir GSM” Le GSM: “Welcome back my dear” 9
  • 10. 10
  • 11. 11
  • 12. 12
  • 13. “GPRS Intercept Wardriving phone networks” by Nohl & Melette, 2011 http://tinyurl.com/gprs-nohl-slides Many operators does NOT encrypt communications!!! 13
  • 14. 14
  • 15. How can we Mitigate the Problem? 15
  • 16. A Mobile Cell Networks Intrusion Detection System iParanoid is an Android App (and soon also for iPhone) that acts as a sort of Real Time IDS (Intrusion Detection System), that alerts the subscriber in case is happening something strange and reacts in order to prevent attacks or data loss:      Man In The Middle Attacks (Phone Interception) No Encryption adopted by the operator Impersonation Attacks Denial of Services Silent Calls or SMS 16
  • 17. iParanoid has two Operative Modes: s Offline Mode: The App should be able to show which encryption level is used from the Cell Network and alert the user in case that encryption level is changed (e.g. A5/1 -> A5/2 -> A5/0) and if the tuple (CellID/LAC) is changed too. Online Mode: The App should retrieve the list of all Trustable BTSes (related on the area where the user is located thanks to the GPS) from the remote server. ** ** High Encryption Level needed (e.g. GPG) Both operative modes can be ran as deamon from the boot of the phone (without user interaction) or launched by the users as a usual app. 17
  • 18. The App should use the Android’s APIs to retrieve some important variables from the Cell Network, like: MNC, MCC, LAC, CID, Cipher indicator A5 (eventually also CRO, T3212 and Neighbours Cells). Then, once retrieved also the GPS position, all datas are evaluated and sent to a remote server that will further analyze the Security Level and report eventual malicious behaviours. In case of alerts the user will be notified and He/She will have the possibility to spread them through Social Networks or the iParanoid’s webserver (anonymously). 18
  • 19. 19
  • 20. The Server should use TWO DBs: ●Trustable BTS Towers DataBase (e.g. http://www.opencellid.org) ●Anonymous Users Alerts (GPS position, Timestamp & Type of Risk) The Server Should be able to: Analyze and Correlate the informations between the first DB and the ones that have been sent from iParanoid. In case of malicious behaviour, It should notify the user with an Alert. 20
  • 21. 21
  • 22. 22