An expert presented techniques for hacking intercom systems. The presentation covered:
1) Conducting red team physical intrusion tests which sometimes require bypassing intercom systems.
2) Different types of intercom systems and how numeric intercoms use mobile networks like GSM.
3) Potential attack vectors like impersonating resident phone numbers by intercepting calls to the intercom using a fake mobile tower.
Arduino arduino gsm-shield .... helpful to b.tec studentsnanda kar
The document summarizes information about the Arduino GSM Shield, which allows an Arduino board to connect to the internet, send and receive SMS, and make voice calls using GSM and GPRS technology. It provides details on what GSM and GPRS are, SIM card and network requirements, how to connect the shield, test connectivity, send SMS messages and connect to the internet using the GSM library. Code examples are included to demonstrate functionality.
This document discusses attacks on digital house intercom systems that use mobile networks like GSM, 3G, and 4G to communicate. It begins by providing background on digital intercom systems and how they work. It then reviews the state of research on attacking GSM networks. The document goes on to describe experiments the author conducted to passively monitor and actively attack a digital intercom system in a lab environment. Attacks demonstrated include leaking phone numbers, opening doors, and "backdooring" the system. The document concludes that digital intercom systems could be vulnerable due to their use of mobile networks with known security weaknesses.
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015CODE BLUE
We are in the IoT era. In this session, the function of GNURadio will be introduced with demonstration. GNURadio is a SDR (Software Defined Radio) tool to analyze wireless security such as Bluetooth LE. As an example of a SDR usage, I will demonstrate the replay attack for RF signal of ADS-B (Automatic Dependent Surveillance Broadcast) mounted on an aircraft and sniffer for wireless keyboards. Ideas of the counter measurement will also be discussed.
Ansee Smart Home Security Products201610Royce Heung
Ansee Smart Home Security Products company introduces their line of smart home security cameras, alarms, and accessories. Their products include IP cameras, mini cameras, bullet cameras, dome cameras, alarms for smoke, gas, doors, and more. Their software allows remote viewing, playback, alerts and control of cameras and smart home devices over WiFi or cellular networks. Ansee focuses on video surveillance integration, smart home control, and linking video with alarms for home security.
Dahua DH-IPC-HFW2431TP-AS-S2 4MP Star-Light IR Fixed-focal Bullet Network IP ...Trimatrik Multimedia
Dahua DH-IPC-HFW2431TP-AS-S2 Bangladesh,
1/3″ Progressive CMOS; 4 MP; IP; H.264 / H.264+ / Н.265 / MJPEG; Lens: f = 3.6 mm (viewing angle 84°); Record: Main Stream 4 МР – 20 fps, 3 МР – 25 fps, 1080р – 25 fps, 720р – 25 fps, Sub Stream D1 – 25 fps, VGA – 25 fps, CIF – 25 fps; smart IR illumination up to 80 m; Storage method: NAS, Dahua Cloud, FTP, SFTP, microSD up to 256GB; Power supply DC 12 V / PoE (802.3af).
What is the Dahua DH-IPC-HFW2431TP-AS-S2 Price in Bangladesh?
TRIMATRIK MULTIMEDIA offers you Dahua DH-IPC-HFW2431TP-AS-S2 IP camera with the best price in Bangladesh which, is your budget-friendly. We also offers you Service & installation with this Dahua DH-IPC-HFW2431TP-AS-S2 IP camera. Dahua DH-IPC-HFW2431TP-AS-S2 Price is 10,500 Taka. Order Online for nationwide cash on delivery or visit our Corporate Office.
https://www.trimatrikbd.com/product/dahua-dh-ipc-hfw2431tp-as-s2/
CALL: 0185-3330344, 01789-636363
#Dahua
Brochure videofied outdoor home business enIlias Varsamis
The Videofied home security system deters intruders before a break-in occurs using outdoor cameras, sirens, and lights. The wireless system notifies monitoring stations and homeowners of intrusions in real-time via video. It provides protection for homes, businesses, and other properties using battery-powered indoor and outdoor cameras with a 4-year lifespan.
Ansee Security Products introduces their line of IP cameras, alarms, and smart home devices. Their products include mini, bullet, dome, and cube shaped IP cameras with features like P2P cloud connectivity, motion detection, audio, and storage. They also offer smoke, gas, and motion detectors, as well as smart switches and sockets. Ansee provides a CMS client software and mobile app for remote monitoring, playback, alerts and smart home control of their plug-and-play systems known for video alarm integration and simplicity of use.
An expert presented techniques for hacking intercom systems. The presentation covered:
1) Conducting red team physical intrusion tests which sometimes require bypassing intercom systems.
2) Different types of intercom systems and how numeric intercoms use mobile networks like GSM.
3) Potential attack vectors like impersonating resident phone numbers by intercepting calls to the intercom using a fake mobile tower.
Arduino arduino gsm-shield .... helpful to b.tec studentsnanda kar
The document summarizes information about the Arduino GSM Shield, which allows an Arduino board to connect to the internet, send and receive SMS, and make voice calls using GSM and GPRS technology. It provides details on what GSM and GPRS are, SIM card and network requirements, how to connect the shield, test connectivity, send SMS messages and connect to the internet using the GSM library. Code examples are included to demonstrate functionality.
This document discusses attacks on digital house intercom systems that use mobile networks like GSM, 3G, and 4G to communicate. It begins by providing background on digital intercom systems and how they work. It then reviews the state of research on attacking GSM networks. The document goes on to describe experiments the author conducted to passively monitor and actively attack a digital intercom system in a lab environment. Attacks demonstrated include leaking phone numbers, opening doors, and "backdooring" the system. The document concludes that digital intercom systems could be vulnerable due to their use of mobile networks with known security weaknesses.
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015CODE BLUE
We are in the IoT era. In this session, the function of GNURadio will be introduced with demonstration. GNURadio is a SDR (Software Defined Radio) tool to analyze wireless security such as Bluetooth LE. As an example of a SDR usage, I will demonstrate the replay attack for RF signal of ADS-B (Automatic Dependent Surveillance Broadcast) mounted on an aircraft and sniffer for wireless keyboards. Ideas of the counter measurement will also be discussed.
Ansee Smart Home Security Products201610Royce Heung
Ansee Smart Home Security Products company introduces their line of smart home security cameras, alarms, and accessories. Their products include IP cameras, mini cameras, bullet cameras, dome cameras, alarms for smoke, gas, doors, and more. Their software allows remote viewing, playback, alerts and control of cameras and smart home devices over WiFi or cellular networks. Ansee focuses on video surveillance integration, smart home control, and linking video with alarms for home security.
Dahua DH-IPC-HFW2431TP-AS-S2 4MP Star-Light IR Fixed-focal Bullet Network IP ...Trimatrik Multimedia
Dahua DH-IPC-HFW2431TP-AS-S2 Bangladesh,
1/3″ Progressive CMOS; 4 MP; IP; H.264 / H.264+ / Н.265 / MJPEG; Lens: f = 3.6 mm (viewing angle 84°); Record: Main Stream 4 МР – 20 fps, 3 МР – 25 fps, 1080р – 25 fps, 720р – 25 fps, Sub Stream D1 – 25 fps, VGA – 25 fps, CIF – 25 fps; smart IR illumination up to 80 m; Storage method: NAS, Dahua Cloud, FTP, SFTP, microSD up to 256GB; Power supply DC 12 V / PoE (802.3af).
What is the Dahua DH-IPC-HFW2431TP-AS-S2 Price in Bangladesh?
TRIMATRIK MULTIMEDIA offers you Dahua DH-IPC-HFW2431TP-AS-S2 IP camera with the best price in Bangladesh which, is your budget-friendly. We also offers you Service & installation with this Dahua DH-IPC-HFW2431TP-AS-S2 IP camera. Dahua DH-IPC-HFW2431TP-AS-S2 Price is 10,500 Taka. Order Online for nationwide cash on delivery or visit our Corporate Office.
https://www.trimatrikbd.com/product/dahua-dh-ipc-hfw2431tp-as-s2/
CALL: 0185-3330344, 01789-636363
#Dahua
Brochure videofied outdoor home business enIlias Varsamis
The Videofied home security system deters intruders before a break-in occurs using outdoor cameras, sirens, and lights. The wireless system notifies monitoring stations and homeowners of intrusions in real-time via video. It provides protection for homes, businesses, and other properties using battery-powered indoor and outdoor cameras with a 4-year lifespan.
Ansee Security Products introduces their line of IP cameras, alarms, and smart home devices. Their products include mini, bullet, dome, and cube shaped IP cameras with features like P2P cloud connectivity, motion detection, audio, and storage. They also offer smoke, gas, and motion detectors, as well as smart switches and sockets. Ansee provides a CMS client software and mobile app for remote monitoring, playback, alerts and smart home control of their plug-and-play systems known for video alarm integration and simplicity of use.
Camera Dahua DH-IPC-HDW2239TP-AS-LED-S2 datasheetdaiphatcamera
This document provides specifications for the DH-IPC-HDW2239T-AS-LED-S2 2MP full-color fixed focal network camera. It has a 2MP CMOS sensor, H.265/H.264/MJPEG encoding, IP67 weatherproof rating, built-in microphone, and supports SD card storage and PoE or 12V DC power. The camera provides intelligent features like tripwire detection and has a wide voltage input tolerance suitable for outdoor use.
1. The Videofied alarm system records a 10 second video clip when an alarm is triggered, sending it to a security center and the homeowner's phone.
2. At the security center, an operator can view the live video, speak to an intruder through two-way audio, and verify if police response is needed.
3. The system operates wirelessly with a battery lasting up to 4 years, allowing indoor and outdoor use without phone or power lines.
I presented these slides in the "Privacy Protection" subject, taught by Prof. Josep Domingo-Ferrer in the Master in Computer Security Engineering and Artificial Intelligence.
All your Bluetooth is belong to us - the rest too.Thierry Zoller
This document summarizes a talk about Bluetooth security. The talk covers extending the range of Bluetooth devices, wardriving to discover Bluetooth devices, and various attacks against Bluetooth including Bluebug, Bluesnarf, attacking cars and headsets, and cracking Bluetooth pins and link keys. It also discusses vulnerabilities in Bluetooth implementations on Apple and Windows devices that can allow compromising internal networks. Throughout it emphasizes the risks of Bluetooth and gives recommendations to improve security like disabling Bluetooth when not in use and pairing devices securely.
Brickcom VD-E400Af 4 Mpix Vandal Dome IK10 - IR night vision - Builtin MIC ...Ali Shoaee
Brickcom VD-E400Af IP Camera
4 Megapixel Outdoor Vandal Dome Camera
H.264 High Profile Video Compression Technology
EN50155 Certified for Transportation Application
i-Mode for Different Environments
EasyLink® for accessing IP camera easier
Support HDTV Video Quality (Full HD 1080p @ 30fps Streaming)
Removable IR-cut Filter / Auto Light Sensor for Day and Night
IK10 Vandal Proof and IP66 Weather Proof Outdoor Enclosure
Built-in IR Illuminators up to 20 Meters
Built-in Microphone
External Storage SDXC Card supported
PoE(802.3af) / DC 12V supported
#Brickcom #CCTV #NVR #IPCamera #IP #Camera #Security #Surveillance #DPS #MMC #InfoTechME
Vision : Secured and intelligent city
Info Tech Middle East
The document describes a wireless video security system called Videofied that prevents copper theft. It uses motion-activated cameras that send 10-second videos to monitoring stations. It can monitor up to 24 cameras on a single system using wireless batteries that last 4 years. The system immediately alerts monitors of intrusions and police are dispatched. It provides protection for substations, cell towers, and other infrastructure. The document outlines available protection kits including panels, keypads, motion cameras, mounts, and accessories. It provides member pricing for hardware and monthly monitoring rates.
The document discusses a portable, wireless video security system called VIDEOFIED that provides instant alerts of intrusions without needing AC power or wiring. The system includes portable, battery-powered cameras called P-Cams that can be installed anywhere and have a 4-year battery life. When motion is detected, the cameras send video alarms over the cellular network to a monitoring station. The entire system operates outdoors on batteries for up to 4 years and allows for easy, wireless installation of up to 24 cameras from a single control panel located anywhere security is needed.
The document discusses a portable, wireless video security system called VideoFIED that provides instant alerts of intrusions without needing AC power or wired connections. The system includes portable P-Cam devices that can be installed anywhere and act as remote sentries using integrated motion sensors and cameras with illuminators. When motion is detected, a video alarm is sent over the cellular network to a monitoring station. The entire system is weatherproof and battery powered, providing surveillance anywhere for up to 4 years without needing trenching or wires.
Aditgroup present the AVtron Monarch dome camera for the home security which able to support the dynamic wide rang. Its 1.3MP lens catches the HD resolution pictures with the great clarity.
Trends of IoT Technology for industrial prototyping and educational marketsWithTheBest
The document discusses several Arduino boards and IoT hardware options including the Arduino UNO WiFi with ESP8266, Arduino Primo with Cloud IOT, and Arduino YUN and YUN mini. It also describes the Linino OS which can be used with these boards, including features like OpenWRT, Linux 14.07, U-BOOT, and support for programming languages like Python, C/C++, and Node.js. Technical specifications are provided for some of the boards like battery connectors, antennas, and voltage levels.
INTELLIGENT ACCESS CONTROL. TIME & ATTENDANCE SYSTEMwisdom0313
The document describes an intelligent access control and time attendance system from Bioinsec Co., Ltd. It includes details about various components of the system such as fingerprint and RF card readers, a color LCD display, touchpad, waterproofing, connectivity options, and remote management features. The system provides user authentication, visitor verification, and stores log data. It can be customized with different reader options and has expansion capabilities.
Usb dongle z wave.me with windows software manualDomotica daVinci
Z-Way for Windows is software that allows you to control your Z-Wave home automation network. It requires installation of the Z-Way software and driver for the USB Z-Wave controller. Once installed, you can include and control Z-Wave devices, view device information and sensor values, and configure the network from the browser interface. The software also works with the Z-Way iPhone app to remotely control the smart home network.
The presenter discusses attacking Internet of Things devices like intercom systems. They demonstrate intercepting communications from an intercom by setting up a rogue mobile network with software-defined radio equipment. The goal is to impersonate authorized users and send commands to open doors or access sensitive information. Potential attacks discussed include eavesdropping on calls, spoofing phone numbers registered with the intercom, and modifying settings via SMS messages.
This document discusses mobile network security and practical attacks. It presents:
1) Attacks on 2G networks like GSM are possible using inexpensive hardware by exploiting weaknesses in the authentication protocols or reusing authentication triplets.
2) 3G and 4G networks have stronger encryption but mutual authentication can still be bypassed depending on the baseband implementation.
3) Practical attacks were demonstrated through jamming to force a downgrade to 2G, running a rogue base station, and exploiting bugs found through fuzzing a mobile device's baseband.
Modmobmap is a tool that maps mobile cells in real-time by capturing cell information from exposed diagnostic interfaces or the Android RIL. It aims to provide more precise cell tower data than existing recording solutions. The presentation discusses using cheap software-defined radios, custom SIM cards, Faraday cages, and downgrade attacks to attract mobile devices and intercept their communications for testing purposes. It also covers automating cell changes using AT commands to simulate a mobile station camping between cells.
Modmobmap is a tool for mapping 2G, 3G, and 4G mobile networks using various tricks and interfaces. It uses ServiceMode on Android phones to obtain cell information and the Dirty Fuzzy Registration technique to enumerate cells by changing network registration. The tool combines these methods and Software-Defined Radio to cheaply scan networks. A demonstration with a Galaxy S5 phone shows it works by accessing the phone's diagnostic interface and capturing data in GSMTAP format.
This document describes the design and implementation of a GSM alarm system. The system uses an Arduino board connected to a GSM shield to detect motion via a PIR sensor and send SMS alerts. It includes a keypad for input, LCD display for status, and buzzer for alarms. Programming was done in C++ using the Arduino IDE. The system aims to provide remote security monitoring via GSM connectivity even when the owner is away. Some challenges included delays receiving hardware and issues with the GSM functionality during testing. Overall the project demonstrated a working GSM alarm prototype.
iParanoid: an IMSI Catcher - Stingray Intrusion Detection SystemLuca Bongiorni
The goal is the research and development of Intrusion Detection System related with Cell Networks.
Mainly this App will check the status of some Cell Network variables (e.g. Cellid, LAC, A5 Encryption, etc.) subsequently update a local DB and check if the information about the cell networks around the users are valid or if there could be a risk (e.g. possible interception, possible impersonation, etc.).
This document provides a summary of a presentation titled "Ride the Light: A guide to the internet, telephony and computer technology in the 21st century." The presentation covers topics such as core computing values, telephony, internet technology, IP addressing, internet security and abuse. It includes details on technologies like dial-up, DSL, T1 lines, routing registries, RFCs, subnetting, internet threats and solutions, and recommended websites for further information.
This document provides an overview of Sigfox and how to communicate using Sigfox networks. It begins with an agenda and introductions. It then discusses Sigfox basics like the company, protocol, and advantages. Key concepts are explained like energy efficiency, outdoor/indoor coverage, security, and payload sizes. Demo examples are shown for sending a basic message and using an RFID reader. The cloud platform and callbacks are overviewed. Finally, instructions are provided for contributing projects and a workshop is held where attendees can send their first message using an Akeru board.
The document discusses attacking GSM networks by spoofing a base transceiver station (BTS). It describes how to setup an OpenBTS system using inexpensive hardware to intercept mobile subscribers. It also summarizes vulnerabilities in the GSM cryptographic protocols including issues with identifiers, spoofing networks, decrypting traffic, and lack of encryption.
Camera Dahua DH-IPC-HDW2239TP-AS-LED-S2 datasheetdaiphatcamera
This document provides specifications for the DH-IPC-HDW2239T-AS-LED-S2 2MP full-color fixed focal network camera. It has a 2MP CMOS sensor, H.265/H.264/MJPEG encoding, IP67 weatherproof rating, built-in microphone, and supports SD card storage and PoE or 12V DC power. The camera provides intelligent features like tripwire detection and has a wide voltage input tolerance suitable for outdoor use.
1. The Videofied alarm system records a 10 second video clip when an alarm is triggered, sending it to a security center and the homeowner's phone.
2. At the security center, an operator can view the live video, speak to an intruder through two-way audio, and verify if police response is needed.
3. The system operates wirelessly with a battery lasting up to 4 years, allowing indoor and outdoor use without phone or power lines.
I presented these slides in the "Privacy Protection" subject, taught by Prof. Josep Domingo-Ferrer in the Master in Computer Security Engineering and Artificial Intelligence.
All your Bluetooth is belong to us - the rest too.Thierry Zoller
This document summarizes a talk about Bluetooth security. The talk covers extending the range of Bluetooth devices, wardriving to discover Bluetooth devices, and various attacks against Bluetooth including Bluebug, Bluesnarf, attacking cars and headsets, and cracking Bluetooth pins and link keys. It also discusses vulnerabilities in Bluetooth implementations on Apple and Windows devices that can allow compromising internal networks. Throughout it emphasizes the risks of Bluetooth and gives recommendations to improve security like disabling Bluetooth when not in use and pairing devices securely.
Brickcom VD-E400Af 4 Mpix Vandal Dome IK10 - IR night vision - Builtin MIC ...Ali Shoaee
Brickcom VD-E400Af IP Camera
4 Megapixel Outdoor Vandal Dome Camera
H.264 High Profile Video Compression Technology
EN50155 Certified for Transportation Application
i-Mode for Different Environments
EasyLink® for accessing IP camera easier
Support HDTV Video Quality (Full HD 1080p @ 30fps Streaming)
Removable IR-cut Filter / Auto Light Sensor for Day and Night
IK10 Vandal Proof and IP66 Weather Proof Outdoor Enclosure
Built-in IR Illuminators up to 20 Meters
Built-in Microphone
External Storage SDXC Card supported
PoE(802.3af) / DC 12V supported
#Brickcom #CCTV #NVR #IPCamera #IP #Camera #Security #Surveillance #DPS #MMC #InfoTechME
Vision : Secured and intelligent city
Info Tech Middle East
The document describes a wireless video security system called Videofied that prevents copper theft. It uses motion-activated cameras that send 10-second videos to monitoring stations. It can monitor up to 24 cameras on a single system using wireless batteries that last 4 years. The system immediately alerts monitors of intrusions and police are dispatched. It provides protection for substations, cell towers, and other infrastructure. The document outlines available protection kits including panels, keypads, motion cameras, mounts, and accessories. It provides member pricing for hardware and monthly monitoring rates.
The document discusses a portable, wireless video security system called VIDEOFIED that provides instant alerts of intrusions without needing AC power or wiring. The system includes portable, battery-powered cameras called P-Cams that can be installed anywhere and have a 4-year battery life. When motion is detected, the cameras send video alarms over the cellular network to a monitoring station. The entire system operates outdoors on batteries for up to 4 years and allows for easy, wireless installation of up to 24 cameras from a single control panel located anywhere security is needed.
The document discusses a portable, wireless video security system called VideoFIED that provides instant alerts of intrusions without needing AC power or wired connections. The system includes portable P-Cam devices that can be installed anywhere and act as remote sentries using integrated motion sensors and cameras with illuminators. When motion is detected, a video alarm is sent over the cellular network to a monitoring station. The entire system is weatherproof and battery powered, providing surveillance anywhere for up to 4 years without needing trenching or wires.
Aditgroup present the AVtron Monarch dome camera for the home security which able to support the dynamic wide rang. Its 1.3MP lens catches the HD resolution pictures with the great clarity.
Trends of IoT Technology for industrial prototyping and educational marketsWithTheBest
The document discusses several Arduino boards and IoT hardware options including the Arduino UNO WiFi with ESP8266, Arduino Primo with Cloud IOT, and Arduino YUN and YUN mini. It also describes the Linino OS which can be used with these boards, including features like OpenWRT, Linux 14.07, U-BOOT, and support for programming languages like Python, C/C++, and Node.js. Technical specifications are provided for some of the boards like battery connectors, antennas, and voltage levels.
INTELLIGENT ACCESS CONTROL. TIME & ATTENDANCE SYSTEMwisdom0313
The document describes an intelligent access control and time attendance system from Bioinsec Co., Ltd. It includes details about various components of the system such as fingerprint and RF card readers, a color LCD display, touchpad, waterproofing, connectivity options, and remote management features. The system provides user authentication, visitor verification, and stores log data. It can be customized with different reader options and has expansion capabilities.
Usb dongle z wave.me with windows software manualDomotica daVinci
Z-Way for Windows is software that allows you to control your Z-Wave home automation network. It requires installation of the Z-Way software and driver for the USB Z-Wave controller. Once installed, you can include and control Z-Wave devices, view device information and sensor values, and configure the network from the browser interface. The software also works with the Z-Way iPhone app to remotely control the smart home network.
The presenter discusses attacking Internet of Things devices like intercom systems. They demonstrate intercepting communications from an intercom by setting up a rogue mobile network with software-defined radio equipment. The goal is to impersonate authorized users and send commands to open doors or access sensitive information. Potential attacks discussed include eavesdropping on calls, spoofing phone numbers registered with the intercom, and modifying settings via SMS messages.
This document discusses mobile network security and practical attacks. It presents:
1) Attacks on 2G networks like GSM are possible using inexpensive hardware by exploiting weaknesses in the authentication protocols or reusing authentication triplets.
2) 3G and 4G networks have stronger encryption but mutual authentication can still be bypassed depending on the baseband implementation.
3) Practical attacks were demonstrated through jamming to force a downgrade to 2G, running a rogue base station, and exploiting bugs found through fuzzing a mobile device's baseband.
Modmobmap is a tool that maps mobile cells in real-time by capturing cell information from exposed diagnostic interfaces or the Android RIL. It aims to provide more precise cell tower data than existing recording solutions. The presentation discusses using cheap software-defined radios, custom SIM cards, Faraday cages, and downgrade attacks to attract mobile devices and intercept their communications for testing purposes. It also covers automating cell changes using AT commands to simulate a mobile station camping between cells.
Modmobmap is a tool for mapping 2G, 3G, and 4G mobile networks using various tricks and interfaces. It uses ServiceMode on Android phones to obtain cell information and the Dirty Fuzzy Registration technique to enumerate cells by changing network registration. The tool combines these methods and Software-Defined Radio to cheaply scan networks. A demonstration with a Galaxy S5 phone shows it works by accessing the phone's diagnostic interface and capturing data in GSMTAP format.
This document describes the design and implementation of a GSM alarm system. The system uses an Arduino board connected to a GSM shield to detect motion via a PIR sensor and send SMS alerts. It includes a keypad for input, LCD display for status, and buzzer for alarms. Programming was done in C++ using the Arduino IDE. The system aims to provide remote security monitoring via GSM connectivity even when the owner is away. Some challenges included delays receiving hardware and issues with the GSM functionality during testing. Overall the project demonstrated a working GSM alarm prototype.
iParanoid: an IMSI Catcher - Stingray Intrusion Detection SystemLuca Bongiorni
The goal is the research and development of Intrusion Detection System related with Cell Networks.
Mainly this App will check the status of some Cell Network variables (e.g. Cellid, LAC, A5 Encryption, etc.) subsequently update a local DB and check if the information about the cell networks around the users are valid or if there could be a risk (e.g. possible interception, possible impersonation, etc.).
This document provides a summary of a presentation titled "Ride the Light: A guide to the internet, telephony and computer technology in the 21st century." The presentation covers topics such as core computing values, telephony, internet technology, IP addressing, internet security and abuse. It includes details on technologies like dial-up, DSL, T1 lines, routing registries, RFCs, subnetting, internet threats and solutions, and recommended websites for further information.
This document provides an overview of Sigfox and how to communicate using Sigfox networks. It begins with an agenda and introductions. It then discusses Sigfox basics like the company, protocol, and advantages. Key concepts are explained like energy efficiency, outdoor/indoor coverage, security, and payload sizes. Demo examples are shown for sending a basic message and using an RFID reader. The cloud platform and callbacks are overviewed. Finally, instructions are provided for contributing projects and a workshop is held where attendees can send their first message using an Akeru board.
The document discusses attacking GSM networks by spoofing a base transceiver station (BTS). It describes how to setup an OpenBTS system using inexpensive hardware to intercept mobile subscribers. It also summarizes vulnerabilities in the GSM cryptographic protocols including issues with identifiers, spoofing networks, decrypting traffic, and lack of encryption.
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
This document summarizes advanced WiFi attacks that can be performed using inexpensive commodity hardware. It describes how WiFi assumes each station acts fairly, but with specialized hardware this assumption no longer holds. Various attacks are demonstrated, including continuous jamming to render a channel unusable, and selective jamming to block specific packets. The document also explores selfish behavior attacks, continuous and selective jamming implementations, and impacts on higher network layers including attacks on encrypted WPA-TKIP traffic.
Presented on 6.11.2015 during the Tech and Law Center event (ITA) Intercettazioni: tutto quello che non avreste voluto sapere
http://www.techandlaw.net/news/intercettazioni-tutto-quello-che-non-avreste-voluto-sapere.html
IOSR Journal of Electrical and Electronics Engineering(IOSR-JEEE) is an open access international journal that provides rapid publication (within a month) of articles in all areas of electrical and electronics engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in electrical and electronics engineering. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
The (Io)Things you don't even need to hack. Should we worry?SecuRing
The prevalence of computers in form of so called "smart" devices embedded in our everyday environment is inevitable. From pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors.
Based on a few examples (i.a. BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide-open. But are we doomed? What are the conditions for real threat? Can the vulnerabilities be exploited anonymously and as easily as in web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does it mean we don't have to worry? Are we sure how to use securely the emerging technology?
The document provides descriptions of various hacking and security tools including the Bash Bunny USB attack platform, Packet Squirrel network device, LAN Turtle covert access tool, USB Rubber Ducky keystroke injection tool, WiFi Pineapple rogue access point, Proxmark RFID hacking tool, HackRF Software Defined Radio, Crazy Radio wireless keyboard/mouse attack tool, Digispark USB keystroke injection board, Orange Pi single board computer, Raspberry Pi models, RTL-SDR Software Defined Radio, USB magnetic stripe card reader/writer, USB smart card reader, lock picking tools, encrypted USB drive, barcode scanner, portable electronics kit, and standalone RFID cloning device.
Arm Robot Surveillance Using Dual Tone Multiple Frequency TechnologyIJERA Editor
Surveillance place a pivotal role in addressing a wide range of security challenges .In the present paper we propose a Dual Tone Multiple Frequency ( DTMF) based Robot with video surveillance. In the proposed model a DTMF based Robot with video surveillance with multiple key functions, Arm picker and security system was implemented. Master and slave concept using 3 Microcontroller and motor driver IC to drive motors was implemented and belt wheel platform was used to move the robot from one place to another. Multiple key functions were used to perform more functions and a camera for surveillance .The robot can navigate with the help of the user.
This document describes the design of a dual band mobile phone jammer that can jam signals in the GSM 900 and GSM 1800 frequency bands. [1] The jammer works by transmitting noise signals within the downlink frequencies of 935-960 MHz and 1805-1880 MHz to overwhelm mobile signals and cause a "no service" message on phones. [2] Key components include a voltage controlled oscillator, power amplifier, and antenna for each band. [3] The device was tested successfully in jamming all major mobile carriers in Jordan.
The document discusses using Arduino boards for networking and Internet of Things applications. It describes various networking options for Arduinos including wired protocols like Ethernet and serial, and wireless options like ZigBee, Bluetooth, and WiFi. It also provides an example of building a simple networked device with Arduinos and ZigBee modules to send button press events over a wireless network.
1) This project allows users to remotely control four devices from anywhere using a cell phone. The user dials a phone number associated with a device to turn it on or off.
2) DTMF signals are used to transmit the phone digits which are decoded by a microcontroller to control the devices.
3) The system includes a phone line, DTMF decoder, microcontroller, and power supply to interface with devices like fans or lights and turn them on or off remotely.
Long Range Wide Area Network (LoRaWAN) devices have been hacking targets for quite some time. We dive into attacks that malicious actors can use against vulnerable LoRaWAN devices, and review the state of LoRaWAN security. This is the first in a three-part series.
This document discusses a framework for fuzzing the GSM protocol stack. It begins with an abstract and introduction describing the challenges of fuzzing GSM due to its complexity. It then provides background on GSM basics including the network architecture, protocol layers, and message formats. The document focuses on describing the prerequisites and architecture developed for automated GSM fuzzing, including generating test cases, monitoring mobile phone states, and managing the fuzzing process.
This document summarizes a presentation on attacking HomePlugAV powerline communication devices. It provides background on PLC technology, describing how PLCs transmit data over electrical wiring and discussing previous research. It then outlines several attacks against PLC networks, including eavesdropping on unencrypted communication between a computer and PLC, spoofing devices to intercept network information requests, and manipulating configuration files to backdoor devices.
1. The document describes a framework called MobiDeke that was created to fuzz the GSM protocol stack over-the-air by generating and mutating malformed GSM messages and monitoring the target's behavior for crashes or errors.
2. MobiDeke addresses limitations with existing fuzzing methods by automating the generation, mutation, transmission and monitoring processes.
3. The key components of MobiDeke are modules for generating and mutating GSM messages, transmitting payloads over-the-air via a software-defined radio, and monitoring the target phone and base station for crashes or abnormal behavior.
This document summarizes a paper on practical attacks against HomePlugAV powerline communication devices. It begins by providing background on powerline communication technology and discussing the HomePlugAV specification. It then describes analyzing HomePlugAV networks using various tools to understand the protocols and encryption. The document outlines several practical attacks demonstrated, including intercepting network keys, bruteforcing passwords, and gaining remote memory access on devices once on the network. It concludes by discussing future work areas like firmware analysis and authentication message fuzzing.
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests📡 Sebastien Dudek
Presentation made at SecurityPWNing 2018 explaining how to intrude a company using radio attacks and real cases scenarios we encountered during our tests.
Article on V2G Hacking - V2G Injector: Whispering to cars and charging statio...📡 Sebastien Dudek
The document discusses a tool called V2G Injector that was developed to interface with, analyze, and inject traffic into Vehicle-to-Grid (V2G) systems. V2G systems allow electric vehicles to store and return energy to the electric grid through bidirectional charging stations. The tool exploits vulnerabilities in the HomePlug GreenPHY standard used for powerline communication between electric vehicles and charging stations.
SSTIC 2019 - V2G injector: Whispering to cars and charging units through the ...📡 Sebastien Dudek
A presentation discusses vehicle-to-grid (V2G) communication and security. It summarizes the development of a tool called the "V2G Injector" that can monitor and inject crafted packets into V2G networks communicating over power lines. The tool decodes V2G data formats and circumvents security in the HomePlug Green PHY standard to extract network keys from charging stations. The tool allows an attacker to intercept and manipulate V2G communications between electric vehicles and charging stations.
Modmobtools provides tools for monitoring and jamming 2G, 3G, and 4G cellular networks. The tools include Modmobmap for scanning cellular towers and cells, and Modmobjam for targeted jamming of specific frequencies used by cellular networks. The presentation discusses using older Nokia phones or exposed diagnostic interfaces on Android phones to monitor cells, and leveraging software-defined radios to precisely jam only targeted frequency channels.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
National Security Agency - NSA mobile device best practices
33c3 - 2G and 3G intercom attacks
1. Call the Front Door and Install Your Back Door
Intercoms Hacking
Presented by Sébastien Dudek
2. About me
Company: Synacktiv (http://www.synacktiv.com)
Twitter: @fluxius
Interests: radio-communications (Wi-Fi, RFID,
GSM, PLC...), networking, web, Linux security…
and intercoms!
Do red team tests at Synacktiv:
spear phishing,
remote and
physical intrusions
...
3. Physical intrusions (1)
Why?:
to plug a malicious device,
dump computer memory,
or let malicious USB keys indoor, ...
4. Physical intrusion (2)
Main problem: we always need a way to
enter to a building
How?:
lockpicking,
RF attacks,
social engineering,
or attacking Intercoms!
5. Red team tests
Sometimes it works, but sometimes we get
spotted...
Alert! Intruder!
6. Why intercoms could be
interesting?
At night → entering premises like a ninja!
But also:
to spy on conversations in the street, when it’s
possible
to make money
and have a lot of fun...
7. Warning
This talk applies practical attacks on
intercoms
But other devices in the “IoT” ecosystem
are also concerned...
8. Intercoms today
Features:
Pass code
RF tag access
Call a resident:
The resident can then
open the door
When calling a resident, this intercoms uses the mobile network
→ that explains the (+33)6* prefix displayed on the resident’s phone
* Like +49<cell phone number> in Germany
9. Human curiosity...
Would it be possible to play with the intercom?
We tried to directly call the intercom
but the intercom doesn’t answer to the call
Dump and modify the flash
good option, but difficult to do without being spotted in
the street…
A mobile attack → Better!
but we need to understand the functioning of these
intercoms first!
10. Context
Intercom / door phone / house intercom
A voice communication device → within a
building
Numeric for our case → use the mobile network
(SIM/USIM cards)
Allows to call a resident to identify the visitor and
open a door
Different types of intercoms exist
11. Different types of intercoms
Conventional Simplified Numeric
Description
Used for medium
sized buildings
/
Medium sized
building, or private
residents
# of wires
4+n (2 for power, 2
for the door system
and n → number of
residents)
1 wire for power and
door system + n →
number of residents
Generally: no wires
for each resident
12. Numeric intercoms
Wires replaced by:
GSM, 3G, rarely in 4G
or Wi-Fi…
⇒ Avoid complicated and cumbersome cables
⇒ Easy installation
15. Different brands market
4 brands are well-known in France:
Comelit
Intratone
Norasly
Urmet Captiv… that cost ~2000€
Cheaper alternatives:
Linkcom → commonly used by private residents
→ Our choice for our 1st analysis
16. How to recognize a mobile intercom
Not easy… maybe spotting a nice LCD
screen, new stainless steel case…
Or...
Looks like
a mobile
module?
17. State Of the Art: intercoms
Publications about intercoms are nearly
nonexistent
But research on mobile security can be
applied to attack these devices...
18. State Of the Art: Mobile security
Many publications exist:
Attacks on GSM A5/1 algorithm with rainbow tables
(at 26c3, Chris Paget and Karsten Nohl)
OsmocomBB
(at 2010 at 27c3, Harald Welte and Steve Markgraf)
Hacking the Vodaphone femtocell
(at BlackHat 2011, Ravishankar Borgaonkar, Nico Golde, and Kevin Redon)
An analysis of basebands security
(at SSTIC 2014, Benoit Michau)
Attacks on privacy and availability of 4G
(In October 2015, Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi
and Jean-Pierre Seifert)
How to not break LTE crypto
(at SSTIC 2016, Christophe Devine and Benoit Michau)
And many others...
19. State Of the Art: tools
Hardware
USRP from 700 € (without daughter-boards and antennas)
SysmoBTS from 2,000 €
BladeRF from 370 € (without antennas)
Software
Setup a mobile network
OpenBTS: GSM and GPRS network compatible with USRP and BladeRF
OpenUMTS: UMTS network compatible with some USRP
OpenLTE: LTE network compatible with BladeRF and USRP
OpenAir: LTE network compatible with some USRP
YateBTS: GSM and GPRS network compatible with USRP and BladeRF
Analyze traffic
libmich: Analyze and craft mobile packets captured with GSMTAP
Wireshark: Analyze GSMTAP captured packets
OsmocomBB: sniff and capture GSM packets
20. GSM and GPRS: authentication
● BTS: Base
Transceiver Station
● BSC: Base Station
Controller
● MSC: Mobile
Switch Center
● VLR: Visitor
Location Register
● HLR: Home
Location Register
● AuC:
Authentication
Center
21. GSM and GPRS: Handover
Source: article.sapub.org
A stronger signal will likely attract User Equipments
→ Useful for attackers
22. GSM and GPRS: possible attacks
No mutual authentication → Fake rogue
BTS
Reuse of Authentication triplet RAND, RES,
Kc many times
Signaling channel not encrypted → open
for attacks
Attacks on the A5/1 algorithm
⇒ Interception is possible on GSM and GPRS
23. 3G/4G: advantages
GSM 3G 4G
Client
authentication
YES YES YES
Network
authentication
NO
Only if USIM is
used (not SIM)
YES
Signaling
integrity
NO YES YES
Encryption A5/1
KASUMI |
SNOW-3G
SNOW-3G |
AES | ZUC...
24. Mobile interception: signal attraction
A User Equipment connects to the closest
Base Station
3G/4G downgrades to 2G via
protocol attacks → difficult
jamming attacks → a simple Gaussian noise in
targeted channels
26. The 3G module
Found in a public documentation:
« Lorsque le réseau 3G est inexistant sur les lieux de l’installation, le bloc 3G
cherchera le réseau GSM automatiquement et pourra résumer ses fonctionnalités dans
ce mode :
- Appel Audio (sans Visio).
- Mise à jour en temps réel sur le réseau GSM et non plus 3G. »
= If 3G is unreachable → use 2G instead!
27. To jam a 3G channel
We can buy a jammer + disable 2G Tx
Or for each operator:
enumerate the list of close UARFCN (UTRA
Absolute Radio Frequency Channel Number)
with UARFCN → translate into central frequencies
to jam the channels
send Gaussian noise into each detected channel
using SDR
29. Baseband diag interfaces (1)
Android phones with a XGold baseband →
/dev/ttyACM0 → use xgoldmon tool
UMTS RRC (Radio Resource Control) messages
→ get DL UARFCN
30. Baseband diag interfaces (2)
Qualcomm baseband sometimes expose
a /dev/diag interface that could be
exploited
But a universal (and dirty) method exists
with Samsung mobiles
31. Cheap and dirty UARFCN
enumerator with Samsung Mobiles
When entering the ServiceMode (e.g:
*#0011#) in Samsung and trying to register
→ the DL and UL UARFCN are logged in
logcat
We can parse the logcat output to get the
UARFCN
[...]
LOG:>>[HIGH]oemtestmode.c,403,Idle: dl_uarfcn 10688
ul_uarfcn 9738<<
[...]
32. Downgrade 3G → 2G demo
Targeted channel jamming
Using a simple HackRF for ~300€
→ works also with a USRP (~700€), or a bladeRF
(~400€)
33. GSM Lab setup: for interception
No full duplex with hackRF → we use a bladeRF instead!
● 1 BladeRF = 370 € minimum
● 2 Antennas = 15 € minimum each
● YateBTS software = FREE
● Total cost = 400 €Linkcom iDP GSM
34. Intercom setup: configuration
This intercom can be configured in 3 ways:
With a programming interface and the Link iDP
manager software
With a SIM card reader/programmer
Via SMS messages
The SIM card is used as a memory → contains
all the settings
A first administrator number “ADMIN1” has to
be setup in the SIM card contacts
35. First impressions
Our goals:
impersonate a number, or
find a way to bypass it
then open a door, or send
commands to the intercoms
…
A good indicator → after
sending commands, an
acknowledgment is
performed by SMS
36. Hypotheses as a potential attacker
We don’t know the mobile operator
We don’t know intercom’s number
The commands could be found with public
or leaked documentations, or by
performing a firmware analysis
37. Attacker steps to open the door
1. Recognize intercom’s operator to trap it
2. Leak, or guess, numbers to impersonate
3. Register my phone with the leaked
resident number on the fake BTS
4. Call myself
5. Open the door!
38. To trap the intercom
Bruteforcing the 4
MCC/MNC (FR)
15min~ waiting for
each MCC/MNC
Strong GSM signal
Button push →
calling intercepted
→ success!
Note: The used MCC/MNC but mostly the used channel can be discovered with
jamming tests over the different channels.
39. What’s next? Let's leak numbers!
Activate GSM tapping on YateBTS →
Wireshark
Then push on buttons → CC SETUP
40. What’s next? Let's open the door!
Leaked number → affect it to your IMSI in tmsidata.conf
[tmsi]
last=007b0005
[ues]
20820<attacker’s IMSI>=007b0003,35547XXXXXXXXXX,
<resident or admin number>,1460XXXXXX,
ybts/TMSI007b0003
# associating attacker IMSI with a resident number
[...]
41. What’s next? Let's backdoor it!
Leak the admin number:
buttons (call, or alarm triggers, etc.)
social engineering
Find commands:
public or leaked documentations
Passive channel monitoring → good luck!
or buy the same model in commercial web sites such as “leboncoin”, eBay,
and so on.
In our case with Linkcom iDP:
Command Description
READ <NAME> Read the number of a button, or an admin (ADMIN[1-9]).
WRITE <NAME> <number> Add or update a number associated to a name.
CAL AT<command suffix> Send an AT command to the baseband through SMS!
42. AT commands?
We can interact with Intercom’s baseband:
retrieve SMS messages → AT+CMGL="ALL"
spying building door conversations with auto-
answer feature (if not disabled) → ATS0=1
and so on.
46. Intercoms using M2M SIM/USIM
cards
Provided with a M2M SIM/USIM card
→ more than 10 years subscription
→ the mobile operator provides a virtual network to
manage the intercoms
Use the UMTS network by default
→ GSM is used if UMTS is unreachable
Intercoms → managed by a centralized server
→ It’s an interesting new vector of attacker, but there
are many others...
47. Attack vectors with M2M Intercoms
Vulnerabilities in
Services: Web,
SIP, etc.
SIM/USIM →
look for
vulnerabilities
in the virtual
network
3G downgrade to
2G + GSM
interception
48. Website vulnerabilities
Websites → manage one or multiple intercoms
thanks to their mobile number
Vulnerabilities could be found:
account guessing + bruteforce → we’ve tested it on a
product
authentication bypasses → could be identified crawling
with Google!
SQL injections,
LFI,
and so on.
49. Our tests on “Product A”
We’ve tested a 3G intercom that is
provided with a M2M SIM Card
Lets call it “Product A”
50. Bruteforce accounts
By default, “Product A” website doesn’t
enforce a password to manage intercoms:
But we need a valid number…
51. Number enumeration (quick PoC)
url = "http://<login page of product A>/<login page>"
[...]
prefixes = [ "07", "08", "30", "70", "71", "72", "73", "74", […] ]
prefixes = reversed(sorted(prefixes))
init = 100000
numbers = []
for p in prefixes: # number generation
init = 100000
while init <= 999999:
if init == 100000:
numbers.append("06" + p + "000000")
numbers.append("06" + p + str(init))
Init += 1
f = open("numbers.list", "a+")
for x in numbers: # for each generated number, log existing account
t = int(time.time()) # timestamp added for the POST query
data = {"**CENSORED1**":x, "**CENSORED2**":t}
r = requests.get(url, params=data, headers=headers)
if r.url != u"http://<login page of product A>/<error page>":
f.write(x+"n")
52. Enumerated accounts
The server doesn’t mitigate wrong tries
So 90 numbers have been enumerated for 1 prefix
(+33 6 77 ******) < 4 hours
We are able to manage intercoms without the need of
SDR tools!
53. Attack scenarios
Without the need of any SDR tool:
Update all intercoms with a premium rate number
=/
open doors → but we need the locations...
54. How to get the location?
In general, people add their home number
first...
56. The M2M virtual network as a
second attack vector
Provided SIM/USIM cards could be plugged
on other devices
→ we can scan the virtual network
But product’s “A” SIM/USIM card has a PIN
code… =/
→ not a problem for the SIMtrace tool!
57. SIMtrace setup and results
Entering main loop
ATR APDU: 3b 9f 96 80 1f c7 80 31
e0 73 fe 21 1b 64 40 91 11 00 82
90 00 01
PPS(Fi=9/Di=6) APDU: 00 a4 00 04
02 3f 00 61 23
[…]
APDU: 00 20 00 01 08 ** ** ** ** ff
ff ff ff 90 00
APDU: 00 2c 00 01 00 63 ca
[…]
SIMtrace as a “proxy” between the SIM/USIM ↔ intercom:
PIN code typed by the “Product A” intercom itself
Intercom USIM card
58. Connecting to the M2M network
Put the SIM/USIM in your phone
Optionally change the IMEI (possible with some Chinese
phones)
Setup the right APN (Access Point Name) of the M2M
network → documented
Tether the communication
→ use a computer
Changing the IMEI within the engineer mode
59. Traceroute in the M2M virtual
network
$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.42.129 (192.168.42.129) 0.622 ms 0.643 ms 0.705 ms
2 10.***.***.250 (10.***.***.250) 105.629 ms 125.547 ms 185.628 ms
3 10.***.***.209 (10.***.***.209) 195.783 ms 195.900 ms 195.831 ms
[...]
14 google-public-dns-a.google.com (8.8.8.8) 50.771 ms 50.248 ms
51.016 ms
Check the connection with a tethered computer:
An attacker will now be able to:
1) scan the virtual network
2) search for vulnerable services
3) then exploit vulnerable services
4) and so on… or use the SIM/USIM to get a free internet
access ^^
60. SIP as an attack surface
“Product A” has a mobile application to
provide Video calls
Video calls use SIP
To use this app a premium
account is required =(
But let’s analyze it!
61. Application analysis: first results
Mainly (very) bad/NULL SSL checks… →
MITM is possible
Also one SIP credential seems to be
hardcoded:
62. Registering in the SIP server
Using hardcoded credentials → success!
SIP/2.0 200 OK
Via: SIP/2.0/TCP
10.***.***.11:38703;alias;branch=z9hG4bK.rfZ5uXs1W;rpor
t=38703;received=19**********2
From: <sip:user@sip.**********>;tag=qmu7Mgc8t
To: sip:user@sip.***********;tag=***********
CSeq: 21 REGISTER
63. Results on “product A” SIP vector
Not satisfying =/
We are able to contact simple users like:
“user”;
“root”, …
But impossible to contact a known number
→ Maybe because the number needs be registered as a
premium extension
Actual question: how to find a valid extension
(without flooding with “INVITE” requests)?
64. Security recommendations for
M2M solutions
Enforce a PIN code on SIM/USIM cards → like in “Product A”
Whitelist IMEIs
Audit/pentest regularly the management website against web
vulnerabilities, but also other services
Restrict actions and requests on APNs
Firewall the virtual network, or do some segmentation
Audit/pentest the virtual network against network attacks
and vulnerabilities in services
Monitor and block SIM/USIM cards that have a suspicious
behavior
65. Conclusion
With GSM intercoms we can:
open a door
call premium rate numbers
spy on conversations if ATS0 is supported
Intercoms using the mobile network → same flaws as mobile phones
Other devices in the IoT ecosystem use the mobile network
M2M intercoms introduce new vectors of attack → much more
destructive → require a simple Internet connection (no SDR tools needed)
But M2M SIM/USIM cards are also used in many other IoT products!
Further work:
find a solution about the SIP vector,
start attacking intercoms’ basebands,
reduce the lab with an odroid device or another alternative :)