The presenter discusses attacking Internet of Things devices like intercom systems. They demonstrate intercepting communications from an intercom by setting up a rogue mobile network with software-defined radio equipment. The goal is to impersonate authorized users and send commands to open doors or access sensitive information. Potential attacks discussed include eavesdropping on calls, spoofing phone numbers registered with the intercom, and modifying settings via SMS messages.
Arduino arduino gsm-shield .... helpful to b.tec studentsnanda kar
The document summarizes information about the Arduino GSM Shield, which allows an Arduino board to connect to the internet, send and receive SMS, and make voice calls using GSM and GPRS technology. It provides details on what GSM and GPRS are, SIM card and network requirements, how to connect the shield, test connectivity, send SMS messages and connect to the internet using the GSM library. Code examples are included to demonstrate functionality.
This document discusses security in Bluetooth, CDMA, and UMTS wireless technologies. It describes security threats like disclosure and integrity threats in Bluetooth. It outlines Bluetooth security levels, modes, and techniques like authentication, authorization, and encryption. It also discusses known vulnerabilities like spoofing and denial of service attacks against Bluetooth. The document then covers 3G security features in UMTS like mutual authentication and data integrity. Finally, it provides an overview of CDMA technology and security through encryption and authentication.
This document provides an overview of GSM security solutions and UMTS authentication. It discusses GSM subscriber authentication using the A3 and A8 algorithms as well as encryption of voice traffic and signaling data using the A5 algorithm. It describes the use of temporary mobile subscriber identities and issues around roaming fraud. The document also outlines UMTS authentication and key agreement, noting that it adds mutual authentication between the user equipment and network compared to GSM. Finally, it discusses some security aspects and attacks related to mobility in Mobile IPv6 networks.
iParanoid: an IMSI Catcher - Stingray Intrusion Detection SystemLuca Bongiorni
The goal is the research and development of Intrusion Detection System related with Cell Networks.
Mainly this App will check the status of some Cell Network variables (e.g. Cellid, LAC, A5 Encryption, etc.) subsequently update a local DB and check if the information about the cell networks around the users are valid or if there could be a risk (e.g. possible interception, possible impersonation, etc.).
SlingSecure is the most secure encrypted messaging provider for Blackberry & Android mobile devices on the market. SlingSecure secure messaging was designed specifically for encrypting mobile-to-mobile, mobile-to-landline communication via Blackberry / Android smartphones.
Our multiple security features and protocols ensure safe, anonymous and highly secure transmission between Blackberry & Android devices for users who may deal with sensitive information and anyone who wants their peace of mind.
Features:
Blackberry to Android Encryption
Mobile to Landline Encryption
Landline to Landline Encryption
Private SMS Encryption
Email Encryption Blackberry to Android.
Visit us today at www.slingsecure.com
This document summarizes Mifare Classic security analysis conducted in the Czech and Slovak republics. It discusses vulnerabilities found in Slovak Mifare Classic cards, including all tested cards using the same keys for the first 1024 bytes and at least one sector being encrypted with default keys. It also describes tools used in Mifare Classic attacks, such as Proxmark3 and Crapto1, and how all data on a Mifare Classic card can be cloned due to weaknesses in the authentication and encryption.
This document discusses cryptography in GSM networks. It provides background on common security requirements and introduces cryptography techniques like symmetric-key cryptography, public-key cryptography, and cryptographic hashes. It then discusses cryptography specifically used in GSM networks, including the A5/1 and A5/3 algorithms used for encryption. It notes issues with the security of these algorithms and proposes improving GSM network security.
Arduino arduino gsm-shield .... helpful to b.tec studentsnanda kar
The document summarizes information about the Arduino GSM Shield, which allows an Arduino board to connect to the internet, send and receive SMS, and make voice calls using GSM and GPRS technology. It provides details on what GSM and GPRS are, SIM card and network requirements, how to connect the shield, test connectivity, send SMS messages and connect to the internet using the GSM library. Code examples are included to demonstrate functionality.
This document discusses security in Bluetooth, CDMA, and UMTS wireless technologies. It describes security threats like disclosure and integrity threats in Bluetooth. It outlines Bluetooth security levels, modes, and techniques like authentication, authorization, and encryption. It also discusses known vulnerabilities like spoofing and denial of service attacks against Bluetooth. The document then covers 3G security features in UMTS like mutual authentication and data integrity. Finally, it provides an overview of CDMA technology and security through encryption and authentication.
This document provides an overview of GSM security solutions and UMTS authentication. It discusses GSM subscriber authentication using the A3 and A8 algorithms as well as encryption of voice traffic and signaling data using the A5 algorithm. It describes the use of temporary mobile subscriber identities and issues around roaming fraud. The document also outlines UMTS authentication and key agreement, noting that it adds mutual authentication between the user equipment and network compared to GSM. Finally, it discusses some security aspects and attacks related to mobility in Mobile IPv6 networks.
iParanoid: an IMSI Catcher - Stingray Intrusion Detection SystemLuca Bongiorni
The goal is the research and development of Intrusion Detection System related with Cell Networks.
Mainly this App will check the status of some Cell Network variables (e.g. Cellid, LAC, A5 Encryption, etc.) subsequently update a local DB and check if the information about the cell networks around the users are valid or if there could be a risk (e.g. possible interception, possible impersonation, etc.).
SlingSecure is the most secure encrypted messaging provider for Blackberry & Android mobile devices on the market. SlingSecure secure messaging was designed specifically for encrypting mobile-to-mobile, mobile-to-landline communication via Blackberry / Android smartphones.
Our multiple security features and protocols ensure safe, anonymous and highly secure transmission between Blackberry & Android devices for users who may deal with sensitive information and anyone who wants their peace of mind.
Features:
Blackberry to Android Encryption
Mobile to Landline Encryption
Landline to Landline Encryption
Private SMS Encryption
Email Encryption Blackberry to Android.
Visit us today at www.slingsecure.com
This document summarizes Mifare Classic security analysis conducted in the Czech and Slovak republics. It discusses vulnerabilities found in Slovak Mifare Classic cards, including all tested cards using the same keys for the first 1024 bytes and at least one sector being encrypted with default keys. It also describes tools used in Mifare Classic attacks, such as Proxmark3 and Crapto1, and how all data on a Mifare Classic card can be cloned due to weaknesses in the authentication and encryption.
This document discusses cryptography in GSM networks. It provides background on common security requirements and introduces cryptography techniques like symmetric-key cryptography, public-key cryptography, and cryptographic hashes. It then discusses cryptography specifically used in GSM networks, including the A5/1 and A5/3 algorithms used for encryption. It notes issues with the security of these algorithms and proposes improving GSM network security.
This document describes a project to add voice encryption to GSM calls using an Arduino. The system works by encrypting an analog voice signal from a microphone using an encryption algorithm on an Arduino. The encrypted signal is transmitted to an Android phone via Bluetooth and then to the receiver. At the receiver, another Arduino decrypts the signal and plays it through speakers. The document outlines the hardware components, encryption method, and challenges faced with transmitting encrypted audio over Bluetooth.
Self Contained Encrypted Voice solution for business and government. Central server + iphone and android app, high level of encrypted voice and text message capability that resides completely onsite, works anywhere from one enabled comms device to another on the same network
The document discusses security algorithms used in GSM networks - A3 is used for authentication between the mobile station and network, A5 is used for encryption, and A8 is used to generate cipher keys. Specifically, A3 takes a random number (RAND) and secret key (Ki) to generate a signed response (SRES) for authentication. A8 also takes RAND and Ki to generate a 64-bit cipher key (KC) for encryption using the A5 algorithm. The document was presented by Rupali Lohar from B. R. Harne College Of Engineering & Technology in Maharashtra, India.
The document discusses RFID vulnerabilities and exploits, focusing on weaknesses in the Mifare Classic RFID card system. It describes the structure and authentication process of Mifare Classic cards, and summarizes early research that demonstrated practical attacks against the proprietary CRYPTO1 encryption algorithm used. This research allowed cloning of cards and manipulation of the wireless communication channel without proper authentication. While risks to PKI cards like electronic passports were not shown, the document outlines security issues in Mifare Classic's encryption approach.
This document discusses NFC and BLE technologies and their uses for automating daily life and biohacking. It defines NFC and how it works, providing examples of common NFC tag types and their memory sizes. Risks of biohacking are noted. The document also demonstrates how to enable and use NFC in mobile apps to read plain text tags and manually create NFC records to write tags. Out-of-the-box uses include controlling lights, unlocking devices, and biohacking applications like embedding chips for access. More information and demos are provided in online resources.
Electronic Access Control Security / Безопасность электронных систем контроля...Positive Hack Days
Ведущий: Маттео Беккаро
Мастер-класс посвящен эксплуатации уязвимостей электронных систем контроля доступа. Ведущий расскажет о наиболее распространенных технологиях, их уязвимостях и возможных способах атаки. Участникам, которым удастся провести атаку, достанутся аппаратные гаджеты Opposing Force.
This document discusses various methods that criminals use to attack ATMs, including malware, black box attacks, and physical access. It describes specific malware like Tyupkin and attacks on protocols like XFS that allow unauthorized control of ATM components over USB/COM ports. Issues discussed include lack of authentication in XFS, vulnerabilities in Windows XP, and insecurity of physical locks and interfaces. The document calls for improvements like mutual authentication, secure protocols and regular security testing to help address these ATM attack methods.
This document describes a proposed true random number generator circuit for RFID tags. The circuit uses a simple operational amplifier with positive feedback configured as a Schmitt trigger. In the absence of an input signal, the output will be randomly set to either the positive or negative saturated output level depending on the polarity of the differential input thermal noise voltage from resistors at the input. This causes the output bit pattern to be random. Results show the output passes the NIST randomness tests without further processing. The simple circuit can be implemented on existing RFID tag platforms like MSP430 microcontrollers and meets requirements for being lightweight, robust to thermal and power attacks, and not requiring a seed value or continuous operation.
This document proposes a smart security system for automobiles using Internet of Things (IoT) technology. The system would secure vehicles by detecting unauthorized activity using sensors like an ignition sensor. It could be controlled remotely via a smartphone app, allowing users to lock their vehicle or track its location using GPS. The system would use technologies like Arduino, PIC microcontrollers, GSM boards, and sensors for temperature, humidity, IR, cameras, magnets and motion. Data captured from IoT sensors could be analyzed on platforms like IBM Bluemix using Hadoop for distributed processing. This smart security system offers advantages like low cost, compatibility with existing tech, applicability even in remote areas, and enhanced security for vehicles.
Slides from the NFC kickstarter workshop at MobDevCon 2013
Source code is available on github : https://github.com/jameselsey/mobdevcon-nfc-kickstarter
Any questions please shout me on twitter! @jameselsey1986
An expert presented techniques for hacking intercom systems. The presentation covered:
1) Conducting red team physical intrusion tests which sometimes require bypassing intercom systems.
2) Different types of intercom systems and how numeric intercoms use mobile networks like GSM.
3) Potential attack vectors like impersonating resident phone numbers by intercepting calls to the intercom using a fake mobile tower.
Presented on 6.11.2015 during the Tech and Law Center event (ITA) Intercettazioni: tutto quello che non avreste voluto sapere
http://www.techandlaw.net/news/intercettazioni-tutto-quello-che-non-avreste-voluto-sapere.html
This document discusses mobile network security and practical attacks. It presents:
1) Attacks on 2G networks like GSM are possible using inexpensive hardware by exploiting weaknesses in the authentication protocols or reusing authentication triplets.
2) 3G and 4G networks have stronger encryption but mutual authentication can still be bypassed depending on the baseband implementation.
3) Practical attacks were demonstrated through jamming to force a downgrade to 2G, running a rogue base station, and exploiting bugs found through fuzzing a mobile device's baseband.
Modmobmap is a tool for mapping 2G, 3G, and 4G mobile networks using various tricks and interfaces. It uses ServiceMode on Android phones to obtain cell information and the Dirty Fuzzy Registration technique to enumerate cells by changing network registration. The tool combines these methods and Software-Defined Radio to cheaply scan networks. A demonstration with a Galaxy S5 phone shows it works by accessing the phone's diagnostic interface and capturing data in GSMTAP format.
Modmobmap is a tool that maps mobile cells in real-time by capturing cell information from exposed diagnostic interfaces or the Android RIL. It aims to provide more precise cell tower data than existing recording solutions. The presentation discusses using cheap software-defined radios, custom SIM cards, Faraday cages, and downgrade attacks to attract mobile devices and intercept their communications for testing purposes. It also covers automating cell changes using AT commands to simulate a mobile station camping between cells.
This document discusses attacks on digital house intercom systems that use mobile networks like GSM, 3G, and 4G to communicate. It begins by providing background on digital intercom systems and how they work. It then reviews the state of research on attacking GSM networks. The document goes on to describe experiments the author conducted to passively monitor and actively attack a digital intercom system in a lab environment. Attacks demonstrated include leaking phone numbers, opening doors, and "backdooring" the system. The document concludes that digital intercom systems could be vulnerable due to their use of mobile networks with known security weaknesses.
This document describes a border security and alert system using GSM technology. The system uses an LPC2148 microcontroller interfaced with IR sensors, a GSM modem, buzzer, and LCD to detect intruders and alert authorized personnel via text message. When an IR sensor detects an object at the border, the microcontroller sends an SMS via the GSM modem. The system provides low-cost border security automation and real-time intruder alerts to remote users through standard mobile networks and devices. Potential applications include defense, banking security, and museum protection.
The document discusses attacking GSM networks by spoofing a base transceiver station (BTS). It describes how to setup an OpenBTS system using inexpensive hardware to intercept mobile subscribers. It also summarizes vulnerabilities in the GSM cryptographic protocols including issues with identifiers, spoofing networks, decrypting traffic, and lack of encryption.
This document describes the design and implementation of a GSM alarm system. The system uses an Arduino board connected to a GSM shield to detect motion via a PIR sensor and send SMS alerts. It includes a keypad for input, LCD display for status, and buzzer for alarms. Programming was done in C++ using the Arduino IDE. The system aims to provide remote security monitoring via GSM connectivity even when the owner is away. Some challenges included delays receiving hardware and issues with the GSM functionality during testing. Overall the project demonstrated a working GSM alarm prototype.
Veilig communiceren power point presentatieleonardoleno
The document provides guidelines for safely organizing actions without leaking sensitive information, focusing on risks from cell phones and email. It discusses how communication data can be intercepted and outlines best practices like encrypting emails and removing phone batteries. Newer technologies make monitoring cheaper and allow reactivating powered-off phones, emphasizing the importance of proper communication security.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
This document describes a project to add voice encryption to GSM calls using an Arduino. The system works by encrypting an analog voice signal from a microphone using an encryption algorithm on an Arduino. The encrypted signal is transmitted to an Android phone via Bluetooth and then to the receiver. At the receiver, another Arduino decrypts the signal and plays it through speakers. The document outlines the hardware components, encryption method, and challenges faced with transmitting encrypted audio over Bluetooth.
Self Contained Encrypted Voice solution for business and government. Central server + iphone and android app, high level of encrypted voice and text message capability that resides completely onsite, works anywhere from one enabled comms device to another on the same network
The document discusses security algorithms used in GSM networks - A3 is used for authentication between the mobile station and network, A5 is used for encryption, and A8 is used to generate cipher keys. Specifically, A3 takes a random number (RAND) and secret key (Ki) to generate a signed response (SRES) for authentication. A8 also takes RAND and Ki to generate a 64-bit cipher key (KC) for encryption using the A5 algorithm. The document was presented by Rupali Lohar from B. R. Harne College Of Engineering & Technology in Maharashtra, India.
The document discusses RFID vulnerabilities and exploits, focusing on weaknesses in the Mifare Classic RFID card system. It describes the structure and authentication process of Mifare Classic cards, and summarizes early research that demonstrated practical attacks against the proprietary CRYPTO1 encryption algorithm used. This research allowed cloning of cards and manipulation of the wireless communication channel without proper authentication. While risks to PKI cards like electronic passports were not shown, the document outlines security issues in Mifare Classic's encryption approach.
This document discusses NFC and BLE technologies and their uses for automating daily life and biohacking. It defines NFC and how it works, providing examples of common NFC tag types and their memory sizes. Risks of biohacking are noted. The document also demonstrates how to enable and use NFC in mobile apps to read plain text tags and manually create NFC records to write tags. Out-of-the-box uses include controlling lights, unlocking devices, and biohacking applications like embedding chips for access. More information and demos are provided in online resources.
Electronic Access Control Security / Безопасность электронных систем контроля...Positive Hack Days
Ведущий: Маттео Беккаро
Мастер-класс посвящен эксплуатации уязвимостей электронных систем контроля доступа. Ведущий расскажет о наиболее распространенных технологиях, их уязвимостях и возможных способах атаки. Участникам, которым удастся провести атаку, достанутся аппаратные гаджеты Opposing Force.
This document discusses various methods that criminals use to attack ATMs, including malware, black box attacks, and physical access. It describes specific malware like Tyupkin and attacks on protocols like XFS that allow unauthorized control of ATM components over USB/COM ports. Issues discussed include lack of authentication in XFS, vulnerabilities in Windows XP, and insecurity of physical locks and interfaces. The document calls for improvements like mutual authentication, secure protocols and regular security testing to help address these ATM attack methods.
This document describes a proposed true random number generator circuit for RFID tags. The circuit uses a simple operational amplifier with positive feedback configured as a Schmitt trigger. In the absence of an input signal, the output will be randomly set to either the positive or negative saturated output level depending on the polarity of the differential input thermal noise voltage from resistors at the input. This causes the output bit pattern to be random. Results show the output passes the NIST randomness tests without further processing. The simple circuit can be implemented on existing RFID tag platforms like MSP430 microcontrollers and meets requirements for being lightweight, robust to thermal and power attacks, and not requiring a seed value or continuous operation.
This document proposes a smart security system for automobiles using Internet of Things (IoT) technology. The system would secure vehicles by detecting unauthorized activity using sensors like an ignition sensor. It could be controlled remotely via a smartphone app, allowing users to lock their vehicle or track its location using GPS. The system would use technologies like Arduino, PIC microcontrollers, GSM boards, and sensors for temperature, humidity, IR, cameras, magnets and motion. Data captured from IoT sensors could be analyzed on platforms like IBM Bluemix using Hadoop for distributed processing. This smart security system offers advantages like low cost, compatibility with existing tech, applicability even in remote areas, and enhanced security for vehicles.
Slides from the NFC kickstarter workshop at MobDevCon 2013
Source code is available on github : https://github.com/jameselsey/mobdevcon-nfc-kickstarter
Any questions please shout me on twitter! @jameselsey1986
An expert presented techniques for hacking intercom systems. The presentation covered:
1) Conducting red team physical intrusion tests which sometimes require bypassing intercom systems.
2) Different types of intercom systems and how numeric intercoms use mobile networks like GSM.
3) Potential attack vectors like impersonating resident phone numbers by intercepting calls to the intercom using a fake mobile tower.
Presented on 6.11.2015 during the Tech and Law Center event (ITA) Intercettazioni: tutto quello che non avreste voluto sapere
http://www.techandlaw.net/news/intercettazioni-tutto-quello-che-non-avreste-voluto-sapere.html
This document discusses mobile network security and practical attacks. It presents:
1) Attacks on 2G networks like GSM are possible using inexpensive hardware by exploiting weaknesses in the authentication protocols or reusing authentication triplets.
2) 3G and 4G networks have stronger encryption but mutual authentication can still be bypassed depending on the baseband implementation.
3) Practical attacks were demonstrated through jamming to force a downgrade to 2G, running a rogue base station, and exploiting bugs found through fuzzing a mobile device's baseband.
Modmobmap is a tool for mapping 2G, 3G, and 4G mobile networks using various tricks and interfaces. It uses ServiceMode on Android phones to obtain cell information and the Dirty Fuzzy Registration technique to enumerate cells by changing network registration. The tool combines these methods and Software-Defined Radio to cheaply scan networks. A demonstration with a Galaxy S5 phone shows it works by accessing the phone's diagnostic interface and capturing data in GSMTAP format.
Modmobmap is a tool that maps mobile cells in real-time by capturing cell information from exposed diagnostic interfaces or the Android RIL. It aims to provide more precise cell tower data than existing recording solutions. The presentation discusses using cheap software-defined radios, custom SIM cards, Faraday cages, and downgrade attacks to attract mobile devices and intercept their communications for testing purposes. It also covers automating cell changes using AT commands to simulate a mobile station camping between cells.
This document discusses attacks on digital house intercom systems that use mobile networks like GSM, 3G, and 4G to communicate. It begins by providing background on digital intercom systems and how they work. It then reviews the state of research on attacking GSM networks. The document goes on to describe experiments the author conducted to passively monitor and actively attack a digital intercom system in a lab environment. Attacks demonstrated include leaking phone numbers, opening doors, and "backdooring" the system. The document concludes that digital intercom systems could be vulnerable due to their use of mobile networks with known security weaknesses.
This document describes a border security and alert system using GSM technology. The system uses an LPC2148 microcontroller interfaced with IR sensors, a GSM modem, buzzer, and LCD to detect intruders and alert authorized personnel via text message. When an IR sensor detects an object at the border, the microcontroller sends an SMS via the GSM modem. The system provides low-cost border security automation and real-time intruder alerts to remote users through standard mobile networks and devices. Potential applications include defense, banking security, and museum protection.
The document discusses attacking GSM networks by spoofing a base transceiver station (BTS). It describes how to setup an OpenBTS system using inexpensive hardware to intercept mobile subscribers. It also summarizes vulnerabilities in the GSM cryptographic protocols including issues with identifiers, spoofing networks, decrypting traffic, and lack of encryption.
This document describes the design and implementation of a GSM alarm system. The system uses an Arduino board connected to a GSM shield to detect motion via a PIR sensor and send SMS alerts. It includes a keypad for input, LCD display for status, and buzzer for alarms. Programming was done in C++ using the Arduino IDE. The system aims to provide remote security monitoring via GSM connectivity even when the owner is away. Some challenges included delays receiving hardware and issues with the GSM functionality during testing. Overall the project demonstrated a working GSM alarm prototype.
Veilig communiceren power point presentatieleonardoleno
The document provides guidelines for safely organizing actions without leaking sensitive information, focusing on risks from cell phones and email. It discusses how communication data can be intercepted and outlines best practices like encrypting emails and removing phone batteries. Newer technologies make monitoring cheaper and allow reactivating powered-off phones, emphasizing the importance of proper communication security.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
This document discusses using a Raspberry Pi-based system to prevent theft of car logos. The system uses a pressure sensor attached to the car logo to detect if someone is trying to remove it. If triggered, the system will first send an alert to the car owner if they are nearby. It will also use GSM to send an SMS message to the owner's phone with a photo of the thief captured by a camera. This provides anti-theft protection for the car logo at an affordable cost using Raspberry Pi and GSM technology to remotely alert the owner even if they are not near the car.
This document provides explanations for multiple choice questions related to network scanning, TCP/IP protocols, and cybersecurity concepts like social engineering and denial of service attacks. It defines technical terms like ICMP type codes, default port numbers for protocols like SNMP and LDAP, the three-way handshake process in TCP, and vulnerabilities involving alternate data streams and tailgating. The explanations emphasize accurate port scanning methods, TCP flag functions, covert channels, broadcast MAC addresses, and strategies for preventing social engineering like tailgating.
D1 t1 t. yunusov k. nesterov - bootkit via smsqqlan
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
When doing a security assessment, observing how a device communicates with the outside world is a must. It tells you what it sends and receives, and in general let you understand if it can be attacked. We have tools and methods to do it for the server side API, the associated mobile apps, the web apps and so on - but what about the device itself (the "thing")? Moreover, what happens if the device is not using traditional HTTP/S request, or does not even "speak" plain old tcp/ip?
During this talk, we'll go over the obstacles we have to face when analyzing unknown, custom RF based communication that drives the target IoT system we're pentesting. We'll talk about and see in action the tools that will allow us to capture RF traffic, analyze it, brute force it, replay it, and of course forge it. It's like common attacks, but at the RF level. So let's hack some things belonging to the real world!
Intense and wide workshop on major voice encryption technologies for private, business, military, public safety and internet.
Strong review of wiretapping technical and political context.
IEEE Standard for Securing Legacy Scada Protocols (Sequi, Inc)sequi_inc
Presentation for Industrial Control Systems Joint Working Group (ICSJWG).
This presentation will lend insight to IEEE 1711-2010, a standard for securing substation serial-based SCADA assets, and its applicability across industry sectors: electric, oil, gas, water, and chemical. Also addressed are the benefits of its implementation on legacy retrofits, SCADA link management, and integrating legacy systems and Ethernet IP SCADA networks.
This document describes the design of a dual band mobile phone jammer that can jam signals in the GSM 900 and GSM 1800 frequency bands. [1] The jammer works by transmitting noise signals within the downlink frequencies of 935-960 MHz and 1805-1880 MHz to overwhelm mobile signals and cause a "no service" message on phones. [2] Key components include a voltage controlled oscillator, power amplifier, and antenna for each band. [3] The device was tested successfully in jamming all major mobile carriers in Jordan.
Similar to Intercoms presentation OSSIR - IoT Hacking (20)
Long Range Wide Area Network (LoRaWAN) devices have been hacking targets for quite some time. We dive into attacks that malicious actors can use against vulnerable LoRaWAN devices, and review the state of LoRaWAN security. This is the first in a three-part series.
This document discusses a framework for fuzzing the GSM protocol stack. It begins with an abstract and introduction describing the challenges of fuzzing GSM due to its complexity. It then provides background on GSM basics including the network architecture, protocol layers, and message formats. The document focuses on describing the prerequisites and architecture developed for automated GSM fuzzing, including generating test cases, monitoring mobile phone states, and managing the fuzzing process.
This document summarizes a presentation on attacking HomePlugAV powerline communication devices. It provides background on PLC technology, describing how PLCs transmit data over electrical wiring and discussing previous research. It then outlines several attacks against PLC networks, including eavesdropping on unencrypted communication between a computer and PLC, spoofing devices to intercept network information requests, and manipulating configuration files to backdoor devices.
1. The document describes a framework called MobiDeke that was created to fuzz the GSM protocol stack over-the-air by generating and mutating malformed GSM messages and monitoring the target's behavior for crashes or errors.
2. MobiDeke addresses limitations with existing fuzzing methods by automating the generation, mutation, transmission and monitoring processes.
3. The key components of MobiDeke are modules for generating and mutating GSM messages, transmitting payloads over-the-air via a software-defined radio, and monitoring the target phone and base station for crashes or abnormal behavior.
This document summarizes a paper on practical attacks against HomePlugAV powerline communication devices. It begins by providing background on powerline communication technology and discussing the HomePlugAV specification. It then describes analyzing HomePlugAV networks using various tools to understand the protocols and encryption. The document outlines several practical attacks demonstrated, including intercepting network keys, bruteforcing passwords, and gaining remote memory access on devices once on the network. It concludes by discussing future work areas like firmware analysis and authentication message fuzzing.
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests📡 Sebastien Dudek
Presentation made at SecurityPWNing 2018 explaining how to intrude a company using radio attacks and real cases scenarios we encountered during our tests.
Article on V2G Hacking - V2G Injector: Whispering to cars and charging statio...📡 Sebastien Dudek
The document discusses a tool called V2G Injector that was developed to interface with, analyze, and inject traffic into Vehicle-to-Grid (V2G) systems. V2G systems allow electric vehicles to store and return energy to the electric grid through bidirectional charging stations. The tool exploits vulnerabilities in the HomePlug GreenPHY standard used for powerline communication between electric vehicles and charging stations.
SSTIC 2019 - V2G injector: Whispering to cars and charging units through the ...📡 Sebastien Dudek
A presentation discusses vehicle-to-grid (V2G) communication and security. It summarizes the development of a tool called the "V2G Injector" that can monitor and inject crafted packets into V2G networks communicating over power lines. The tool decodes V2G data formats and circumvents security in the HomePlug Green PHY standard to extract network keys from charging stations. The tool allows an attacker to intercept and manipulate V2G communications between electric vehicles and charging stations.
Modmobtools provides tools for monitoring and jamming 2G, 3G, and 4G cellular networks. The tools include Modmobmap for scanning cellular towers and cells, and Modmobjam for targeted jamming of specific frequencies used by cellular networks. The presentation discusses using older Nokia phones or exposed diagnostic interfaces on Android phones to monitor cells, and leveraging software-defined radios to precisely jam only targeted frequency channels.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
2. About me
Company: Synacktiv
(http://www.synacktiv.com)
Twitter: @fluxius
Interests: radio-communications (Wi-Fi,
RFID, GSM, PLC...), networking, web, Linux
security… and intercoms!
Developer of http://DomzZilla.fr
Engine to quickly find a housing
3. I’m not
CEH
CISSP
CSSP
OSCP
CISA
CISM
GIAC
or whatever….
6. Red team tests
At Synacktiv we do red team tests:
spear phishing
web and network intrusions
backdoored devices
physical intrusions
7. Physical intrusions (1)
Enter a building to:
to plug a malicious device,
dump computers memory,
or let malicious USB keys indoor, …
Final goal:
have a foot in the targeted network
browse and report sensitive documents of the
clients
8. Physical intrusion (2)
Main problem: we always need a way to enter to a
building
How?:
lock-picking
pros: subtle
cons: sometimes hard and time consuming, break locks sometimes
RF attacks
pros: subtle and clean
cons: hard sometimes with authentication tags like MIFARE DESfire
(when it’s used to authenticate and not to identify...)
social engineering → it’s all about improvisation
pros: being natural works like a charm
cons: leaving a trace of our face
9. Social engineering: a true story
In a public building (ERP rules):
came with a “crafted” convocation
with the convocation → trick the reception
plugged the intrusion network equipment
quit the building
and an alert was raised after 3 hours
10. The alert
The client sent a picture to the boss
asking: “is it one of your employees?”
11. Avoid alerts or traces
We have to be subtle
To do so:
RF attacks
lock-picking tricks
Social engineering→ okay without
interaction
But what about attacking the intercoms?
12. Intercoms today
Features:
Pass code
RF tag access
Call a resident:
The resident can then
open the door
When calling a resident, this intercoms uses the mobile network
→ that explains the (+33)6* prefix displayed on the resident’s phone
13. Assumptions
Would it be possible to play with the intercom?
We tried to directly call the intercom
but the intercom doesn’t answer to the call
Dump and modify the flash
good option, but difficult to do without being spotted in
the street…
A mobile attack → Better!
but we need to understand the functioning of these
intercoms first!
15. Context
Intercom / door phone / house intercom
A voice communication device → within a
building
Numeric for our case → use the mobile network
(SIM/USIM cards)
Allows to call a resident to identify the visitor and
open a door
Different types of intercoms exist
16. Different types of intercoms
Conventional Simplified Numeric
Description
Used for medium
sized buildings
/
Medium sized
building, or private
residents
# of wires
4+n (2 for power, 2
for the door system
and n → number of
residents)
1 wire for power and
door system + n →
number of residents
Generally: no wires
for each resident
17. Numeric intercoms
Wires replaced by:
GSM, 3G, rarely in 4G
or Wi-Fi…
⇒ Avoid complicated and cumbersome cables
⇒ Easy installation
20. Different brands market
4 brands are well-known in France:
Comelit
Intratone
Norasly
Urmet Captiv… that cost ~2000€
Cheaper alternatives:
Linkcom → commonly used by private residents
→ Our choice for our 1st analysis
21. How to recognize a mobile intercom
Not easy… maybe spotting a nice LCD
screen, new stainless steel case…
Or...
Looks like
a mobile
module?
22. State Of the Art: intercoms
Publications about intercoms are nearly
nonexistent
But research on mobile security can be
applied to attack these devices...
23. State Of the Art: Mobile security
Many publications exist:
Attacks on GSM A5/1 algorithm with rainbow tables
(at 26c3, Chris Paget and Karsten Nohl)
OsmocomBB
(at 2010 at 27c3, Harald Welte and Steve Markgraf)
Hacking the Vodaphone femtocell
(at BlackHat 2011, Ravishankar Borgaonkar, Nico Golde, and Kevin Redon)
An analysis of basebands security
(at SSTIC 2014, Benoit Michau)
Attacks on privacy and availability of 4G
(In October 2015, Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi
and Jean-Pierre Seifert)
How to not break LTE crypto
(at SSTIC 2016, Christophe Devine and Benoit Michau)
And many others...
24. State Of the Art: tools
Hardware
USRP from 700 € (without daughter-boards and antennas)
SysmoBTS from 2,000 €
BladeRF from 370 € (without antennas)
Software
Setup a mobile network
OpenBTS: GSM and GPRS network compatible with USRP and BladeRF
OpenUMTS: UMTS network compatible with some USRP
OpenLTE: LTE network compatible with BladeRF and USRP
OpenAir: LTE network compatible with some USRP
YateBTS: GSM and GPRS network compatible with USRP and BladeRF
Analyze traffic
libmich: Analyze and craft mobile packets captured with GSMTAP
Wireshark: Analyze GSMTAP captured packets
OsmocomBB: sniff and capture GSM packets
25. GSM and GPRS: authentication
● BTS: Base
Transceiver Station
● BSC: Base Station
Controller
● MSC: Mobile
Switch Center
● VLR: Visitor
Location Register
● HLR: Home
Location Register
● AuC:
Authentication
Center
26. GSM and GPRS: Handover
Source: article.sapub.org
A stronger signal will likely attract User Equipments
→ Useful for attackers
27. GSM and GPRS: possible attacks
No mutual authentication → Fake rogue
BTS
Reuse of Authentication triplet RAND, RES,
Kc many times
Signaling channel not encrypted → open
for attacks
Attacks on the A5/1 algorithm
⇒ Interception is possible on GSM and GPRS
28. 3G/4G: advantages
GSM 3G 4G
Client
authentication
YES YES YES
Network
authentication
NO
Only if USIM is
used (not SIM)
YES
Signaling
integrity
NO YES YES
Encryption A5/1
KASUMI |
SNOW-3G
SNOW-3G |
AES | ZUC...
29. Mobile interception: signal attraction
A User Equipment connects to the closest
Base Station
3G/4G downgrades to 2G via
protocol attacks → difficult
jamming attacks → a simple Gaussian noise in
targeted channels
31. The 3G module
Found in a public documentation:
« Lorsque le réseau 3G est inexistant sur les lieux de l’installation, le bloc 3G
cherchera le réseau GSM automatiquement et pourra résumer ses fonctionnalités dans
ce mode :
- Appel Audio (sans Visio).
- Mise à jour en temps réel sur le réseau GSM et non plus 3G. »
= If 3G is unreachable → use 2G instead!
32. To jam a 3G channel
We can buy a jammer + disable 2G Tx
Or for each operator:
enumerate the list of close UARFCN (UTRA
Absolute Radio Frequency Channel Number)
with UARFCN → translate into central frequencies
to jam the channels
send Gaussian noise into each detected channel
using SDR
34. Baseband diag interfaces (1)
Android phones with a XGold baseband →
/dev/ttyACM0 → use xgoldmon tool
UMTS RRC (Radio Resource Control) messages
→ get DL UARFCN
35. Baseband diag interfaces (2)
Qualcomm basebands sometimes expose
a /dev/diag interface that could be
exploited
But a universal (and dirty) method exists
with Samsung mobiles
36. Cheap and dirty UARFCN
enumerator with Samsung Mobiles
When entering the ServiceMode (e.g:
*#0011#) in Samsung and trying to register
→ the DL and UL UARFCN are logged in
logcat
We can parse the logcat output to get the
UARFCN
[...]
LOG:>>[HIGH]oemtestmode.c,403,Idle: dl_uarfcn 10688
ul_uarfcn 9738<<
[...]
37. With our mobiletools framework
Our development → tool that monitor 3G and 4G cells with
a cheap Samsung device
~# ./ServiceMode.py
=> Requesting a list of MCC/MNC
[+] List of operators:
{'F-Bouygues Telecom': ['20820'], 'Orange F': ['20801'], 'F SFR': ['20810'], 'Free':
['20815']}
=> Changing MCC/MNC for: 20810
[+] New cell detected [Cell-ID/TAC (30***)]
Network type=4G
PLMN=208-20
Band=3
Downlink EARFCN=1850
[+] New cell detected [Cell-ID/TAC (46***)]
Network type=4G
PLMN=208-10
Band=3
Downlink EARFCN=1850 [...]
38. Downgrade 3G → 2G demo
Targeted channels jamming
Using a simple HackRF for ~300€
→ works also with a USRP (~700€), or a bladeRF
(~400€)
40. GSM Lab setup: for interception
No full duplex with hackRF → we use a bladeRF instead!
● 1 BladeRF = 370 € minimum
● 2 Antennas = 15 € minimum each
● YateBTS software = FREE
● Total cost = 400 €Linkcom iDP GSM
41. Intercom setup: configuration
This intercom can be configured in 3 ways:
With a programming interface and the Link iDP
manager software
With a SIM card reader/programmer
Via SMS messages
The SIM card is used as a memory → contains
all the settings
A first administrator number “ADMIN1” has to
be setup in the SIM card contacts
42. First impressions
Our goals:
impersonate a number, or
find a way to bypass it
then open a door, or send
commands to the intercoms
…
A good indicator → after
sending commands, an
acknowledgment is
performed by SMS
43. Hypotheses as a potential attacker
We don’t know the mobile operator
We don’t know intercom’s number
The commands could be found with public
or leaked documentations, or by
performing a firmware analysis
44. Attacker steps to open the door
1. Recognize intercom’s operator to trap it
2. Leak, or guess, numbers to impersonate
3. Register my phone with the leaked
resident number on the fake BTS
4. Call myself
5. Open the door!
45. To trap the intercom
Bruteforcing the 4
MCC/MNC (FR)
15min~ waiting for
each MCC/MNC
Strong GSM signal
Button push →
calling intercepted
→ success!
Note: The used MCC/MNC but mostly the used channel can be discovered with
jamming tests over the different channels.
46. What’s next? Let's leak numbers!
Activate GSM tapping on YateBTS →
Wireshark
Then push on buttons → CC SETUP
47. What’s next? Let's open the door!
Leaked number → affect it to your IMSI in tmsidata.conf
[tmsi]
last=007b0005
[ues]
20820<attacker’s IMSI>=007b0003,35547XXXXXXXXXX,
<resident or admin number>,1460XXXXXX,
ybts/TMSI007b0003
# associating attacker IMSI with a resident number
[...]
48. What’s next? Let's backdoor it!
Leak the admin number:
buttons (call, or alarm triggers, etc.)
social engineering
Find commands:
public or leaked documentations
Passive channel monitoring → good luck!
or buy the same model in commercial web sites such as “leboncoin”, eBay,
and so on.
In our case with Linkcom iDP:
Command Description
READ <NAME> Read the number of a button, or an admin (ADMIN[1-9]).
WRITE <NAME> <number> Add or update a number associated to a name.
CAL AT<command suffix> Send an AT command to the baseband through SMS!
49. AT commands?
We can interact with Intercom’s baseband:
retrieve SMS messages → AT+CMGL="ALL"
spying building door conversations with auto-
answer feature (if not disabled) → ATS0=1
and so on.
54. Intercoms using M2M SIM/USIM
cards
Provided with a M2M SIM/USIM card
→ more than 10 years subscription
→ the mobile operator provides a virtual network to
manage the intercoms
Use the UMTS network by default
→ GSM is used if UMTS is unreachable
Intercoms → managed by a centralized server
→ It’s an interesting new vector of attacker, but there
are many others...
56. RF features
To enter into the building, a resident can
also:
use the pass code
but also a RF tag and or push a button from a
same remote case
57. RF tag
The tag is shown as a ISO/IEC 14443 Type A tag → like
MIFARE classic it’s a Vigik token
Vigik token of a resident can be cloned
But people are still interested to have a multipass tag → be
able to break 1024-bit RSA keys → see the state of the art
by Renaud Lifchitz at Hackito Ergo Sum 2014
# nfc-list
[...]
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
ATQA (SENS_RES): 00 04
UID (NFCID1): eb 34 ** **
SAK (SEL_RES): 08
58. Remote control
The remote control use RF frequencies to
send a signal → open the door
To capture the signal we have two
approach:
enumerating frequencies and catch the strange
signal when hitting the remote button
or open the remote’s case
59. Deep within the remote
Includes:
a Vigik paper tag
and a RF transmitter Vigik token
RF transmitter
60. Zoom on the transmitter
We can read its identifier: 1840T39A
62. Identify the frequency
Slicing across different ranges: 310, 433,
868 and 915 MHz (e.g. RF explorer)
63. Identify the modulation
Capture 1 button (e.g with the HackRF)
=> looks like a classic OOK
modulation
64. Demodulation of the captured signal
We can perform an amplification
demodulation (AM demod)
But when comparing two pushes, the code
is different:
65. Cleaned tracks (e.g with scipy)
Short impulses Longer impulses
here
1st
push 2nd
push
66. Seems to be rolling code
At each push the code is different → it’s
probably rolling code
rolling code is briefly referenced when looking
at product’s documents
replay is theoretically impossible
but other attacks exist:
side channels or firmware+memory dumping → recover
the algorithm and the initial seed
cloning the next code → attack presented by Silvio
Cesare at Black Hat USA 2014
67. To resume
The remote and Vigik are secure → almost good!
Attacks on these devices exists but are kind tricky
→ need the leak of Vigik token ID
→ or jam, relay 1 code and clone some rolling codes
These intercoms use 3G → could be
downgraded to 2G → vulnerable to the previous
attacks
With 3G intercoms use TCP/IP stack → what
about their web services?
69. Attack vectors with M2M Intercoms
Vulnerabilities in
Services: Web,
SIP, etc.
SIM/USIM →
look for
vulnerabilities
in the virtual
network
3G downgrade to
2G + GSM
interception
70. Website vulnerabilities
Websites → manage one or multiple intercoms
thanks to their mobile number
Vulnerabilities could be found:
account guessing + bruteforce → we’ve tested it on a
product
authentication bypasses → could be identified crawling
with Google!
SQL injections,
LFI,
and so on.
71. Our tests on “Product A”
We’ve tested a 3G intercom that is
provided with a M2M SIM Card
Lets call it “Product A”
72. Bruteforce accounts
By default, “Product A” website doesn’t
enforce a password to manage intercoms:
But we need a valid number…
73. Number enumeration (quick PoC)
url = "http://<login page of product A>/<login page>"
[...]
prefixes = [ "07", "08", "30", "70", "71", "72", "73", "74", […] ]
prefixes = reversed(sorted(prefixes))
init = 100000
numbers = []
for p in prefixes: # number generation
init = 100000
while init <= 999999:
if init == 100000:
numbers.append("06" + p + "000000")
numbers.append("06" + p + str(init))
Init += 1
f = open("numbers.list", "a+")
for x in numbers: # for each generated number, log existing account
t = int(time.time()) # timestamp added for the POST query
data = {"**CENSORED1**":x, "**CENSORED2**":t}
r = requests.get(url, params=data, headers=headers)
if r.url != u"http://<login page of product A>/<error page>":
f.write(x+"n")
74. Enumerated accounts
The server doesn’t mitigate wrong tries
So 90 numbers have been enumerated for 1 prefix
(+33 6 77 ******) < 4 hours
We are able to manage intercoms without the need of
SDR tools!
75. Attack scenarios
Without the need of any SDR tool:
Update all intercoms with a premium rate number
=/
open doors → but we need the locations...
76. How to get the location?
In general, people add their home number
first...
78. Get a free internet connection
or intrude Product A’s private
network
79. The M2M virtual network as a
second attack vector
Provided SIM/USIM cards could be plugged
on other devices
→ we can scan the virtual network
But product’s “A” SIM/USIM card has a PIN
code… =/
→ not a problem for the SIMtrace tool!
80. SIMtrace setup and results
Entering main loop
ATR APDU: 3b 9f 96 80 1f c7 80 31
e0 73 fe 21 1b 64 40 91 11 00 82
90 00 01
PPS(Fi=9/Di=6) APDU: 00 a4 00 04
02 3f 00 61 23
[…]
APDU: 00 20 00 01 08 ** ** ** ** ff
ff ff ff 90 00
APDU: 00 2c 00 01 00 63 ca
[…]
SIMtrace as a “proxy” between the SIM/USIM ↔ intercom:
PIN code typed by the “Product A” intercom itself
Intercom USIM card
81. Connecting to the M2M network
Put the SIM/USIM in your phone
Optionally change the IMEI (possible with some Chinese
phones)
Setup the right APN (Access Point Name) of the M2M
network → documented
Tether the communication
→ use a computer
Changing the IMEI within the engineer mode
82. Traceroute in the M2M virtual
network
$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.42.129 (192.168.42.129) 0.622 ms 0.643 ms 0.705 ms
2 10.***.***.250 (10.***.***.250) 105.629 ms 125.547 ms 185.628 ms
3 10.***.***.209 (10.***.***.209) 195.783 ms 195.900 ms 195.831 ms
[...]
14 google-public-dns-a.google.com (8.8.8.8) 50.771 ms 50.248 ms
51.016 ms
Check the connection with a tethered computer:
An attacker will now be able to:
1) scan the virtual network
2) search for vulnerable services
3) then exploit vulnerable services
4) and so on… or use the SIM/USIM to get a free internet
access ^^
84. SIP as an attack surface
“Product A” has a mobile application to
provide Video calls
Video calls use SIP
To use this app a premium
account is required =(
But let’s analyze it!
85. Application analysis: first results
Mainly (very) bad/NULL SSL checks… →
MITM possible
Also one SIP credential seems to be
hardcoded:
86. Registering in the SIP server
Using hardcoded credentials → success!
SIP/2.0 200 OK
Via: SIP/2.0/TCP
10.***.***.11:38703;alias;branch=z9hG4bK.rfZ5uXs1W;rpor
t=38703;received=19**********2
From: <sip:user@sip.**********>;tag=qmu7Mgc8t
To: sip:user@sip.***********;tag=***********
CSeq: 21 REGISTER
87. Results on “product A” SIP vector
Not satisfying =/
We are able to contact simple users like:
“user”;
“root”, …
But impossible to contact a known number
→ Maybe because the number needs be registered as a premium
extension
Sandro Gauci (@sandrogauci) helped to understand my
issue → we need a valid prefix format and/or a valid device
connected to that platform to begin to go further =/
This vector as been set in stand by → waiting to get an
access to the premium offer
88. Security recommendations for
M2M solutions
Enforce a PIN code on SIM/USIM cards → like in “Product A”
Whitelist IMEIs
Audit/pentest regularly the management website against web
vulnerabilities, but also other services
Restrict actions and requests on APNs
Firewall the virtual network, or do some segmentation
Audit/pentest the virtual network against network attacks
and vulnerabilities in services
Monitor and block SIM/USIM cards that have a suspicious
behavior
89. Conclusion
With GSM intercoms we can:
open a door
call premium rate numbers
spy on conversations if ATS0 is supported
Intercoms using the mobile network → same flaws as
mobile phones
Other devices in the IoT ecosystem use the mobile network
M2M intercoms introduce new vectors of attack → much
more destructive → require a simple Internet connection
(no SDR tools needed)
But M2M SIM/USIM cards are also used in many other IoT products!