Digital Self-Defense in Mobile Networks
Adrian Dabrowski, adabrowski@sba-research.org
2014-03-18
Related paper to be published at ACSAC 2014, December 8-12
“IMSI-Catch me if you can: IMSI-Catcher-Catchers”
Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, Edgar Weippl

A Mobile Network

A Mobile Network with a Mobile Station

Location Areas

A Wild IMSI Catcher Appears...

Use GSM Protocol – not very effective!

A Real Network
Source: Let me answer that for you, Golde et al., TROOPERS & USENIX

Cell tower density
Source: Sendekataster.at

“IMSI Catchers”
Identification only
● Retrieve IMSI / IMEI / TMSI
● Reject Location Update
● Tracking
Traffic Man-in-the-Middle
● Hold in Cell
● Actively intercept traffic
● Relay to real network
● Active or passive decryption
Hold but intercept passively
● Imprison in cell, so phone is not lost to a neighbor cell
UMTS downgrade
● Blocking UMTS transmission
● Spoofing System messages

“IMSI Catchers”
Source: Verfassungsschutz (via DuD 26, 2006)

IC: Car Installation
Source: Gamma Group

Body IMSI Catcher
Source: Gamma Group

Only for Law Enforcement?
● Known Producers
  ● Rohde & Schwarz
  ● Gamma Group
  ● Ability
  ● IAI Elta
  ● Septier
  ● Meganet
  ● NeoSoft
  ● Proximus
  ● Cyttek
  ● …
● DIY
  ● Kristin Paget
    – DEFCON 19
    – US$1,500
  ● D. Wehrle
    – Master's Thesis
    – Freiburg
  ● B. Postl
    – Master's Thesis
    – Vienna

How to catch an IMSI Catcher?

Artifact: Frequency
● Unused or guard channel
  – Only found in Full Scan
● Announced neighbor freq., but unused
  – Careful not to create interference
● Detectability
  ● Frequency plans
    – e.g. radio regulatory
    – Self created

Artifact: Cell ID
● New CID/LAC needed
  ● To provoke “Location Update Request”
● Random?
  ● Use real one not used in that geographical region
● Detectability
  ● Cell IDs are very stable
  ● Cell Database (local)
    – Also for frequencies
  ● Correlation with GPS coordinates

Artifact: Location Update / Register
● Just providing a better signal is not enough
  ● Timers, Hysteresis
  ● Unpredictable radio environment
● RF Jamming?
  ● Forcing full scan
● Detectability:
  ● Watching noise levels

Artifact: UMTS handling
● Downgrading to GSM
  ● e.g. Mayer and Wetzel, 2005 [1]
    – GSM layer in most deployed UMTS networks
  ● (selectively) Jamming
  ● Others...
● Detectability:
  ● Noise and Signal levels
  ● Database of regions where UMTS is available, and GSM usage is unlikely
    – Cell Database
[1] Mayer and Wetzel, “A man-in-the-middle attack on UMTS”, ACM Workshop on Wireless Security, 2005

Encryption
● Older IMSI Catchers: Downgrade encryption to 'none' (A5/0)
● A5/1 and A5/2 can be decrypted with rainbow tables
  ● In realtime
● A5/3 rolled out at the moment
  ● IC will have to do active MITM again
● Detectability:
  ● Cipher Indicator
    – Feature request in Android, 2009, assigned 2013
  ● Roaming!

Artifact: Cell Imprisonment
● Network provides up to 32 neighbor frequencies
  ● MS stores typ. 6+1
  ● Used for handovers, LAR, …
● IC will likely provide an empty (eq.) NL
  ● To not lose phone to a neighbor cell
● Detectability:
  ● Neighbor cell list

Traffic forwarding
a) relay via other MS
  ● Lose caller ID
  ● No incoming calls
b) via SS7 or similar
  ● Caller ID correct
  ● Lose incoming calls
c) recover secret SIM key
  ● Impersonate to network with victim's identity
● Detectability:
  ● Call tests (?)

Usage Pattern
● Identification Mode
  ● Short living cells
● MITM Mode
  ● Longer living cells
● Both:
  ● Unusual locations for cells

Cell capabilities and parameter fingerprinting
● Cell capabilities & parameters
● Organization of logical channels on physical channels
● Timeout values
● Can be different on each cell, but typically they are the same over the whole network
● Differ between networks
● Detectability:
● Cell and network database

Network Monitor Mode

Detection Matrix

Two approaches
Mobile IMSI Catcher Catcher
● Standard Android API
● No need to root phone
● No need for a specific chipset (e.g. GoldX)
● Easy Interface
Stationary IMSI Catcher Catcher
● Network of measuring stations
● Good locations, larger coverage
● Cheap – RaspberryPi based

Two approaches - Features
Mobile IMSI Catcher Catcher
● GPS + Neighbor cell listing
  – Geographical correlation
  – Cell-IDs
● Cell Capabilities
● RF and NCL manipulations
● Limited to NCL but mobile
Stationary IMSI Catcher Catcher
● Cell-ID mapping
● Frequency usage
● Cell lifetime
● Cell capabilities, network parameters
● Jamming
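
The detectability checks from the artifact slides (Cell ID, frequency, neighbor cell list, cipher, parameter fingerprint, cell lifetime), combined into one check against a local cell database. This is an added example, not code from the talk or the related paper; the field names, the use of T3212 as the timeout value, the thresholds and the sample cells are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    lac: int
    cid: int
    arfcn: int             # channel the cell broadcasts on
    neighbors: tuple       # channels announced in the neighbor cell list
    cipher: str            # "A5/0", "A5/1" or "A5/3"
    t3212: int             # one broadcast timeout value (assumed: T3212)
    lifetime_seconds: int  # time between first and last sighting

# Constructed local cell database: (LAC, CID) -> expected channel
CELL_DB = {(4100, 21001): 62, (4100, 21002): 70, (4100, 21003): 77}
FREQUENCY_PLAN = {62, 70, 77}  # channels in use in this region (constructed)
NETWORK_T3212 = 40             # value seen across the rest of the network
MIN_LIFETIME = 3600            # assumed cut-off for "short living cells"

def artifacts(o: Observation) -> list:
    """Names of the artifacts from the slides that this observation shows."""
    found = []
    key = (o.lac, o.cid)
    if key not in CELL_DB:
        found.append("cell-id")       # CID/LAC unknown for this region
    if o.arfcn not in FREQUENCY_PLAN or CELL_DB.get(key, o.arfcn) != o.arfcn:
        found.append("frequency")     # unused channel, or known cell moved
    if not o.neighbors:
        found.append("imprisonment")  # empty neighbor cell list
    if o.cipher == "A5/0":
        found.append("encryption")    # encryption downgraded to 'none'
    if o.t3212 != NETWORK_T3212:
        found.append("fingerprint")   # parameter differs from the network's
    if o.lifetime_seconds < MIN_LIFETIME:
        found.append("lifetime")      # short-lived cell
    return found

def is_suspicious(o: Observation, threshold: int = 2) -> bool:
    # A single artifact can be a new or reconfigured legitimate cell,
    # so require several before raising an alert.
    return len(artifacts(o)) >= threshold

# Constructed sample observations
REAL = Observation(4100, 21001, 62, (70, 77), "A5/1", 40, 86400)
NEW_SITE = Observation(4100, 21004, 70, (62, 77), "A5/3", 40, 90000)
CLONED_ID = Observation(4100, 21001, 90, (), "A5/1", 40, 600)
CATCHER = Observation(4199, 55555, 90, (), "A5/0", 1, 300)
```

A newly built legitimate site trips only the Cell ID check and stays below the threshold, which is why the checks are combined rather than used alone.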

Mobile IMSI Catcher Catcher

Stationary IMSI Catcher Catcher

Rooftop installation

More Data

Questions?