Post on 25-May-2018
Aaron Turner, N4STRUCT
Mobile Infrastructure Security: Licensed Spectrum Eavesdropping and GSM Threat
Session ID: HT2-106
Session Classification: Intermediate
Introductions
Aaron Turner
• Partner at newly-formed Security Services Firm
• Founder of Mobile Security Firm (which was acquired by N4STRUCT)
Format & Focus Areas
Lightning Round: 30 minutes to amaze and entertain you; two topics @ 15 minutes each
Topic 1: How real is the risk of licensed spectrum eavesdropping?
• Understanding the threat
• Measuring scope
Topic 2: Enterprise GSM Threat Landscape
• What the carriers are not telling businesses
• What to do about the problem
Before we begin…
How to see the ‘un-seeable’? A quick example… anyone know what these are?
Ethanethiol & Thiophene
OR…
What makes Liquefied Petroleum Gas stink!
How can we ‘see’ wireless?
Used with permission – Timo Arnall – elasticspace.com
How do we visualize enterprise networks?
How can we visualize licensed spectrum INSIDE of enterprises?
GSM 2G 3G 4G
How many enterprises measure this today?
Without a monitoring plan…
What does ‘normal’ look like? If there were any anomalies, how would an enterprise know?
Anomalies seen in the past year:
• Cellular intercept equipment permanently installed at foreign offices
• Portable cellular intercept equipment detected at US offices
• Persistent cellular monitors installed on corporate-liable handsets which constantly ‘beacon’
Key variables to consider
‘Normal’ should be established on several levels
• Licensed spectrum signal strength
• Location of license-holder’s towers
If variances from baseline are observed, the incident must be managed properly
• License-holder must be informed
• But… if you’re outside of the US… and the carrier is colluding against you?
How to manage a licensed spectrum incident at an enterprise
• Very new territory for InfoSec staff
• Be very careful proceeding – only attempt action after appropriate legal counsel has been obtained
Key network incident indicators
• False BTS appears
• Persistent 3G/4G signals
Key handset incident indicator
When you’re expecting this…
…but seeing this
Licensed Spectrum Eavesdropping
How it works & barriers to entry
Carrier-independent eavesdropping requires physical proximity
• … but you don’t have to be too close (12 km)
Best results are achieved when you know the IMSI of the target
• … catch them all and sort them out later
• Crooked international carriers will sell you the IMSI (if you know the phone #)
How much does it cost to do this at scale?
• $100,000 = 10K IMSI catcher (grabs 10K IMSI’s simultaneously)
• Voice intercept capability limited by processing power
• Data intercept limited by brute-force GPRS packet replay
Enterprise GSM Threat Landscape
GSM Enterprise Threat Spectrum
Information Harvesting
• Insider financial data
• Trade secrets
Information Consolidation
• Nation/state intelligence
• Industrial espionage
• Market arbitrage
Financial Motives
• Corporate SMiShing
• Billing fraud
Current state of the market
Enterprises have few Spectrum Awareness tools
• Attend LAW-401 on 3/2 for further discussion
Enterprises have few Signal Integrity tools
• Difficult to correlate tower-to-handset intelligence
Enterprises have few Billing Integrity options
• Some tools available, but all are after-the-fact
• Clawback is tough when dealing with carriers
International challenges
• Which roaming partners are compromised?
• How to establish a baseline in a place you’ve never been?
Immediate action items
Begin a collaborative conversation with carriers
• Can you deploy sensors to help the carriers protect their spectrum?
• Proactively set policies to prevent corporate SMiShing
Demand improved handset integrity features
• Push requirements to platform providers
• Develop awareness of 2G/3G coverage and take notice of anomalies
Establish a spectrum baseline at key facilities
• How many phones should be on?
• What carriers should they be talking to?
• Which towers should usually be there?
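An added example (not from the talk) of what the baseline check behind the ‘Key network incident indicators’ slide and the ‘Establish a spectrum baseline’ action items could look like: a per-facility baseline of expected carriers and towers, and a scan routine that tags unknown cells (candidate false BTS), signal stronger than the baseline window, missing expected towers, and scans where only 2G is seen. All MCC/MNC/LAC/CID values, signal windows and observations are constructed.

```python
from collections import namedtuple

# One observed cell: mobile country code, mobile network code (identifies the
# license-holder), location area code, cell id, radio access technology
# ("2G"/"3G"/"4G") and received signal strength in dBm.
CellObs = namedtuple("CellObs", "mcc mnc lac cid rat rssi_dbm")

# Constructed baseline for one facility (an assumption, not real carrier data):
# expected carriers, and the towers usually seen with (RAT, low dBm, high dBm).
BASELINE = {
    "carriers": {("310", "260"), ("310", "410")},
    "towers": {
        ("310", "260", 1234, 5678): ("4G", -95, -70),
        ("310", "410", 2222, 8765): ("3G", -100, -75),
    },
}

def classify_obs(obs, baseline=BASELINE, margin_db=10):
    """Anomaly tags for one observed cell; an empty list means 'normal'."""
    tags = []
    if (obs.mcc, obs.mnc) not in baseline["carriers"]:
        tags.append("unexpected-carrier")
    key = (obs.mcc, obs.mnc, obs.lac, obs.cid)
    if key not in baseline["towers"]:
        tags.append("unknown-cell")            # candidate false BTS
        return tags
    _rat, _low, high = baseline["towers"][key]
    if obs.rssi_dbm > high + margin_db:
        tags.append("signal-above-baseline")   # louder than this tower ever is
    return tags

def scan_facility(observations, baseline=BASELINE):
    """Per-cell anomalies plus site-wide checks for one scan of a facility."""
    report = {}
    for obs in observations:
        tags = classify_obs(obs, baseline)
        if tags:
            report[(obs.mcc, obs.mnc, obs.lac, obs.cid)] = tags
    site = []
    baseline_rats = {t[0] for t in baseline["towers"].values()}
    seen_rats = {o.rat for o in observations}
    if baseline_rats & {"3G", "4G"} and not seen_rats & {"3G", "4G"}:
        site.append("only-2g-seen")            # handsets being held on 2G
    seen_keys = {(o.mcc, o.mnc, o.lac, o.cid) for o in observations}
    if set(baseline["towers"]) - seen_keys:
        site.append("expected-towers-missing")
    if site:
        report["site"] = site
    return report
```

Feed it the cell list a sensor or managed handset reports each scan; anything tagged ‘unknown-cell’ or ‘only-2g-seen’ is the cue to start the incident process described on the ‘Key variables to consider’ slide.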
Contact info
Aaron Turner
aaron.turner@n4struct.com
@integricell
http://www.n4struct.com
Rob Malan, Ph.D., Chief Technology Officer, ARBOR NETWORKS
Exploring the Mobile Enterprise Landscape: A GSM Threat Overview
Session ID: HT2106
Session Classification: Intermediate
Outline
• Overview of GSM mobile network infrastructure and its IP analogs
• How Enterprise Networks interface with this infrastructure
• Summary of the new opensource GSM components: basestation, handset
• New GSM-specific threats enabled by this infrastructure
• Impact on the Enterprise threat surface to these threats
• Best practices for Enterprises and their service providers
Why Mobile is Different
Spectrum, Cell-sites, Backhaul, Battery
• Much of the cost
• Optimized for QoS, fine-grained billing, intelligence in the network
• Voice-centric assumptions (LTE vs. TD-LTE)
Latency
• Signaling load: incurs latency, strains infrastructure
• Weak-link
State tracking
• Intelligence in the network
• Easy to attack (imagine a syn flood disabling a router)
Complex, brittle protocols and stacks
• Massive specs, seldom used code paths, little scrutiny
• TLVs within TLVs within TLVs
• Result: buffer overrun cup runneth over
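An added example (not from either talk) of the bounds discipline the ‘TLVs within TLVs’ point is about: a small recursive decoder for nested type-length-value records that checks every length against the enclosing buffer before slicing and caps nesting depth, so a corrupted length field is reported instead of becoming an overrun. The 1-byte tag / 1-byte length encoding and the container tag are assumptions for the demo, not any GSM message format.

```python
# Assumed toy encoding for the demo: tag (1 byte), length (1 byte), value.
# A value under CONTAINER_TAG is itself a sequence of TLVs (nesting).
CONTAINER_TAG = 0x30
MAX_DEPTH = 8          # bound recursion; real stacks have no natural limit

class TlvError(ValueError):
    """Raised for any record that does not fit its enclosing buffer."""

def parse_tlv(buf, depth=0):
    """Return a list of (tag, value); value is bytes or a nested list."""
    if depth > MAX_DEPTH:
        raise TlvError("nesting too deep")
    items, pos, end = [], 0, len(buf)
    while pos < end:
        if end - pos < 2:
            raise TlvError(f"truncated header at offset {pos}")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        # The check a brittle stack omits: the declared length must fit in
        # what remains of the *enclosing* buffer, not the whole message.
        if length > end - pos:
            raise TlvError(f"length {length} overruns buffer at offset {pos}")
        value = buf[pos:pos + length]
        pos += length
        if tag == CONTAINER_TAG:
            value = parse_tlv(value, depth + 1)
        items.append((tag, value))
    return items

def is_well_formed(buf):
    """True if every length in the record tree fits its parent."""
    try:
        parse_tlv(buf)
        return True
    except TlvError:
        return False

# Constructed sample: one container holding two one-byte leaf records.
GOOD = bytes([0x30, 0x06, 0x01, 0x01, 0xAA, 0x02, 0x01, 0xBB])
# Same bytes with the first inner length corrupted to claim 0x40 bytes.
BAD = bytes([0x30, 0x06, 0x01, 0x40, 0xAA, 0x02, 0x01, 0xBB])
```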
New Vulnerable Surface #3
Stateless versus Connection Oriented Network Protocols
TCP/IP
• Open Source
• IETF - RFC
• Stevens
• BSD Stacks
• Linux
• Anyone can code & break it!
GSM
• Closed source monopolies
• ITU
• No public description of implementations
• No open source stacks
• Only small set of people in handful of companies can see source
Single Application Action: Cascade of Connections
Example: Web Request from remote employee translates into dozens of connections:
• Initial DNS request
• Follow-on DNS requests
• Initial page load
• Redirects
• Content loads
• Additional DNS resolutions
• Additional content loads
• Streaming/Updating content – rinse, repeat
GSM Protocol Builders (Handset & Network)
Handset:
• Very few companies build GSM baseband chips today
• They buy software from 3rd parties
• Very few handset makers are large enough to become a customer
• Limited access to hardware documentation
• Don’t get access to the firmware source
Network Equipment Vendor:
• Very few companies build GSM network equipment
• Ericsson, Nokia-Siemens, Alcatel-Lucent, Samsung, and Huawei
• Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment
• Hard to buy from
• Cost is $$$
• Not for kid in basement
Uh Oh….
Sea change coming to 3G world
• Opensource basestations
• Opensource handset baseband
For the first time ever
• People can program a cellphone’s baseband to do WHATEVER they want it to do!
BAD THINGS will happen
• When... not if....
• How much damage?
Bottom line…
• Lots of stack components
• Lots of session state
• Brittle brittle brittle… ripe for attack
• Many new threat surfaces for remote connectivity
• New risks that impact: Confidentiality, Integrity, Availability
Apply Slide
• The mobile threat landscape is changing rapidly
• Many new threat surfaces
• Stateful Infrastructure ripe for attack
• Huge implications for enterprises, consumers and operators