Crash course of Mobile (SS7) privacy and security
Transcript of Crash course of Mobile (SS7) privacy and security
The Athens Affair
How some extremely smart hackers pulled off the most audacious cell-network break-in ever
By VASSILIS PREVELAKIS, DIOMIDIS SPINELLIS / JULY 2007
On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.
The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy [see sidebar "CEOs, MPs, & a PM."]
The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the country's largest cellular service provider; Tsalikidis was in charge of network planning at the company. A connection seemed obvious. Given the list of people and their positions at the time of the tapping, we can only imagine the sensitive political and diplomatic discussions, high-stakes business deals, or even marital indiscretions that may have been routinely overheard and, quite possibly, recorded.
Even before Tsalikidis's death, investigators had found rogue software installed on the Vodafone Greece phone network by parties unknown. Some extraordinarily knowledgeable people either penetrated the network from outside or subverted it from within, aided by an agent or mole. In either case, the software at the heart of the phone system, investigators later discovered, was reprogrammed with a finesse and sophistication rarely seen before or since.
A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability to hackers and moles.
It's also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.
Even among major criminal infiltrations, the Athens affair stands out because it may have involved state secrets, and it targeted individuals—a combination that, if it had ever occurred before, was not disclosed publicly. The most notorious penetration to compromise state secrets was that of the “Cuckoo's Egg,” a name bestowed by the wily network administrator who successfully pursued a German programmer in 1986. The programmer had been selling secrets about the U.S. Strategic Defense Initiative (“Star Wars”) to the Soviet KGB.
But unlike the Cuckoo's Egg, the Athens affair targeted the conversations of specific, highly placed government and military officials. Given the ease with which the conversations could have been recorded, it is generally believed that they were. But no one has found any recordings, and we don't know how many of the calls were recorded, or even listened to, by the perpetrators. Though the scope of the activity is to a large extent unknown, it's fair to say that no other computer crime on record has had the same potential for capturing information about affairs of state.
Crash course of Mobile (SS7) privacy and security
Monday, October 3, 2011
$ whoarewe
• Jacob Appelbaum
• The Tor Project
• I break bad software and build better alternatives
• Understanding censorship
• Arturo Filastò
• The Tor Project
• A Random GlobaLeaks Developer
• I hack on stuff for fun and profit!
@ioerror @hellais
Once upon a time...
The 3 issues
• Interception
• Geolocation
• Denial of Service
Interception
• Can be lawful or unlawful
• Tactical vs Non-Tactical
“Lawful Intercept”
What technologies can be intercepted?
• GSM
• CDMA
• iDEN
• Thuraya
• BGAN/Inmarsat
• VSAT
Who?
• Law enforcement
• National Secret Service
• Foreign Secret Service
• Large corporations
• Outsourced intelligence service providers
• Organized crime
• Military organizations
Targets of Interception
• A person
• A medium (think wire tap)
• A device (think rootkit)
• Parametric
• Keywords (sniffing for triggers)
• Perimeter (area sniffing)
Why?
• The architecture is designed for it
• To suppress uprisings
• To collect intelligence
• Monitor behavior
How is this possible?
• The security is outdated; take GSM...
• No effort has been made to fix it
• A5/1 is broken
• A5/2 is purposefully broken
• A5/3 is a bit better but not implemented (http://security.osmocom.org/trac/ticket/4)
IMSI catchers
Active IMSI catchers
More accessible
• This equipment used to be very expensive
• But with projects such as USRP and OsmocomBB this is no longer true
Passive GSM sniffers
Interception for 50$
Geolocation
• Where are you?
• Various technologies give various levels of accuracy
• SS7 (HLR, ATI)
• Stingray and AmberJack
Location Tracking
Walled Garden
• For accessing SS7 there used to be:
• High costs
• Strict peering agreements
• Not designed with security in mind
The GSM network
[Diagram labels: subscriber, BTS, BSC, MSC, VLR, HLR, SMSC; OsmocomBB, OpenBSC, OpenBTS, APIs to HLR, SMS Injection]
Macro Area Geolocation
• With network interrogations
• A feature of SMS sending
• The level of detail goes from 1km in cities to 200km in rural areas
More detail is possible
• Other privacy-invading queries exist
• PSI, ATI
• Reach a level of detail of ~100m
• Require stricter agreements with telcos
• If you know where to ask...
• ... you will get them
• (that means if you have the $$$)
Denial of Service
• You just want to stop that person or those people from communicating.
Jammers
Help!
• OK, so you have scared me. Now what should I do?
• Be aware of patterns and realities
• Use software on top of what is available
• Tor, RedPhone, TextSecure, PrivateGSM, etc.
• Avoid bad software, e.g. UltraSurf, SMS
• Resist giving your ID for a SIM card!
• If you are really worried about privacy and security, don’t use mobile phones.
• Until we create a free telco, we’re doomed.
Thanks for listening!
Any questions?