IMSI-Catch Me If You Can: IMSI-Catcher-Catchers
Threats posed by simulated mobile network cells (so-called IMSI catchers) and how they can be detected
Slide 1: IMSI-Catch Me If You Can: IMSI-Catcher-Catchers
Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, Edgar Weippl
Adrian Dabrowski, adabrowski@sba-research.org
Security Afterworks, 12.2.2015

Slide 2: IMSI Catchers
● Used for
  ● Tracking users
  ● Eavesdropping calls, data, texts
  ● Man-in-the-Middle
  ● Attack phone using operator system messages (e.g. Management Interface, reprogram APN, HTTP-Proxy, SMS/WAP-Server...)
  ● Attack SIM (cf. SIM card rooting, otherwise filtered by most mobile carriers), Attack Baseband
  ● Geotargeting ads (e.g. SMS)
  ● Intercept TAN, mobile phone authentication, …

Slide 3: A Mobile Network

Slide 4: A Mobile Network with a Mobile Station

Slide 5: Location Areas

Slide 6: A wild IMSI Catcher appears..

Slide 7: A wild IMSI Catcher appears – Use UMTS/GSM Protocol; not very effective!

Slide 8: A Real Network
Source: Let me answer that for you, Golde et al., TROOPERS & USENIX

Slide 9: Cell tower density
Source: Sendekataster.at

Slide 10: “IMSI Catchers”
Identification only
● Retrieve IMSI / IMEI / TMSI
● Reject Location Update
● Tracking
Traffic Man-in-the-Middle
● Hold in Cell
● Actively intercept traffic
● Relay to real network
● Active or passive decryption
Hold but intercept passively
● Imprison in cell, so phone is not lost to a neighbor cell
UMTS downgrade
● Blocking UMTS transmission
● Spoofing System messages

Slide 11: “IMSI Catchers”
Source: Verfassungsschutz (via DuD 26, 2006)

Slide 12: Only for Law Enforcement?
● Known Producers
  ● Rohde & Schwarz
  ● Gamma Group
  ● Ability
  ● IAI Elta
  ● Septier
  ● Meganet
  ● NeoSoft
  ● Proximus
  ● Cyttek
  ● …
● DIY – USRP based
  – Kristin Paget – DEFCON 19 – US$1,500
  – D. Wehrle – Master's Thesis – Freiburg
  – B. Postl – Master's Thesis – Vienna

Slide 13: How to catch an IMSI Catcher?

Slide 14: Artifact: Frequency
● Unused or guard channel
  – Only found in Full Scan
● Announced neighbor freq., but unused
  – Careful not to create interference
● Detectability
  ● Frequency plans
    – e.g. radio regulatory
    – Self created

Slide 15: Artifact: Cell ID
● New CID/LAC needed
  ● To provoke “Location Update Request”
● Random?
● Use real one not used in that geographical region
● Detectability
  ● Cell IDs are very stable
  ● Cell Database (local)
    – Also for frequencies
  ● Correlation with GPS coordinates

Slide 16: Artifact: Location Update / Register
● Just providing a better signal is not enough
  ● Timers, Hysteresis
  ● Unpredictable radio environment
● RF Jamming?
  ● Forcing full scan
● Detectability:
  ● Watching noise levels

Slide 17: Artifact: UMTS handling
● Downgrading to GSM
  ● e.g. Meyer and Wetzel, 2005 [1]
    – GSM layer in most deployed UMTS networks
  ● (selectively) Jamming
  ● Others...
● Detectability:
  ● Noise and Signal levels
  ● Database of regions where UMTS is available, and GSM usage is unlikely
    – Cell Database
[1] Meyer and Wetzel, “A man-in-the-middle attack on UMTS”, ACM Workshop on Wireless Security, 2005

Slide 18: Encryption
● Older IMSI Catchers: Downgrade encryption to 'none' (A5/0)
● A5/1 and A5/2 can be decrypted with rainbow tables
  ● In realtime
● A5/3 rolled out at the moment
  ● IC will have to do active MITM again
● Detectability:
  ● Cipher Indicator – Feature request in Android, 2009, assigned 2013
  ● Roaming!

Slide 19: Artifact: Cell Imprisonment
● Network provides up to 32 neighbor frequencies
  ● MS stores typ. 6+1
  ● Used for handovers, LAR, …
● IC will likely provide an empty (eq.) NL
  ● To not lose phone to a neighbor cell
● Detectability:
  ● Neighbor cell list

Slide 20: Traffic forwarding
a) relay via other MS
  ● Lose caller ID
  ● No incoming calls
b) via SS7 or similar
  ● Caller ID correct
  ● Lose incoming calls
c) recover secret SIM key
  ● Impersonate to network with victim's identity
● Detectability:
  ● Call tests (?)

Slide 21: Usage Pattern
● Identification Mode
  ● Short living cells
● MITM Mode
  ● Longer living cells
● Both:
  ● Unusual locations for cells

Slide 22: Cell capabilities and parameter fingerprinting
● Cell capabilities & parameters
  ● Organization of logical channels on physical channels
  ● Timeout values
● Can be different on each cell, but typically they are the same over the whole network
● Differ between networks
● Detectability:
  ● Cell and network database
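The artifacts on slides 14 to 22 each map to a check that a measuring station or phone can run against a locally built cell and frequency database. The following is an added example written for this page, not code from the talk or from the authors' mobile or stationary IMSI Catcher Catcher; it scores one cell observation against those artifacts (unknown or relocated Cell ID, ARFCN outside the frequency plan, empty neighbor list, A5/0, GSM where UMTS is expected, short cell lifetime, cell parameter fingerprint). The cell database entries, frequency plan, UMTS coverage region, GPS coordinates, fingerprint values, weights and the 5 km / 10 minute thresholds are all constructed assumptions, not values from the slides.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set, Tuple

# Cell parameter fingerprint: (logical-channel organisation, T3212 periodic
# location update timer). Values used below are constructed, not measured.
Fingerprint = Tuple[str, int]


@dataclass(frozen=True)
class CellRecord:
    """Entry of a locally built cell database: where a cell is and on which ARFCN."""
    arfcn: int
    lat: float
    lon: float


@dataclass(frozen=True)
class Observation:
    """One cell as seen by a measuring station or phone (all values constructed)."""
    network: str                    # MCC-MNC, e.g. "232-01"
    lac: int
    cid: int
    arfcn: int
    neighbor_arfcns: Tuple[int, ...]
    cipher: str                     # "A5/0", "A5/1", "A5/3", ...
    rat: str                        # "GSM" or "UMTS"
    lat: float
    lon: float
    lifetime_s: float               # seconds between first and last sighting
    fingerprint: Fingerprint


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km for the 'cell far from its known site' check."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


# --- constructed reference data standing in for the cell/frequency databases ---
CELL_DB: Dict[Tuple[str, int, int], CellRecord] = {
    ("232-01", 4711, 10001): CellRecord(arfcn=12, lat=48.2100, lon=16.3700),
    ("232-01", 4711, 10002): CellRecord(arfcn=27, lat=48.2150, lon=16.3800),
}
FREQUENCY_PLAN: Dict[str, Set[int]] = {"232-01": {12, 27, 33, 45}}
NETWORK_FINGERPRINT: Dict[str, Fingerprint] = {"232-01": ("combined-CCCH", 10)}
# (lat, lon, radius km) areas with known UMTS coverage, where a GSM-only cell is odd.
UMTS_REGIONS: List[Tuple[float, float, float]] = [(48.21, 16.37, 10.0)]


def in_umts_region(lat: float, lon: float) -> bool:
    return any(haversine_km(lat, lon, rlat, rlon) <= r for rlat, rlon, r in UMTS_REGIONS)


def score_observation(obs: Observation, short_lived_s: float = 600.0) -> Tuple[int, List[str]]:
    """One check per artifact; weights and thresholds are illustrative assumptions."""
    score, findings = 0, []

    def hit(points: int, msg: str) -> None:
        nonlocal score
        score += points
        findings.append(msg)

    rec = CELL_DB.get((obs.network, obs.lac, obs.cid))
    if rec is None:                                      # Artifact: Cell ID (unknown)
        hit(3, "CID/LAC not in local cell database")
    else:                                                # Artifact: Cell ID (reused elsewhere)
        dist = haversine_km(obs.lat, obs.lon, rec.lat, rec.lon)
        if dist > 5.0:
            hit(3, f"cell seen {dist:.1f} km from its recorded site")
        if rec.arfcn != obs.arfcn:
            hit(2, "cell transmits on a different ARFCN than recorded")
    if obs.arfcn not in FREQUENCY_PLAN.get(obs.network, set()):   # Artifact: Frequency
        hit(3, "ARFCN outside the operator's frequency plan")
    if not obs.neighbor_arfcns:                          # Artifact: Cell Imprisonment
        hit(3, "empty neighbor cell list")
    if obs.cipher == "A5/0":                             # Encryption downgrade
        hit(2, "no encryption (A5/0)")
    if obs.rat == "GSM" and in_umts_region(obs.lat, obs.lon):   # Artifact: UMTS handling
        hit(1, "GSM-only cell where UMTS coverage is expected")
    if obs.lifetime_s < short_lived_s:                   # Usage pattern
        hit(1, "short-lived cell")
    expected = NETWORK_FINGERPRINT.get(obs.network)      # Parameter fingerprinting
    if expected is not None and obs.fingerprint != expected:
        hit(2, "cell parameters differ from the network's usual fingerprint")
    return score, findings


def verdict(obs: Observation, threshold: int = 5) -> str:
    """Collapse the score into the outcome a station would report."""
    return "suspicious" if score_observation(obs)[0] >= threshold else "plausible"


# Constructed observations: a genuine cell and one showing several artifacts at once.
GENUINE = Observation("232-01", 4711, 10001, 12, (27, 33), "A5/1", "UMTS",
                      48.2101, 16.3702, 86400.0, ("combined-CCCH", 10))
SUSPECT = Observation("232-01", 4711, 10001, 50, (), "A5/0", "GSM",
                      48.2600, 16.3700, 300.0, ("non-combined-CCCH", 1))

if __name__ == "__main__":
    for name, obs in (("genuine", GENUINE), ("suspect", SUSPECT)):
        score, findings = score_observation(obs)
        print(f"{name}: score={score} verdict={verdict(obs)}")
        for f in findings:
            print("  -", f)
```

The genuine observation scores 0; the constructed suspect reuses a real CID/LAC but is seen about 5.6 km from the recorded site, on an ARFCN outside the plan, with an empty neighbor list, A5/0, GSM-only in a UMTS area, a five minute lifetime and a foreign parameter fingerprint, so every check fires. A single firing check (for instance an unknown Cell ID after a genuine network change) stays below the threshold, which is the point of combining artifacts rather than alarming on any one of them.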
Slide 23: Network Monitor Mode
9731-3006-8132-3476-9712

Slide 24: Detection Matrix

Slide 25: Two approaches
Mobile IMSI Catcher Catcher
● Standard Android API
● No need to root phone
● No need for a specific chipset (e.g. GoldX)
● Easy Interface
Stationary IMSI Catcher Catcher
● Network of measuring stations
● Good locations, larger coverage
● Cheap – RaspberryPi based

Slide 26: Two approaches - Features
Mobile IMSI Catcher Catcher
● GPS + Neighbor cell listing
  – Geographical correlation
  – Cell-IDs
● Cell Capabilities
● RF and NCL manipulations
● Limited to NCL but mobile
Stationary IMSI Catcher Catcher
● Cell-ID mapping
● Frequency usage
● Cell lifetime
● Cell capabilities, network parameters
● Jamming

Slide 27: Mobile IMSI Catcher Catcher

Slide 28: (screenshot, no text)

Slide 29: Two approaches - Features (repeat of slide 26)

Slide 30: Stationary IMSI Catcher Catcher

Slides 31-35: (photos and screenshots, no text)

Slide 36: Work in Progress
● Verified with USRP based IMSI Catcher
● Need commercial devices for testing
● Build dense measurement network
  ● Goal: 20-40 stations
● Android-APP
  ● Fine tune ruleset for everyday situations
  ● Problem zones:
    – Tunnels
    – Underground

Slide 37: Not covered in the talk
● Detecting Race-condition DOS attacks
  ● “Let me answer that for you”, Golde et al.
● Tropospheric ducting < 1 GHz
  ● Cooperation with the Austrian Central Institution for Meteorology and Geodynamics (ZAMG)
● New Design for sICC
  ● RTL-SDR, Hack-RF

Slide 38: 31c3 in 20 min – SS7: Locate. Track. Manipulate
ID: 6249
Speaker: Tobias Engel
Track: Security & Hacking
Info: http://events.ccc.de/congress/2014/Fahrplan/events/6249.html
Video: www.youtube.com/watch?v=lQ0I5tl0YLY
● SS7 Access buyable
● Providers expose internal data (e.g. Location)
● Providers expose encryption keys
● Enables UMTS Full-MITM IMSI Catchers

Slide 39: 31c3 in 20 min – Mobile Self-Defense (SnoopSnitch)
ID: 6122
Speaker: Karsten Nohl
Track: Security & Hacking
Info: http://events.ccc.de/congress/2014/Fahrplan/events/6122.html
Video: www.youtube.com/watch?v=GeCkO0fWWqc

Slide 40: IMSI-Catch Me If You Can: IMSI-Catcher-Catchers
Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, Edgar Weippl
Adrian Dabrowski, adabrowski@sba-research.org