Secure Mobile Communications
INTRODUCTION
‘How Safe Are Your Mobile Calls
and Messages?’
Mobile Phone Calls and Messages
are Vulnerable to Attack
• Many organizations and individuals
falsely trust the safety and security of
making calls and sending and receiving
texts from their mobile devices.
• However, there are a number of critical
vulnerabilities inherent with mobile
phones and mobile networks that put
our personal privacy and organizations’
confidentiality at risk.
• Understanding and preventing these
risks are critical to protect your
business, your employees and your
clients and customers.
Fake Cell Towers
• IMSI Catchers, e.g. Harris
Stingray, pretend to be a
cell tower
• Can be used to turn off the
standard GSM/3G network
encryption on a call
• Undetectable, listens
passively to calls
• Used widely by law
enforcement and
intelligence services, also
available at low cost
Network Attacks
• 3G networks: weak
encryption on backhaul*
• 4G networks: encryption
from the mobile phone stops
at the Cell Tower (eNB),
leaving the IP traffic in the
backhaul unprotected.
• Open to Insider threat from
rogue employees
Signalling Attacks
• Inter-Carrier Signalling
protocol SS7 is vulnerable
to numerous attacks
• Through SS7 calls and
SMS messages can be
intercepted and the mobile
phone tracked.
• Femto cells and Wi-Fi
hotspots integrated with
cellular networks make
attacks easy to carry out.
Device Attacks
• Hardware or software
listening/recording device is
placed on device to bypass
network call encryption
• Requires device access so
can be foiled by device
management
There are Multiple Threats to
Cellular Networks
Fake Cell Towers
IMSI Catchers
• An IMSI-catcher is a telephone
eavesdropping device used for
intercepting mobile phone traffic and
tracking movement of mobile phone
users.
• They are "fake" cell towers acting
between the target mobile phone and
the service provider's real cell towers.
• IMSI Catchers grab International Mobile
Subscriber Numbers (IMSI) and the
Electronic Serial Numbers (ESN) from
targeted mobile phones.
• They can force a mobile phone
connected to it to use no encryption
making calls easy to intercept and can
intercept both calls and messages.
Fake Cell Towers
A threat to Business and Personal Security
• While, to date, IMSI catchers – in
particular the Harris Corp. Stingray -
have been used mainly for law
enforcement purposes, hostile use of
IMSI catchers is increasingly likely.
• Low-cost IMSI catchers are now
available for as little as $1400.
• In September 2015, International
Business Times reported that the
Chinese Government spied on
aeroplane passengers using IMSI
catchers.
• This highlights the threat to international
business travellers and organizations.
Network Attacks
• In 3G networks, the traffic is encrypted from the
mobile device, through the Cell Tower to the Radio
Network Controller, so both the Radio Access
Network and the backhaul portions of the network
are ‘notionally’ protected.
• However if a hacker gains access to the Core
Mobile Network, the encryption used for GSM and
3G is ineffective.
– In 2009, hackers computed and published a codebook
free on the internet to decrypt calls made over GSM
networks
– In 2010, A Practical-Time Attack on the A5/3
Cryptosystem exposed the weakness of the
encryption used in 3G GSM Telephony :
http://eprint.iacr.org/2010/013.pdf
• In 4G networks, the threat is greater as mandated
encryption from the Mobile Phone stops at the
Cell Tower (eNB), leaving the IP traffic in the
backhaul to the operator unprotected.
Gaining access to the core Network is
becoming easier due to the higher
density and diversity of eNBs.
In particular, residential femto cells –
effectively eNBs that can be purchased
for around $100, are an ideal target.
Signalling Attacks
Signalling System No.7 (SS7)
• Signalling System No. 7 (SS7) is a set of telephony
signaling protocols standardized by the International
Telecommunication Union (ITU), a part of the United
Nations, that provides the backbone for all cell
phone communication everywhere in the world.
• It allows mobile networks to communicate between
themselves in order to connect users and pass
messages between networks, ensure correct billing,
and to allow users to roam on other networks.
• Ever since 2008 it has been widely known that
vulnerabilities in SS7 allow cell phone users to be
secretly hacked.
• In 2014 the vulnerabilities in SS7 allowed hackers
to record an unencrypted phone call between the US
ambassador to the Ukraine and US Assistant
Secretary of State.
Signalling Attacks
SS7 is Easily Hacked
• The vulnerabilities in SS7 allow an
intruder with basic skills to perform
numerous attacks including:
– IMSI Disclosure
– Intercepting and Redirecting Phone Calls
– Intercepting SMS Messages
– Tracking of a Mobile User
– Blocking a Mobile User from Receiving
Incoming Calls and Messages
• SS7 exploits are easily within reach of
hostile parties and access to SS7 can be
bought from network operators for a few
hundred dollars per month.
Some SS7 exploits such as cell
phone tracking have been
commercialized
Signalling Attacks
Examples
Intercepting SMS Messages
The target is registered with a fake Mobile Switching
Center (MSC) and Visitor Location Register (VLR) -
meaning that SMS messages can be diverted to an
alternative host. This allows the attacker to send fake
message received confirmations, and withhold or send
new/altered messages. The target sees no interruption of
service, and therefore has no reason to suspect anything is
amiss. The goal is often to steal passwords for services
such as banking, email and social media etc.
Intercepting Calls
As part of a VLR attack, the phone owner’s profile can be
manipulated so that when they make a call the billing
request and number they are calling are sent to the
attacker. This allows the attacker to create a conference
call, with themselves unseen, and listen and record the
resulting conversation unobserved.
Mobile Threats are not limited to
state-actors or high-cost hackers
• With nothing more than a browser, an internet
connection and maybe a pre-pay debit card,
anyone can spoof SMS messages and Caller IDs.
• The fact that the receiving mobile number
recognizes the sender and displays their name when the
call or text arrives is enough for most individuals to
trust the authenticity of the message or call.
• Combined with basic social engineering, recipients
could give up critical information such as
passwords etc.
• More concerning is that a number of
organisations use SMS as an emergency alerting
procedure, to evacuate buildings or request the
location of an employee.
‘What are the Risks for
Organizations?’
Given the relative ease with which standard mobile communications can be intercepted,
potential threats include:
Economic Espionage
• When employees use their mobile
phones for confidential business
discussions, particularly when travelling
on business, the risk of those texts,
images or calls being intercepted is real.
• If that confidential information is
intercepted by competitors or interested
third parties, the damage can be
far-reaching.
• Reports on the economic impact of
industrial espionage vary, but in the US
alone, BlackOps Partners Corporation,
which works with Fortune 500 companies
on counter-intelligence and protection
puts the number at $500 billion in raw
innovation stolen every year.
• As far back as 2012, General Keith
Alexander, NSA director and commander
of U.S. Cyber Command described
economic espionage as “the greatest
transfer of wealth in history.”
The Risks to Organizations and
their Employees
Employee and Personal Safety
• For businesses with employees travelling and
working abroad, the risk of interception may
be higher as nation states, competitors,
terrorists and kidnappers target business
travelers
• Cell phones can exponentially increase this
risk as eavesdropping and message
interception can provide crucial information,
while the growing use of IMSI catchers can
provide accurate real-time location
information.
The Risks to Organizations and
their Employees
Crime and Fraud
• The criminal targeting of personal cell
phones is an increasingly rich area, with
scams growing in complexity and reach.
• Early in 2016, millions of customers of
Australia’s biggest banks were targeted
in a sophisticated Android attack, using
fake log in screens for the banking apps,
WhatsApp, Skype, PayPal, eBay and
Google services.
• The malware was used to both intercept
log-in details and to steal SMS two-factor
authentication codes, meaning the bank’s
security measures were bypassed.
‘Can I trust consumer Apps for
encrypted voice and messaging?’
Signalling (SS7) Attacks can be used against
many Encrypted Messaging Apps
• It is possible for attackers who have access to the
SS7 network to take control of a victim’s phone
number, and then use this number to register the
app in the victim’s name. The attacker can then
masquerade as the victim to the victim’s contacts.
• Because apps such as WhatsApp, Viber,
FaceBook, Telegram, etc. rely solely on phone
numbers to verify the identity of users (at least by
default), this presents a major security threat.
• Such exploits can be used to write messages on
behalf of the victim as well as read all of their
correspondence.
Consumer-focused Encrypted Voice and
Messaging Apps have other risks
Non-Call and Message Data
• Even when the actual voice call content
and messages are encrypted, a great
deal of information can be gleaned from
other information, outside of the content
of calls and texts.
• Personal, account, location and device
information can be used by a hostile
attacker to build a profile of an individual
or group of targets.
• This is obviously a concern for personal
privacy, but when organizations rely on
these services this could put deals,
acquisitions and even employees'
physical safety at risk.
For example:
WhatsApp’s recent change to their Privacy Policy
states that they will collect and share the following
information:
• Your phone number, profile name and photo, online status
and status message, last seen status.
• Your e-mail when you communicate with them for
customer service
• Device data, such as hardware model, operating system
information, browser information, IP address, mobile
network information including phone number, and device
identifiers.
• Location data.
• Information on your online status such as when you were
last seen online, when you updated your status message,
etc.
• Information from third party services that are integrated
with WhatsApp, e.g. if you share any article from the web
using WhatsApp.
• Information on who is messaging you, calling you or which
groups you belong to.
Consumer-focused Encrypted Voice and
Messaging Apps have other risks
Encryption
• Not all encryption is equal. Though difficult to verify, it has
been reported that the majority of consumer apps have
already been compromised in a variety of ways.
• For example, the Russian Federal Security Service (FSB)
has recently announced that it has the ability to collect
encryption keys that enable the creation of a back door for
WhatsApp and similar consumer messaging app Telegram.
“Organizations with higher-than-average security requirements and/or
regulatory requirements (healthcare, finance, government and energy)
should adopt mobile voice and text protection. Certain companies look for
a best-effort secure messaging option among a number of freeware
alternatives.
Often, the sole presence of an encryption algorithm is not enough to
ensure proper enterprise-level security, and we do not recommend relying
on such solutions for the use cases described in this note. The way
ciphering is implemented, the performance and customer support
delivered are all fundamental differentiators.”
Market Guide for Mobile Voice and Texting Protection, Gartner, 22 July 2015.
SECURE MOBILE
COMMUNICATION SOLUTIONS
SECURE MOBILE
COMMUNICATIONS
• CSG’s Cellcrypt and Seecrypt mobile
apps provide secure voice / conference
calling and private messaging with file
sharing
• The highest level of protection for mobile
communications, all calls and messages
are protected by military-grade,
authenticated, end-to-end encryption
• Secure calls are VOIP-based data calls
that are transport and carrier agnostic
• Calls and messages over Cellcrypt and
Seecrypt are not susceptible to attack
from IMSI catchers, SS7 or other mobile
network threats
SECURE MOBILE
COMMUNICATIONS
• Cellcrypt and Seecrypt are now
available for Microsoft Windows and
Apple Mac computers, so that the same
secure communication technologies can
be utilized on desktops, laptops and
tablets
• Coming soon, multi-device support will
allow users to switch seamlessly
between desktop and their smartphones
without compromising security
Military-Grade Encryption for
Secure Communication
Strong Encryption Protocols
Using double-layer encryption in an end-to-end configuration with
a new key for each and every call and text message.
• Confidentiality
Dual-encryption using RC4-384 and AES-256
• Authentication
384-bit Elliptic Curve Cryptography
• Integrity
AES-GCM authentication tag (128 bit MAC)
• Perfect Forward Secrecy (PFS)
Ephemeral ECDH-384
• Off-The-Record (OTR)
PFS + no digital signatures
The Best Crypto Standards
The CSG Crypto engine is designed to be modular and adhere
to best practice cryptographic standards and protocols.
Cellcrypt is FIPS 140-2 certified and Seecrypt is FIPS 140-2
compliant through the use of these standards.
• ANSI X9.63
Full Unified Model Scheme with Bilateral Key Confirmation
• FIPS SP800-56A Rev. 2
ECC-DH C (2,2) + bilateral key confirmation
• FIPS SP800-22 Rev. A
Pseudo Random Number tests
• FIPS SP 800-56C and RFCs 4868 and 5869
HKDF key derivation
• FIPS SP 800-133
“Direct Method” key generation
• FIPS SP 800-38
AES in CTR mode and AES in GCM mode (rev D)
• FIPS SP 800-132
Password-Based Key Derivation (PBKDF)
KEY FEATURES
Strong Encryption
Cellcrypt/Seecrypt provides the highest level of encryption
and authentication to protect against call interception and
eavesdropping. Messages and file transfers are also
encrypted end-to-end to ensure privacy.
Cellcrypt/Seecrypt is certified to the FIPS 140-2 standard,
approved by the US National Institute of Standards &
Technology (NIST).
Secure Voice Calls
Voice calls are fully encrypted end-to-end and are routed
through the mobile device’s data connection.
Cellcrypt/Seecrypt’s adaptive voice codecs ensure low data
and battery use, with no degradation of voice quality.
Provides full authentication of all parties on a call eliminating
the risks of impersonation through Caller ID spoofing.
Private Messaging
Protect your conversations between smartphones, Macs
and PCs with secure messaging and total privacy. Share file
attachments, voice clips, photos, with the ease of a
consumer app.
Group Messaging, for collaboration can be defined centrally
by the organization or locally by the user, providing total
security and control.
Approved For Government Use
Cellcrypt/Seecrypt is in active use within Enterprises and
Governments/Armed Forces worldwide.
Cellcrypt/Seecrypt also provides solutions certified for use
beyond Sensitive But Unclassified (US) and Restricted (UK)
use with replaceable cryptography where required, for use
in Classified environments.
KEY FEATURES
Works Across Any Network
Calls can be made over any network including 2G/EDGE,
CDMA, 3G/HSDPA, 4G/LTE, Wi-Fi and Satellite networks.
Cellcrypt/Seecrypt optimizes delivery of encrypted real-time
voice and data content between mobile devices, even across
low-bandwidth mobile/wireless networks.
Eliminates Roaming Costs
All voice calls are routed through the mobile device’s
data connection.
Cellcrypt/Seecrypt’s secure Voice over IP (VoIP) network
eliminates long-distance and international call costs
between mobile devices and between landlines/office
phone systems and mobile users through the
Cellcrypt/Seecrypt Voice Gateway.
NEW Instant, Ad Hoc Conference Calls
Select participants from
your phone’s contacts list
Press call and a secure
conference bridge is
created, connecting you
directly
The other participants
get a message to join
the call
Forget Passwords, PINs and Dial-ins
• Ensuring all participants have the correct
information to join a call is a major inconvenience with
normal conference calling.
• PINs, passwords and international dial-in numbers
can slow everything down, incur expensive long-
distance charges, and even prevent crucial
participants from joining calls.
• With just one touch, Cellcrypt and Seecrypt‘s
Conferencing enables participants to join a cost-
effective, secure VoIP conference call, already fully
authenticated and ready to contribute.
Secure Scheduling and Call Controls
• Schedule mobile and desktop
conference calling with no need for third-
party service providers or passwords.
• Conference Calling web UI ensures that
your business can enjoy secure,
authenticated conference calling, safe in
the knowledge that the right people are
on the line.
• Call initiator or administrators have a full
attendee list, and can easily invite new
participants, mute and even eject callers
if the need arises.
PRIVATE SWITCH
Your own, private, voice and messaging service
• An on premise or cloud hosted solution
allows organizations to maintain
confidentiality of user, device and
call details.
• The Private Switch is the core of control
for Cellcrypt and Seecrypt and is
administered via a web-based
management console with access
restricted to authorized users.
• It manages users; call signalling; call
control and media communications and
authenticates/authorizes every
interaction within the network.
VOICE (PBX) GATEWAY
Secure, Encrypted Calls Between Land Lines and a Mobile Workforce
• Securely connect from your mobile to the
company’s PBX to reach offices, customers
and colleagues
• Protection from data interception using military-
grade encryption on VoIP calls between mobile
devices and the PBX
• Access PBX infrastructure, including conferencing
and voicemail, securely from anywhere in the world
• Dramatically reduces calling costs to and from your
mobile workforce, eliminating international roaming
and long distance charges
• Interfaces to a wide-range of digital PBXs so that
you can leverage and maximize the benefits of
your existing infrastructure without the need for a
costly rip/replace strategy
The Economics
• The cost savings using Cellcrypt and Seecrypt are similar to the cost savings associated
with moving to standard VoIP due to its removal of long distance and roaming charges.
– An Avaya study* showed that in a U.S. sampling of a
15,000-person enterprise with 2,500 mobile users, the
yearly mobile cost was $5,871,289.
– If that same company could eliminate or reduce international
charges, reduce voice overages by 80%, and eliminate
roaming charges, the yearly cost drops by nearly 32%
or $1,875,434.
– Further savings can also be realized by taking into account
the costs of conference calling services.
• Unlike some VoIP approaches, the Voice Gateway will interface directly with virtually
any existing digital PBX, avoiding a costly rip and replace strategy.
• Cellcrypt and Seecrypt will also enable these savings to be realized where, due to
security concerns, an organization has been prevented from moving to VoIP.
*Avaya – A Business Case for Mobility Solutions
Industry Specific Solutions
RETAIL AND PRIVATE BANKING
Cellcrypt and Seecrypt can address specific customer
communication needs for Retail and Private Banks
– Use secure instant messaging as means of
communicating with their customers, including
high-net worth, private banking clients
– Make encrypted calls directly with customers on their
mobile phone, wherever they are, without incurring
costly mobile charges for the bank or the customer
even when the client is travelling or is resident in
another country
– Securely send and receive account related
correspondence directly to the user’s mobile device
– Avoid lengthy security question and answer
sessions at the start of the call to identify and
authenticate the client
– A secure mechanism for the client to authorize a
financial transaction on their mobile device,
anytime, anywhere
Industry Specific Solutions
GOVERNMENT
Cellcrypt and Seecrypt address the secure communication
needs of many Government Agencies including:
• Administrative Agencies
– Agency employees regularly have sensitive but unclassified (SBU) conversations on
smartphones. These may be inconsequential as standalone conversations,
but could be extremely valuable when aggregated, and are therefore in
need of protection.
• Department of Defense and Armed Forces
– The military relies on the ability to communicate time-sensitive, mission
critical information in real-time, both at home and abroad. At times,
military personnel need to leverage public cellular networks when private
networks are unavailable. They also increasingly communicate with inter-
agency partners in civilian government, including homeland security,
emergency response organizations and NGOs.
• Homeland Security
– Disparate agencies engage with each other regularly to protect the
homeland. Secure communication is necessary for disaster response and
post-event management. These scenarios often involve the exchange of
information that is considered sensitive but unclassified (SBU) across
mobile devices and public access networks
ABOUT CSG
CSG is the pioneer of Mobile Voice and Text Protection and can claim a number of World
Firsts in this sector:
2000s
• 2005: Founders began developing core encryption and communication technology in the UK.
• 2005: Cellcrypt formed to productize and commercialize encryption engine
• 2008: Secure mobile-to-mobile, IP-based, software-only call encryption solution
• 2009: World’s first mobile to landline IP-based, software-only call encryption solution
• 2009: World’s first IP-based, software-only call encryption solution over satellite
• 2009: World’s first Blackberry Secure Voice Solution (and the first IP call on Blackberry)
2010s
• 2010: World’s first Blackberry / CDMA secure voice call
• 2010: World’s First Encrypted Conference solution for mobile
• 2011: World’s first interoperable, secure messaging and encrypted voice calls between BlackBerry, iPhone, and Android
• 2012: Seecrypt formed to develop Non-Certified Secure Communications solutions.
• 2014: Seecrypt releases Secure Communications solution for iPhone, Android, Blackberry and Windows Phone.
• 2014: Next Generation of Cellcrypt code released
• 2016: Cellcrypt and Seecrypt relaunched
• 2016: First Secure Ad-hoc and scheduled Conference Calling
CSG The Pioneer in Secure Mobile Communication
CSG AND MOBILE OPERATORS
CARRIER-GRADE SECURITY AND SCALE
• In 2012, CSG began collaborating with
Verizon Wireless to provide Verizon
Voice Cypher offering secure mobile
voice calling and messaging, across
iOS, Blackberry, Windows Mobile and
Android devices
• In 2016, Verizon launched Verizon Voice
Cypher Ultra based on the next
generation of CSG technology
CSG AND MOBILE OPERATORS
EXPANDING THE CARRIER STRATEGY
• 2016 sees the announcement of other
mobile carriers launching a secure call
and text service based on CSG
technology
• Viva Telecom Bahrain announced Viva
Communicator in April, which it is selling
to Enterprise and Government clients.
Viva is part of Saudi Telecom (STC)
CSG AND MOBILE OPERATORS
EXPANDING THE CARRIER STRATEGY
• MTN South Africa is the latest mobile
carrier to partner with CSG for secure
voice and messaging services using
CSG’s technology.
• MTN SA is part of the MTN Group, a
multinational telecommunications group,
operating in 21 countries in Africa and
the Middle East, with over 232 million
subscribers.
Calls made using Cellcrypt and
Seecrypt in 121 countries
The #1 choice for
Government and Enterprise
Secure Mobile Communications: Understanding Critical Vulnerabilities

Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLionel Briand
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxAndreas Kunz
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxRTS corp
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 

Recently uploaded (20)

Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptxUI5ers live - Custom Controls wrapping 3rd-party libs.pptx
UI5ers live - Custom Controls wrapping 3rd-party libs.pptx
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptxReal-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
Real-time Tracking and Monitoring with Cargo Cloud Solutions.pptx
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 

Secure Mobile Communications: Understanding Critical Vulnerabilities

  • 2. ‘How Safe Are Your Mobile Calls and Messages?’
  • 3. Mobile Phone Calls and Messages are Vulnerable to Attack • Many organizations and individuals falsely trust the safety and security of making calls and sending and receiving texts from their mobile devices. • However, there are a number of critical vulnerabilities inherent with mobile phones and mobile networks that put our personal privacy and organizations’ confidentiality at risk. • Understanding and preventing these risks are critical to protect your business, your employees and your clients and customers.
  • 4. Fake Cell Towers • IMSI Catchers, e.g. Harris Stingray, pretend to be a cell tower • Can be used to turn off the standard GSM/3G network encryption on a call • Undetectable, listens passively to calls • Used widely by law enforcement and intelligence services, also available at low cost Network Attacks • 3G networks: weak encryption on backhaul* • 4G networks: encryption from the mobile phone stops at the Cell Tower (eNB), leaving the IP traffic in the backhaul unprotected. • Open to Insider threat from rogue employees Signalling Attacks • Inter-Carrier Signalling protocol SS7 is vulnerable to numerous attacks • Through SS7 calls and SMS messages can be intercepted and the mobile phone tracked. • Femto cells and Wi-Fi hotspots integrated with cellular networks make attacks easy to carry out. Device Attacks • Hardware or software listening/recording device is placed on device to bypass network call encryption • Requires device access so can be foiled by device management There are Multiple Threats to Cellular Networks
  • 5. Fake Cell Towers IMSI Catchers • An IMSI-catcher is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users. • They are "fake" cell towers acting between the target mobile phone and the service provider's real cell towers. • IMSI Catchers grab International Mobile Subscriber Numbers (IMSI) and the Electronic Serial Numbers (ESN) from targeted mobile phones. • They can force a mobile phone connected to them to use no encryption, making calls easy to intercept, and can intercept both calls and messages.
  • 6. Fake Cell Towers A threat to Business and Personal Security • While, to date, IMSI catchers – in particular the Harris Corp. Stingray - have been used mainly for law enforcement purposes, hostile use of IMSI catchers is increasingly likely. • Low-cost IMSI catchers are now available for as little as $1400. • In September 2015, International Business Times reported that the Chinese Government spied on aeroplane passengers using IMSI catchers. • This highlights the threat to international business travellers and organizations.
  • 7. Network Attacks • In 3G networks, the traffic is encrypted from the mobile device, through the Cell Tower to the Radio Network Controller, so both the Radio Access Network and the backhaul portions of the network are ‘notionally’ protected. • However, if a hacker gains access to the Core Mobile Network, the encryption used for GSM and 3G is ineffective. – In 2009, hackers computed and published a codebook free on the internet to decrypt calls made over GSM networks – In 2010, A Practical-Time Attack on the A5/3 Cryptosystem exposed the weakness of the encryption used in 3G GSM Telephony: http://eprint.iacr.org/2010/013.pdf • In 4G networks, the threat is greater as mandated encryption from the Mobile Phone stops at the Cell Tower (eNB), leaving the IP traffic in the backhaul to the operator unprotected. Gaining access to the core Network is becoming easier due to the higher density and diversity of eNBs. In particular, residential femto cells – effectively eNBs that can be purchased for around $100 – are an ideal target.
  • 8. Signalling Attacks Signalling System No.7 (SS7) • Signalling System No. 7 (SS7) is a set of telephony signaling protocols standardized by the International Telecommunication Union (ITU), a part of the United Nations, that provides the backbone for all cell phone communication everywhere in the world. • It allows mobile networks to communicate between themselves in order to connect users and pass messages between networks, ensure correct billing, and to allow users to roam on other networks. • Ever since 2008 it has been widely known that vulnerabilities in SS7 allow cell phone users to be secretly hacked. • In 2014 the vulnerabilities in SS7 allowed hackers to record an unencrypted phone call between the US ambassador to the Ukraine and US Assistant Secretary of State.
  • 9. Signalling Attacks SS7 is Easily Hacked • The vulnerabilities in SS7 allow an intruder with basic skills to perform numerous attacks including: – IMSI Disclosure – Intercepting and Redirecting Phone Calls – Intercepting SMS Messages – Tracking of a Mobile User – Blocking a Mobile User from receiving incoming calls and messages • SS7 exploits are easily within reach of hostile parties and access to SS7 can be bought from network operators for a few hundred dollars per month. Some SS7 exploits such as cell phone tracking have been commercialized.
  • 10. Signalling Attacks Examples Intercepting SMS Messages The target is registered with a fake Mobile Switching Center (MSC) and Visitor Location Register (VLR) - meaning that SMS messages can be diverted to an alternative host. This allows the attacker to send fake message received confirmations, and withhold or send new/altered messages. The target sees no interruption of service, and therefore has no reason to suspect anything is amiss. The goal is often to steal passwords for services such as banking, email and social media etc. Intercepting Calls As part of a VLR attack, the phone owner’s profile can be manipulated so that when they make a call the billing request and number they are calling are sent to the attacker. This allows the attacker to create a conference call, with themselves unseen, and listen and record the resulting conversation unobserved.
  • 11. Mobile Threats are not limited to state-actors or high-cost hackers • With nothing more than a browser, an internet connection and maybe a pre-pay debit card, anyone can spoof SMS messages and Caller IDs. • The fact that the receiving mobile number recognizes the sender and displays their name when the call or text arrives is enough for most individuals to trust the authenticity of the message or call. • Combined with basic social engineering, recipients could give up critical information such as passwords etc. • More concerning is that a number of organisations use SMS as an emergency alerting procedure, to evacuate buildings or request the location of an employee.
  • 12. ‘What are the Risks for Organizations?’
  • 13. With the relative ease for standard mobile communications to be intercepted, potential threats include: Economic Espionage • When employees use their mobile phones for confidential business discussions, particularly when travelling on business, the risk of those texts, images or calls being intercepted is real. • If that confidential information is intercepted by competitors or interested third parties, the damage can be far-reaching. • Reports on the economic impact of industrial espionage vary, but in the US alone, BlackOps Partners Corporation, which works with Fortune 500 companies on counter-intelligence and protection, puts the number at $500 billion in raw innovation stolen every year. • As far back as 2012, General Keith Alexander, NSA director and commander of U.S. Cyber Command, described economic espionage as “the greatest transfer of wealth in history.” The Risks to Organizations and their Employees
  • 14. Employee and Personal Safety • For businesses with employees travelling and working abroad, the risk of interception may be higher as nation states, competitors, terrorists and kidnappers target business travelers • Cell phones can exponentially increase this risk as eavesdropping and message interception can provide crucial information, while the growing use of IMSI catchers can provide accurate real-time location information. The Risks to Organizations and their Employees Crime and Fraud • The criminal targeting of personal cell phones is an increasingly rich area, with scams growing in complexity and reach. • Early in 2016, millions of customers of Australia’s biggest banks were targeted in a sophisticated Android attack, using fake log in screens for the banking apps, WhatsApp, Skype, PayPal, eBay and Google services. • The malware was used to both intercept log-in details and to steal SMS two-factor authentication codes, meaning the bank’s security measures were bypassed.
  • 15. ‘Can I trust consumer Apps for encrypted voice and messaging?’
  • 16. Signalling (SS7) Attacks can be used against many Encrypted Messaging Apps • It is possible for attackers who have access to the SS7 network to take control of a victim’s phone number, and then use this number to register the app in the victim’s name. The attacker can then masquerade as the victim to the victim’s contacts. • Because apps such as WhatsApp, Viber, Facebook, Telegram, etc. rely solely on phone numbers to verify the identity of users (at least by default), this presents a major security threat. • Such exploits can be used to write messages on behalf of the victim as well as read all of their correspondence.
  • 17. Consumer-focused Encrypted Voice and Messaging Apps have other risks Non-Call and Message Data • Even when the actual voice call content and messages are encrypted, a great deal of information can be gleaned from other information, outside of the content of calls and texts. • Personal, account, location and device information can be used by a hostile attacker to build a profile of an individual or group of targets. • This is obviously a concern for personal privacy, but when organizations rely on these services this could put deals, acquisitions and even employees’ physical safety at risk. For example: WhatsApp’s recent change to their Privacy Policy states that they will collect and share the following information: • Your phone number, profile name and photo, online status and status message, last seen status. • Your e-mail when you communicate with them for customer service • Device data, such as hardware model, operating system information, browser information, IP address, mobile network information including phone number, and device identifiers. • Location data. • Information on your online status such as when you were last seen online, when you updated your status message, etc. • Information from third party services that are integrated with WhatsApp, e.g. if you share any article from the web using WhatsApp. • Information on who is messaging you, calling you or which groups you belong to.
  • 18. Consumer-focused Encrypted Voice and Messaging Apps have other risks Encryption • Not all encryption is equal. Though difficult to verify, it has been reported that the majority of consumer apps have already been compromised in a variety of ways. • For example, The Russian Federal Security Service (FSB) has recently announced that it has the ability to collect encryption keys that enable the creation of a back door for WhatsApp and similar consumer messaging app Telegram. “Organizations with higher-than-average security requirements and/or regulatory requirements (healthcare, finance, government and energy) should adopt mobile voice and text protection. Certain companies look for a best-effort secure messaging option among a number of freeware alternatives. Often, the sole presence of an encryption algorithm is not enough to ensure proper enterprise-level security, and we do not recommend relying on such solutions for the use cases described in this note. The way ciphering is implemented, the performance and customer support delivered are all fundamental differentiators.” Market Guide for Mobile Voice and Texting Protection, Gartner, 22 July 2015.
  • 20. SECURE MOBILE COMMUNICATIONS • CSG’s Cellcrypt and Seecrypt mobile apps provide secure voice / conference calling and private messaging with file sharing • The highest level of protection for mobile communications, all calls and messages are protected by military-grade, authenticated, end-to-end encryption • Secure calls are VOIP-based data calls that are transport and carrier agnostic • Calls and messages over Cellcrypt and Seecrypt are not susceptible to attack from IMSI catchers, SS7 or other mobile network threats
  • 21. SECURE MOBILE COMMUNICATIONS • Cellcrypt and Seecrypt are now available for Microsoft Windows and Apple Mac computers, so that the same secure communication technologies can be utilized on desktops, laptops and tablets • Coming soon, multi-device support will allow users to switch seamlessly between desktop and their smartphones without compromising security
  • 22. Military-Grade Encryption for Secure Communication Strong Encryption Protocols Using double-layer encryption in an end-to-end configuration with a new key for each and every call and text message. • Confidentiality Dual-encryption using RC4-384 and AES-256 • Authentication 384-bit Elliptic Curve Cryptography • Integrity AES-GCM authentication tag (128 bit MAC) • Perfect Forward Secrecy (PFS) Ephemeral ECDH-384 • Off-The-Record (OTR) PFS + no digital signatures The Best Crypto Standards The CSG Crypto engine is designed to be modular and adhere to best practice cryptographic standards and protocols. Cellcrypt is FIPS 140-2 certified and Seecrypt is FIPS 140-2 compliant through the use of these standards. • ANSI X9.63 Full Unified Model Scheme with Bilateral Key Confirmation • FIPS SP800-56A Rev. 2 ECC-DH C (2,2) + bilateral key confirmation • FIPS SP800-22 Rev. A Pseudo Random Number tests • FIPS SP 800-56C and RFCs 4868 and 5869 HKDF key derivation • FIPS SP 800-133 “Direct Method” key generation • FIPS SP 800-38 AES in CTR mode and AES in GCM mode (rev D) • FIPS SP 800-132 Password-Based Key Derivation (PBKDF)
  • 23. KEY FEATURES Strong Encryption Cellcrypt/Seecrypt provides the highest level of encryption and authentication to protect against call interception and eavesdropping. Messages and file transfers are also encrypted end-to-end to ensure privacy. Cellcrypt/Seecrypt is certified to the FIPS 140-2 standard, approved by the US National Institute of Standards & Technology (NIST). Secure Voice Calls Voice calls are fully encrypted end-to-end and are routed through the mobile device’s data connection. Cellcrypt/Seecrypt’s adaptive voice codecs ensure low data and battery use, with no degradation of voice quality. Provides full authentication of all parties on a call eliminating the risks of impersonation through Caller ID spoofing. Private Messaging Protect your conversations between smartphones, Macs and PCs with secure messaging and total privacy. Share file attachments, voice clips, photos, with the ease of a consumer app. Group Messaging, for collaboration can be defined centrally by the organization or locally by the user, providing total security and control. Approved For Government Use Cellcrypt/Seecrypt is in active use within Enterprises and Governments/Armed Forces worldwide. Cellcrypt/Seecrypt also provides solutions certified for use beyond Sensitive But Unclassified (US) and Restricted (UK) use with replaceable cryptography where required, for use in Classified environments.
  • 24. KEY FEATURES Works Across Any Network Calls can be made over any network including 2G/EDGE, CDMA, 3G/HSDPA, 4G/LTE, Wi-Fi and Satellite networks. Cellcrypt/Seecrypt optimizes delivery of encrypted real-time voice and data content between mobile devices, even across low-bandwidth mobile/wireless networks. Eliminates Roaming Costs All voice calls are routed through the mobile device’s data connection. Cellcrypt/Seecrypt’s secure Voice over IP (VoIP) network eliminates long-distance and international call costs between mobile devices and between landlines/office phone systems and mobile users through the Cellcrypt/Seecrypt Voice Gateway.
  • 25. NEW Instant, Ad Hoc Conference Calls • Select participants from your phone’s contacts list • Press call and a secure conference bridge is created, connecting you directly • The other participants get a message to join the call
  • 26. Forget Passwords, PINs and Dial-ins • Ensuring all participants have the correct information to join a call is a major inconvenience with normal conference calling. • PINs, passwords and international dial-in numbers can slow everything down, incur expensive long-distance charges, and even prevent crucial participants from joining calls. • With just one touch, Cellcrypt and Seecrypt’s Conferencing enables participants to join a cost-effective, secure VoIP conference call, already fully authenticated and ready to contribute.
  • 27. Secure Scheduling and Call Controls • Schedule mobile and desktop conference calling with no need for third-party service providers or passwords. • Conference Calling web UI ensures that your business can enjoy secure, authenticated conference calling, safe in the knowledge that the right people are on the line. • Call initiator or administrators have a full attendee list, and can easily invite new participants, mute and even eject callers if the need arises.
  • 28. PRIVATE SWITCH Your own, private, voice and messaging service • An on premise or cloud hosted solution allows organizations to maintain confidentiality of user, device and call details. • The Private Switch is the core of control for Cellcrypt and Seecrypt and is administered via a web-based management console with access restricted to authorized users. • It manages users; call signalling; call control and media communications and authenticates/authorizes every interaction within the network.
  • 29. VOICE (PBX) GATEWAY Secure, Encrypted Calls Between Land Lines and a Mobile Workforce • Securely connect from your mobile to the company’s PBX to reach offices, customers and colleagues • Protection from data interception using military- grade encryption on VoIP calls between mobile devices and the PBX • Access PBX infrastructure, including conferencing and voicemail, securely from anywhere in the world • Dramatically reduces calling costs to an from your mobile workforce, eliminating international roaming and long distance charges • Interfaces to a wide-range of digital PBXs so that you can leverage and maximize the benefits of your existing infrastructure without the need for a costly rip/replace strategy
  • 30. • The cost savings using Cellcrypt and Seecrypt are similar to the cost savings associated with moving to standard VoIP due to its removal of long distance and roaming charges. – An Avaya study*, showed that in a U.S. sampling of a 15,000-person enterprise with 2,500 mobile users, the yearly mobile cost was $5,871,289. – If that same company could eliminate or reduce international charges, reduce voice overages by 80%, and eliminate roaming charges the yearly cost drops by nearly 32% or $1,875,434. – Further savings can also be realized by taking into account the costs of conference calling services. • Unlike some VOIP approaches the Voice Gateway will interface directly with virtually any existing digital PBX avoiding a costly rip and replace strategy. • Cellcrypt and Seecrypt will also enable these savings to be realized where, due to security concerns, an organization has been prevented from moving to VoIP. *Avaya – A Business Case for Mobility Solutions The Economics
  • 31. Industry Specific Solutions RETAIL AND PRIVATE BANKING Cellcrypt and Seecrypt can address specific customer communication needs for Retail and Private Banks – Use secure instant messaging as means of communicating with their customers, including high-net worth, private banking clients – Make encrypted calls directly with customers on their mobile phone, wherever they are, without incurring costly mobile charges for the bank or the customer even when the client is travelling or is resident in another country​ – Securely send and receive account related correspondence directly to the user’s mobile device – To avoid, lengthy security question and answer sessions at the start of the call to identify and authenticate the client ​ – A secure mechanism for the client to authorize a financial transaction on their mobile device, anytime, anywhere
  • 32. Industry Specific Solutions GOVERNMENT Cellcrypt and Seecrypt address the secure communication needs of many Government Agencies including: • Administrative Agencies – Agency employees regularly have sensitive but unclassified (SBU) on smartphones. This may be inconsequential as standalone conversations, but could be extremely valuable when aggregated, and are therefore in in need of protection. • Department of Defense and Armed Forces – The military relies on the ability to communicate time-sensitive, mission critical information in real-time, both at home and abroad. At times, military personnel need to leverage public cellular networks when private networks are unavailable. They also increasingly communicate with inter- agency partners in civilian government, including homeland security, emergency response organizations and NGOs. • Homeland Security – Disparate agencies engage with each other regularly to protect the homeland. Secure communication is necessary for disaster response and post-event management. These scenarios often involve the exchange of information that is considered sensitive but unclassified (SBU) across mobile devices and public access networks
  • 34. CSG The Pioneer in Secure Mobile Communication CSG is the pioneer of Mobile Voice and Text Protection and can claim a number of World Firsts in this sector: 2000s – 2005: Founders began developing core encryption and communication technology in the UK. – 2005: Cellcrypt formed to productize and commercialize encryption engine – 2008: Secure mobile-to-mobile, IP-based, software-only call encryption solution – 2009: World’s first mobile to landline IP-based, software-only call encryption solution – 2009: World’s first IP-based, software-only call encryption solution over satellite – 2009: World’s first BlackBerry Secure Voice Solution (and the first IP call on BlackBerry) 2010s – 2010: World’s first BlackBerry / CDMA secure voice call – 2010: World’s First Encrypted Conference solution for mobile – 2011: World’s first interoperable, secure messaging and encrypted voice calls between BlackBerry, iPhone, and Android – 2012: Seecrypt formed to develop Non-Certified Secure Communications solutions. – 2014: Seecrypt releases Secure Communications solution for iPhone, Android, BlackBerry and Windows Phone. – 2014: Next Generation of Cellcrypt code released – 2016: Cellcrypt and Seecrypt relaunched – 2016: First Secure Ad-hoc and scheduled Conference Calling
  • 35. CSG AND MOBILE OPERATORS CARRIER-GRADE SECURITY AND SCALE • In 2012, CSG began collaborating with Verizon Wireless to provide Verizon Voice Cypher, offering secure mobile voice calling and messaging across iOS, BlackBerry, Windows Mobile and Android devices • In 2016, Verizon launched Verizon Voice Cypher Ultra, based on the next generation of CSG technology
  • 36. CSG AND MOBILE OPERATORS EXPANDING THE CARRIER STRATEGY • 2016 sees the announcement of other mobile carriers launching a secure call and text service based on CSG technology • Viva Telecom Bahrain announced Viva Communicator in April, which it is selling to Enterprise and Government clients. Viva is part of Saudi Telecom (STC)
  • 37. CSG AND MOBILE OPERATORS EXPANDING THE CARRIER STRATEGY • MTN South Africa is the latest mobile carrier to partner with CSG for secure voice and messaging services using CSG’s technology. • MTN SA is part of the MTN Group, a multinational telecommunications group, operating in 21 countries in Africa and the Middle East, with over 232 million subscribers.
  • 38. Calls made using Cellcrypt and Seecrypt in 121 countries. The #1 choice for Government and Enterprise.

Editor's Notes

  1. * A Practical-Time Attack on the A5/3 Cryptosystem Used in Third Generation GSM Telephony, Orr Dunkelman, Nathan Keller, and Adi Shamir: http://eprint.iacr.org/2010/013.pdf