Mobile Self-Defense: Karsten Nohl

This document discusses mobile self-defense against SS7 attacks and intercepts. It describes how SS7 enables the exchange of SMS and encryption keys between networks, and how this allows tracking of mobile users and decryption of 2G and 3G communications. The document outlines different types of SS7 attacks like tracking, intercepting calls and SMS, denial of service, fraud, and spam. It explains how IMSI catchers and call rerouting attacks can be done remotely over SS7. Blocking specific SS7 messages may mitigate some attacks but not others that require valid signaling. The document focuses on the mobile security risks posed by SS7 and explores self-defense options.


Mobile self-defense

Karsten Nohl <[email protected]>, SRLabs


Agenda

§ SS7 attacks
§ 3G security
§ Self-defense options

2
SS7 network enables exchange of SMS and cryptographic keys

[Diagram] Two mobile operators are connected through the global SS7 network: they exchange SMS, and when a user roams, the visited network asks the home network to "please send new encryption key". Inside one operator's network, SS7 is used between MSCs: when a user moves into a new area, the new MSC asks the old one to "please send current key".

SS7 is used between operators ... and network-internally.

3
A  Tracking over SS7 has become commonplace

[Diagram] Phone number → AnytimeInterrogation → Subscriber location (Cell ID)

4
A  Tracking can happen using many more signaling messages

[Diagram] Query paths from a phone number to the subscriber location (Cell ID):
§ AnytimeInterrogation, AnytimeModification, AnytimeSubscriptionInterrogation: phone number → subscriber location (Cell ID)
§ SRI / SRI-SM / SRI-LCS: phone number → IMSI and serving MSC
§ SendIMSI: phone number → IMSI
§ Brute-force all MSCs: IMSI → serving MSC
§ With IMSI and MSC, impersonate the HLR towards the MSC using PSI (ProvideSubscriberInfo) or PSL (ProvideSubscriberLocation) → subscriber location (Cell ID)

5
SS7 enables mobile abuse on five frontiers

Attacker objective:
A  Tracking: find subscriber's whereabouts
B  Intercept: listen to calls, read short messages, intercept Internet traffic
C  DoS: interfere with user connectivity or network availability
D  Fraud: make illegitimate calls/send SMS; disable usage limits
E  Spam: send unsolicited messages

Focus of this presentation: A (Tracking) and B (Intercept).

6
1  2G + 3G transactions can be decrypted with help of SS7

[Diagram] Target operator (MSC) — global SS7 — rogue operator (MSC)
I.  Intercept radio transmission (passively, at the target operator's cell)
II. Ask for current decryption key (the rogue operator queries the target operator's MSC over SS7)

7
2  SS7 enables 3G IMSI catcher

[Diagram] Phone → 3G fake base station ("IMSI catcher") → global SS7 → mobile operator
Phone to fake base station: "Here is my identity (IMSI), now prove that you are the real network"
I.   Phone asks the fake base station to prove its authenticity
II.  Fake base station requests the key (authentication data) from the mobile operator over SS7
III. Mobile operator sends the auth. proof, which the fake base station relays to the phone

8
3  Rerouting attacks over SS7 allow for remote intercept

SS7 man-in-the-middle attacks

Capture incoming calls
§ Attacker activates call forwarding over SS7 for target number
§ When a call is received, the attacker forwards it back to the original number

Capture outgoing calls
§ Attacker adds a number rewriting rule for dialed numbers
§ Called numbers are rewritten to reach attacker and are then forwarded to intended recipient

9
B  Not all SS7 attacks can simply be blocked

Abuse scenario          | Offending SS7 message                                              | Mitigation effort
1 Local passive intercept | SendIdentification                                               | Easy: block message at network boundary
2 IMSI catcher            | SendAuthenticationInfo                                           | More complex: messages are required for operations, need to be plausibility-checked
3 Rerouting attacks       | SS_activate/register, UpdateLocation, CAMEL messages, (probably others) | More complex: same as above, messages are required for operations

10
[Demo flow]
SS7 queries: Phone number → SRI-SM → MSC, IMSI → PSI → Location (Cell ID) → SI (SendIdentification) → Key
Radio capture: TMSI → Record 3G traffic → (decrypt with key) → Decoded SMS/call

See 31C3 talk for full demo video

11
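The mitigation table and the demo chain above say which messages can be dropped at the boundary and which must be plausibility-checked, but not what such a check looks like. The following is an added example, not SRLabs code, of a minimal signalling-boundary filter: SendIdentification is blocked outright; SendAuthenticationInfo and UpdateLocation are checked against the subscriber's last known location with a velocity rule; SS register/activate (the call-forwarding primitive of the rerouting attack) is accepted only from the network currently serving the subscriber. The global-title prefixes, country codes, travel times, the velocity rule itself, the subscriber record and the decision to block all non-partner origins are assumptions made for the demo.

```python
"""Signalling-boundary filter for the SS7 messages in the table above.

Added example, not SRLabs code. Global titles, country codes, travel
times and the subscriber table are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: global-title prefixes of roaming partners -> country code
PARTNER_GT_CC = {"49171": "49", "3312": "33", "4420": "44", "1212": "1"}

# Table row 1: network-internal, never legitimately crosses the boundary
BLOCK_AT_BOUNDARY = {"SendIdentification"}
# Rows 2-3: required for roaming, so plausibility-checked instead of blocked
LOCATION_MESSAGES = {"UpdateLocation", "SendAuthenticationInfo"}
SS_MESSAGES = {"RegisterSS", "ActivateSS", "EraseSS", "DeactivateSS"}

# Constructed minimum travel time in hours between two countries; pairs not
# listed fall back to DEFAULT_TRAVEL_HOURS
MIN_TRAVEL_HOURS = {frozenset({"49", "33"}): 1.0, frozenset({"49", "44"}): 1.5,
                    frozenset({"49", "1"}): 8.0}
DEFAULT_TRAVEL_HOURS = 6.0


@dataclass
class Subscriber:
    imsi: str
    country: str          # country of the last accepted UpdateLocation
    last_seen: datetime


@dataclass
class MapMessage:
    opcode: str
    calling_gt: str       # SCCP calling-party global title (message origin)
    imsi: str
    ts: datetime


def origin_country(gt: str):
    """Country of a partner global title, or None if the origin is unknown."""
    for prefix, cc in PARTNER_GT_CC.items():
        if gt.startswith(prefix):
            return cc
    return None


def filter_message(msg: MapMessage, subscribers: dict) -> tuple:
    """Return (verdict, reason) with verdict ALLOW, FLAG or BLOCK.

    An allowed UpdateLocation also moves the subscriber's recorded location,
    since the HLR would now regard the sending VLR as the serving network.
    """
    if msg.opcode in BLOCK_AT_BOUNDARY:
        return "BLOCK", f"{msg.opcode} is network-internal"
    cc = origin_country(msg.calling_gt)
    if cc is None:
        return "BLOCK", f"origin GT {msg.calling_gt} is not a roaming partner"
    sub = subscribers.get(msg.imsi)
    if sub is None:
        return "BLOCK", f"unknown IMSI {msg.imsi}"

    if msg.opcode in LOCATION_MESSAGES:
        if cc != sub.country:
            elapsed = (msg.ts - sub.last_seen) / timedelta(hours=1)
            needed = MIN_TRAVEL_HOURS.get(frozenset({cc, sub.country}),
                                          DEFAULT_TRAVEL_HOURS)
            if elapsed < needed:   # assumption: simple velocity check
                return "FLAG", (f"{msg.opcode} from +{cc} only {elapsed:.1f} h "
                                f"after the subscriber was seen in +{sub.country}")
        if msg.opcode == "UpdateLocation":
            sub.country, sub.last_seen = cc, msg.ts
        return "ALLOW", "plausible for the subscriber's location"

    if msg.opcode in SS_MESSAGES:
        # Call forwarding is managed via the serving VLR/MSC, so an SS change
        # arriving from any other network matches the rerouting pattern
        if cc != sub.country:
            return "FLAG", (f"{msg.opcode} from +{cc} but the subscriber is "
                            f"served in +{sub.country}")
        return "ALLOW", "SS change from the serving network"

    return "ALLOW", "not inspected by this filter"


def run_demo():
    """Replay the slides' attacks plus one legitimate roaming update."""
    imsi = "262011234567890"                       # constructed IMSI
    t0 = datetime(2014, 12, 27, 12, 0)             # constructed timestamp
    subs = {imsi: Subscriber(imsi, "49", t0)}
    traffic = [
        # legitimate: the subscriber registers in the UK three hours later
        MapMessage("UpdateLocation", "442012345", imsi, t0 + timedelta(hours=3)),
        # rogue operator asks for the current session key
        MapMessage("SendIdentification", "331234567", imsi, t0 + timedelta(hours=3)),
        # 3G IMSI catcher requests authentication data via a US partner ten
        # minutes after the subscriber was seen in the UK
        MapMessage("SendAuthenticationInfo", "121255501", imsi,
                   t0 + timedelta(hours=3, minutes=10)),
        # call forwarding registered from a network not serving the subscriber
        MapMessage("RegisterSS", "331234567", imsi, t0 + timedelta(hours=4)),
        # SRI-SM from a global title that is no roaming partner at all
        MapMessage("SendRoutingInfoForSM", "999000111", imsi, t0 + timedelta(hours=4)),
    ]
    return [filter_message(m, subs)[0] for m in traffic]


if __name__ == "__main__":
    print(run_demo())   # ['ALLOW', 'BLOCK', 'FLAG', 'FLAG', 'BLOCK']
```

The velocity rule is what makes rows 2 and 3 of the table "more complex": the same UpdateLocation that is an attack when it arrives ten minutes after the subscriber was seen at home is perfectly normal three hours later, so the filter needs subscriber state, not just a message allow-list.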
Agenda

§ SS7 attacks
§ 3G security
§ Self-defense options

12
Remember? Intercepting GSM A5/1 calls and SMS is cheap

Intercept GSM call
§ A reprogrammed EUR 20 phone captures 2G calls and SMS
§ Multiple such phones could be clustered for wide-scale intercept

+

Crack A5/1 key
§ Standard server cracks key in seconds

13
Intercepting 3G is also surprisingly cheap, thanks to SS7

Intercept 3G call
§ Software-defined radio captures 3G transactions
§ We use: BladeRF, USD 420
§ Development took 3 months

+

Request decryption key
§ SS7 query SendIdentification provides decryption key
§ Also works for GSM A5/3

14
Some networks are so poorly configured that SS7 is not even needed to intercept their 3G transactions

Network (names shown only as logos in the original) | Encrypts | Authenticates calls / SMS | Protects integrity
- | ✗ | ✗ | ✔
- | ✗ | ✗ | ✔
- | ✗ | ✗ | ✔
- | ✗ | ✗ | ✔
- | ✗ | ✗ | ✔

Risk: calls, SMS, and Internet traffic on these networks can be intercepted passively with a programmable radio (but without SS7).

15
Protection status of 3G networks is tracked in online tool

gsmmap.org network security comparison

[Chart] Initial 3G metric: TMSI update [10%] + 3G encryption [90%]
German networks encrypt 3G, but do not all change TMSIs.

16
Networks without USIMs are vulnerable to brute-force attacks

Encryption key length by SIM type:
Encryption       | SIM    | USIM
GSM A5/3         | 64 bit | 64 bit
GSM A5/4         | 64 bit | 128 bit
UMTS UEA/1 or 2  | 64 bit | 128 bit

64 bit: NSA-vulnerable (the NSA apparently broke 64-bit A5/3). 128 bit: not brute-forceable.
Encryption keys are often too short to resist the NSA.

Source: The Intercept, wolframite-encryption-attack.pdf

17
Agenda

§ SS7 attacks
§ 3G security
§ Self-defense options

18
Many mobile network abuse scenarios can be detected

Attack scenario | Detection heuristic
SMS attacks: SIM OTA attacks | Unsolicited binary SMS
SMS attacks: semi-lawful tracking through silent SMS | Silent SMS
SS7 attacks: SS7 abuse (tracking, intercept, etc.) | Empty paging
IMSI catcher: tracking or intercept through 2G or 3G fake base station | Unusual cell configuration and cell behavior (detailed later in this chapter)
Network security: insufficient encryption leads to intercept and impersonation | Encryption level and key change frequency
Network security: lack of TMSI updates enables tracking | TMSI update frequency

19
New tool detects common abuse scenarios

Tool name: SnoopSnitch

Purpose
§ Collect network traces on Android phone and analyze for abuse
§ Optionally, upload to GSMmap for further analysis

Requirements
§ Android 4.1 or newer
§ Rooted (CyanogenMod may work)
§ Qualcomm chipset: Samsung S5/S4/S3 Neo, Sony Z1, LG G2, Moto E, and many more

Source: Google Play, search for SnoopSnitch

20
IMSI catcher detection analyzes a cell's configuration and behavior

SnoopSnitch combines a number of IMSI catcher heuristics

Suspicious cell configuration
§ Encryption downgrade / no encryption
§ High cell reselect offset
§ Large number of paging groups
§ Low registration timer

Suspicious cell behavior
§ Delayed Cipher Mode Complete acknowledgement
§ Cipher Mode Complete message without IMEISV
§ ID requests during location update
§ Paging without transaction
§ Orphaned traffic channel

A number of other rules could not be implemented based on data available from Qualcomm chipsets. (Future work?)

21
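The detection table and the heuristic list above name the signals but not how they combine into an alert. The following is an added example, not SnoopSnitch code, that scores constructed cell observations against exactly those heuristics: a downgrade relative to the cipher the network usually runs, the four configuration rules and the five behavior rules. The observation fields, the thresholds, the weights and the alert score are assumptions chosen for illustration; the slides do not state how the app measures or weighs them.

```python
"""Cell-configuration and cell-behaviour heuristics from the list above,
run over constructed observations.

Added example, not SnoopSnitch code. Field names, thresholds, weights and
the alert score are assumptions made for illustration.
"""
from dataclasses import dataclass

# Cipher strength ordering used to detect a downgrade (A5/0 = no encryption)
CIPHER_RANK = {"A5/0": 0, "A5/1": 1, "A5/3": 2}
ALERT_SCORE = 3   # assumption: total weight at which a cell is reported


@dataclass
class CellObservation:
    cell_id: int
    cipher: str                    # cipher from the Cipher Mode Command
    cell_reselect_offset_db: int   # CRO the cell broadcasts
    paging_groups: int             # number of paging groups the cell announces
    t3212_minutes: int             # periodic location update timer, 0 = off
    cipher_ack_delay_ms: int       # time until Cipher Mode Complete is acked
    imeisv_in_cipher_complete: bool
    id_requests_during_lu: int     # Identity Requests inside a location update
    pagings_without_transaction: int
    orphaned_tch: bool             # traffic channel assigned but never used


# (heuristic, weight, predicate); thresholds are constructed assumptions
CONFIG_RULES = [
    ("high cell reselect offset", 1, lambda o: o.cell_reselect_offset_db >= 30),
    ("large number of paging groups", 1, lambda o: o.paging_groups >= 8),
    ("low registration timer", 1, lambda o: 0 < o.t3212_minutes <= 12),
]
BEHAVIOUR_RULES = [
    ("delayed Cipher Mode Complete ack", 1, lambda o: o.cipher_ack_delay_ms > 500),
    ("Cipher Mode Complete without IMEISV", 1,
     lambda o: not o.imeisv_in_cipher_complete),
    ("ID requests during location update", 2, lambda o: o.id_requests_during_lu > 0),
    ("paging without transaction", 1, lambda o: o.pagings_without_transaction > 0),
    ("orphaned traffic channel", 1, lambda o: o.orphaned_tch),
]


def analyze_cell(obs: CellObservation, usual_cipher: str):
    """Return (score, findings) for one cell.

    usual_cipher is the cipher this network normally uses, so a weaker cipher
    counts as a downgrade rather than as a network that never encrypts (that
    case is a network-security finding, not an IMSI catcher finding).
    """
    findings = []
    if CIPHER_RANK[obs.cipher] < CIPHER_RANK[usual_cipher]:
        findings.append(("encryption downgrade / no encryption", 2))
    for name, weight, hit in CONFIG_RULES + BEHAVIOUR_RULES:
        if hit(obs):
            findings.append((name, weight))
    return sum(w for _, w in findings), findings


def is_suspicious(obs: CellObservation, usual_cipher: str) -> bool:
    """True when the combined weight reaches the alert score."""
    return analyze_cell(obs, usual_cipher)[0] >= ALERT_SCORE


# Constructed observations: a normal cell, a cell with one odd parameter
# (not enough for an alert on its own), and the full catcher pattern
NORMAL_CELL = CellObservation(1001, "A5/3", 0, 4, 240, 40, True, 0, 0, False)
ODD_CELL = CellObservation(1002, "A5/3", 40, 4, 240, 40, True, 0, 0, False)
CATCHER_CELL = CellObservation(9999, "A5/0", 40, 9, 6, 900, False, 2, 3, True)

if __name__ == "__main__":
    for cell in (NORMAL_CELL, ODD_CELL, CATCHER_CELL):
        score, findings = analyze_cell(cell, "A5/3")
        print(cell.cell_id, score, is_suspicious(cell, "A5/3"),
              [name for name, _ in findings])
```

Scoring rather than alerting on any single rule is the point: a legitimate cell can carry a high reselect offset for coverage reasons, so ODD_CELL stays below the threshold, while a catcher that has to force no encryption, pull the IMSI during the location update and keep the phone camped trips several rules at once.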
SnoopSnitch collects data in the background and on request

[Screenshots]
§ Directed attacks are constantly analyzed in a background process
§ Network tests are uploaded only on demand
§ Alerts can be shared for further analysis

22
It's now on you to contribute data and progress the toolbox of self-defense apps

Mobile self-defense strategy
1  Check your network operator on gsmmap.org for vulnerabilities; possibly switch to a more secure operator
2  Install SnoopSnitch from Google Play (needs Android 4.1+, Qualcomm chipset, root; may not work with custom ROM)
3  Conduct a network test and upload any attack alarms (SMS, SS7, IMSI catcher) for further analysis
4  Contribute to the SnoopSnitch code or use the source to build your own application based on raw 2G/3G/4G data

23
Thank you!

Research supported by

Many thanks to Alex Senier, Luca Melette, Lukas Kuzmiak, Linus Neumann, Jakob Lell, and dexter!

Questions?

Karsten Nohl <[email protected]>

24