Digital Self-Defense in Mobile Networks
Adrian [email protected]
2014-03-18
Related paper to be published at ACSAC 2014, December 8-12
“IMSI-Catch me if you can: IMSI-Catcher-Catchers”
Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, Edgar Weippl
A Mobile Network
A Mobile Network with a Mobile Station
Location Areas
A Wild IMSI Catcher Appears...
Use GSM Protocol – not very effective!
A Real Network
Source: Let me answer that for you, Golde et al., TROOPERS & USENIX
Cell tower density
Source: Sendekataster.at
“IMSI Catchers”
Identification only
● Retrieve IMSI / IMEI / TMSI
● Reject Location Update
● Tracking
Traffic Man-in-the-Middle
● Hold in Cell
● Actively intercept traffic
● Relay to real network
● Active or passive decryption
Hold but intercept passively
● Imprison in cell, so phone is not lost to a neighbor cell
UMTS downgrade
● Blocking UMTS transmission
● Spoofing System messages
“IMSI Catchers”
Source: Verfassungsschutz (via DuD 26, 2006)
IC: Car Installation
Source: Gamma Group
IC: Car Installation
Source: Gamma Group
Car Installation
Source: Gamma Group
IC: Car Installation
Source: Gamma Group
IC: Car Installation
Source: Gamma Group
Body IMSI Catcher
Source: Gamma Group
Only for Law Enforcement?
● Known Producers
● Rohde & Schwarz
● Gamma Group
● Ability
● IAI Elta
● Septier
● Meganet
● NeoSoft
● Proximus
● Cyttek
● …
● DIY
● Kristin Paget
– DEFCON 19
– US$1,500
● D. Werhle
– Master's Thesis
– Freiburg
● B. Postl
– Master's Thesis
– Vienna
How to catch an IMSI Catcher?
Artifact: Frequency
● Unused or guard channel
– Only found in full scan
● Announced neighbor freq., but unused
– Careful not to create interference
● Detectability
● Frequency plans
– e.g. radio regulatory
– Self created
Artifact: Cell ID
● New CID/LAC needed
● To provoke “Location Update Request”
● Random?
● Use real one not used in that geographical region
● Detectability
● Cell IDs are very stable
● Cell Database (local)
– Also for frequencies
● Correlation with GPS coordinates
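The cell-ID and frequency checks above, worked as an added Python example (this is not code from the slides or from the authors' detector): an observed cell is looked up in a local cell database keyed by MCC/MNC/LAC/CID, its stored position is compared with the observer's GPS fix, and its BCCH carrier (ARFCN) is checked against the operator's frequency plan. The cells, coordinates, ARFCN values and the 5 km distance threshold are all constructed assumptions.

```python
# Added example (not from the slides or the authors' tool): cross-check an
# observed cell against a local cell database plus the phone's GPS fix, i.e.
# the "Cell ID" and "Frequency" artifacts. All cells, ARFCNs and coordinates
# below are constructed for illustration.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownCell:
    """One row of the local cell database (constructed)."""
    lac: int
    cid: int
    arfcn: int      # BCCH carrier the cell was previously seen on
    lat: float
    lon: float


@dataclass(frozen=True)
class Observation:
    """A cell as reported by the phone, plus the observer's GPS position."""
    mcc: int
    mnc: int
    lac: int
    cid: int
    arfcn: int
    lat: float
    lon: float


# Constructed database keyed by (MCC, MNC, LAC, CID); a real tool fills this
# from earlier scans or an imported cell database.
CELL_DB = {
    (232, 1, 4711, 10001): KnownCell(4711, 10001, 1000, 48.2100, 16.3700),
    (232, 1, 4711, 10002): KnownCell(4711, 10002, 1004, 48.2150, 16.3800),
    (232, 1, 4720, 20001): KnownCell(4720, 20001, 1008, 47.0700, 15.4400),
}

# Constructed per-network frequency plan (ARFCNs the operator actually uses).
FREQUENCY_PLAN = {(232, 1): {1000, 1004, 1008, 1012}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def check_observation(obs, db=CELL_DB, plan=FREQUENCY_PLAN, max_km=5.0):
    """Return a list of artifact findings for one observation (empty = consistent)."""
    findings = []
    known = db.get((obs.mcc, obs.mnc, obs.lac, obs.cid))
    if known is None:
        # A LAC/CID never seen before for this network.
        findings.append("unknown LAC/CID for this network")
    else:
        # A real CID reused far from where the database last saw it.
        dist = haversine_km(obs.lat, obs.lon, known.lat, known.lon)
        if dist > max_km:
            findings.append(f"cell previously seen {dist:.0f} km from here")
        if known.arfcn != obs.arfcn:
            findings.append(f"ARFCN changed from {known.arfcn} to {obs.arfcn}")
    # A carrier outside the operator's plan (unused or guard channel).
    if obs.arfcn not in plan.get((obs.mcc, obs.mnc), set()):
        findings.append(f"ARFCN {obs.arfcn} not in operator frequency plan")
    return findings


if __name__ == "__main__":
    for obs in (
        Observation(232, 1, 4711, 10001, 1000, 48.2102, 16.3705),  # consistent
        Observation(232, 1, 4711, 60001, 1002, 48.2102, 16.3705),  # new CID, odd ARFCN
        Observation(232, 1, 4720, 20001, 1008, 48.2102, 16.3705),  # Graz cell seen in Vienna
    ):
        print(obs.lac, obs.cid, check_observation(obs) or "ok")
```

Each finding is only an indicator; a genuine new base station also shows up as an unknown CID, so a practical tool reports the findings per cell and lets the database grow as stable cells are confirmed over time.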
Artifact: Location Update / Register
● Just providing a better signal is not enough
● Timers, hysteresis
● Unpredictable radio environment
● RF Jamming?
● Forcing full scan
● Detectability:
● Watching noise levels
Artifact: UMTS handling
● Downgrading to GSM
● e.g. Mayer and Wetzel, 2005 [1]
– GSM layer in most deployed UMTS networks
● (selectively) Jamming
● Others...
● Detectability:
● Noise and signal levels
● Database of regions where UMTS is available, and GSM usage is unlikely
– Cell Database
[1] Mayer and Wetzel, “A man-in-the-middle attack on UMTS”, ACM Workshop on Wireless Security, 2005
Encryption
● Older IMSI Catchers: Downgrade encryption to 'none' (A5/0)
● A5/1 and A5/2 can be decrypted with rainbow tables
● In realtime
● A5/3 rolled out at the moment
● IC will have to do active MITM again
● Detectability:
● Cipher Indicator
– Feature request in Android, 2009, assigned 2013
● Roaming!
Artifact: Cell Imprisonment
● Networks provide up to 32 neighbor frequencies
● MS stores typ. 6+1
● Used for handovers, LAR, …
● IC will likely provide an empty (eq.) NL
● To not lose phone to a neighbor cell
● Detectability:
● Neighbor cell list
Traffic forwarding
a) relay via other MS
● Lose caller ID
● No incoming calls
b) via SS7 or similar
● Caller ID correct
● Lose incoming calls
c) recover secret SIM key
● Impersonate to network with victim's identity
● Detectability:
● Call tests (?)
Usage Pattern
● Identification Mode
● Short-living cells
● MITM Mode
● Longer-living cells
● Both:
● Unusual locations for cells
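The cell-lifetime usage pattern above, as an added Python example for a stationary measuring station (this is not the authors' monitor code): a scan log is parsed, the first and last sighting of every cell is recorded, and cells that exist for less than a configurable minimum lifetime are reported. The log lines, their column layout (ISO time, MCC, MNC, LAC, CID, ARFCN) and the 24-hour threshold are constructed assumptions.

```python
# Added example (not from the slides or the authors' stationary monitor):
# derive cell lifetimes from the scan log of a fixed measuring station and
# flag cells that exist only briefly ("short-living cells"). The log lines are
# constructed; format: ISO time, MCC, MNC, LAC, CID, ARFCN.
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_LOG = """\
2014-03-10T08:00:00 232 01 4711 10001 1000
2014-03-10T08:00:00 232 01 4711 10002 1004
2014-03-10T14:00:00 232 01 4711 10001 1000
2014-03-11T08:00:00 232 01 4711 10001 1000
2014-03-11T09:00:00 232 01 4711 10002 1004
2014-03-11T10:12:00 232 01 9999 60001 1010
2014-03-11T10:24:00 232 01 9999 60001 1010
2014-03-12T08:00:00 232 01 4711 10001 1000
"""


def parse_scan_log(text):
    """Return a list of (timestamp, (mcc, mnc, lac, cid), arfcn) records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mcc, mnc, lac, cid, arfcn = line.split()
        key = (int(mcc), int(mnc), int(lac), int(cid))
        records.append((datetime.fromisoformat(ts), key, int(arfcn)))
    return records


def cell_lifetimes(records):
    """Map each cell to (first_seen, last_seen, number_of_sightings)."""
    first, last, count = {}, {}, defaultdict(int)
    for ts, key, _arfcn in records:
        first[key] = min(ts, first.get(key, ts))
        last[key] = max(ts, last.get(key, ts))
        count[key] += 1
    return {k: (first[k], last[k], count[k]) for k in first}


def short_lived_cells(lifetimes, min_lifetime=timedelta(hours=24)):
    """Cells whose observed lifetime is below min_lifetime, with their duration."""
    return sorted(
        (key, last - first)
        for key, (first, last, _n) in lifetimes.items()
        if last - first < min_lifetime
    )


if __name__ == "__main__":
    lifetimes = cell_lifetimes(parse_scan_log(SCAN_LOG))
    for key, dur in short_lived_cells(lifetimes):
        print("short-lived cell", key, "seen for", dur)
```

A station that scans continuously will also see a real cell go away during maintenance; the lifetime is therefore best combined with the other artifacts (unknown CID, unusual ARFCN, empty neighbor list) before raising an alert.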
Cell capabilities and parameter fingerprinting
● Cell capabilities & parameters
● Organization of logical channels on physical channels
● Timeout values
● Can be different on each cell, but typically they are the same over the whole network
● Differ between networks
● Detectability:
● Cell and network database
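The parameter fingerprinting described above, as an added Python example (not the authors' code): the fingerprint of each observed cell is the tuple of a few System Information parameters, the per-network baseline is the fingerprint that the majority of that network's cells share, and any cell whose tuple deviates from its network's baseline is reported together with the differing fields. The parameter names are GSM System Information fields; the observation values, cell identities and the choice of fields are constructed assumptions.

```python
# Added example (not from the slides): build a per-network baseline of cell
# parameters by majority vote and report cells whose fingerprint deviates.
# Field names are GSM System Information parameters; all values and cell
# identities below are constructed.
from collections import Counter, defaultdict

FINGERPRINT_KEYS = ("T3212", "CCCH_CONF", "BS_PA_MFRMS", "RXLEV_ACCESS_MIN", "MAX_RETRANS")


def cell(mcc, mnc, lac, cid, t3212, ccch_conf, bs_pa_mfrms, rxlev_min, max_retrans):
    """Build one constructed observation record."""
    return {"mcc": mcc, "mnc": mnc, "lac": lac, "cid": cid,
            "T3212": t3212, "CCCH_CONF": ccch_conf, "BS_PA_MFRMS": bs_pa_mfrms,
            "RXLEV_ACCESS_MIN": rxlev_min, "MAX_RETRANS": max_retrans}


# Constructed observations: network 232/1 has three consistent cells and one
# outlier; network 232/3 uses a different (but internally consistent) set.
OBSERVATIONS = [
    cell(232, 1, 4711, 10001, 10, 1, 4, 6, 4),
    cell(232, 1, 4711, 10002, 10, 1, 4, 6, 4),
    cell(232, 1, 4720, 20001, 10, 1, 4, 6, 4),
    cell(232, 1, 4711, 60001, 2, 1, 4, 0, 4),
    cell(232, 3, 8001, 30001, 30, 0, 2, 10, 7),
    cell(232, 3, 8001, 30002, 30, 0, 2, 10, 7),
]


def fingerprint(obs):
    """The parameter tuple used to characterise a cell."""
    return tuple(obs[k] for k in FINGERPRINT_KEYS)


def network_baselines(observations):
    """Most common fingerprint per (MCC, MNC): the network's 'normal' configuration."""
    per_net = defaultdict(Counter)
    for obs in observations:
        per_net[(obs["mcc"], obs["mnc"])][fingerprint(obs)] += 1
    return {net: counts.most_common(1)[0][0] for net, counts in per_net.items()}


def deviating_cells(observations):
    """Cells whose fingerprint differs from their network's baseline.

    Returns a list of ((lac, cid), {field: (baseline_value, observed_value)}).
    """
    baselines = network_baselines(observations)
    result = []
    for obs in observations:
        base = baselines[(obs["mcc"], obs["mnc"])]
        diffs = {k: (b, v) for k, b, v in zip(FINGERPRINT_KEYS, base, fingerprint(obs)) if b != v}
        if diffs:
            result.append(((obs["lac"], obs["cid"]), diffs))
    return result


if __name__ == "__main__":
    for net, base in network_baselines(OBSERVATIONS).items():
        print("baseline", net, dict(zip(FINGERPRINT_KEYS, base)))
    for ident, diffs in deviating_cells(OBSERVATIONS):
        print("deviating cell", ident, diffs)
```

Majority voting works because, as the slide notes, operators typically configure these parameters identically across the network; a network that genuinely runs several configurations would need one baseline per region or per LAC instead of one per network.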
Network Monitor Mode
Detection Matrix
Two approaches
Mobile IMSI Catcher Catcher
● Standard Android API
● No need to root phone
● No need for a specific chipset (e.g. GoldX)
● Easy Interface
Stationary IMSI Catcher Catcher
● Network of measuring stations
● Good locations, larger coverage
● Cheap – Raspberry Pi based
Two approaches - Features
Mobile IMSI Catcher Catcher
● GPS + Neighbor cell listing
– Geographical correlation
– Cell-IDs
● Cell Capabilities
● RF and NCL manipulations
● Limited to NCL but mobile
Stationary IMSI Catcher Catcher
● Cell-ID mapping
● Frequency usage
● Cell lifetime
● Cell capabilities, network parameters
● Jamming
Mobile IMSI Catcher Catcher
Stationary IMSI Catcher Catcher
Rooftop installation
More Data
Digital Self-Defense in Mobile Networks
Questions?
Adrian [email protected]