
Session ID: HT2-106
Session Classification: Intermediate

Aaron Turner, N4STRUCT

Mobile Infrastructure Security: Licensed Spectrum Eavesdropping and GSM Threat


Introductions

Aaron Turner
• Partner at newly-formed Security Services Firm
• Founder of Mobile Security Firm (which was acquired by N4STRUCT)


Format & Focus Areas

Lightning Round
• 30 minutes to amaze and entertain you
• Two topics @ 15 minutes each

Topic 1: How real is the risk of licensed spectrum eavesdropping?
• Understanding the threat
• Measuring scope

Topic 2: Enterprise GSM Threat Landscape
• What the carriers are not telling businesses
• What to do about the problem


Before we begin…

How to see the ‘un-seeable’?
A quick example… anyone know what these are?

Ethanethiol & Thiophene
OR…
What makes Liquefied Petroleum Gas stink!


How can we ‘see’ wireless?


Used with permission – Timo Arnall – elasticspace.com


How do we visualize enterprise networks?


How can we visualize licensed spectrum INSIDE of enterprises?


GSM 2G 3G 4G

How many enterprises measure this today?


Without a monitoring plan…

What does ‘normal’ look like?
If there were any anomalies, how would an enterprise know?

Anomalies seen in the past year:
• Cellular intercept equipment permanently installed at foreign offices
• Portable cellular intercept equipment detected at US offices
• Persistent cellular monitors installed on corporate-liable handsets which constantly ‘beacon’


Key variables to consider

‘Normal’ should be established on several levels
• Licensed spectrum signal strength
• Location of license-holder’s towers

If variances from baseline are observed, the incident must be managed properly
• License-holder must be informed
• But… if you’re outside of the US… and the carrier is colluding against you?

How to manage a licensed spectrum incident at an enterprise
• Very new territory for InfoSec staff
• Be very careful proceeding – only attempt action after appropriate legal counsel has been obtained


Key network incident indicators

• False BTS appears
• Persistent 3G/4G signals


Key handset incident indicator

When you’re expecting this

But seeing this


Licensed Spectrum Eavesdropping


How it works & barriers to entry

Carrier-independent eavesdropping requires physical proximity
• … but you don’t have to be too close (12 km)

Best results are achieved when you know the IMSI of the target
• … catch them all and sort them out later
• Crooked international carriers will sell you the IMSI (if you know the phone #)

How much does it cost to do this at scale?
• $100,000 = 10K IMSI catcher (grabs 10K IMSI’s simultaneously)
• Voice intercept capability limited by processing power
• Data intercept limited by brute-force GPRS packet replay


Enterprise GSM Threat Landscape


GSM Enterprise Threat Spectrum

Information Harvesting
• Insider financial data
• Trade secrets

Information Consolidation
• Nation/state intelligence
• Industrial espionage
• Market arbitrage

Financial Motives
• Corporate SMiShing
• Billing fraud


Current state of the market

Enterprises have few Spectrum Awareness tools
• Attend LAW-401 on 3/2 for further discussion

Enterprises have few Signal Integrity tools
• Difficult to correlate tower-to-handset intelligence

Enterprises have few Billing Integrity options
• Some tools available, but all are after-the-fact
• Clawback is tough when dealing with carriers

International challenges
• Which roaming partners are compromised?
• How to establish a baseline in a place you’ve never been?


What to do now


Immediate action items

Begin a collaborative conversation with carriers
• Can you deploy sensors to help the carriers protect their spectrum?
• Proactively set policies to prevent corporate SMiShing

Demand improved handset integrity features
• Push requirements to platform providers
• Develop awareness of 2G/3G coverage and take notice of anomalies

Establish a spectrum baseline at key facilities
• How many phones should be on?
• What carriers should they be talking to?
• Which towers should usually be there?
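As an added example (not from either deck), here is a small Python baseline check that turns the "which carriers, which towers" questions above and the earlier network indicators (a false BTS appearing, an expected tower going quiet, 2G/3G coverage anomalies) into code a facility scan could be run against. The cell identifiers, signal strengths, the 20 dB spike threshold and the radio access technology field are all constructed assumptions, not values from the slides.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cell:
    mcc: str        # mobile country code
    mnc: str        # mobile network code (identifies the carrier)
    lac: int        # location area code
    cid: int        # cell id
    rat: str        # radio access technology: "2G", "3G" or "4G" (assumed field)
    rssi_dbm: int   # received signal strength

# Constructed baseline (not real data): what scans at this facility normally show.
BASELINE = [
    Cell("310", "260", 4101, 22031, "3G", -78),
    Cell("310", "260", 4101, 22032, "2G", -85),
    Cell("310", "410", 7730, 91004, "4G", -81),
]

def detect_anomalies(baseline, scan, rssi_delta=20):
    """Compare a fresh scan against the baseline; return a list of (kind, detail)."""
    known = {(c.mcc, c.mnc, c.lac, c.cid): c for c in baseline}
    expected = {(c.mcc, c.mnc) for c in baseline}
    best_rat = {}  # per carrier, the best generation normally seen on site
    for c in baseline:
        best_rat[(c.mcc, c.mnc)] = max(best_rat.get((c.mcc, c.mnc), "0G"), c.rat)
    findings, seen_rat = [], {}
    for c in scan:
        key, carrier = (c.mcc, c.mnc, c.lac, c.cid), (c.mcc, c.mnc)
        seen_rat[carrier] = max(seen_rat.get(carrier, "0G"), c.rat)
        if carrier not in expected:
            findings.append(("unknown_carrier", key))   # no such licence-holder here
        elif key not in known:
            findings.append(("unknown_cell", key))      # right carrier code, new cell
        elif c.rssi_dbm - known[key].rssi_dbm >= rssi_delta:
            findings.append(("signal_spike", key))      # same cell, far louder than usual
    for carrier in sorted(expected):
        if carrier not in seen_rat:
            findings.append(("carrier_missing", carrier))     # expected tower went quiet
        elif seen_rat[carrier] < best_rat[carrier]:
            findings.append(("coverage_downgrade", carrier))  # only 2G where 3G/4G is normal
    return findings

if __name__ == "__main__":
    # Constructed scan: one familiar cell is suddenly 23 dB louder, one cell is new.
    scan = [Cell("310", "260", 4101, 22031, "3G", -55),
            Cell("310", "260", 4101, 55555, "2G", -60)]
    for kind, detail in detect_anomalies(BASELINE, scan):
        print(kind, detail)
```

A finding is a prompt for the incident process the earlier slide describes (inform the license-holder, involve legal counsel), not proof of interception on its own.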


Contact info

Aaron Turner

[email protected]

@integricell

http://www.n4struct.com


Session ID: HT2106
Session Classification: Intermediate

Rob Malan, Ph.D., Chief Technology Officer, ARBOR NETWORKS

Exploring the Mobile Enterprise Landscape: A GSM Threat Overview

Outline

• Overview of GSM mobile network infrastructure and their IP analogs
• How Enterprise Networks interface with this infrastructure
• Summary of the new opensource GSM components:
  - Basestation
  - Handset
• New GSM-specific threats enabled by this infrastructure
• Impact of these threats on the Enterprise threat surface
• Best practices for Enterprises and their service providers

Why Mobile is Different

Spectrum, Cell-sites, Backhaul, Battery
• Much of the cost
• Optimized for QoS, fine-grained billing, intelligence in the network
• Voice-centric assumptions (LTE vs. TD-LTE)

Latency
• Signaling load
  - Incurs latency, strains infrastructure
  - Weak-link

State tracking
• Intelligence in the network
• Easy to attack (imagine a syn flood disabling a router)

Complex, brittle protocols and stacks
• Massive specs, seldom used code paths, little scrutiny
• TLVs within TLVs within TLVs
• Result: buffer overrun cup runneth over

Mobile Networking -- Alphabet Soup

Simple: Every Mobile Network

Not as Simple: 3G Overview

Not as Simple: LTE Overview

Packet Data Elements (as Opposed to Voice)

Cheat Sheet – Changes for Remote Access

New Vulnerable Surface #1

New Vulnerable Surface #2

New Vulnerable Surface #3

What’s the Bad News?

New Vulnerable Surface #3: Stateless versus Connection Oriented Network Protocols

TCP/IP
• Open Source
• IETF - RFC
• Stevens
• BSD Stacks
• Linux
• Anyone can code & break it!

GSM
• Closed source monopolies
• ITU
• No public description of implementations
• No open source stacks
• Only small set of people in handful of companies can see source

Good Ol’ TCP/IP!

Single Application Action, Cascade of Connections

Example: Web Request from remote employee translates into dozens of connections:
• Initial DNS request
• Follow-on DNS requests
• Initial page load
• Redirects
• Content loads
• Additional DNS resolutions
• Additional content loads
• Streaming/Updating content – rinse, repeat

3G Infrastructure Stacks: Components touched per Connection

Single 3G Connection Establishment

OK, so it’s Messy, so What….

Old School (Pre 2010)

GSM/3G Protocol Security

GSM Protocol Builders (Handset & Network)

Handset: Very few companies make GSM baseband chips today
• They buy software from 3rd parties
• Very few handset makers are large enough to become a customer
• Limited access to hardware documentation
• Don’t get access to the firmware source

Network Equipment Vendor: Very few companies build GSM network equipment
• Ericsson, Nokia-Siemens, Alcatel-Lucent, Samsung, and Huawei
• Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment
• Hard to buy from
• Cost is $$$
• Not for kid in basement

What has this meant?
• No open source stacks
• No hackers
• No independent security research

New School!! 2009-2010

Newer School!!

Why Do We Care?

It’s the Apocalypse

Uh Oh….

Sea change coming to 3G world
• Opensource basestations
• Opensource handset baseband

For the first time ever
• People can program a cellphone’s baseband to do WHATEVER they want it to do!

BAD THINGS will happen
• When... not if....
• How much damage?

Bottom line…
• Lots of stack components
• Lots of session state
• Brittle brittle brittle… ripe for attack
• Many new threat surfaces for remote connectivity
• New risks that impact:
  - Confidentiality
  - Integrity
  - Availability

Apply Slide

• The mobile threat landscape is changing rapidly
• Many new threat surfaces
• Stateful Infrastructure ripe for attack
• Huge implications for enterprises, consumers and operators

Rob [email protected]

+1.734.327.0000

Thank You