More info here: http://secupwn.github.io/Android-IMSI-Catcher-Detector/
P. S. Developers needed. :-)
Regards,
M.
On Mon, Dec 9, 2013 at 5:49 AM, Matej Kovacic <matej.kovacic@owca.info> wrote:
fun :) i always liked osmocomBB, since openmoko days... these days i prefer SDR and wider band, wider freq. transceivers, but TI Calypso and MTK definitely more accessible! will you provide a developer mailing list in addition to github? best regards,
It looks like it doesn't function as a 'detector' yet?
On Mon, Dec 9, 2013 at 10:53 AM, coderman <coderman@gmail.com> wrote:
On Mon, Dec 9, 2013 at 5:49 AM, Matej Kovacic <matej.kovacic@owca.info> wrote:
fun :) i always liked osmocomBB, since openmoko days...
these days i prefer SDR and wider band, wider freq. transceivers, but TI Calypso and MTK definitely more accessible! will you provide a developer mailing list in addition to github?
best regards,
-- Twitter <https://twitter.com/tbiehn> | LinkedIn<http://www.linkedin.com/in/travisbiehn>| GitHub <http://github.com/tbiehn> | TravisBiehn.com<http://www.travisbiehn.com>
Hi,
it doesn't "function" yet, period. *grin*
i leave it as an exercise for the reader to implement A0 detection on Android... Unfortunately I have no idea how to implement detection of the A5/x ciphering used or detection of silent SMSes on Android. However, it is very simple on the Osmocom platform.
Anyway, the IMSI Catcher detection project needs developers.
P. S. A little more info about GSM hacking is here: http://matej.owca.info/predavanja/GSM_security_2012.pdf We also have some nice videos showing identity theft in a GSM network... :-))
I have also found out how to completely fake traffic data (data retention anyone :-)) ) and even how to insert an arbitrary voice recording into the eavesdropping database (in case the police are eavesdropping on some mobile phone). Nice to know how "strong" computer-generated evidence could be...
Regards,
M.
IDD, I've searched for an Android API for detecting the crypto algo for ages and turned up empty. However, you can get the tower ID, so a distributed, communally (cantenna?) verified whitelist of 'good' towers is doable, with automatic disconnection if an unwhitelisted tower connects..?
Can/do IMSI systems spoof tower id: is there anything in GSM to make towers self-verifying? I'm guessing no, in which case the above would be very poor.
Also of note is the API for signal strength, so a mapping of known towers to expected strength at location XYZ could be used to detect systems used to home in on phones, which usually max out on signal and tell your phone to do likewise. Indeed, a strong-signal tower which still asks your phone to dial up the juice should be regarded as an attack.
Matej Kovacic <matej.kovacic@owca.info> wrote:
Hi,
it doesn't "function" yet, period. *grin*
i leave it as an exercise for the reader to implement A0 detection on Android... Unfortunately I have no idea how to implement detection of the A5/x ciphering used or detection of silent SMSes on Android. However, it is very simple on the Osmocom platform.
Anyway, IMSI Catcher detection project needs developers.
P. S. A little more info about GSM hacking is here: http://matej.owca.info/predavanja/GSM_security_2012.pdf We also have some nice videos showing identity theft in GSM network... :-))
I have also found out how to completely fake traffic data (data retention anyone :-)) ) and even how to insert an arbitrary voice recording into the eavesdropping database (in case the police are eavesdropping on some mobile phone). Nice to know how "strong" computer-generated evidence could be...
Regards,
M.
-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Mon, Dec 9, 2013 at 2:31 PM, Cathal Garvey (Phone) <cathalgarvey@cathalgarvey.me> wrote:
IDD, I've searched for an Android API for detecting crypto algo for ages and turned up empty.
i feel your pain... (~_~;)
However, you can get the tower ID, so a distributed, communally (cantenna?) verified whitelist of 'good' towers is doable, with automatic disconnection if an unwhitelisted tower connects..?
sort of; there are some interesting attacks using a force-pushed silent PRL update (see DC19/DC20 cell attacks threads) which would be observable by tower ID oddities, not to mention decremented or zero PRL version. however, you'd have to be paying attention (who checks their PRL regularly? :). if you simply check if a tower is in http://www.opencellid.org/cell/list for example, you're open to attacks spoofing a legitimate but remote (out of range) tower. using direction finding techniques to cross reference the transmitter location against the expected GPS coordinates in a tower database relative to your position would also detect these tower impersonators, but requires more hardware than a mobile baseband...
Can/do IMSI systems spoof tower id: is there anything in GSM to make towers self-verifying? I'm guessing no, in which case the above would be very poor.
the expensive, limited distribution kit will be hard to distinguish without a high performance software defined radio. if you're able to detect an identically spoofed tower using OsmocomBB with high confidence i'd love to know how you did it!
Also of note is API for signal strength, so a mapping of known towers to expected strength at location XYZ could be used to detect systems used to home in on phones, which usually max out on signal and tell your phone to do likewise. Indeed, a strong signal tower which still asks your phone to dial up the juice should be regarded as an attack.
truth. also, an inversion of observed data link capacity (suddenly seeing receive bandwidth drop in half or more while transmit rate doubles) is no bueno. best regards,
Hi,
Can/do IMSI systems spoof tower id: is there anything in GSM to make towers self-verifying? I'm guessing no, in which case the above would be very poor.
No, the problem is that the mobile phone authenticates to the mobile network, but the opposite is not true. Since the mobile network does not authenticate itself to the mobile phone, IMSI Catcher attacks are possible.
There has also been a demonstration of a "home-made" IMSI Catcher based on the Osmocom platform last year at the CCC conference.
The video of the presentation "Further hacks on the Calypso platform" by Sylvain Munaut is here: http://media.ccc.de/browse/congress/2012/29c3-5226-en-further_hacks_calypso_...
So, it is very easy to set up a fake cell with any cell ID.
Also of note is API for signal strength, so a mapping of known towers to expected strength at location XYZ could be used to detect systems used to home in on phones, which usually max out on signal and tell your
This would not work, because cells are not static (new cells emerge, covered areas change, etc.) and the opencellid database is not regularly updated. There could also be femtocells used, etc...
Regards,
M.
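The whitelist, signal-strength and cipher-indicator ideas traded in the messages above, combined into one scoring detector, as an added example: this is Python rather than the project's Android code, and it is not code from AIMSICD, SRLabs or anyone on this thread. It assumes the baseband hands up, per observation, the cipher mode, the downlink RSSI and the uplink power it was ordered to use (the thread notes that the public Android API does not expose these); the reference cell table, the coordinates and the log are constructed. The weights encode the caveat raised above: an unknown cell ID on its own stays below the alert threshold, because cells come and go and public databases lag, while a known cell ID seen far outside its possible reach, or a cell that turns ciphering off, is treated as a strong indicator.

```python
"""Heuristic IMSI-catcher indicators over a log of cell observations.

Added example (not code from the AIMSICD project or from anyone on the
thread). Observation fields are assumed to be available from the baseband;
the reference cell table and the sample log are constructed.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

GSM_MAX_CELL_RADIUS_KM = 35.0   # GSM timing-advance limit: 63 steps of ~550 m
MS_CLASS4_MAX_DBM = 33          # 2 W (class 4) handset: the most it can be told to send
STRONG_DOWNLINK_DBM = -60       # at or above this the serving cell is very close or very loud
STATIONARY_KM = 0.5             # handset movement below this counts as "did not move"
ALERT_THRESHOLD = 3

# Severity weights: one strong indicator alone alerts, weak ones do not.
WEIGHTS = {
    "no_cipher": 3,              # A5/0: the air interface is in the clear
    "remote_cell": 3,            # a known cell ID seen far outside its reach
    "power_anomaly": 2,          # strong downlink, yet ordered to transmit at max
    "lac_change_stationary": 1,  # location area changed although we did not move
    "unknown_cell": 1,           # weak alone: new cells appear, databases lag
}


@dataclass(frozen=True)
class Observation:
    t: int           # seconds since start of the log (constructed)
    mcc: str
    mnc: str
    lac: int
    cid: int
    rssi_dbm: int    # downlink strength reported by the baseband
    tx_dbm: int      # uplink power the network ordered
    cipher: str      # "A5/1", "A5/3" or "A5/0" (no ciphering)
    lat: float       # handset's own position fix
    lon: float


# Constructed reference table of cells seen before: key -> (lat, lon).
KNOWN_CELLS = {
    ("293", "41", 100, 1001): (46.0569, 14.5058),
    ("293", "41", 700, 7007): (46.5500, 15.6500),   # roughly 100 km from cell 1001
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def indicators(obs, prev):
    """Return the set of indicator names raised by one observation."""
    found = set()
    key = (obs.mcc, obs.mnc, obs.lac, obs.cid)
    if obs.cipher == "A5/0":
        found.add("no_cipher")
    if key not in KNOWN_CELLS:
        found.add("unknown_cell")
    else:
        clat, clon = KNOWN_CELLS[key]
        # A real GSM cell cannot serve a handset beyond the timing-advance limit.
        if haversine_km(obs.lat, obs.lon, clat, clon) > GSM_MAX_CELL_RADIUS_KM:
            found.add("remote_cell")
    if obs.rssi_dbm >= STRONG_DOWNLINK_DBM and obs.tx_dbm >= MS_CLASS4_MAX_DBM:
        found.add("power_anomaly")
    if prev is not None and obs.lac != prev.lac:
        if haversine_km(obs.lat, obs.lon, prev.lat, prev.lon) < STATIONARY_KM:
            found.add("lac_change_stationary")
    return found


def analyze(log):
    """Score each observation; returns [(t, sorted indicators, score, alert)]."""
    results, prev = [], None
    for obs in log:
        found = indicators(obs, prev)
        score = sum(WEIGHTS[name] for name in found)
        results.append((obs.t, sorted(found), score, score >= ALERT_THRESHOLD))
        prev = obs
    return results


# Constructed log: normal camping on cell 1001, then a "cell" claiming the ID of
# the distant 7007 with ciphering off and maximum uplink power, then an unseen cell.
SAMPLE_LOG = [
    Observation(0,   "293", "41", 100, 1001, -85, 20, "A5/1", 46.0570, 14.5060),
    Observation(60,  "293", "41", 100, 1001, -83, 20, "A5/1", 46.0572, 14.5062),
    Observation(120, "293", "41", 700, 7007, -52, 33, "A5/0", 46.0572, 14.5062),
    Observation(180, "293", "41", 100, 1002, -80, 20, "A5/1", 46.0572, 14.5062),
]

if __name__ == "__main__":
    for t, found, score, alert in analyze(SAMPLE_LOG):
        print(f"t={t:4d} score={score} alert={alert} {found}")
```

Only the third observation crosses the threshold: it stacks four indicators (no ciphering, a cell ID whose registered position is about 100 km away, a strong downlink paired with a maximum-power order, and a location-area change without movement). The fourth observation, an unknown cell plus a LAC change back, scores 2 and stays quiet, which is the behaviour wanted if cells really do move around and the database is stale. The thresholds are tuning knobs, not measured values.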
This morning's NSA article from WaPo contains some slides mentioning USRP equipment[1]. It's hard to say without more context whether it's referring to the GSM equipment from Ettus...anyone care to speculate? The USRP series doesn't exactly seem like carrier-grade equipment, but perhaps the NSA has a good reason to use it. Maybe baseband exploitation, as coderman has previously mentioned? Simply getting cell tower database dumps from the telcos would suffice for location info, so I would guess this has a different purpose.
[1] http://apps.washingtonpost.com/g/page/national/nsa-signal-surveillance-succe...
On 12/10/2013 05:56 AM, Matej Kovacic wrote:
Hi,
Can/do IMSI systems spoof tower id: is there anything in GSM to make towers self-verifying? I'm guessing no, in which case the above would be very poor.
No, the problem is that the mobile phone authenticates to the mobile network, but the opposite is not true. Since the mobile network does not authenticate itself to the mobile phone, IMSI Catcher attacks are possible.
There has also been a demonstration of a "home-made" IMSI Catcher based on the Osmocom platform last year at the CCC conference.
The video of the presentation "Further hacks on the Calypso platform" by Sylvain Munaut is here: http://media.ccc.de/browse/congress/2012/29c3-5226-en-further_hacks_calypso_...
So, it is very easy to set up a fake cell with any cell ID.
Also of note is API for signal strength, so a mapping of known towers to expected strength at location XYZ could be used to detect systems used to home in on phones, which usually max out on signal and tell your
This would not work, because cells are not static (new cells emerge, covered areas change, etc.) and the opencellid database is not regularly updated. There could also be femtocells used, etc...
Regards,
M.
-- http://disman.tl OpenPGP key: http://disman.tl/pgp.asc Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
On Wed, Dec 11, 2013 at 6:34 AM, Dan Staples <danstaples@disman.tl> wrote:
This morning's NSA article from WaPo contains some slides mentioning USRP equipment[1]. It's hard to say without more context whether it's referring to the GSM equipment from Ettus...anyone care to speculate? The USRP series doesn't exactly seem like carrier-grade equipment, but perhaps the NSA has a good reason to use it.
the partnership with NGA to deploy them gives a hint: this is putting USRPs up close and personal to target for exploitation. (the USRPs are definitely more portable than my favorite SDR, the Noctar[0]!) given the obtained bits mentioned (WLLids, DSL accounts, Cookies, GooglePREFIDs) gathered and then handed off to TAO for further QUANTUM INSERT fucking of target systems it is likely they are doing GSM/cell MitM to observe identifiers, along with WiFi attacks, and other egress rather than deploying baseband exploits or deep active attacks directly against the devices or other networks they're communicating with. thus CNE in this case is cell MitM/WiFi pwn with a USRP rogue tower to get identifiers for TAO. and TAO is where they get dirty with "remote exploitation" of the device itself and other targets on networks it uses. we've seen how they have a smorgasbord of weaponized exploits to cover the gamut of target hardware and technical acumen in the QUANTUM INSERT / TURMOIL / TRAFFICTHIEF / MUTANT BROTH / etc, etc. style efforts. it appears they're using this same infrastructure where possible for mobile; restricting CNE on the ground only to target.
best regards,
0. Pervices Noctar http://www.pervices.com/support/
On Wed, Dec 11, 2013 at 7:17 AM, coderman <coderman@gmail.com> wrote:
... thus CNE in this case is cell MitM/WiFi pwn with a USRP rogue tower to get identifiers for TAO. and TAO is where they get dirty with "remote exploitation" of the device itself and other targets ...
see also this section on the OPEC hacks: http://arstechnica.com/information-technology/2013/11/quantum-of-pwnness-how...
"""
Here’s how the NSA and GCHQ go after an organization like OPEC step by step, based on an analysis of the NSA and GCHQ documents exposed by Snowden:

Step 1: Identify. Using the NSA-built packet capture and inspection system called TURMOIL, the agencies filter through Internet traffic at a network choke point looking for specific "fingerprints" in traffic that identify users with the organization being targeted. Data from TURMOIL gets pulled into a number of traffic analysis tools, such as XKeyscore and TRAFFICTHIEF, which do different sorts of packet analysis. XKeyscore is the NSA's distributed search engine, catching a large chunk of international Internet traffic for analysis. It helps find things deep in the clutter of the Internet that analysts might miss by allowing them to use search terms to find things in both live and cached Internet traffic. TRAFFICTHIEF, on the other hand, is much more focused. It filters for very "strong" indicators, like known sets of IP addresses, addresses within e-mail traffic, or user names in logins to social networks or other services. It provides less depth of analysis than XKeyscore, but it can handle much larger loads of data because it is more selective about what it processes. Together, the tools can be used to identify the systems used by an individual or organization, including ranges of addresses that they may use from work or home.

Step 2: Target. Using the profiles built using the surveillance tools, the agencies can then identify potential points of attack. XKeyscore, for example, can be used to search for patterns that identify known security vulnerabilities within a range of addresses. Web visit histories, e-mail traffic, and other data are analyzed looking for the most likely (and least detectable) approach to gain access, and a specific attack plan is crafted, including the identification of where to launch the attack from. At the NSA, this sort of thing is the work of Tailored Access Operations. In the case of OPEC, the targeting process apparently went on for several years as the NSA sought openings for an attack.

Step 3: Attack. Depending on who the target is, the NSA and GCHQ have a variety of options. The least costly is to use access provided by one of the intelligence agencies' telecommunications "partners" who own network equipment at an exchange or other choke point that the target's Internet traffic passes through. The agency running the attack can use that access to introduce changes to Internet routing tables that detour the targeted individual's traffic. But in some cases, the NSA and GCHQ may have to perform "unilateral" taps on network backbones to gain that level of access—targeting a piece of network hardware to take over or splicing directly into the target's own connection to the Internet. It's not clear which attack the NSA used to gain access to OPEC's systems, though the GCHQ used a Quantum attack two years later to gain its own very special access to the cartel's network. In the case of the Belgacom hack, the GCHQ used a Quantum insert attack—routing the Web requests for LinkedIn and Slashdot from the engineer being targeted to a server posing as those sites. The NSA has used the same approach to intercept traffic to sites such as Google. The man-in-the-middle server can present content from the actual sites the target intended to visit, but it can also add content to the traffic, using what's called packet injection—modifying the contents of the data as it passes through—and intercept the user's credentials. And by using a forged certificate, the NSA can intercept encrypted traffic intended for the destination site. Once the user has connected to the fake server, the intelligence agencies can use the connection to launch attacks against the target's Web browser to install monitoring software or other malware, using similar techniques to those used by hackers. They can also use credentials exposed via the man-in-the-middle attack to gain access to other accounts owned by the target and to troll through connections in those services that might be potential targets.

Step 4: Exploit. Once the target's computer has been successfully attacked, the effort begins to look much like that of the Chinese cyber warriors' attack of the New York Times or what cyber criminals typically do when they score access to high-value targets. The agencies' hackers work to stealthily expand their level of access, using customized remote administration tools to grab user privileges and gain access to other network resources—mail servers, file servers, and other network systems. They then start to "exfiltrate" data from these systems and deliver them to analysts.
"""
coderman writes
... a lot. Which I've elided...
As a vaguely snarky remark on my part, when one quotes von Clausewitz, "War is the continuation of politics by other means," is the kind of remote penetration of potential enemies by technical means, such as coderman postulated at length, closer to politics or closer to war? Or, in current argot, is it closer to cyberpolitics or closer to cyberwar?
See, http://ecir.mit.edu/ (Office of Naval Research N00014-09-1-0597)
http://www.atlanticcouncil.org/publications/books/a-fierce-domain-conflict-i... (viz., book _Fierce Domain_)
--dan
On Wed, Dec 11, 2013 at 12:07 PM, <dan@geer.org> wrote:
... is the kind of remote penetration of potential enemies by technical means, such as coderman postulated at length, closer to politics or closer to war? Or, in current argot, is it closer to cyberpolitics or closer to cyberwar?
CNE+TAO as non destructive espionage (politics) but they also play CNE+TAO as kinetic force multiplier (war) so the answer is: both! depending on the target...
Regarding the CCP FY 2013 goals per https://peertech.org/dist/nsa-cpp-goals-FY2013-unredact.png, "Make gains in enabling decryption and Computer Network Exploitation (CNE) access to fourth generation/Long Term Evolution (4G/LTE) networks via enabling. [CCP_00009]" i wonder if they upgraded to N210 (pairs?) for good 4G/LTE performance? https://www.ettus.com/product/details/UN210-KIT
Dan Staples ha scritto:
Simply getting cell tower database dumps from the telcos would suffice for location info, so I would guess this has a different purpose.
The NSA doesn't seem to want to play by the typical LEA best practices. So they might not be willing to send a formal request for data on a particular party (lest it be leaked or the target find out). My bet is real-time call interception for high-value targets. If ye-random security researcher can crack most GSM encryption and listen in or inject fake content with cheap hardware, then the NSA certainly has people who can make that happen as well (and with billions of dollars to throw at the problem). ~Griffin
On Mon, Dec 9, 2013 at 12:59 PM, Matej Kovacic <matej.kovacic@owca.info> wrote:
... Unfortunately I have no idea how to implement detection of the A5/x ciphering used or detection of silent SMSes on Android. However, it is very simple on the Osmocom platform.
carrierIQ is good for something ;) you're going to have to go ARM native (or ?) to observe use of A0 over GSM, since android.telephony.gsm screwed us.
I have also found out how to completely fake traffic data (data retention anyone :-)) ) and even how to insert arbitrary voice recording into eavesdropping database (in case police is eavesdropping to some mobile phone). Nice to know how "strong" could be computer generated evidence...
this came up on the cryptome list last week: camouflage, jamming, obfuscation are all useful techniques to apply against unwelcome observers. cf. high power infra red LED camera dazzlers and LADAR jammers, etc. while equally effective on the cell bands, you'll want to be sure to check your 20 before emitting with gusto! ;P
best regards,
Hi *, This might be of interest to you guys: https://opensource.srlabs.de/projects/catcher/wiki Cheers, azet
participants (8)
- Aaron Zauner
- Cathal Garvey (Phone)
- coderman
- Dan Staples
- dan@geer.org
- griffin@cryptolab.net
- Matej Kovacic
- Travis Biehn