DEF CON 18 - Chris Paget - Practical Cellphone Spying

Reddit Comments

Essentially, you can do this yourself (legally on the 33cm band), using https://en.wikipedia.org/wiki/Universal_Software_Radio_Peripheral , however I have seen people using ADALM-PLUTO [Edit: I think it was BladeRF] SDRs in some videos as well.

You need a quad-band cell phone since the US ISM band, 902-928 MHz, overlaps with the European GSM-900 band of 880-914 MHz, giving you 902-914 MHz to run your network with any European (or Quad-Band/Global) GSM phone.

More information here: https://blog.marinetelecom.net/2010/08/01/ham-radio-operator-chris-paget-kj6gcg-spoofs-as-900mhz-gsm-tower-and-15-phones-in-defcon-hacker-convention-log-onto-his-network/

He also uses an IM-ME Mattel toy that can be easily flashed and is using that as the CW callsign signal every 10 minutes: https://hackaday.com/2010/03/12/easy-im-me-flashing/

Further reading on OpenBTS implementation: http://timbuktuchronicles.blogspot.com/2010/05/build-your-cellular-network-openbts.html

12 points | u/ZimaZimaZima | Aug 27 2019 | replies

One of the few DEFCONs I have missed. Got my tech 5 years ago at DEFCON and never looked back. A few friends of mine still have their original NinjaTel cell phones from when they set up their own GSM network back in the day. Good stuff all around.

7 points | u/dclaw | Aug 28 2019 | replies

nice

3 points | u/livingyeet | Aug 28 2019 | replies

Old news, copypasta haqqors. I recall a free GSM network operating at a Burning Man about a decade ago. (OpenBTS, etc.)

3 points | u/[deleted] | Aug 28 2019 | replies

Okay, this is just *hearsay* I got tonight from a fellow ham that attended this year's DEFCON - he said there was a discussion/presentation(?) on building and using a hotspot for DMR, with an implication that it's 'open' and can't really be controlled, suggesting that a license wasn't required ... ?!

1 point | u/PKCore | Aug 28 2019 | replies

Captions
So, welcome to Practical Cellphone Spying. Before we start, a couple of notes on privacy. First off, cellular phone calls will be recorded during the talk. Surprise! If you do not want your cell phone calls recorded, turn your phone off. If you're on Sprint or Verizon, you're not GSM; my system is not going to talk to your cell phones at all, so don't even worry about it. Having said that, I would encourage people to keep their phones on during the talk, especially if you've got a GSM handset, because the whole point of this is to show how your phone calls can be intercepted, and if you're not using your phone then that kind of doesn't work.

OK. This is the machine that's actually running the demo. I don't know if you can see this big gap here where the hard drive should be; it's actually booted from this USB key, and at the end of the talk I'm going to be cutting that USB key in half with a Leatherman. So I'm recording all kinds of very, very sensitive information, all kinds of settings about your phone, logging phone calls, all this kind of stuff, but it is all going to be destroyed at the end of the talk, so don't worry about that too much. Let me just get my power back in here. Ah, thank you.

OK, finally, I do have backhaul in place here. I'm currently connected to my Verizon Droid, which is giving me voice-over-IP backhaul. So if you do connect to the network, generally the only way that you'll know that you're connected to the network is when you try and make a call. If you do make a call from the network you'll get a recorded message saying "you're being intercepted", yada yada yada. So effectively, keep your phones on during the talk, and every so often just dial a number and see what happens. If you hear that recorded message then you're attached to my system here; if you don't hear the message, you're fine. In either case, any time that anyone is connected to this network a best effort is going to be made to connect calls, subject to the limitations of Asterisk going over voice over IP going over Verizon, and given that Verizon's the only cell phone network that... well, one or two... we may have unpredictable results. Policy.

OK, so the whole talk is talking about IMSI catchers, but in order to know what an IMSI catcher is you need to know what an IMSI is. An IMSI is an International Mobile Subscriber Identity. You can think of it kind of like a GSM username. It's one of the two things that live in your SIM card that authenticate you: your IMSI is like your username, Ki is the secret key that authenticates you into the network. So the IMSI lives on the SIM card; obviously it's somewhat protected. When you connect to a network, one of the first things that that network does is it'll say "stop using your IMSI, use this temporary IMSI instead", and what I'm going to be showing you on the demo a little later is how many of these TMSIs have been allocated, as a way of seeing how many people are associated with the base station. So an IMSI is kind of a secret. The ICCID, the long string of numbers that's printed on your SIM card, is fairly closely related: for most US networks, and a lot of networks around the world actually, you can derive the IMSI from the ICCID and vice versa, so it's not really that secret. Other places do a slightly better job and the ICCID is just a random number. Either way, the ICCID doesn't really play too much of a part; I only mention it because you can derive the IMSI from it, in the United States at least.

So what's an IMSI catcher? The basic idea is that it's a spoofed GSM tower; it's a fake base station. The idea is that when your phone is looking for a signal it'll look for the strongest tower; it'll connect to the tower that offers it the best signal, and in this case, because I'm right in front of you with high-gain antennas pointed directly at you, I'm going to be your strongest signal. Here I'm only emitting about 25 milliwatts, a tiny, tiny, tiny amount of power, but because I'm so close and because I'm using these directional antennas, hopefully I'll be your strongest signal and you should camp over to my network and, you know, have some fun.

Another thing to bear in mind is that in GSM it's the base station that picks all of the settings. So when you connect to my tower, it's my tower that gets to instruct whether or not to use encryption, whether or not to use frequency hopping, all of this kind of stuff. If I decide not to enable encryption, then I just disable it and your phone just goes "oh, you've disabled encryption, that's fine, I'll talk plaintext". Seriously, it's that simple. There's all kinds of stuff that the base station can instruct the handset to do. Please take my word on it that I'm not doing anything malicious here, that this test is for functionality only, that there should be no permanent changes made to your phones whatsoever if you do connect to the network. But if I wanted to, there's all kinds of stuff I could do: I could update your SIM card, I could... all kinds of fun to be had. So essentially, if you've got the ability to deliver a reasonably strong radio signal and your base station will negotiate A5/0, which is plaintext, you're pwned. There's nothing you can do about it, and there's a good chance that you won't even know about it. If I'm the tower, then not only am I your network, but I also control your handset as well, to a pretty significant degree.

The actual idea of an IMSI catcher has been around almost as long as GSM has. It was originally patented by Rohde & Schwarz in Europe in 1993. I've never seen reference to any US patents for it, but either way, patents in Europe are just as public as they are here, so all of the details of this are all public. The main important point about this is, if you were to go to Rohde & Schwarz and say "I want to buy an IMSI catcher", they'll charge you a couple of million dollars. The equipment that I have laid out on the table here: by far the most expensive part is the laptop, second up is the USRP at about fifteen hundred bucks, and then, well, I think the next most expensive thing is this $20 instant messaging device. So the whole point is that using these techniques you can intercept phone calls for a thousand times less money than the commercial systems that do exactly the same thing.

So, quick note about the crypto involved in IMSI catchers. If I'm the attacker and I create the base station, and you have a cell phone that connects to my base station, I just say "disable crypto". I don't need to break crypto, I don't need any rainbow tables, I don't need any solid state hard drives for fast lookups, nothing; I just say "turn off encryption". It's that simple. In reality the GSM specification does actually say that when your handset connects to a network that does not use encryption it has to put up a warning message, but then if you read further in the spec there's another place where it says "if you want to disable this warning message, set this little configuration bit in the SIM card". So every SIM card that I have ever seen in my entire life, and I've seen a few from various networks around the world, every single one of them has that bit set. Every single operator that I've ever seen disables that warning message, so I've never seen a warning message on a cell phone that actually says "you're connected to an unciphered network", even though the GSM specification requires it. So this is a deliberate choice on the part of the operators. The idea of it is that if you go to a country like India... in India they don't support cell phone encryption, it's actually illegal. So obviously you want to be able to roam in India, you want to be able to make cell phone calls, so your phone has to support A5/0, and if you're getting a warning every time that you connect to a new tower in India you're going to be wondering what the hell's going on and, you know, hassling AT&T or whoever. So it's one of those areas where functionality and security are directly at odds.

So, a note on spectrum usage. One of the issues that was raised with this talk in the press is that operating a transmitter on a US cellular frequency is a very big FCC no-no; you'd get in a lot of trouble for doing that. Fortunately, we don't actually need to. The reason for this is there's four bands used for GSM around the world: 850, 900, 1800, 1900. 850 and 1900 are the two that are used in the USA; 900 and 1800 are used in Europe. If you actually look at the size of those bands and the frequencies that they cover, there is an overlap between European GSM 900 and the United States ISM band at 902-928 MHz. So I'm actually running my transmitter here, a legal ham radio transmitter, in the... I call it the ISM band, but it's technically a ham radio band, and as far as your cell phones are concerned I'm just a European radio transmitter; I'm a European tower. Your phones don't care that I'm in the States; they don't get it that they're in the States. They don't care that they're on a completely inappropriate band for the location that they're in; they're just quite happily "so yeah, there's a tower, let's party". It's pretty crazy. So if you've got a European phone, if you've got a quad-band phone, you'll see the network; if you've got a US phone that only works on US frequencies, you will not see the network.

So the ISM band, Industrial, Scientific, Medical: the idea of it is it's for very low-power devices that use very low utilization, a very low actual time on the air; they change frequency very rapidly, generally designed to be very non-interfering. But if you look at the regulations, ISM is actually secondary in the band; it's a ham radio band. Ham operators don't tend to like it because there's all this ISM crap cluttering up the place, so the noise is too much of a problem for most ham radio applications, so most hams dismiss it. But for our purposes here we can run a GSM base station on a GSM frequency within a ham radio band. How do we do that? Well, the first thing we need is a license. This URL is great. The question sets for the ham radio exams are all public, so if you go to this website, what they do is they just keep asking you the questions over and over and over and over and over again until you get them right. If you keep getting it wrong then it'll keep asking you, and if you get it right then it'll stop asking you; it just beats the right answer into you, and you can sit down with this site for a few hours and walk into a ham radio exam and just pass it. I'd recommend that, if you do want to get into this stuff, you take the time to learn it, take the time to understand it. I certainly learned a lot from taking my ham tests and I'd recommend it to all of you.

So, as a ham radio operator now, we have a 1.5 kilowatt power limit. That's a lot. I have another amplifier that I've been using for RFID that's 600 watts and I've yet to turn that on because it's a terrifying amount of power; even 600 is too much, so 1500 should be plenty for anything. In terms of what we're actually allowed to transmit, technically we're transmitting an unspecified digital code; it's bits going back and forth between your phone and my tower. So in ham radio terms you're allowed to transmit an unspecified digital code as long as the specification is public, and in this case all of the specs for all of the various GSM protocols are all public, so it's all good. You're also not allowed to use cryptography; you're not allowed to obscure the meaning of the message in any way. So I guess by law, if I'm running my BTS as a ham, I have to disable crypto. Damn. No limits on antenna size, antenna gain, what... basically if you can get your hands on it and run power to it, you're golden. The only thing that you ever need to be careful of is RF exposure limits. The FCC publishes guidelines for what absorption rate people can tolerate safely; in this case I am nowhere near those limits. This side is my transmit antenna, I think it's this side, and it's putting out a total of about 25 milliwatts. To put that in perspective, your cell phones, if they're on the higher bands, the 1800/1900, they'll be putting out a watt; that's 40 times more. If they're operating on the lower bands, the 800/900, they're putting out two watts, so that's 80 times more. So the phone in your pocket is exposing you to significantly more RF than my big scary antennas.

The only other real requirement that we have is that the station has to identify itself every 10 minutes. That's actually pretty easy to do, because to be a ham-compliant callsign ID it's straight carrier-wave Morse code; every 10 minutes just Morse something out. We could have integrated it into the USRP, certainly the USRP is capable of it, but that's doing it the hard way. There's an easier way to do it, and that being you take a second transmitter, you tune it to the same frequency, you make sure that the power level of that second transmitter is slightly higher, so that whenever that transmitter is on it's effectively DoSing the GSM signal with a ham radio callsign. So all we need is an easily scriptable 900 MHz transmitter, and as it turns out this little pink instant messaging device is perfect. This is called the IM-ME. This was brought to me by Travis Goodspeed. They're fabulous little devices: they have reasonably good power output, obviously keypad and screen is helpful, no firmware security, you can program them with a GoodFET. Unfortunately they don't come standard with JTAG and RF connectors, but easy enough to add. So yeah, we can write firmware for this, we can match the frequency because we've got control over that in software, and then we just need to mux the signals together and amplify it up. So I'll actually pause there for one quick demo... no, actually I won't; I'll come back to that one.

So in terms of the BTS itself: we've got the IM-ME for the ham radio side; what do we need for the GSM side? It's actually pretty easy. You need a USRP, Universal Software Radio Peripheral. These things are available online; they go for about $1500 with the two daughterboards that you need. I'd also recommend, if you're going to get into GSM, check out the ClockTamer; the URL's up here. The thing about ClockTamer is that in GSM the handsets derive their timing from the base station, so the base stations have extremely accurate clocks and the handsets figure out how much their own frequency is drifting compared to the tower. So if I come along with a third-party tower, if my frequency stability doesn't match that of the local towers around me, all of your phones are going to be calibrated to those local towers and you're not even going to see my tower because I'm maybe just a few kilohertz off. ClockTamer actually gives me plus or minus 100 Hz accuracy at 1.9 GHz; that's in its out-of-the-box configuration. It's about 0.26 parts per billion accuracy, and then you can get a GSM, I beg your pardon, a GPS module that drops it down to something ridiculous, crazy, crazy, crazy accuracy. It's all programmable and very flexible; it's highly recommended.

On the software side, just a laptop computer, Debian, OpenBTS and Asterisk. OpenBTS provides the software GSM stack, and then Asterisk takes the calls in from OpenBTS and sends them out over the backhaul as voice-over-IP. It's a fairly basic base station. It does do voice, it does do SMS, it does not do data, and in fact for the purposes of this demonstration I've even disabled SMS, purely because there's no way I can get your caller ID easily. So when you send an SMS, yes, I can route it out through the internet and connect it to where it goes, but the person who receives it is not going to know who it's from and they're not going to be able to reply, so I figured it was just easier to disable it. But the system does support it.

So let's get the BTS going here. So I wanted to see if we can get some video here. Is there a camera that we can get up on stage, or do you need me to turn the screen around? OK. So I'm actually just going to plug in my USRP now. That's all on, and then start the base station, or try to, if it would actually... let's try this again. And there we go, so OpenBTS is up. I don't know how much detail you're going to be able to see on the screen here with the camera zooming in. One thing I do want to show you is the TMSIs. Come on. So I don't know if you can actually make that out on the screen. The command I typed is tmsis. What that shows me is a list of all of the temporary IMSIs that have been allocated by the base station, in other words how many people are currently associated with it. So you can see right at the bottom here: zero TMSIs in table. So I've started it up clean; there's nothing there, nobody's connected. A couple of other things I'm going to show you as well. I'm just going to turn this around so I can type. So a couple of other commands that I've typed here: cellid. That shows you that my mobile country code that I'm using at the moment is 001; in the GSM specification, country code 1 is test. I'm then using a mobile network code, an MNC, of 01, so again that's test. So I'm a test network in a test country. I'm operating on a non-European cellular... sorry, a non-American cellular frequency. And then if you look at the bottom here, the short name of the network that I'm starting is called DEFCON 18. Some phones will display that, others won't, but the point that I want to get across is that at the moment this is in a non-hostile configuration. It's in a test mode, it's not advertising any known network, it's not operating on a US cellular frequency, and certainly as it started up nobody was connected to it. So I'll leave that running for a few minutes. If people really want to do a scan for the network you can, but I'd prefer people to just leave their phones alone. Just take it out of your pocket every couple of minutes, try and make a call, see if it's actually handed over, because we'll come back to this in just a second and show you how easy it is to make phones hand over.

So we've got the BTS in test mode. How do we then make this into an IMSI catcher instead of just a random cellular network? Well, the way that cell phones identify the network is by two values; I mentioned them already: the mobile country code and the mobile network code. Mobile country code: 310 for USA. There's a full list on Wikipedia for every country around the world; a three-digit number, not really that hard to spoof. Mobile network code, again, a two-digit number, maybe a three-digit number, that you can look up on Wikipedia. Not really much security there; it's pretty trivial to change it. I'll show you in a sec how to do it on OpenBTS. It's not hard; it's really not hard. And then once I've set the MNC and the MCC, I can change the network name as well, so that when it displays on your phone, instead of seeing DEFCON 18 you'll see whatever network it is that I want you to see. In most cases... well, in some cases I've noticed that handsets will not hand across to the base station unless the short name of the network, the network name, is entered case-correctly. So it's kind of sad when the security of your cell phone calls comes down to a case-sensitive string comparison. Not much security there.

So that's really all that's involved in spoofing a network. So let's come over here and actually do it. Before we do, I'm just going to type tmsis again. Wow, that's 15 people. 15 handsets are currently connected to my tower, and that's without spoofing any cellular network. So 15 people in this room are currently having their cellular phone calls intercepted by me, and my BTS is not advertising any known network in the world; it's in a test mode, it's on a non-US frequency, and you're still connected. One quick thing: raise your hand if you have an iPhone. OK, if you do not have your hand in the air you're probably not connected to my network. In my experience it's generally the iPhones that connect most easily. It's actually been quite the bane of my existence trying to keep the damn iPhones away; I kid you not, it's impossible to get rid of the damn things. So, OK, so we have... oh wow, we now have 30 TMSIs in the table. People are still handing over to this. So in the few seconds that it took me to explain why those 15 people... 15 more people connected. It's insane; it's really easy to do.

So let's spoof an MNC and an MCC. So I mentioned the cellid command; that shows you the MCC, MNC, location area code and cell ID. I can then do cellid... Quick question for the audience: raise your hand if you'd like me to spoof T-Mobile. OK, raise your hand if you'd like me to spoof AT&T. Should have seen that one coming. OK, so I'm just going to turn this around. All I do is I type cellid and then I give it the mobile country code; well, we're in the States, so our mobile country code here is 310. And then we give it a mobile network code; well, AT&T's mobile network code, they have several, but the most common one that they use is 410. So let's type that in, and then I'm going to leave the location area code and the cell ID the same, so that's going to be 666 and 10. That's it. I'm now spoofing AT&T. I could be a little more careful about it; I can do config. So here, the cellid command here: 310 410 666 10. That sets my mobile country code and my mobile network code, and then this command down here, config GSM shortname AT&T, and as far as your cell phones are concerned I am now indistinguishable from AT&T.

So the question was how long does it take to hand over. That's kind of the point of the talk, in all honesty, from this point. So at this point we have an IMSI catcher. I can sit here and over the next 20 minutes, half an hour, every AT&T cell phone in the room will gradually hand over to my network, gradually start giving me the audio traffic. So from this point on, the only question becomes how can we make phones hand over more rapidly? In practice it might sit here for an hour before any significant number of phones connect, so we want some techniques to speed it up. So at this point we do have a simple IMSI catcher: we're spoofing a cellular network, clearly handsets in the audience are handing across to me. Did anyone actually try to make a call and hear the recorded warning message? Ah, one here, another at the back, another over here. So yeah, clearly you guys are handing over; you're connecting to my network, I'm getting all of your traffic. So how do we filter this down? Well, firstly, I now know your IMSIs, so I can filter based on IMSI. If I know the IMSI of the specific person that I want to target, I can exclude everyone but that IMSI. Likewise, I can do the same with the IMEI, which is the equipment serial number, the equipment identifier. I can say only allow Nokias to connect, or only allow iPhones to connect; I'm not sure you can quite get it down to that level of granularity, but you can say this particular IMEI is allowed to connect and nobody else's. So I could restrict it down to a limited set by various different parameters.

As I mentioned, it takes time for people to migrate across. We can make it faster; I'm going to talk about some techniques for that in a sec. One major limitation that this current system has: it only intercepts outbound calls. So when you're attached to my tower, as far as T-Mobile or AT&T is concerned your phone is off. It has no signal, it's just not there, because you're not connected to one of their towers, so when a call comes in it will just go straight to your voicemail. We can get around that, so I'll come back to that, but for the moment we've got outbound calls getting recorded.

So how do we speed up handover? We don't want to be sitting here all day watching everyone's phones hand over, so what techniques have we got to speed up that process? Well, there's actually a few: neighbor lists, changing LAC, band jamming, receive gain. I'm going to talk about all of these individually. Some of them I'll demo, some of them I won't, but there's lots of different ways to do it. The first one is GSM neighbors. So each GSM tower, when a phone connects to it, the phone will retrieve from it a list of neighbors, and what that means is each GSM base station is on a specific channel, obviously; the base station will say there are base stations nearby on these other channels. And what your phone will do is it will take that list of neighbors and it will monitor all of those channels, and it will keep watching the signal strength on all of those neighboring towers, and when one of those neighboring towers becomes a stronger signal, it will hand over. So how can we use this to our advantage? Well, all we need to do is... we know that the cell phone is going to be monitoring these neighboring frequencies, so if we do a survey of the local area and find out what neighbors are around, we can then compare that to what frequencies the phone can actually see, what towers it can connect to and whatever, and eventually we can find a channel that is advertised as a neighbor but perhaps it's on the other side of the tower, so you can't actually see it from here. So I can put up my tower on a frequency that I know your phones are listening to and that I know there isn't a tower there, so that the moment that base station pops up your phones are all going "OK, we must have driven down the street and this tower is now closer, so I'll just hand over to it".

So how do we do this? It's actually pretty easy. You get a Nokia DCT4 phone; I believe the 3310 does the two European bands, the 3390 does at least one of the US bands. What these do is they support a thing called network monitor mode, and what network monitor does is effectively dump a log of every GSM thing that the cell phone does: every packet that it sends to the base station, every burst that it receives from the base station, everything, every single thing that that cell phone does gets logged. It doesn't allow you to interact with it, doesn't allow you to control it, beyond what you can do on the handset already, but it does at least give you very, very detailed insight into what your phone sees on the GSM network. So you get one of these phones, you need a special FBUS/MBUS switching cable, and a program called Gammu. Gammu is open source; it connects to the phone over this cable and just dumps out a trace in XML which you can open up in Wireshark. I was going to demo it but my 3390 has gone wandering, so what I'm going to do instead is just show you what the traffic looks like. So this is a capture that I recorded last night. This was of a handset connecting to T-Mobile, and I actually caught it only partway through the boot sequence, so there's a bunch of traffic that was hanging off the top here, but you can see you've got all of the various GSM messages in here, and if I click on the right packet, let's try System Information Type 2, choose that one, you can see Wireshark breaks it down nicely, and within this packet it actually says "here's my list of neighbors". So literally you just take this phone, you turn it on, you connect the cable, you run Gammu, and then you look at the Wireshark trace and you've got a list of channels. You then compare that; just literally turn a radio receiver onto each of those channels and see if you get a signal on them. It's not hard, and using this you can find an advertised neighbor that's not actually in use in the local area and speed up handoffs by taking advantage of that. Now I'm not actually going to demonstrate that today because that would require me to transmit on an AT&T frequency and I don't want to do that. Certainly an attacker would have no such compulsion and could easily take advantage of this to his benefit. So we can find GSM neighbors and we can take advantage of that.

Another way to speed up handoffs is the location area code. The idea of the LAC is it groups together a bunch of cells, so you'll have a whole bunch of cells in one specific area that advertise the same LAC, and in general those will go to the same higher-level controllers as well. But what happens is, when the phone is monitoring all of these neighbors, and if it just sees another tower, for whatever reason it has to look at that secondary tower that it's seen, it'll see that if that tower is advertising a different location area code, that means that the cell phone has moved, at least as far as the cell phone is concerned, and if the cell phone has moved and it's moved into a new area then it should really do a handoff. So from OpenBTS here I have complete control over the LAC, so I can just change the LAC and everyone's phone will go "oh, the LAC's changed, we must have driven 50 miles down the road, let's hand off to the new tower". So the more you change the LAC... you can keep rolling the LAC every few minutes just to entice more handsets. It's not particularly difficult to do; I'll give you a quick demo of it.

First up, let's see how many handsets. So before we started spoofing AT&T we had our 30 handsets connected; now that I've got AT&T's network name, MNC and MCC, let's see how many handsets we have connected now. 24. Don't quite know how that went down; TMSIs do time out. So another command that I can try is load, and this is telling me now, this is telling me that there's 24 TMSIs in use as well, so not too sure what's going on there, but we've certainly got a bunch of handsets connected. And then we can use the cellid command again to roll the location area code. I'm going to turn this around a second so I can actually see. So my location area code was 666; I guess I should change that to 31337, and I keep the cell ID at 10. In fact, I'll change the cell ID as well, just so that the handsets know it's a new tower. And it's that hard; that's how to roll the LAC. Not a complex operation at all. And then, like I say, that will encourage handsets to believe that they've changed location and that should entice more handsets to camp across to the new network. We'll come back to that when we do the next stage and we'll see how successful that was.

So what happens when the handset turns on? How does the handset first find its very first tower? When it boots up it knows nothing: it doesn't know where it is, it doesn't know what frequency it's on, doesn't have any neighbors to look for, doesn't know the current LAC, nothing like that. So it does a very long scan over the entire band, and whatever towers it finds, it checks the MNC and the MCC, tries to make sure that those are allowed networks based on what the SIM card will actually connect to, and then the signal strength as well, and it'll just connect to the strongest tower. Once it starts finding some towers it limits the size of that scan; it performs a much smaller scan much more rapidly, because it has some information about what bands are in use, what towers are in use, what channels to look for, all this kind of stuff. So an attacker can actually use this to its advantage, because if you DoS the cell phone system in order to make people lose signal, when those handsets connect back up again they're going to perform this long scan, they're going to perform this much wider-band scan, and have a much higher chance of connecting to the attacker's tower.

So how can we do this? Well, first off, we're only talking about second-generation GSM, 2G. 3G has much better security, much, much better security. So if we jam the GSM band, then when we turn the jammer off your handset's going to perform a wider search, it's going to perform a slightly slower search, a bit more chance of finding the tower. However, if you're on 3G there's really nothing I can do. The 3G protocols are much, much stronger than GSM and it's a lot harder to intercept a 3G phone call, so we really don't want people using 3G if we're trying to intercept phone calls. So what we have to do is jam the 3G bands. If we jam the 3G band, your phones lose the ability to connect to a 3G tower and they quite happily drop down to 2G. So all you have to do, literally, is broadcast noise and block the ability to talk to 3G, at which point everyone drops down to 2G in plaintext. It's like saying "well, if you can't connect to port 22 then I'll just fail over to port 23". Seriously, you can think of 3G as equivalent to SSH and GSM as equivalent to telnet in this situation. So yeah, it would be an accurate analogy to say that if you can't connect to the SSH port, just drop down to telnet; that's effectively how cell phones work in this situation.

So the question is, how hard is it to jam a cellular band? Really not very. All you need to do, really, is transmit noise, and when I say noise I mean a very specific thing. I don't just mean randomness; I mean completely flat spectral noise, such that there are equal amounts of power in each octave, a nice flat spectrum, and it makes sure to cover the entire band, cover every channel. Effectively what we're doing is, instead of moving the tower completely, we're just removing the ability to see the tower; we're masking that with noise. Noise generators really aren't very expensive. I have one over here, little thing, if I can do this without squishing my ninja badge again. Now, it's all good. So this is a noise generator. This was $450 on eBay, and if I connect this to a power amplifier, and I have a power amplifier upstairs, and then connect the power amplifier into an antenna, and I have antennas, clearly, if I turn that on, that's rather a large disruption to cell phone service. I mean, the noise generator itself was, as I say, 450 bucks on eBay; the power amp was 400 bucks on eBay... not on eBay, on the internet at least; that's 100 watts. 100 watts of wideband noise is a huge, huge, huge disruption. This is what it looks like. This particular noise generator has two modes: it has one for the 900 MHz bands and one for the 1900 MHz bands. So what you're looking at here is the trace from a spectrum analyzer. The lowest frequency on the left is about 500 MHz and the highest frequency on the right is 2.5 GHz, and then as the line goes up there's obviously more power at whatever frequency that corresponds to. So you can see on the left we've got a really big fat block around 900 MHz, but that is effectively this thing transmitting on every possible frequency, in every possible channel, between about 850 and 950 MHz. Turn that thing on and 850 to 950 just stops working. Likewise in 1900 mode you can see again the major peak is a little further over. It's pretty clear that this does what we need it to do. So what
happens when you Jam a cellular band what happens when you know I turn this thing on and you know broadcast 100 watts of noise of course I haven't done it I'm not stupid if you were to do this if I was to plug this thing into my hundred watt power amplifier and I was to connect it to an antenna and turn the whole thing on it would probably knock out gsm cdma 3g Verizon you know pretty much every cell phone service there is for most of Las Vegas if not further so yeah I am not turning this thing on the main reason that I have this is because it's a fabulously useful piece of test equipment if you're trying to classify filters you put white band noise into a filter and as long as it's nice and smooth you can compare what comes out and very very accurately characterize your filter that's what I use this for not for for do s and the thing about band jamming is that there is no way to defend it's impossible cannot be done short of swamp in it with with more and more power you do any need a short burst few seconds but it's the way way way too offensive for what I'm doing here so as I said 100 word of amplifier and a reasonable antenna would probably knock out Las Vegas cellphone systems so another technique that we can use to make handsets handover there's a command that the BTS can send the handset that basically says treat my signal as if it was stronger than it actually is meaning that if if I just let's let's say you know on a scale of you know plus 50 to minus 100 let's let's anyone who knows RF will will understand why I'm choosing that range but plus 50 to minus 100 let's say my signals coming in at minus 80 really really low I can say to your handsets just just add a hundred to that would you and I'll go okay you've got a you know 20 DBM signal that's fine you're the strongest tower around now I'll connect to you it's it's ridiculous and it's it's again it's another great example of some of the instructions that a BTS can send a handset so you know I don't even 
necessarily need to be the strongest signal I just need to have a signal that you can pick up and be telling you that I'm the strongest signal it's it's ridiculous and the handset will comply it has to comply because that's how GSM works when the handset gets an instruction from the tower it complies with it of course the attacker can make use of this you know of course it means that he has to use less RF power to win the strength competition with the local towers open BTS doesn't actually support it yet so I won't demonstrate it here this is actually the essence of the Rhoden Schwarz patterns on MZ caches there was a case in the UK where someone was selling MZ caches rohde schwarz sued it effectively came down to this one technique spoofing MNCs MCCS network names it's it's all trivial but you know this this one technique is the the one that's patented so I mentioned earlier that we we don't see inbound calls we only see outbound calls effectively the MZ capture is a completely isolated cellular network as far as your carrier's concern your phone is off it has no signal it's just it's not there so of course they're going to send calls inbound to your voicemail where else are they going to send it your phone's off so the attacker doesn't see the the inbound calls so the way that we get around this is obviously if you're connected to my my tower my tower has to authenticate you therefore it will ask for your MZ and your phone will quite happily supply it so I know you're in Z what I can then do is I can you know go to AT&T and say hey here's my MZ I'm spoofing this guy over here but you don't need to know that this is my MZ and I know that this guy is not on the network because he's on my network therefore it's perfectly safe to do this without you seeing two phones so I am this MZ the problem with that is that we don't know the secret key in the SIM card we don't know ki and what's going to happen is the the when I claim that MZ 280 or t-mobile they're going to 
send me a random number a 32-bit number just a challenge and what normally happens is that challenge gets passed to your SIM card gets encrypted with your secret key and then split into two parts half gets returned to the tower is just kind of proof that you know the secret key and the other half is used as the ciphering key well what I can do to exploit this is I can just pass that random challenge along to your phone whereupon your phone will happily you know encrypt your secret key with it and all the rest of it and send the result back to me but the result doesn't come back to me as you know here's the here's the answer the the session response I do get just kind of here's the answer but the the secret key I have to crack and and here's the the great thing about MZ caches as opposed to you know kraken and air probe and those kind of things cracking an air probe how many folks saw that release our blackhat the the a 5-1 cracker so the the big limitation that that thing has is that it doesn't work on frequency hopping base stations which virtually every base station in the civilized world is so it kind of doesn't have real world applications well in this instance I'm the base station I set the hopping sequence so I can just say to you okay let's negotiate a 5-2 because I can break that really easily and then let's disable hopping so that you know I don't have to worry about that and then I can use these rainbow tables to crack your secret key whereupon I recover the session key I now know the session key and the the session response which was the authentication response and I can just reuse it all to the carrier and as far as the carrier is concerned okay it took a few seconds for me to you know establish a challenge to your handset and then crack it and all the rest of it but at the end of the day I provided the right response to the carrier so hey I must be you it's it's it's not implemented in this system yet but it's it's definitely possible to do it's the 
technique that commercial empty cottage m-z catchers use to catch inbound calls certainly yes I cannot do that in this system currently but it is absolutely possible with empty caches so just a little more on breaking that session key it is the only time when you're using an energy capture that any cryptography is needed at all the majority of the time I just configure my base station to just negotiate a 5 0 just disable encryption what do I care if I negotiate a 5 to a 5 to is very very easy to crack much easier than a 5 1 so you know that gives me a very quick way into your handset alternatively you may reject a v to regard a 5:1 well clearly a 5:1 is is still you know crackable and we can still do that but in either case any calls that originate from your phone come to me as plain text so that's the solution to all of this you know how do we how do we fix this and the reality of it is that there is no good solution not in the context of GSM GSM is broken it is the telnet of cellular systems in order to fix GSM you'd have to redesign GSM and if you're redesigning GSM you have to upgrade every handset you have to change every tower you have to change the networks that live behind them so why bother if you're going to that much effort to redesign everything why do you just move to 3G the solution here is 3g and later protocols 3g authentication is much better obviously three and a half g 3.9 g LTE all of the subsequent protocols build on that as well the primary solution here is turn off 2g unfortunately how many people have Android phones you see in the setting that says use only 2g networks yeah supposedly saves battery how many people have ever seen a setting on a phone that says use only 3G networks ok BlackBerry has one certainly Android doesn't iPhone doesn't so how can we be secure here certainly 3G is is it showing cracks it's not been broken broken the kosumi cipher has been somewhat broken but the 3G protocol hasn't so yeah just use 3G look for that icon 
on your screen with a little 3G if you see that then you're pretty good alternatively just treat it like a data network just you know layer another put another layer of crypto on top of it treat it like voice over IP just use it as a data network treat it like the internet encrypt everything that goes across it just just don't step and then in the long term that the big solution is to just turn off 2g which will happen eventually as you know three and a half G and 4G are deployed more widely hopefully you know now that you know I've demonstrated this there'll be little argument that you know it's totally possible to intercept 2g phone calls so hopefully we'll it'll spur some uptake of 3G and you know we'll see where it goes so one final demo let me just see how many Tim Z's we have connected here seventeen okay so people are actually handing back to the normal network that's unusual certainly there was a lot of handsets connected to start out with it's possible that I actually get a mistyped AT&T though I think there's some spaces in there so it's entirely possible that your handsets are connecting to me I go oh you're not spelling AT&T correctly I'm out and I'm out of here so either way certainly you know feel free to make some calls through it the only limitation is that you have to dial one in front of the number or you know whatever country code you want you're only limited by the twenty dollars of credit my sip account feel free if you've if you've not heard the recorded message then you know like I say connect to the network and you know have a play it's it's it's there for the next couple of minutes while I take some questions so yeah have fun you
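The talk names three things a handset can observe when a rogue 2G base station is at work: ciphering negotiated down to A5/0 or A5/2, the location area code being rolled every few minutes to provoke handoffs, and a perfectly usable 3G cell suddenly replaced by a 2G one. The following is an added example of checking for those indicators from the handset's side, in the spirit of the "just use 3G, look for the icon" advice; it is not code from the talk or from OpenBTS. The `CellObservation` record, the thresholds, and the two sample traces are constructed for this illustration and stand in for whatever a phone's baseband diagnostics actually report.

```python
"""Heuristic rogue-2G indicators over a handset's cell observations.

Added example, not from the talk or from OpenBTS. The observation format,
the thresholds and the sample traces below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WEAK_2G_CIPHERS = {"A5/0", "A5/2"}   # A5/0 = no encryption, A5/2 = weak export cipher
GOOD_SIGNAL_DBM = -95                 # a 3G cell above this should not be abandoned


@dataclass
class CellObservation:
    t: int           # seconds since start of trace (constructed)
    rat: str         # radio access technology: "3G" or "2G"
    mcc: str         # mobile country code
    mnc: str         # mobile network code
    lac: int         # location area code
    cid: int         # cell id
    cipher: str      # negotiated cipher, e.g. "A5/1"; "UEA1" used here for 3G
    rxlev_dbm: int   # received signal level of the serving cell


Finding = Tuple[int, str, str]   # (time, indicator name, detail)


def detect_indicators(obs: List[CellObservation],
                      lac_window_s: int = 600,
                      max_lac_changes: int = 2) -> List[Finding]:
    """Walk the trace in time order and emit one finding per indicator hit."""
    findings: List[Finding] = []
    lac_changes: List[int] = []          # timestamps of recent LAC changes
    prev: Optional[CellObservation] = None
    for o in sorted(obs, key=lambda x: x.t):
        prev_cipher = prev.cipher if prev else None

        # Indicator 1: 2G ciphering is A5/0 or A5/2. Reported once per change of
        # cipher, so a long stretch on A5/0 produces a single finding.
        if o.rat == "2G" and o.cipher in WEAK_2G_CIPHERS and o.cipher != prev_cipher:
            findings.append((o.t, "weak_cipher",
                             f"2G cipher {o.cipher} negotiated by cell {o.lac}/{o.cid}"))

        if prev is not None:
            # Indicator 2: LAC rolled repeatedly inside the window. A real move
            # between location areas is rare; several changes in ten minutes
            # while stationary is the "roll the LAC" trick.
            if o.lac != prev.lac:
                lac_changes = [t for t in lac_changes if o.t - t <= lac_window_s]
                lac_changes.append(o.t)
                if len(lac_changes) > max_lac_changes:
                    findings.append((o.t, "lac_churn",
                                     f"{len(lac_changes)} LAC changes in {lac_window_s}s "
                                     f"(latest {prev.lac}->{o.lac})"))

            # Indicator 3: a strong 3G serving cell is replaced by 2G. Normal
            # fallback happens when 3G fades; fallback at good signal is what
            # jamming the 3G band looks like from the handset.
            if prev.rat == "3G" and o.rat == "2G" and prev.rxlev_dbm >= GOOD_SIGNAL_DBM:
                findings.append((o.t, "rat_downgrade",
                                 f"3G cell at {prev.rxlev_dbm} dBm replaced by 2G cell "
                                 f"{o.lac}/{o.cid}"))
        prev = o
    return findings


# Constructed trace: strong 3G, then an unencrypted 2G cell whose LAC keeps changing.
SUSPICIOUS_TRACE = [
    CellObservation(0,   "3G", "310", "410", 1234,  5001, "UEA1", -75),
    CellObservation(60,  "2G", "310", "410", 666,   10,   "A5/0", -60),
    CellObservation(120, "2G", "310", "410", 31337, 11,   "A5/0", -60),
    CellObservation(180, "2G", "310", "410", 31338, 12,   "A5/0", -60),
    CellObservation(240, "2G", "310", "410", 31339, 13,   "A5/0", -60),
]

# Constructed trace: 3G fades, handset falls back to an A5/1 2G cell in a new area.
BENIGN_TRACE = [
    CellObservation(0,   "3G", "310", "410", 1234, 5001, "UEA1", -75),
    CellObservation(60,  "3G", "310", "410", 1234, 5002, "UEA1", -102),
    CellObservation(120, "2G", "310", "410", 1240, 7001, "A5/1", -85),
]

if __name__ == "__main__":
    for name, trace in (("suspicious", SUSPICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        print(f"== {name} ==")
        for t, indicator, detail in detect_indicators(trace):
            print(f"t={t:4d}s {indicator:14s} {detail}")
```

The cipher check is the one with the best signal-to-noise ratio: a legitimate network has no reason to run A5/0 with a subscriber whose SIM supports A5/1 or A5/3, so a single hit is worth a notification. The LAC-churn and RAT-downgrade heuristics need the window and signal thresholds tuned to the handset, since moving vehicles and coverage holes produce the same observations at lower rates.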
Info
Channel: DEFCONConference
Views: 47,832
Rating: 4.948905 out of 5
Keywords: Presentations
Id: fQSu9cBaojc
Length: 52min 32sec (3152 seconds)
Published: Fri Nov 08 2013