WiFi-Based IMSI Catcher

Captions
morning everyone this I'm Pierce O'Hanlon this is a Ravi Shankar Borgan ah and we've been working on something we've dubbed the the Wi-Fi based empty catcher and so we're going to take you through just a quick overview of what we're going to cover in the presentation so firstly just for those of you who aren't aware like what is an MC and then we're going to talk about conventional MC captures MC is basically just the identifier that's inside that identifies a subscriber the international mobile subscriber identifier and there are conventional devices have been around for a while one sort of trade names like stingray that sort of work in the mobile spectrum but our approach operates in Wi-Fi and it basically exploits some two issues to solve functionalities within [Music] the wave mobiles basically smart firms but can the other devices connect to automatically connect to Wi-Fi networks based on their I'm MC and also another technique that's based around when devices connect to the sort of operator services for Wi-Fi calling so then we're going to talk about mitigations for the operator vendor OS and user mitigations and then a demo so what is an MC is basically as I said international mobile subscriber identity typically a 15 digit number the first couple of digits indicate the the country code and then the next couple will the first three actually country code next two or three sometimes depending where you are indicate the mobile network provider in which this one's just to kind of made up one two three four is actually the the UK code and twelve is some kind of rail track one but it just happened to be two three four so I just don't put it in there because what I've done in the demo I've I've used that same MC is the kind of demo in seekers I don't want to be splashing wheel ones around then it basically allows for the authentication of a device to the network it's the identifier so you username in a way and then that keys that then allows the the phone and the 
operators databases to then index your secret key which is which they both have a copy of and then do this network authentication procedure and it's typically installed within in two places basically inside the SIM card in the phone and the MC can actually be read off of the off of the actual SIM card using like a SIM reader one of these little cheap those are things or you can spend a lot of money but basically it's pretty straightforward to read an MC off of assume if you actually got it in your hands but it's generally another story if se San a device and you want to try and find out what's the MC of like that sort of this mobile phone here like sitting on the desk that this is what we've them the technique we developed to do that they're also inside the the SIM card Azzam the secret key which is kept secret you can't access that you can't just source a and plug it into that reader and say give me like secret key it it doesn't happen it's kind of protected you can basically just provide you can send it a random number and it'll then carry out some algorithms to do the authentication challenge then it's also sword in the operator so they clearly need to have it to the verify that it's but it's a legit and subscriber so it's also an identifier that some can be used to tracking so it's a fairly unique identifier that basically is tied to the subscriber type to the sim and typically people don't change the sim Ralph and so it gives you a good idea of them who it is but there are also a bunch of other identifies associated most smartphones these days like Wi-Fi Bluetooth NFC addresses like the MAC address all those you maybe where they have been moved to make the Wi-Fi MAC address a bit more elusive iOS introduced a Mac randomisation on Wi-Fi probing I think in iOS 8 and then they've taken it slightly further forward Windows Mobile introduced it and Android is is bringing it in as well and then this other device identifies them more associated just purely with the 
mobile phone the IMEI the international mobile equipment identifier which is actually just tied to the actual hardware of the device it never changes in fact it's kind of illegal to go changing as that that that identifier but that can also be tracked with some of the sort of conventional NC caches do a downgrade attack and then you go into a 2g attack and then you can extract the the IMEI and then there's what sort of technically known as the MSISDN which is actually just like a phone number thanks potentially it can also be used for tracking but that's typically not that easy to get hold off although the wrong sort of subscription services out there that allow you to look up in MC and then find out what they potentially find out what the corresponding numbers are some of these are probably in a bit of a grey gray area so now going to hand over to a Revie who's been working in the conventional empty CAPTCHA world for a little while he's going to give you a overview of that yeah so if you mean some of you guys real last year in black a tree that was in Amsterdam so we had a talk on LTC caches we explained some porgy and she catches how to build an all those but now I'm not going to detail just to give introduction briefly about what with a conventional implicature what they basically use now the title says Wi-Fi way seems so you may have a question in mind whether you just crack the guy or whether you also intercepting his data communication or maybe or call for example right so basically all the duplicates it has a two purpose what they use the first is purely about the tracking so first they wanted to talk like the users so this could be either targeted attacks or maybe just just listening all the surrounding users and try clicking for fun guardian deity who belongs to whom so there are multiple ways of going to say targeted targeted attacks or maybe just a random attack the second is interception about okay now once you crack the guy you know is identity you fix 
you a target now so what you could do from that now you can ask him to attach to your MC catcher like a stingray device and then you try to intercept his call or sms now of course you need a back-end support to to let him feel that this is the right base station you are talking in here and he doesn't feel any interruption between the call if he feels something of course he gets alerted that something is bad which is happening here so there has to be a efficient connection to the back-end telco provider by any means so I'm not covering those mains but there has to be a enough connection there has to be a technical capability to connect to this MC catcher back in the telecom network so that if the normal guy is making a landline call it should she was able to make a landline caller mobile call for example right so the second part is about interception so same goes apply with SMS and as well a data connection now with the data connection there is a possibility I wake up can we come to the next slide with with with the 2g and 3G differences and with instigators of course operates on a licensed mobile grants of frequency bands and this could be gsm 3g and 4g in the market right now we have seen already GSM and 3G there are some actually if you Google buy sell use Google you know so find various communication product which also says that they operates on a 4G plan for GP quinces advantage but the problem is okay most of them claim they try to do downgrading so basically they just jam the frequency which is operate for 4G or 3G and they ask you to come back to pootie so as you may aware that to here lady has a lot of lots of problems there is no mutual authentication and easy you can we stop using a2g calls and it's way easy then 3g and 4g so all the bands available but it just it's a matter of whether somebody is downloading you are not done reading it and by definition of course what this thing is a device columns together means somebody just bring some kind of device 
which is acts like a base station nowadays the base station size is not like a big mix you see in the building so basically the smallest size in the market or you may guys have some actually if you live in UK right now you can also buy this small like a DSL modem boxes which is like this station basically and you can also like small device you can buy the buy the device on and convert into him she catches five is getting really long what it does basically just try to connect all in surrounding mobile phones which has a limited range like a 50 meter until depending on the RF capability of your device and then you can ask the devices to connect you and they operate in a two mode which I somehow explained initially so first is passive mode passive means you are just acting as a bad guy and listening on that is doing nothing so you just looking at the broadcast packets what you can see any identity or any any parameters if unfortunately if there is no encryption there you may see some extra information like calls and SMS but depending on in there is encryption or not so the passive like can't really do anything but definitely he can try to infer the MC because again now we are not going details because next to appear will talk about the Wi-Fi but in mobile networks basically what happens if you're getting a call like incoming call or data connection what happens the base station sends you the hi message which which contains your identity so it could be the MC which Pierce already explained or it could be at MC or like another term with which we using posey called G UT ID so that may try to infer you this is you guys and this is what the passive is path instigator does it just monitors everything on the RF sign and try to infer your identity so there are different techniques which we explained in last year in active soil then somebody just try to bring the base station which tried to mimic as your operator for example you are using a Vodafone SIM card and the attacker 
will set up this base station of the Vodafone so your phone automatically sees there is a Vodafone base station which has max which has a nice signal strength and our phone is designed such a way that along and he sees a maximum powers plane from the near base station if you just try to connect the connector there instead of the base station which has a list of power so somebody can exploit that vulnerability so somebody just bring base station near to you so it will just automatically disconnect from the base station which is on the building and if you connect to the attackers which is nearby so this is like cream cheek acid and this can be used for intercepting your calls as well because this is this has some capability to support the call functionality or internet functionality and also to intercept your SMS because we need to give the feel that the SMS is being really delivered of course once you can have in mind like okay I can drink active base station and I will just intercept every calls and I will not deliver to the network but that's fine but the user may get alert that okay I'm sending I'm making a call everything under its being ringing but actually nobody is taking the call so he may feel something weird so it's about without detection so what is the cost on those boxes basically so commercial solutions are quite expensive if you wanted to buy like a special MC catcher but now again this statement is kind of bad if I stay like this now if you just do Google Alibaba you can just go on Alibaba or find any other commercial tools Russian and Chinese you may find that somebody's trying to sale for $3,000 or maybe until $50,000 and you can just buy this boxes we originally these box boxes are only allowed to buy or sell for the government agencies but now you maybe make it you can also buy those words or you can build yourself with a just laptop and there are lots of software defined radio platforms where you can install open-source software like much more 
calm open BTS even the 3G version we have open BTS UMTS plus the 4G sorry open LT and install so if we have a different variant which are used for the research platforms but they can be also convert into MC catch and this technology of MC catches has been long time since 1990 and it has been fighting it first time pretended by the German company rohde & schwarz which was back in 1993 so there are also other patterns about the sims ii catcher which the way you track are the people around that look for the information so before we head to the main talks just to give a difference between this 2g and 3G and what we could do actually there and and what is the flaw because now when we talk about this next wireframes you get said you will also see there are some kind of the same similar kind of flaw we exploit basically this is about the design the way our mobile communication work or authentication in the sim card or the way users subscriber actually authenticated on a 2g we know that they exploit the protocol flaws when there is a no mutual authentication between the base station and mobile phone so this is like a existing floor this can't we fix for 2g communication unfortunately so it allows for tracking an interception somebody can just bring thick vegetation say hey I'm this guy and let's talk mobile phone can't do anything and the saddest part in our site is that mobile phone is always act as a dumb device in the protocol communication so whatever the base station tells do this it just access let's do this so this has been fixed in 3G and 4G the fake base station comes and hey talk to me in a plain text it will say no I'm not going to talk to plain text at least he'll integrity protection messages that he secretly use a key integrity key to talk to each other of course they can disable encryption but there is a integrity key whether you can trigger but this is only available in 3G and 4G but not into G so 2g is completely problematic if somebody brings a fake base 
station and the sizes on the sea on the picture with this one with a few GM 4G so again they exploit the same architecture issues like somebody can bring a big base station it can get the identity but they can't really have a key to talk to each other after the authentication so still find what somebody can easily track and difficult to intercept and that's what the claim because you see in media article ok somewhat equal to 4 GHz capture and they're trying to intercept node this is not possible because you're not going to get the key which is used to talk to the communication this key is only belonged to the operator and and until unless you have all the key material you can't really decrypt anybody's calls or communication even very good when you are using a 4 GMC catcher and commercial all the products in G capture they try to downgrade you or use of legitimate base station which is also possible like in 2012 blackhat we have to talk about using a femtocell which is like I said small base station of roads you can buy this this is like a small embedded Linux box which you can compromise this box you can act you can just root on the box you can try to circumvent ipv6 I saw the IPSec communication extract the key and basically you see everything in plain text and that's possible if you bring this kind of solutions for 4G interception acts as in C catcher that's possible on the picture you see this is like a small way station which is used for the emergency purpose so what this base station has this has a back-end satellite connection and if somebody brings this kind of solutions has a for DMZ catcher in the backpack output then actually can intercept every 4G call that's complete this is called a legitimate base station which has a back-end support of some operator and now you may question some shady operators may have some connection to do that but now okay what is the production on these MC caches and why we have to look in the white car right so there is no 
protection available for the phone which you carrying in your pocket now like you if you have a iPhone your Android phone your Windows Phone your blackberry there is no such app can work effectively to detect this kind of attacks like somebody is really tracking you are not tracking you okay there are some special tools there are some apps available but the special phones can only act as an I would say some limited options you have there so those those are the phones which support sent it could calls as well they cancel they can acted they can have a special tools as a firewall for the base band which can try to prevent those traits they can try to be take the silent SMS and all those nasty attacks but those are expensive the cost is really go until I don't know exactly exact price with lot and I remember from the price from the guys dimension of about 3500 used to load something around that and there are some apps which we also develop at self like we I have a talking Ida talking black a 2014 about app called their check we develop that app to detect MC catches but this was only works on Samsung phones samsung galaxy s3 which has an Intel based band and the later s our labs in Germany they also introduce the app called smoothly so you can install those apps and try to get acclaim she catches right so this also was what you need to route the for and not every normal user could do that but now again it comes to the back so what is the protection you can turn off your flight more you can go into flight mode and you can just use a Wi-Fi for your all the communication and you are still secure right and now this used to be commentator this is the best protection somebody could suggest so use like a Wi-Fi or use Multi hotspot technology like bring another phone and take this spoon as a hotspot Wi-Fi hotspot and then connect your phone to this middle phone then basically if somebody attacks they can try to attack this spoon which doesn't belong to your identity and then 
you can use this your phone attached as a Wi-Fi so basically we had a intermediate layer which to talk get total out there or you can just use a Wi-Fi but now Wi-Fi has a different things and that's what we're talking this that's what we try to introduce in this talk due to the convergence of all telecommuting technologies and everybody just want to use now Wi-Fi calling our Wi-Fi features and why this is just a technical terms about just before I handle it appears because mobile operators are running out of the so they try to introduce new techno technologies because you don't get the coverage inside the house or inside the office buildings right and at that time you can't use the normal mobile connection or signaling soap or you can't do either you introduce this small base station or now they are supporting to use Wi-Fi to use your normal mobile functions so you will be using Wi-Fi but basically you will use all your billing plan what we have on a SIM card and that's we definitely do some new traits which now pyramids try to introduce you with the Y prime sketcher okay thanks Ravi yeah so basically talking about the Wi-Fi based MC capture as Ravi mentioned some of the conventional MC captures provide forum additional services like interception that they have r1 provides for basically picking up detecting the MC and essentially working out the location potentially working out the location from that I mean typically if you can catch the MC whether it's a conventional one or or r1 you typically need to be co-located with the with the target and so you kind of know roughly where they are but so this our system allows you to basically extract the MC but not actually intercept the calls and it operates in the is M bans the industrial scientific medical bands which in which Wi-Fi operates typically in 2.4 gigahertz or five five gigahertz there's others as well so the range is Wi-Fi range although course that can be extended you see these kind of things people will 
stick in Pringles packets and and all that kind of stuff to extend the range I mean it can be can be done with more sophisticated approaches so you can get quite a bit more range out of Wi-Fi basically and it operates by well I'm going to go into the detail one one approaches of a fake access point and then other the other technique is about either sort of spoofing redirecting traffic to a operator data gateway and we're exploiting weaknesses in the protocol or configuration to achieve this so basically just said we've them the MC caches based upon two techniques the Wi-Fi network authentication which is one portion as if it's defined in this 3gpp the a mobile standards body basically in standard TS 33.2 34 who needs to know the details and these are this is how they refer to within in the spec they call it WLAN direct IP access and then Wi-Fi calling authentication is referred to as W and 3gpp IP access and we've discovered issues in these two technologies and the costs this is of course pretty low and basically virtually any Wi-Fi capable of computer so anything from a laptop kind of downwards Raspberry Pi that allows P PI 3 has a little inbuilt Wi-Fi these days and just quite handy so just looking briefly at some the Wi-Fi network attachment sort of when you win when a device when the phones or tries to connect to the network and what kind of networks are there out there will a sort of unencrypted Wi-Fi access points no password basically but then they often have something called a captive portal which is the sort of little sheet pops up when you try and connect to them and they'll ask you for some credentials potentially or just type in your email address or whatever it is massively based on something called whisper this protocol although it can be based on a bunch of weird hacks as well it's it's a bit of a messy area of course if they can just be completely open as well Google interests interestingly enough on Google's and fie service and relies upon open 
Wi-Fi access points it says and it then it sets up a little VPN which they use but it's not really available here so we've had a brief dig into it Bradbury and found anything particularly interesting so far normal encrypted Wi-Fi access points were the sort of pre shared password credentials which you use to then get you connected and then there's these auto connect Wi-Fi access points I mean there are some in sort of like companies run them in things but then the RISM there are different types of way the automatic Wi-Fi access points work but specifically we're looking at these access points that are essentially managed well not they're basically managed by the mobile operators and they allow a mobile phone to negotiate to basically connect to the Wi-Fi network automatically without any user intervention and and it does this by using the credentials in the sim card basically the MC and the key and this is controlled by operator provider configuration that gets loaded onto the phone so it can either be users have to configure it manually or there is there is some automatic type of configuration so it's a little closer look at those automatic configurations because those basically mean that nudists your phone kind of without you particularly I'm asking for it we'll just your operators configured the phones to automatically connect to certain Wi-Fi networks so a lot of big big brands have their sort of auto Wi-Fi networks you'll see that often sort of said Auto ATT or Auto EE or and then there are sort of more obscure ones Oh tunes and Wi-Fi extra and Vodafone Wi-Fi this there's a bunch of them I mean they're they're quite handy because basically they they allow the phone just connects to Wi-Fi and just you get to the fallback to Wi-Fi so you get faster data connection depending on where you are but this it works in actually automatic configuration is is is set up on on actually a number of Android and Windows phones because if you look at some of the web pages for 
some of these operator offerings they say that certain brands are phones and it includes Windows Android and iOS we've had a bit of a closer look at io s iOS also configures the phones based upon the inserted sim and actor activates an operator specific mobile config file and then that then configured the device depending on what sims in there to have a bunch of pre-configured auto Wi-Fi lists in there and we do a brief analysis of iOS 9 and found more than 50 profiles nearly 60 odd profiles containing auto Wi-Fi type networks there's also a bunch of other configuration in there manual ones um so some and some Android devices require manual config so you basically have to follow the instructions on on an operator website and it's as pretty simple sort of stuff you just happen on network and then select in the drop-down like sort of seeing it said as the the authentication technique and then once you've done that once then it then connects to those to that Network then repeatedly and then Android also provides some additional carrier control mechanisms and in the Seoul newer versions of Android ISM the various sort of API is basically coming out that allow for configuring of the phone based upon carrier profiles so this automatic Wi-Fi authentication having a closer look at that that is sort of yet another standards body the I Triple E and 802 dot 1x and which is important at work access control which basically defines the use of a protocol called extensible authentication protocol or eat so for short which is defined by the IETF the internet Engineering Task Force and that basically specifies transporting of this eep protocol over over the land over over Wi-Fi or over like we thin out or whatever so it's called a pole EEP over there anyway so this is rather a lot of those sort of standards kind of being put together and in our case looking specifically at what's happening when the phone tries to connect to the one of these auto Wi-Fi networks it's based upon two 
particular methods one the first one EAP sim which is it's specified in in an internet Engineering Task Force standard and it is based upon Zoar GSM security model with some enhancements so there so it's actually slightly better than just the basic GSM approach but it and it does have some issues but it is currently the most widely used at the moment for phones to connect to the to the to the Wi-Fi networks the results are something called eat akka which it's based upon 3G and security and and that is designed to be deployed that provides a stronger connection but unfortunately both of these and have the issue that we discovered which we'll talk about them shortly the support for these protocols is is actually implemented in Android iOS Windows Mobile blackberries are basically mostly world smart phones and we we've been the good guys we we spoke to Apple and Microsoft and Blackberry and they'll they kind of got around to replying acknowledged there was an issue and an app Apple have been probably carrying a flag on it a bit they did take things forward and they actually deployed developed a new feature to go into iOS 10 as a result of them of our discussions with them something called conservative peer which I can explain in a moment it's basically due to the to the interactions we've had with them so we've been talking them for like over six months about this issue and we've also talked to the to the GSMA the GSM Association which is basically represents some kind of most of the world's operators gave a talk to them about the issue a couple of months back and just sort of raised awareness there that maybe because it's such a big issue no one's really thinks I was my fault so maybe a world made of all privacy bounty or something like that no one no one kind of quite feels that they can they can stop it so there's no there's no kind of bounties involved in this work but it's it's it's it's something that we're looking to try to get fixed but it's a feature that's 
useful for most people so it's being deployed in many countries and the adoption is growing so be good to sort it out so basically it comes down to they eat same and eat acha these two protocols I mentioned the identities that are exchanged in these protocols and there are three basic types of identity used in the authentication phase and well the one of them particular interest is what's called the permanent identity and which is in this case is the is the MC and typically the permanent identity is exchanged but the kind of initially basically when the phone first the trans to the network and tries to connect to the Wi-Fi and after that then then there's going to be these temporary IDs which are the next two there's what's called a pseudonym identity which is basically a kind of them it's what's a pseudonym for the for the MC so it's not the MC but it kind of fits like it and it has a it has a sort of a lifetime so then you can view your phone then will and send over the pseudonym so then if someone sees that so flying of the wired and they're not this is already going to say that's audits as that guy DMC but then the protocol needs to exchange these pseudonyms and renew them and so on so there are some issues around using pseudonyms then there's another one called the fast real indication identity which is an a sort of lower overhead identifier basically because the first interaction when you're using the M the MC to actually do proper check on it your phone so hands over MC and then that gets handed in to the network and then the net were then ultimately has to go to the kind of back-end system ins also like whereas this guy's MC and where's the key and let's do the proper cut the graphic exchange and so that's done on initial connection but then you think at this fast relent ocation ID which is then can then be used so it can just be used in the sort of the more the edge system so they can then just uncashed that fast rate of indication ID and then do a quick 
way authentication when you kind of come back so like for example on the London Underground it'll pop between stations and you'll reopen to gate every time so it speeds Duff up like that and walking down the street there be multiple access points you don't have to talk into the kind of deep end of the operator back systems so those are the three and then the actual behavior is is affected by and what about the peer policy so there's a sort of current default is called liberal peer which basically in this protocol you can solve say give me your best identifiers and typically your best one if you've got a fast real authentic ation one you'll send that one and and but you can also say give me your permanent identifiers and and with liberal peer phone ss-sure here's my is my MC so and it'll just hand it over but with conservative peer which is a sort of future deployment option and it's it's part of the it's in spec but it's not generally being implemented but it has now been implemented in iOS 10 I mean it may be in Android in some of the newer versions but I'm I've been in touch with Google but they haven't specifically mentioned it conservative peer only responds to requests for permanent identity as in your mg when there's no pseudonym I didn't available so it basically makes it a bit a bit harder to extract the the MC from from the device so how is this actual conversation that we've been discussing how does it since how does this EAP sim work like what happens of the packets and typically eep is a this is general there are lots of sort of methods and it's an authentication protocol if exchanges sort of them kind of basically some kind of credentials and it's not encrypted it's not encrypted sort of them interchange and currently eat sim ibaka when it's run a poll sort of over over land this 802 dot 1x the way that it's deployed at the moment is unfortunately unencrypted so thus the MC is visible to a passive attack when a permanent identity EMC is used for full 
authentication, that is, an initial connection, and it can also be revealed by an active attack, basically by requesting it for authentication, which is the sort of ugly one here. So it means that it can be obtained, and we tested this out. But you'll be happy to hear that, as we mentioned earlier, the actual content is still protected: while one can get the IMSI, and you can observe the whole authentication interaction, as with most cryptography you can look at the cryptographic interchange but you can't actually work out what's being said. The key exchange process is designed so that the keys aren't transported in the clear; they're negotiated at each endpoint and retained there, so content is still protected.

Now there are protocols that can allow for protection, basically encryption of the interchange, like for example EAP-TTLSv0 as it's currently defined, and EAP-TLS; they are potential ways of protecting it, but they do then require support in the mobile OS and the operator and all the vendor systems so that it can be deployed. So that's the first approach covered, and I'll give a demo on that. Basically the IMSI can be revealed in this interaction when a mobile phone tries to connect to a Wi-Fi network which is configured to use EAP-SIM or EAP-AKA in the current configuration.

So moving on to the next one, the Wi-Fi calling connection. What happens here when a phone is using Wi-Fi to make a call? This is the Wi-Fi calling that's actually built into the OS, typically: iOS has had it for a while, I believe Android has had it for a while, and I think Windows has had it too, but it's starting to rise in terms of deployment and usage
because it is rarely mentioned. It provides offload, and in black spots and stuff like that you can use Wi-Fi. This is different from all the over-the-top apps like WhatsApp, Signal and all the rest of them; this is actually working with the operator. So what happens is the phone attempts to connect to something called the edge packet data gateway (ePDG) over Wi-Fi, and it can make voice calls over this connection. The phone will attempt to connect to the ePDG when it's in areas of low signal, or it will also connect when it goes into airplane mode and then you flip on the Wi-Fi, interestingly enough, and that's what I'll show in the demo.

So the connection to the ePDG uses IPsec, the IP security protocol, which people are aware of, and there's an exchange at the beginning of most IPsec connections which is used to do the authentication and key setup, and the particular protocol used there is called IKE, the Internet Key Exchange protocol, version 2 right now; version 1 was a few years back and had some problems, so they cooked up a new one. And as I said this is supported on iOS, Android and Windows, and Wi-Fi calling is available in a bunch of countries. Again, we've mentioned this one to the OS guys and to the operators, and they're aware of the situation, but it is a bit of a systemic kind of thing; it will require a bit of work.

So anyway, let's go into the details here, a quick overview. IPsec basically provides for authentication, confidentiality and so on, with these two, AH and ESP; ESP is actually encrypting the payloads, encrypting the voice. Key management is then done by this thing called IKEv2, and you've got two modes: you've got what's called tunnel mode, which is used for the connection to the gateway, so any packets from potentially different entities on our network we can send through a tunnel, and transport mode, which is
just direct, point-to-point. So what happens in this Internet Key Exchange? Well, there are two phases. There's something called IKE_SA_INIT, which negotiates cryptographic algorithms and exchanges stuff like nonces and everything, and does something called a Diffie-Hellman exchange, which basically sets up a key pair to encrypt the following exchange, IKE_AUTH, at which point identities are exchanged, in our case using EAP-AKA, and so the IMSI is being transported. Now it is encrypted here, but unfortunately this initial exchange is not actually protected by a certificate right now, so you can set up a man-in-the-middle and basically pretend to be an ePDG; the phone will connect to it and then it'll basically say, here's my IMSI. So that is the second issue; the IMSI is revealed in this situation as well. So it's basically two separate techniques to extract the IMSI from smartphones; the actual core content again is still protected, so it's just an identity attack.

So what kind of mitigations are there? Well, I think one of the things that it would be good to sort out is to move off EAP-SIM as the default and move towards AKA, because EAP-SIM is weaker: it uses some of the GSM cryptographic technology, which isn't quite as strong as the EAP-AKA approach, though there aren't any known attacks on it as such. The other thing is to deploy this conservative peer mode of operation, potentially even with EAP-SIM, but preferably with EAP-AKA, and then looking at a certificate-based approach, which would then require investing in putting certificates into the AAA infrastructure and would then provide for protected tunnels for the EAP over WLAN access and for the Wi-Fi calling, so basically using the protocols I talked about, EAP-TTLS plus EAP-SIM or EAP-AKA. And then
looking at other potential solutions, like encrypting the IMSI, and there are other standards that have been mentioned as possible ways of protecting the IMSI. So we'd urge the standards bodies to take another look at this, because there are solutions in there, they're just not really being deployed, and they're more expensive to deploy, I guess, but then it depends on how much you feel it should be protected.

And so mobile OS mitigations: well, we need to support some of these protocols that we're talking about, so conservative peer, pseudonym support, and then you've got to support the certificate-based approaches and implement those in the OSes. And then a thing that would be nice is to allow a bit more user choice over automatic Wi-Fi network access, which currently is a bit tricky, preferably allowing for editing all stored associations.

So user mitigations: well, with iOS you can actually, if you're near one of these automatic Wi-Fi networks, tap on the little info thing and then say don't auto-join, and then, as I mentioned, the conservative peer in iOS; with Android you can forget the network in the settings there, and for the auto Wi-Fi again similarly; and you can selectively turn off Wi-Fi calling if you want on the phone as well, and in untrusted environments it's probably not a bad idea to turn off Wi-Fi.

Summary: so we've got these two points where we found weaknesses, and most of the world's smartphones implement these protocols, but these techniques do rely upon the installed operator configurations, so the phones are actually automatically trying to connect to these services; they don't do that necessarily by default, but major operators do provide that config. So we've been working with these guys, but it is a complicated issue, so it'll take a while. So we're going to look into more stuff; we're doing this under this
5G-ENSURE European project, and we're looking further into these things.

So I'm just going to give a quick demo. Whoops, see if we can slide our way out of here. So what we've got here is... whoops, I'll turn that off for now. Now what I'm going to do is run the Wi-Fi calling IMSI catcher. What this is going to do is set up a little access point running in a virtual machine on the laptop, so I can run up Wi-Fi, and then it'll show a bunch of... so now I'm going to kick off the Wi-Fi calling catcher, and we'll see in a second that the phone is just going to go and do a full scan. Right, so where are we, there we are, this little guy here, Wi-Fi calling, so I'm going to tap on that one, I'm going to join this one, which I've set up to simulate an access point, so we've got to wait for the tick, it obtains an address, and then I'll bring up... there we are, we've got the tick, so we're connected to the network. Cool. And there, straight off, we see the IMSI. Now I have obfuscated that one, so that's the one from the slides, but it's basically a script where I'm just dumping it, and it sits there trying to connect to the Wi-Fi calling server, and I'm doing a man-in-the-middle attack on the phone, basically, running a fake endpoint, and then dumping the IMSI there.

So then I'm going to do the Wi-Fi network catcher. So now you'll see that the Wi-Fi calling, whoops, was trying to connect... now let's kick this guy off. Now what we've got here is, we're creating a bogus access point which is pretending to be a network that is going to steal the creds for the Wi-Fi network authentication, and we're running Wireshark here in the terminal to dump the traffic. Now this guy is... and by the way, has anyone been waiting? Yeah, currently this one has not been found. Sorry, sorry, say again? OK, follow that, yeah, it's a very tricky aspect here. I think I can make it a little bit bigger, but
it appears to be, unfortunately, more cables... this one is unfortunately not working, sadly, and I do have a demo of this one, a little video. And OK, so far, there we have got it, right there. We are... see, we now... so I'm running Wireshark, for those of you familiar, so you'll then again be able to see it is connecting. Well, it doesn't always show you on the screen, but what it does is automatically try to connect to networks other than those, so this one I've called auto EAP Wi-Fi, so then the phone tries to connect but then it fails, but in doing so we're dumping the EAP interchange, and you can see this is just, you know, running, as Ravi said, in monitor mode, so it's just capturing the traffic flowing over the network, so there's no decryption being done here, so we see again the IMSI revealed.

Actually, what is the biggest threat here of what he mentioned? Just now we finish in this slide: like, you have an iPhone, right, everybody has an iPhone, so actually on the iPhone all these profiles, like what you mentioned, the Wi-Fi calling, are actually locally stored by default by Apple, so you can dump out the database and he can set up his laptop as an access point, so all your iPhones which already have this profile automatically connect to this Wi-Fi without even asking; as long as your Wi-Fi is on, you don't need to click on connect, and if you just have Wi-Fi on, basically he can just take everybody's IMSI, and he can show you it here. This is only badly affected with iPhones, actually, and this is the biggest issue for iPhone, and this is, I did notice this is also, which matters, you can take this on a bunch of Android and Windows phones. Yeah, so it's basically a threat that people don't look at, that is happening in the background, so you can't really control that. So, as you saw, my phone automatically connected to that EAP-SIM access point. I had set it up previously to the demo, and therefore right now it was sort of connected to another
network, but it tries to connect, and we were doing the packet dump and you could see it connecting to that network.

So yeah, those are basically the two issues, and we have been working with vendors and, well, mostly operators and OS people to try and move this forward, but I think it comes to a point where we have to spread the word a bit further so that people see that there is actually an issue here and it should be fixed. But it's a complex issue, so it's not like you can just say, go patch that little bug; it's a question of getting the standards right and getting people to implement those, and deciding that it's actually worthwhile. I mean, I guess at some point this actual vulnerability, if you like, is written about; I understand that identity compromise is mentioned in all these security considerations, but I think it's also about how technology has moved on and how easy it is to get all of these things now. I guess some of these standards are getting on a bit, EAP-SIM is from 2006, and so maybe then they thought it was just that bit more difficult for people to do that kind of thing, and that was definitely the case with mobile spectrum, and now you can buy SDR kit for a few hundred dollars or less, or the old RTL-SDR for 15 bucks, to passively sniff some of the mobile spectrum, so it's all become a lot cheaper and easier, and consequently all the security solutions need to move up as well. So I don't know if anyone has any more questions.

[Audience question, partly inaudible, about the font size and whether the IMEI can be obtained.] No, I mean, yeah, you can get the IMEI if you do a 2G kind of conventional IMSI attack; you can't get it here, I mean not right now, we haven't come up with a way. Yeah, I mean that
that's the thing. I mean, you can potentially link it, sort of linking, you can potentially link the IMSI with the MAC address, which is something... but then the IMSI... a problem, yeah, sorry, the IMSI, there are other ways to interact to confirm your phone number; you can't link the MAC address with your phone number, that's a problem, but the IMSI you can link with the phone number, and... probably, yeah, public information, yeah. And then a SIM card might be moved from one device to another device, so you can then track it through that way, yeah.

[Audience question about content.] Yeah, no content, there's no content, no, you can't obtain content from this technique, just the IMSI.

[Audience question about certificates.] Yeah, I mean it does start to get complicated. I mean, the thing is, with Wi-Fi calling you're typically connecting back to the ePDG run by your own operator, so they'll have the certificate there, you'll have it on your phone, so you won't necessarily have an issue, or you could just be travelling over the Internet; but with the Wi-Fi network stuff you may have an issue, but there are some solutions where potentially the authentication would be pushed back, and then you may want to develop some acceleration techniques for localised caching of creds and stuff, but I think it's possible, but it does make it more complicated, yeah, the introduction of certificates. And potentially, I mean, the more you spread certificates around, the more potential there is for someone to go and steal the certificates, and then they can use one of those stolen certs to spoof another supposedly legit endpoint; but I guess it kind of raises the bar, but it does raise the bar in terms of cost as well, so it's a tricky game. And also, it's like, what CAs do you rely upon? You're probably not going to want to rely
upon the entire stack of CAs that's in most OSes today; you might want to have a separate operator store, or possibly some more protected storage, and then it's updating certs if they become compromised, and all those issues that you then have with certificate-based security. Yeah, OK, so I think we can take the question offline; everybody's being cut off now anyway for the next talk, yeah, we can take it offline. Well, thank you, thanks very much. [Applause]
Info
Channel: Black Hat
Views: 6,033
Rating: 4.9252338 out of 5
Keywords: BlackHat, InfoSec, Information Security, Black Hat
Id: njttqrhIOwY
Length: 59min 24sec (3564 seconds)
Published: Wed Jan 08 2020