Bootcamp 2012 – University of Luxembourg

Luca Bongiorni – 20/09/2012
GSM (2G), even if outdated (1987), is the most popular radio communication standard in the world.
It is widely deployed!
It counts more than 4.4 billion subscribers spread across more than 200 countries.

“… police had been detecting unauthorized IMSI catchers being used across the country, though had not been able to catch any of the perpetrators. … Former Czech intelligence agency chief A. Sandor said that businesses could be using them to spy on one another. … it's possible that criminal gangs could be using them for extortion”

• What happens if competitors use it to take advantage of your company?
• What happens if someone intercepts you and then extorts money from you?

Think about it…

In recent years many practical attacks have been publicly disclosed!
Using cell phones is no longer safe for private life or for business.
Some of the threats that you should be aware of:

• IMSI-Catchers (e.g. Location Disclosure, Calls, SMS, Banking mTAN Interception, Hijacking Emergency Calls, User Impersonation, etc.)
• Passive Sniffing / Cracking (if the operator uses a weak encryption algorithm, your data, calls and SMS can easily be intercepted by anyone!)
• Lack of Mutual Authentication
  o The MS authenticates to the network, not vice versa

• Subscribers' Mobility
  o The stronger signal wins (Cell Selection & Reselection)
  o Forced Location Update (if LAC_PLMN != LAC_IMSI-Catcher then switch to IMSI-Catcher)

• Encryption is NOT Compulsory
  o A5/0 No Encryption
Location Disclosure

[Diagram labels: victim's CallerID; list of cities and IMSIs; Local Area]

Catch-and-Relay
• Spoofing CallerID
• Eavesdropping Outgoing Calls & SMS
• Hijacking Emergency Calls
Don't worry! They are vulnerable as well!

What happens if we JAM the UMTS & LTE frequencies?!
Le UE: “Nice to meet you again sir GSM”
Le GSM: “Welcome back my dear”
“GPRS Intercept Wardriving phone networks”
by Nohl & Melette, 2011

http://tinyurl.com/gprs-nohl-slides

Many operators do NOT encrypt communications!!!
How can we Mitigate the Problem?

A Mobile Cell Networks Intrusion Detection System

iParanoid is an Android app (and soon also for iPhone) that acts as a sort of real-time IDS (Intrusion Detection System): it alerts the subscriber when something strange is happening and reacts in order to prevent attacks or data loss:

• Man In The Middle Attacks (Phone Interception)
• No Encryption adopted by the operator
• Impersonation Attacks
• Denial of Services
• Silent Calls or SMS
iParanoid has two Operative Modes:

Offline Mode: The app should be able to show which encryption level is used by the cell network and alert the user if that encryption level changes (e.g. A5/1 -> A5/2 -> A5/0) and if the tuple (CellID/LAC) changes too.

Online Mode: The app should retrieve from the remote server the list of all trusted BTSes for the area where the user is located (determined via GPS). **

** High Encryption Level needed (e.g. GPG)

Both operative modes can be run as a daemon from the boot of the phone (without user interaction) or launched by the user as a usual app.
The app should use Android's APIs to retrieve some important variables from the cell network, such as MNC, MCC, LAC, CID and the A5 cipher indicator (possibly also CRO, T3212 and neighbour cells).

Then, once the GPS position has also been retrieved, all data are evaluated and sent to a remote server that will further analyze the security level and report any malicious behaviour.

In case of alerts the user will be notified and will be able to share them through social networks or the iParanoid web server (anonymously).
The server should use TWO DBs:
● Trustable BTS Towers database (e.g. http://www.opencellid.org)
● Anonymous user alerts (GPS position, timestamp & type of risk)

The server should be able to:
Analyze and correlate the information in the first DB with the data sent from iParanoid.
In case of malicious behaviour, it should notify the user with an alert.
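The offline-mode and online-mode checks described in the slides above, sketched as an added example (this is not iParanoid code and not from the original deck). It assumes the cell parameters have already been collected; the names CellObservation, Alert, analyze and the alert kinds are hypothetical, and the sample cells are constructed test values.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Higher rank = stronger cipher. The order follows the downgrade chain on the
# slide (A5/1 -> A5/2 -> A5/0); A5/3 is included as the stronger GSM cipher.
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}

Cell = Tuple[int, int, int, int]  # (MCC, MNC, LAC, CID)


@dataclass(frozen=True)
class CellObservation:
    ts: int        # seconds since start of capture
    mcc: int
    mnc: int
    lac: int
    cid: int
    cipher: str    # cipher indicator reported for the serving cell

    @property
    def cell(self) -> Cell:
        return (self.mcc, self.mnc, self.lac, self.cid)


@dataclass(frozen=True)
class Alert:
    ts: int
    kind: str
    detail: str


def offline_checks(prev: Optional[CellObservation], cur: CellObservation) -> List[Alert]:
    """Offline mode: only the phone's own history is available."""
    alerts = []
    if cur.cipher not in CIPHER_RANK:
        alerts.append(Alert(cur.ts, "UNKNOWN_CIPHER", cur.cipher))
    elif cur.cipher == "A5/0":
        alerts.append(Alert(cur.ts, "NO_ENCRYPTION", "serving cell uses A5/0"))
    if prev is not None:
        old, new = CIPHER_RANK.get(prev.cipher), CIPHER_RANK.get(cur.cipher)
        if old is not None and new is not None and new < old:
            alerts.append(Alert(cur.ts, "CIPHER_DOWNGRADE",
                                f"{prev.cipher} -> {cur.cipher}"))
        if (prev.lac, prev.cid) != (cur.lac, cur.cid):
            alerts.append(Alert(cur.ts, "CELL_CHANGED",
                                f"LAC/CID {prev.lac}/{prev.cid} -> {cur.lac}/{cur.cid}"))
    return alerts


def online_checks(cur: CellObservation, trusted: Set[Cell]) -> List[Alert]:
    """Online mode: compare the serving cell with the trusted BTS list."""
    if cur.cell in trusted:
        return []
    # Same operator and CellID known under another LAC: matches the forced
    # Location Update pattern, where the catcher advertises a different LAC.
    known_lacs = sorted(lac for (mcc, mnc, lac, cid) in trusted
                        if (mcc, mnc, cid) == (cur.mcc, cur.mnc, cur.cid))
    if known_lacs:
        return [Alert(cur.ts, "LAC_MISMATCH",
                      f"CID {cur.cid} seen with LAC {cur.lac}, trusted LAC(s) {known_lacs}")]
    return [Alert(cur.ts, "UNKNOWN_CELL", f"{cur.cell} not in trusted BTS list")]


def analyze(observations: Iterable[CellObservation],
            trusted: Optional[Set[Cell]] = None) -> List[Alert]:
    """Run offline checks always, online checks when a trusted list is given."""
    alerts: List[Alert] = []
    prev = None
    for cur in observations:
        alerts.extend(offline_checks(prev, cur))
        if trusted is not None:
            alerts.extend(online_checks(cur, trusted))
        prev = cur
    return alerts


# Constructed sample data (test PLMN 001/01), not real cells.
TRUSTED = {(1, 1, 100, 5001), (1, 1, 100, 5002)}
SAMPLE = [
    CellObservation(0, 1, 1, 100, 5001, "A5/1"),    # normal serving cell
    CellObservation(60, 1, 1, 100, 5002, "A5/1"),   # ordinary reselection
    CellObservation(120, 1, 1, 999, 5002, "A5/0"),  # new LAC and cipher dropped
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE, TRUSTED):
        print(alert.ts, alert.kind, alert.detail)
```

CELL_CHANGED on its own fires on every ordinary reselection, so it is best treated as context for the other alerts rather than as a finding by itself.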

iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
