SlideShare ist ein Scribd-Unternehmen logo

iParanoid: an IMSI Catcher - Stingray Intrusion Detection System

‱
‱
Luca Bongiorni
Luca Bongiorni

The goal is the research and development of Intrusion Detection System related with Cell Networks. Mainly this App will check the status of some Cell Network variables (e.g. Cellid, LAC, A5 Encryption, etc.) subsequently update a local DB and check if the information about the cell networks around the users are valid or if there could be a risk (e.g. possible interception, possible impersonation, etc.).

TechnologieBusiness
1 von 22
Bootcamp 2012 – University of Luxembourg Luca Bongiorni – 20/09/2012
The GSM or 2G, even if outdated (1987), is the most popular radio communication standard around the world. It is widely deployed! It counts more than 4.4 billion of subscribers spread across more than 200 countries. 2
3
“
 police had been detecting unauthorized IMSI catchers being used across the country, though had not been able to catch any of the perpetrators. 
 Former Czech intelligence agency chief A. Sandor said that businesses could be using them to spy on one another. 
 it’s possible that criminal gangs could be using them for extortion” ‱ What happens if competitors use it to take advantage of your company? ‱ What happens if someone intercept you and then extorts you money? Think about it
 4
In the last years many Practical Attacks have been publicly disclosed! Using Cell Phones is no longer safe for Private Life or for Business. Some of the Threats that You should be aware:  IMSI-Catchers (e.g. Location Disclosure, Calls, SMS, Banking mTAN Interception, Highjacking Emergency Calls, User Impersonation, etc.)  Passive Sniffing / Cracking (If the operator uses a weak encryption algorithm your data, calls, SMS can be easily intercepted by everyone!) 5
‱ Lack of Mutual Authentication o The MS auths the network, not viceversa ‱ Subcribers Mobility o The Stronger signal Wins (Cell Selection & Reselection) o Forced Location Update (if LACPLMN != LACIMSI-Catcher then swtich to IMSI-Catcher) ‱ Encryption is NOT Compulsory o A5/0 No Encryption 6
Location Disclosure CallerID vittima Lista CittĂ  ed IMSI Local Area Catch-and-Relay 7
‱ Spoofing CallerID ‱ Eavesdropping Outgoing Calls & SMS ‱ Highjacking Emergency Calls 8
Don’t worry! Are vulnerable as well! What happens if we JAM the UMTS & LTE frequencies?! Le UE: “Nice to meet you again sir GSM” Le GSM: “Welcome back my dear” 9
10
11
12
“GPRS Intercept Wardriving phone networks” by Nohl & Melette, 2011 http://tinyurl.com/gprs-nohl-slides Many operators does NOT encrypt communications!!! 13
14
How can we Mitigate the Problem? 15
A Mobile Cell Networks Intrusion Detection System iParanoid is an Android App (and soon also for iPhone) that acts as a sort of Real Time IDS (Intrusion Detection System), that alerts the subscriber in case is happening something strange and reacts in order to prevent attacks or data loss:      Man In The Middle Attacks (Phone Interception) No Encryption adopted by the operator Impersonation Attacks Denial of Services Silent Calls or SMS 16
iParanoid has two Operative Modes: s Offline Mode: The App should be able to show which encryption level is used from the Cell Network and alert the user in case that encryption level is changed (e.g. A5/1 -> A5/2 -> A5/0) and if the tuple (CellID/LAC) is changed too. Online Mode: The App should retrieve the list of all Trustable BTSes (related on the area where the user is located thanks to the GPS) from the remote server. ** ** High Encryption Level needed (e.g. GPG) Both operative modes can be ran as deamon from the boot of the phone (without user interaction) or launched by the users as a usual app. 17
The App should use the Android’s APIs to retrieve some important variables from the Cell Network, like: MNC, MCC, LAC, CID, Cipher indicator A5 (eventually also CRO, T3212 and Neighbours Cells). Then, once retrieved also the GPS position, all datas are evaluated and sent to a remote server that will further analyze the Security Level and report eventual malicious behaviours. In case of alerts the user will be notified and He/She will have the possibility to spread them through Social Networks or the iParanoid’s webserver (anonymously). 18
19
The Server should use TWO DBs: ●Trustable BTS Towers DataBase (e.g. http://www.opencellid.org) ●Anonymous Users Alerts (GPS position, Timestamp & Type of Risk) The Server Should be able to: Analyze and Correlate the informations between the first DB and the ones that have been sent from iParanoid. In case of malicious behaviour, It should notify the user with an Alert. 20
21
22

Empfohlen

An Introduction to Macrocells & Small Cells
An Introduction to Macrocells & Small CellsAn Introduction to Macrocells & Small Cells
An Introduction to Macrocells & Small Cells3G4G
 
LTE Attach Call Flow_Vi.pptx
LTE Attach Call Flow_Vi.pptxLTE Attach Call Flow_Vi.pptx
LTE Attach Call Flow_Vi.pptxGaganVerma62
 
Rtn
RtnRtn
RtnAhmed Hussien Ali Gomaa Bebars
 
Ericsson BTS commisioning
Ericsson BTS commisioningEricsson BTS commisioning
Ericsson BTS commisioningShahid Rasool
 
Cell-Free architectures for 5G
Cell-Free architectures for 5GCell-Free architectures for 5G
Cell-Free architectures for 5GStefano Buzzi
 
RET configuration .ppt
RET configuration .pptRET configuration .ppt
RET configuration .pptRakeshPanda48
 
Zxmw nr8250 v1.00 commissioning guide ž±±Ÿ
Zxmw nr8250 v1.00 commissioning guide ž±±ŸZxmw nr8250 v1.00 commissioning guide ž±±Ÿ
Zxmw nr8250 v1.00 commissioning guide ž±±ŸGratien Niyitegeka
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 

Empfohlen

An Introduction to Macrocells & Small Cells
An Introduction to Macrocells & Small CellsAn Introduction to Macrocells & Small Cells
An Introduction to Macrocells & Small Cells3G4G
 
LTE Attach Call Flow_Vi.pptx
LTE Attach Call Flow_Vi.pptxLTE Attach Call Flow_Vi.pptx
LTE Attach Call Flow_Vi.pptxGaganVerma62
 
Rtn
RtnRtn
RtnAhmed Hussien Ali Gomaa Bebars
 
Ericsson BTS commisioning
Ericsson BTS commisioningEricsson BTS commisioning
Ericsson BTS commisioningShahid Rasool
 
Cell-Free architectures for 5G
Cell-Free architectures for 5GCell-Free architectures for 5G
Cell-Free architectures for 5GStefano Buzzi
 
RET configuration .ppt
RET configuration .pptRET configuration .ppt
RET configuration .pptRakeshPanda48
 
Zxmw nr8250 v1.00 commissioning guide ž±±Ÿ
Zxmw nr8250 v1.00 commissioning guide ž±±ŸZxmw nr8250 v1.00 commissioning guide ž±±Ÿ
Zxmw nr8250 v1.00 commissioning guide ž±±ŸGratien Niyitegeka
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeP1Security
 
RF measurement and optimization Engineer EMERSON EDUARDO RODRIGUES
RF measurement and optimization Engineer EMERSON EDUARDO RODRIGUESRF measurement and optimization Engineer EMERSON EDUARDO RODRIGUES
RF measurement and optimization Engineer EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 
LTE - Long Term Evolution
LTE - Long Term EvolutionLTE - Long Term Evolution
LTE - Long Term EvolutionArief Gunawan
 
240243228 huawei-bts-3900-training
240243228 huawei-bts-3900-training240243228 huawei-bts-3900-training
240243228 huawei-bts-3900-trainingShelton Siziba
 
IBS
IBSIBS
IBSMd Joynal Abaden
 
The Huawei Node B Evolution
The Huawei Node B EvolutionThe Huawei Node B Evolution
The Huawei Node B EvolutionAtif Mahmood
 
Lte system signaling procedures
Lte system signaling proceduresLte system signaling procedures
Lte system signaling procedurestharinduwije
 
S1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupS1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupPrashant Sengar
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
Best practices-lte-call-flow-guide
Best practices-lte-call-flow-guideBest practices-lte-call-flow-guide
Best practices-lte-call-flow-guideMorg
 
VoWiFi testing challenges
VoWiFi testing challengesVoWiFi testing challenges
VoWiFi testing challengesDave Crossley
 
Antenna Installation Engineering.
Antenna Installation Engineering.Antenna Installation Engineering.
Antenna Installation Engineering.HáșŁi Nguyễn Hồ BĂĄ
 
Mobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLSMobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLSCisco Canada
 
190937694 csfb-call-flows
190937694 csfb-call-flows190937694 csfb-call-flows
190937694 csfb-call-flowsamakRF
 
Lte interview questions
Lte interview questionsLte interview questions
Lte interview questionsGangaprasadT
 
Basics Of Minilink Microwave Networks
Basics Of Minilink Microwave NetworksBasics Of Minilink Microwave Networks
Basics Of Minilink Microwave NetworksAtif Mahmood
 
GSM fundamentals (Huawei)
GSM fundamentals (Huawei)GSM fundamentals (Huawei)
GSM fundamentals (Huawei)Shopnomoy Prantor
 
F01 beam forming_srs
F01 beam forming_srsF01 beam forming_srs
F01 beam forming_srsLuciano Motta
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...EC-Council
 
Huawei BTS 3900 Hardware Structure
Huawei BTS 3900 Hardware StructureHuawei BTS 3900 Hardware Structure
Huawei BTS 3900 Hardware Structureibrahimnabil17
 
LTE Interference troubleshooting guide
LTE Interference troubleshooting guideLTE Interference troubleshooting guide
LTE Interference troubleshooting guideKlajdi Husi
 
Intercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT HackingIntercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT Hacking📡 Sebastien Dudek
 
Mobile cloning
Mobile cloningMobile cloning
Mobile cloningVIKASH MEWAL
 

Weitere Àhnliche Inhalte

Was ist angesagt?

RF measurement and optimization Engineer EMERSON EDUARDO RODRIGUES
RF measurement and optimization Engineer EMERSON EDUARDO RODRIGUESRF measurement and optimization Engineer EMERSON EDUARDO RODRIGUES
RF measurement and optimization Engineer EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 
LTE - Long Term Evolution
LTE - Long Term EvolutionLTE - Long Term Evolution
LTE - Long Term EvolutionArief Gunawan
 
240243228 huawei-bts-3900-training
240243228 huawei-bts-3900-training240243228 huawei-bts-3900-training
240243228 huawei-bts-3900-trainingShelton Siziba
 
The Huawei Node B Evolution
The Huawei Node B EvolutionThe Huawei Node B Evolution
The Huawei Node B EvolutionAtif Mahmood
 
Lte system signaling procedures
Lte system signaling proceduresLte system signaling procedures
Lte system signaling procedurestharinduwije
 
S1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupS1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupPrashant Sengar
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkP1Security
 
Best practices-lte-call-flow-guide
Best practices-lte-call-flow-guideBest practices-lte-call-flow-guide
Best practices-lte-call-flow-guideMorg
 
VoWiFi testing challenges
VoWiFi testing challengesVoWiFi testing challenges
VoWiFi testing challengesDave Crossley
 
Mobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLSMobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLSCisco Canada
 
190937694 csfb-call-flows
190937694 csfb-call-flows190937694 csfb-call-flows
190937694 csfb-call-flowsamakRF
 
Lte interview questions
Lte interview questionsLte interview questions
Lte interview questionsGangaprasadT
 
Basics Of Minilink Microwave Networks
Basics Of Minilink Microwave NetworksBasics Of Minilink Microwave Networks
Basics Of Minilink Microwave NetworksAtif Mahmood
 
GSM fundamentals (Huawei)
GSM fundamentals (Huawei)GSM fundamentals (Huawei)
GSM fundamentals (Huawei)Shopnomoy Prantor
 
F01 beam forming_srs
F01 beam forming_srsF01 beam forming_srs
F01 beam forming_srsLuciano Motta
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...EC-Council
 
Huawei BTS 3900 Hardware Structure
Huawei BTS 3900 Hardware StructureHuawei BTS 3900 Hardware Structure
Huawei BTS 3900 Hardware Structureibrahimnabil17
 
LTE Interference troubleshooting guide
LTE Interference troubleshooting guideLTE Interference troubleshooting guide
LTE Interference troubleshooting guideKlajdi Husi
 

Was ist angesagt? (20)

RF measurement and optimization Engineer EMERSON EDUARDO RODRIGUES
RF measurement and optimization Engineer EMERSON EDUARDO RODRIGUESRF measurement and optimization Engineer EMERSON EDUARDO RODRIGUES
RF measurement and optimization Engineer EMERSON EDUARDO RODRIGUES
 
LTE - Long Term Evolution
LTE - Long Term EvolutionLTE - Long Term Evolution
LTE - Long Term Evolution
 
240243228 huawei-bts-3900-training
240243228 huawei-bts-3900-training240243228 huawei-bts-3900-training
240243228 huawei-bts-3900-training
 
IBS
IBSIBS
IBS
 
The Huawei Node B Evolution
The Huawei Node B EvolutionThe Huawei Node B Evolution
The Huawei Node B Evolution
 
Lte system signaling procedures
Lte system signaling proceduresLte system signaling procedures
Lte system signaling procedures
 
S1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setupS1ap lte-attach-eps-bearer-setup
S1ap lte-attach-eps-bearer-setup
 
Worldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN networkWorldwide attacks on SS7/SIGTRAN network
Worldwide attacks on SS7/SIGTRAN network
 
Best practices-lte-call-flow-guide
Best practices-lte-call-flow-guideBest practices-lte-call-flow-guide
Best practices-lte-call-flow-guide
 
VoWiFi testing challenges
VoWiFi testing challengesVoWiFi testing challenges
VoWiFi testing challenges
 
Antenna Installation Engineering.
Antenna Installation Engineering.Antenna Installation Engineering.
Antenna Installation Engineering.
 
Mobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLSMobile Transport Evolution with Unified MPLS
Mobile Transport Evolution with Unified MPLS
 
190937694 csfb-call-flows
190937694 csfb-call-flows190937694 csfb-call-flows
190937694 csfb-call-flows
 
Lte interview questions
Lte interview questionsLte interview questions
Lte interview questions
 
Basics Of Minilink Microwave Networks
Basics Of Minilink Microwave NetworksBasics Of Minilink Microwave Networks
Basics Of Minilink Microwave Networks
 
GSM fundamentals (Huawei)
GSM fundamentals (Huawei)GSM fundamentals (Huawei)
GSM fundamentals (Huawei)
 
F01 beam forming_srs
F01 beam forming_srsF01 beam forming_srs
F01 beam forming_srs
 
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
LTE protocol exploits – IMSI catchers, blocking devices and location leaks - ...
 
Huawei BTS 3900 Hardware Structure
Huawei BTS 3900 Hardware StructureHuawei BTS 3900 Hardware Structure
Huawei BTS 3900 Hardware Structure
 
LTE Interference troubleshooting guide
LTE Interference troubleshooting guideLTE Interference troubleshooting guide
LTE Interference troubleshooting guide
 

Ähnlich wie iParanoid: an IMSI Catcher - Stingray Intrusion Detection System

Intercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT HackingIntercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT Hacking📡 Sebastien Dudek
 
Mobile cloning
Mobile cloningMobile cloning
Mobile cloningVIKASH MEWAL
 
2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolution2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolutionTech and Law Center
 
SS7: Locate -Track - Manipulate Attack - SPY24ℱ.pdf
SS7: Locate -Track - Manipulate Attack - SPY24ℱ.pdfSS7: Locate -Track - Manipulate Attack - SPY24ℱ.pdf
SS7: Locate -Track - Manipulate Attack - SPY24ℱ.pdfSPY24
 
Introducing mobile telephony
Introducing mobile telephonyIntroducing mobile telephony
Introducing mobile telephonyJoseph Guindeba
 
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the EnterpriseJ.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the EnterpriseDroidcon Berlin
 
Hack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hackingHack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hacking📡 Sebastien Dudek
 
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2016
 
mobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxmobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxRohithKumarKishtam
 
Troopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricksTroopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricks📡 Sebastien Dudek
 
mobile jammer ppt.pptx
mobile jammer ppt.pptxmobile jammer ppt.pptx
mobile jammer ppt.pptxManojMudhiraj3
 
mobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxmobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxMurulidharLM1
 
Mobile Phone and SIM card cloning
Mobile Phone and SIM card cloningMobile Phone and SIM card cloning
Mobile Phone and SIM card cloningAnkur Kumar
 
Vehicle anti theft tracking system based on internet of things
Vehicle anti theft tracking system based on internet of things Vehicle anti theft tracking system based on internet of things
Vehicle anti theft tracking system based on internet of things Jyothsna Sridhar
 
Mobile Phone Cloning
Mobile Phone Cloning Mobile Phone Cloning
Mobile Phone CloningDevyani Vaidya
 

Ähnlich wie iParanoid: an IMSI Catcher - Stingray Intrusion Detection System (20)

Intercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT HackingIntercoms presentation OSSIR - IoT Hacking
Intercoms presentation OSSIR - IoT Hacking
 
Mobile cloning
Mobile cloningMobile cloning
Mobile cloning
 
2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolution2015.11.06. Luca Melette_Mobile threats evolution
2015.11.06. Luca Melette_Mobile threats evolution
 
SS7: Locate -Track - Manipulate Attack - SPY24ℱ.pdf
SS7: Locate -Track - Manipulate Attack - SPY24ℱ.pdfSS7: Locate -Track - Manipulate Attack - SPY24ℱ.pdf
SS7: Locate -Track - Manipulate Attack - SPY24ℱ.pdf
 
Beerump 2018 - Modmobmap
Beerump 2018 - ModmobmapBeerump 2018 - Modmobmap
Beerump 2018 - Modmobmap
 
Introducing mobile telephony
Introducing mobile telephonyIntroducing mobile telephony
Introducing mobile telephony
 
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the EnterpriseJ.-P. Seifert; Security-Aware Android Applications for the Enterprise
J.-P. Seifert; Security-Aware Android Applications for the Enterprise
 
Mobile threat
Mobile threatMobile threat
Mobile threat
 
Hack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hackingHack.lu 2016 - 2G and 3G intercom hacking
Hack.lu 2016 - 2G and 3G intercom hacking
 
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltrefestival ICT 2013: Mobile Network Security: stato dell’arte e oltre
festival ICT 2013: Mobile Network Security: stato dell’arte e oltre
 
mobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxmobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptx
 
33c3 - 2G and 3G intercom attacks
33c3 - 2G and 3G intercom attacks33c3 - 2G and 3G intercom attacks
33c3 - 2G and 3G intercom attacks
 
Troopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricksTroopers NGI 2019 - Modmobtools and tricks
Troopers NGI 2019 - Modmobtools and tricks
 
mobile jammer ppt.pptx
mobile jammer ppt.pptxmobile jammer ppt.pptx
mobile jammer ppt.pptx
 
mobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptxmobile-phone-cloning-8886-hNyjka1.pptx
mobile-phone-cloning-8886-hNyjka1.pptx
 
Mobile Phone and SIM card cloning
Mobile Phone and SIM card cloningMobile Phone and SIM card cloning
Mobile Phone and SIM card cloning
 
Gsm
Gsm Gsm
Gsm
 
Vehicle anti theft tracking system based on internet of things
Vehicle anti theft tracking system based on internet of things Vehicle anti theft tracking system based on internet of things
Vehicle anti theft tracking system based on internet of things
 
Test
TestTest
Test
 
Mobile Phone Cloning
Mobile Phone Cloning Mobile Phone Cloning
Mobile Phone Cloning
 

Mehr von Luca Bongiorni

HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...Luca Bongiorni
 
ANP catalog: the adversarial ninja playset
ANP catalog: the adversarial ninja playsetANP catalog: the adversarial ninja playset
ANP catalog: the adversarial ninja playsetLuca Bongiorni
 
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's JourneyManufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's JourneyLuca Bongiorni
 
How to bring HID attacks to next level with WHID Injector & P4wnP1
How to bring HID attacks to next level with WHID Injector & P4wnP1How to bring HID attacks to next level with WHID Injector & P4wnP1
How to bring HID attacks to next level with WHID Injector & P4wnP1Luca Bongiorni
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Luca Bongiorni
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsLuca Bongiorni
 
Lockpicking Baltic Cyber Security Forum 2013
Lockpicking Baltic Cyber Security Forum 2013Lockpicking Baltic Cyber Security Forum 2013
Lockpicking Baltic Cyber Security Forum 2013Luca Bongiorni
 
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...Luca Bongiorni
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Luca Bongiorni
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionLuca Bongiorni
 

Mehr von Luca Bongiorni (10)

HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...HandPwning Security pitfalls of biometric hand-geometry recognition access co...
HandPwning Security pitfalls of biometric hand-geometry recognition access co...
 
ANP catalog: the adversarial ninja playset
ANP catalog: the adversarial ninja playsetANP catalog: the adversarial ninja playset
ANP catalog: the adversarial ninja playset
 
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's JourneyManufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
Manufacturing Hardware Implants from Idea to Mass Production: A Hacker's Journey
 
How to bring HID attacks to next level with WHID Injector & P4wnP1
How to bring HID attacks to next level with WHID Injector & P4wnP1How to bring HID attacks to next level with WHID Injector & P4wnP1
How to bring HID attacks to next level with WHID Injector & P4wnP1
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
 
Certificate Pinning in Mobile Applications
Certificate Pinning in Mobile ApplicationsCertificate Pinning in Mobile Applications
Certificate Pinning in Mobile Applications
 
Lockpicking Baltic Cyber Security Forum 2013
Lockpicking Baltic Cyber Security Forum 2013Lockpicking Baltic Cyber Security Forum 2013
Lockpicking Baltic Cyber Security Forum 2013
 
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
Mobile Network Security: Quanto sono sicure le reti cellulari? - Smau Milano ...
 
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
Mobile Network Security: a tale of tracking, spoofing and owning mobile phone...
 
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil ProtectionOpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
OpenBTS: Emergency GSM Messaging & Monitoring System for Civil Protection
 

KĂŒrzlich hochgeladen

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

KĂŒrzlich hochgeladen (20)

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

iParanoid: an IMSI Catcher - Stingray Intrusion Detection System

  • 1. Bootcamp 2012 – University of Luxembourg Luca Bongiorni – 20/09/2012
  • 2. The GSM or 2G, even if outdated (1987), is the most popular radio communication standard around the world. It is widely deployed! It counts more than 4.4 billion of subscribers spread across more than 200 countries. 2
  • 3. 3
  • 4. “
 police had been detecting unauthorized IMSI catchers being used across the country, though had not been able to catch any of the perpetrators. 
 Former Czech intelligence agency chief A. Sandor said that businesses could be using them to spy on one another. 
 it’s possible that criminal gangs could be using them for extortion” ‱ What happens if competitors use it to take advantage of your company? ‱ What happens if someone intercept you and then extorts you money? Think about it
 4
  • 5. In the last years many Practical Attacks have been publicly disclosed! Using Cell Phones is no longer safe for Private Life or for Business. Some of the Threats that You should be aware:  IMSI-Catchers (e.g. Location Disclosure, Calls, SMS, Banking mTAN Interception, Highjacking Emergency Calls, User Impersonation, etc.)  Passive Sniffing / Cracking (If the operator uses a weak encryption algorithm your data, calls, SMS can be easily intercepted by everyone!) 5
  • 6. ‱ Lack of Mutual Authentication o The MS auths the network, not viceversa ‱ Subcribers Mobility o The Stronger signal Wins (Cell Selection & Reselection) o Forced Location Update (if LACPLMN != LACIMSI-Catcher then swtich to IMSI-Catcher) ‱ Encryption is NOT Compulsory o A5/0 No Encryption 6
  • 7. Location Disclosure CallerID vittima Lista CittĂ  ed IMSI Local Area Catch-and-Relay 7
  • 8. ‱ Spoofing CallerID ‱ Eavesdropping Outgoing Calls & SMS ‱ Highjacking Emergency Calls 8
  • 9. Don’t worry! Are vulnerable as well! What happens if we JAM the UMTS & LTE frequencies?! Le UE: “Nice to meet you again sir GSM” Le GSM: “Welcome back my dear” 9
  • 10. 10
  • 11. 11
  • 12. 12
  • 13. “GPRS Intercept Wardriving phone networks” by Nohl & Melette, 2011 http://tinyurl.com/gprs-nohl-slides Many operators does NOT encrypt communications!!! 13
  • 14. 14
  • 15. How can we Mitigate the Problem? 15
  • 16. A Mobile Cell Networks Intrusion Detection System iParanoid is an Android App (and soon also for iPhone) that acts as a sort of Real Time IDS (Intrusion Detection System), that alerts the subscriber in case is happening something strange and reacts in order to prevent attacks or data loss:      Man In The Middle Attacks (Phone Interception) No Encryption adopted by the operator Impersonation Attacks Denial of Services Silent Calls or SMS 16
  • 17. iParanoid has two Operative Modes: s Offline Mode: The App should be able to show which encryption level is used from the Cell Network and alert the user in case that encryption level is changed (e.g. A5/1 -> A5/2 -> A5/0) and if the tuple (CellID/LAC) is changed too. Online Mode: The App should retrieve the list of all Trustable BTSes (related on the area where the user is located thanks to the GPS) from the remote server. ** ** High Encryption Level needed (e.g. GPG) Both operative modes can be ran as deamon from the boot of the phone (without user interaction) or launched by the users as a usual app. 17
  • 18. The App should use the Android’s APIs to retrieve some important variables from the Cell Network, like: MNC, MCC, LAC, CID, Cipher indicator A5 (eventually also CRO, T3212 and Neighbours Cells). Then, once retrieved also the GPS position, all datas are evaluated and sent to a remote server that will further analyze the Security Level and report eventual malicious behaviours. In case of alerts the user will be notified and He/She will have the possibility to spread them through Social Networks or the iParanoid’s webserver (anonymously). 18
  • 19. 19
  • 20. The Server should use TWO DBs: ●Trustable BTS Towers DataBase (e.g. http://www.opencellid.org) ●Anonymous Users Alerts (GPS position, Timestamp & Type of Risk) The Server Should be able to: Analyze and Correlate the informations between the first DB and the ones that have been sent from iParanoid. In case of malicious behaviour, It should notify the user with an Alert. 20
  • 21. 21
  • 22. 22