Crash course of Mobile (SS7) privacy and security

Crash course of Mobile (SS7) privacy and security Monday, October 3, 2011

description

We will discuss the three main aspects related to mobile security: Interception, Geolocation, Denial of Service.

Transcript of Crash course of Mobile (SS7) privacy and security

Page 1: Crash course of Mobile (SS7) privacy and security

The Athens Affair

How some extremely smart hackers pulled off the most audacious cell-network break-in ever

By VASSILIS PREVELAKIS, DIOMIDIS SPINELLIS / JULY 2007

On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.

The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy [see sidebar "CEOs, MPs, & a PM."]

The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the country's largest cellular service provider; Tsalikidis was in charge of network planning at the company. A connection seemed obvious. Given the list of people and their positions at the time of the tapping, we can only imagine the sensitive political and diplomatic discussions, high-stakes business deals, or even marital indiscretions that may have been routinely overheard and, quite possibly, recorded.

Even before Tsalikidis's death, investigators had found rogue software installed on the Vodafone Greece phone network by parties unknown. Some extraordinarily knowledgeable people either penetrated the network from outside or subverted it from within, aided by an agent or mole. In either case, the software at the heart of the phone system, investigators later discovered, was reprogrammed with a finesse and sophistication rarely seen before or since.

A study of the Athens affair, surely the most bizarre and embarrassing scandal ever to engulf a major cellphone service provider, sheds considerable light on the measures networks can and should take to reduce their vulnerability to hackers and moles.

It's also a rare opportunity to get a glimpse of one of the most elusive of cybercrimes. Major network penetrations of any kind are exceedingly uncommon. They are hard to pull off, and equally hard to investigate.

Even among major criminal infiltrations, the Athens affair stands out because it may have involved state secrets, and it targeted individuals—a combination that, if it had ever occurred before, was not disclosed publicly. The most notorious penetration to compromise state secrets was that of the “Cuckoo's Egg,” a name bestowed by the wily network administrator who successfully pursued a German programmer in 1986. The programmer had been selling secrets about the U.S. Strategic Defense Initiative (“Star Wars”) to the Soviet KGB.

But unlike the Cuckoo's Egg, the Athens affair targeted the conversations of specific, highly placed government and military officials. Given the ease with which the conversations could have been recorded, it is generally believed that they were. But no one has found any recordings, and we don't know how many of the calls were recorded, or even listened to, by the perpetrators. Though the scope of the activity is to a large extent unknown, it's fair to say that no other computer crime on record has had the same potential for capturing information about affairs of state.

Page 2: Crash course of Mobile (SS7) privacy and security

$ whoarewe

• Jacob Appelbaum

• The Tor Project

• I break bad software and build better alternatives

• Understanding censorship

• Arturo Filastò

• The Tor Project

• A Random GlobaLeaks Developer

• I hack on stuff for fun and profit!

@ioerror @hellais

Page 3: Crash course of Mobile (SS7) privacy and security

Once upon a time...

Page 4: Crash course of Mobile (SS7) privacy and security

The 3 issues

• Interception

• Geolocation

• Denial of Service

Page 5: Crash course of Mobile (SS7) privacy and security

Interception

• Can be lawful or unlawful

• Tactical vs Non-Tactical

Page 6: Crash course of Mobile (SS7) privacy and security

“Lawful Intercept”

Page 7: Crash course of Mobile (SS7) privacy and security

What technologies can be intercepted?

• GSM

• CDMA

• iDEN

• Thuraya

• BGAN/Inmarsat

• VSAT

Page 8: Crash course of Mobile (SS7) privacy and security

Who?

• Law enforcement

• National Secret Service

• Foreign Secret Service

• Large corporations

• Outsourced intelligence service providers

• Organized crime

• Military organizations

Page 9: Crash course of Mobile (SS7) privacy and security

Targets of Interception

• A person

• A medium (think wire tap)

• A device (think rootkit)

• Parametric

• Keywords (sniffing for triggers)

• Perimeter (area sniffing)

Page 10: Crash course of Mobile (SS7) privacy and security

Why?

• The architecture is designed for it

• To suppress uprisings

• To collect intelligence

• Monitor behavior

Page 11: Crash course of Mobile (SS7) privacy and security

How is this possible?

• The security is outdated; take GSM...

• No effort has been made to fix it

• A5/1 is broken

• A5/2 is purposefully broken

• A5/3 is a bit better but not implemented (http://security.osmocom.org/trac/ticket/4)

Page 12: Crash course of Mobile (SS7) privacy and security

IMSI catchers

Page 13: Crash course of Mobile (SS7) privacy and security

Active IMSI catchers

Page 14: Crash course of Mobile (SS7) privacy and security

More accessible

• This equipment used to be very expensive

• But with projects such as USRP and OsmocomBB this is no longer true

Page 15: Crash course of Mobile (SS7) privacy and security

Passive GSM sniffers

Page 16: Crash course of Mobile (SS7) privacy and security

Passive GSM sniffers

[image] + [image] = Interception for 50$

Page 17: Crash course of Mobile (SS7) privacy and security

Geolocation

• Where are you?

• Various technologies give various levels of accuracy

• SS7 (HLR, ATI)

• Stingray and AmberJack

Page 18: Crash course of Mobile (SS7) privacy and security

Location Tracking

Page 19: Crash course of Mobile (SS7) privacy and security

Walled Garden

• For accessing SS7 there used to be:

• High costs

• Strict peering agreements

• Not designed with security in mind

Page 20: Crash course of Mobile (SS7) privacy and security

The GSM network

[Diagram: the GSM network. Labels: subscriber, BTS, BSC, MSC, VLR, HLR, SMSC. Annotations: OsmocomBB, OpenBSC, OpenBTS, APIs to HLR, SMS Injection]

Page 21: Crash course of Mobile (SS7) privacy and security

Macro Area Geolocation

• With network interrogations

• A feature of SMS sending

• The level of detail goes from 1km in cities to 200km in rural areas

Page 22: Crash course of Mobile (SS7) privacy and security

More detail is possible

• Other privacy-invading queries exist

• PSI, ATI

• Reach a level of detail of ~100m

• Require stricter agreements with telcos

• If you know where to ask...

• ... you will get them

• (that means if you have the $$$)

Page 23: Crash course of Mobile (SS7) privacy and security

Denial of Service

• You just want to stop that person or those people from communicating.

Page 24: Crash course of Mobile (SS7) privacy and security

Page 25: Crash course of Mobile (SS7) privacy and security

Jammers

Page 26: Crash course of Mobile (SS7) privacy and security

Jammers

Page 27: Crash course of Mobile (SS7) privacy and security

Help!

• Ok, so you have scared me. Now what should I do?

• Be aware of patterns and realities

• Use software on top of what is available

• Tor, RedPhone, TextSecure, PrivateGSM, etc.

• Avoid bad software, e.g. UltraSurf, SMS

• Resist giving your ID for a SIM card!

• If you are really worried about privacy and security, don’t use mobile phones.

• Until we create a free telco, we’re doomed.

Page 28: Crash course of Mobile (SS7) privacy and security

Thanks for listening!

Any questions?
