Catching IMSI Catchers
Geoffrey Vaughan
@mrvaughan
Security Engineer
What you will learn today
1. What IMSI Catchers do and how they work
2. Detection Strategies
3. Hear an exciting tale of adventures in Vegas
4. Learn how to avoid being caught up in an IMSI Catcher
Whoami
• Geoffrey Vaughan @MrVaughan
• Security Engineer @SecurityInnovation
• Appsec pentesting/advisory at all areas of SDLC
• Former High School/Prison/University Teacher
• Occasionally I’m let out of my basement
• Travelled from Toronto to be here with you today
IMSI Catchers / Stingrays
IMSI Catcher:
Can be any rogue cellular device designed to capture cell
phone data or traffic
Often used by police/governments
Stingray - Most popular brand of IMSI Catcher sold to
police/governments made by Harris Corp
IMSI:
International mobile subscriber identity
Your unique cell phone ID.
Privacy constraints:
Strict NDAs often prevent users from disclosing the device
capabilities or naming the device publicly (even in case of
warrants)
IMSI Catcher Specs
• Can intercept 2G, 3G, 4G communication simultaneously as
well as CDMA/GSM networks
• Devices can launch attacks requesting devices connect over
weaker channels (2G)
• Operates in either passive or active mode
• Passive mode – Simply captures all available traffic in the area
• Active mode – Acts as a full duplex proxy forcing all traffic
through the device then onward to a normal cellular tower
How they are used
• Confirming presence of a device in a target’s home prior to a search thereof
• Identifying an individual responsible for sending harassing text messages
• Locating a stolen mobile device as a precursor to searching homes in the vicinity
• Locating specific individuals by driving around a city until a known IMSI is found
• Mounted on airplanes by the United States Marshals Service to sweep entire
cities for a specific mobile device
• To monitor all devices within range of a prison to determine whether prisoners are
using cell phones
• Reportedly at political protests to identify devices of individuals attending
• To monitor activity in the offices of an independent Irish police oversight body
Source: https://citizenlab.org/wp-content/uploads/2016/09/20160818-Report-Gone_Opaque.pdf
Where they are used
• 1400+ confirmed cases of use in Baltimore; mapping shows
disproportionate use in predominantly black neighborhoods
• http://www.citylab.com/crime/2016/10/racial-disparities-in-police-stingray-surveillance-mapped/502715/?utm_source=feed
• Thousands of times in Florida since 2007 for crimes as small as
911 hang ups
• http://arstechnica.com/tech-policy/2016/08/Baltimore-police-accused-of-illegal-mobile-spectrum-use-with-stingrays/
Manual Leak
The Intercept acquired a device manual and published it:
https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/
Where to buy
• Only sold to governments, police, and military
• Alibaba: Good luck (mostly 2G only), Import laws, buyer
assumes risk
• But for ~1400 USD you can build your own:
http://arstechnica.com/security/2015/10/low-cost-imsi-catcher-for-4glte-networks-track-phones-precise-locations/
• Or hide one in a printer and make it call to say I love you
https://julianoliver.com/output/stealth-cell-tower
How to find and detect an IMSI Catcher
Current Detection Methods are entirely anomaly based
1. War walk your neighborhood and make note of all cell tower
IDs you find and their locations
2. Repeat this until you are sure you have all known devices
cataloged
3. Constantly monitor your area to see if any new devices are
added
4. Go find the new device
Tools to help you out
OpenCellID.org – Database of mostly user reported cellular tower
devices, their location, and their identifiers
AIMSICD – Android IMSI Catcher Detector app. Tool used to collect
cell data. It also reports/syncs with OpenCellID (sometimes).
• https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
Rooted Android Device – Required for AIMSICD. Means you need a
dedicated device for detection
Eric Escobar – Detecting Rogue Cell Towers, built a $50 device to
better triangulate devices (Presented this year)
• https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Eric-Escobar-Rogue-Cell-Towers-UPDATED.pdf
Story Time
How hostile is it for your devices at Def Con?
• Def Con = “Most hostile network on earth” ????
• Sure, don’t use the hotel Wi-Fi, but how bad is it for your cell
phones?
• Personal experiment to see if I could find any IMSI Catchers
Setup
• AIMSICD App
• Burner Android Phone (rooted)
• Next time: Pre-install opencellid.org data
War Driving the Strip in style
Don’t Freak out!
[Figures: Pre Def Con War Walk; Post Def Con Data]
Lots of false positives
• Devices on multiple floors?
• Multiple redundant devices in same location
• Potential issues with GPS accuracy
Still Unknown Devices
Red dots represent devices that I did not see in my preliminary
walk and were not already known to opencellid.org
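An added example, not code from the talk or its GitHub data: the four-step anomaly procedure and the "not seen in my preliminary walk and not known to opencellid.org" check, with a proximity test for the false-positive causes listed above and a count of LTE-to-GSM serving-cell transitions. All rows are constructed, and the column layout, the 100 m site radius and the function names are assumptions of this example.

```python
import csv
import io
import math

# All rows below are constructed sample data, not the talk's dataset. The column
# layout (radio, mcc, net, area, cell, lat, lon) is an assumption for this example.
KNOWN_DB = """radio,mcc,net,area,cell,lat,lon
GSM,310,260,1001,20001,36.11620,-115.17450
LTE,310,410,2002,30001,36.11700,-115.17500
"""
BASELINE_WALK = """radio,mcc,net,area,cell,lat,lon
GSM,310,260,1001,20001,36.11622,-115.17452
LTE,310,410,2002,30002,36.11800,-115.17300
"""
# Later survey, in time order; each row is the serving cell at one sample.
SURVEY = """radio,mcc,net,area,cell,lat,lon
LTE,310,410,2002,30001,36.11701,-115.17501
GSM,310,260,1001,20002,36.11625,-115.17455
LTE,310,410,2002,30002,36.11801,-115.17302
GSM,310,260,9999,65001,36.12500,-115.16000
LTE,310,410,2002,30001,36.11702,-115.17499
"""


def parse(text):
    """Return a list of (key, (lat, lon)) in file order; key identifies one cell."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        key = (r["radio"], int(r["mcc"]), int(r["net"]), int(r["area"]), int(r["cell"]))
        rows.append((key, (float(r["lat"]), float(r["lon"]))))
    return rows


def distance_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))


def triage_new_cells(known, baseline, survey, site_radius_m=100.0):
    """Flag survey cells absent from both the database and the baseline walk.

    A new cell seen within site_radius_m of an already catalogued cell of the same
    operator (same mcc/net) is labelled 'near-known-site': a likely extra sector,
    another floor, or GPS drift. Anything else is 'unexplained' and worth a visit.
    """
    catalogue = {}
    for key, pos in known + baseline:
        catalogue.setdefault(key, pos)
    findings = {}
    for key, pos in survey:
        if key in catalogue or key in findings:
            continue
        nearby = any(k[1:3] == key[1:3] and distance_m(pos, p) <= site_radius_m
                     for k, p in catalogue.items())
        findings[key] = "near-known-site" if nearby else "unexplained"
    return findings


def count_downgrades(survey):
    """Count consecutive samples where the serving cell drops from LTE to GSM.

    Ordinary handovers also produce these transitions, so the count is a signal
    to compare against the baseline rate, not proof of a forced downgrade.
    """
    radios = [key[0] for key, _ in survey]
    return sum(1 for prev, cur in zip(radios, radios[1:]) if prev == "LTE" and cur == "GSM")


if __name__ == "__main__":
    known, baseline, survey = parse(KNOWN_DB), parse(BASELINE_WALK), parse(SURVEY)
    for key, label in triage_new_cells(known, baseline, survey).items():
        print(label, key)
    print("LTE->GSM transitions:", count_downgrades(survey))
```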
Caesar’s
• 3 Nights in Caesar’s before Def Con
• Lots of towers picked up
• Suggest a sort of ‘drive by attack’
• Also observed a lot of LTE to GSM downgrade attacks, my
device was hopping networks quite frequently
Caesar’s
• At least 4 of these devices were previously not known to
opencellid.org
• There were a couple others that had only been seen once before
Defense
• Depends on your personal threat model
• Don’t use your device
• Wi Fi calling with vpn?
• Signal / OpenWhisper app for calling/SMS, although you would
still be tracked
• If all Wireless Carriers published the tower IDs you could at
least know if an ID did not match.
• Device spoofing would still be possible
• Pressure Wireless Carriers to implement mutual authentication
between devices
Conclusions
• The devices are very hard to detect; this is part of what makes
them so dangerous
• You rarely know when you are connected to these devices
All data collected is available on my GitHub page
https://github.com/MrVaughan/Defcon2016GSMData
Shameless Plug
• CMD+CTRL CTF Saturday Night
• Accessible web app CTF for beginners and pros alike
• Lots of challenges to keep
you busy
• Prizes
Thank you
Geoffrey Vaughan
@mrvaughan
@SecurityInnovation

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Catching IMSI Catchers

  • 2. What you will learn today 1. What IMSI Catchers do and how they work 2. Detection Strategies 3. Hear an exciting tale of adventures in Vegas 4. Learn how to avoid being caught up in an IMSI Catcher
  • 3. Whoami • Geoffrey Vaughan @MrVaughan • Security Engineer @SecurityInnovation • Appsec pentesting/advisory at all areas of SDLC • Former High School/Prison/University Teacher • Occasionally I’m let out of my basement • Travelled from Toronto to be here with you today
  • 4. IMSI Catchers / Stingrays IMSI Catcher: Can be any rogue cellular device designed to capture cell phone data or traffic. Often used by police/governments. Stingray - Most popular brand of IMSI Catcher sold to police/governments, made by Harris Corp. IMSI: International mobile subscriber identity. Your unique cell phone ID. Privacy constraints: Strict NDAs often prevent users from disclosing the device capabilities or naming the device publicly (even in case of warrants)
  • 5.
  • 6. IMSI Catcher Specs • Can intercept 2G, 3G, 4G communication simultaneously as well as CDMA/GSM networks • Devices can launch attacks requesting devices connect over weaker channels (2G) • Operates in either passive or active mode • Passive mode – Simply captures all available traffic in the area • Active mode – Acts as a full duplex proxy forcing all traffic through the device then onward to a normal cellular tower
  • 7. How they are used • Confirming presence of a device in a target’s home prior to a search thereof • Identifying an individual responsible for sending harassing text messages • Locating a stolen mobile device as a precursor to searching homes in the vicinity • Locating specific individuals by driving around a city until a known IMSI is found • Mounted on airplanes by the United States Marshals Service to sweep entire cities for a specific mobile device • To monitor all devices within range of a prison to determine whether prisoners are using cell phones • Reportedly at political protests to identify devices of individuals attending • To monitor activity in the offices of an independent Irish police oversight body Source: https://citizenlab.org/wp-content/uploads/2016/09/20160818-Report-Gone_Opaque.pdf
  • 8. Where they are used • 1400+ confirmed uses in Baltimore; mapping shows disproportionate use in predominantly black neighborhoods • http://www.citylab.com/crime/2016/10/racial-disparities-in-police-stingray-surveillance-mapped/502715/?utm_source=feed • Thousands of times in Florida since 2007 for crimes as small as 911 hang-ups • http://arstechnica.com/tech-policy/2016/08/Baltimore-police-accused-of-illegal-mobile-spectrum-use-with-stingrays/
  • 9. Manual Leak The Intercept acquired a device manual and published it: https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/
  • 10. Where to buy • Only sold to governments, police, and military • Alibaba: Good luck (mostly 2G only), import laws, buyer assumes risk • But for ~1400 USD you can build your own: http://arstechnica.com/security/2015/10/low-cost-imsi-catcher-for-4glte-networks-track-phones-precise-locations/ • Or hide one in a printer and make it call to say I love you https://julianoliver.com/output/stealth-cell-tower
  • 11. How to find and detect an IMSI Catcher Current detection methods are entirely anomaly based: 1. War walk your neighborhood and make note of all cell tower IDs you find and their locations 2. Repeat this until you are sure you have all known devices cataloged 3. Constantly monitor your area to see if any new devices are added 4. Go find the new device
  • 12. Tools to help you out OpenCellID.org – Database of mostly user-reported cellular tower devices, their locations, and their identifiers AIMSICD – Android IMSI Catcher Detector app. Tool used to collect cell data. It also reports/syncs with OpenCellID (sometimes). • https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector Rooted Android Device – Required for AIMSICD - Means you need a dedicated device for detection Eric Escobar – Detecting Rogue Cell Towers, built a $50 device to better triangulate devices (Presented this year) • https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Eric-Escobar-Rogue-Cell-Towers-UPDATED.pdf
  • 14. How hostile is it for your devices at Def Con? • Def Con = “Most hostile network on earth” ???? • Sure, don’t use the hotel Wi-Fi, but how bad is it for your cell phones? • Personal experiment to see if I could find any IMSI Catchers
  • 15. Setup • AIMSICD App • Burner Android Phone (rooted) • Next time: Pre-install opencellid.org data War Driving the Strip in style
  • 16. Don’t Freak out! Pre Def Con War Walk Post Def Con Data
  • 17. Lots of false positives • Devices on multiple floors? • Multiple redundant devices in same location • Potential issues with GPS accuracy
  • 18. Still Unknown Devices Red dots represent devices that I did not see in my preliminary walk and were not already known to opencellid.org
  • 19. Caesar’s • 3 Nights in Caesar’s before Def Con • Lots of towers picked up • Suggest a sort of ‘drive by attack’ • Also observed a lot of LTE to GSM downgrade attacks, my device was hopping networks quite frequently
  • 20. Caesar’s • At least 4 of these devices were previously not known to opencellid.org • There were a couple others that had only been seen once before
  • 21. Defense • Depends on your personal threat model • Don’t use your device • Wi-Fi calling with VPN? • Signal / OpenWhisper app for calling/SMS, although you would still be tracked • If all wireless carriers published their tower IDs you could at least know if an ID did not match. • Device spoofing would still be possible • Pressure wireless carriers to implement mutual authentication between devices
  • 22. Conclusions • The devices are very hard to detect; this is part of what makes them so dangerous • You rarely know when you are connected to these devices All data collected is available on my GitHub page https://github.com/MrVaughan/Defcon2016GSMData
  • 23. Shameless Plug • CMD+CTRL CTF Saturday Night • Accessible web app CTF for beginners and pros alike • Lots of challenges to keep you busy • Prizes
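
The anomaly-based workflow from slides 11 and 18 to 20, as an added Python example that is not part of the original deck: it builds a catalog from baseline walks and reference rows, then flags cells in a later survey that are unknown, seen only once before, or reached right after an LTE to GSM fallback. The `Obs` field layout, the 1500 m drift tolerance and every sample row are assumptions constructed for illustration, and the check for a known ID reported far from its catalogued position goes slightly beyond the slides.

```python
import math
from collections import namedtuple

# One logged observation (assumed layout, not AIMSICD's schema); o[:4] is the cell id.
Obs = namedtuple("Obs", "mcc mnc lac cid rat lat lon")

def dist_m(lat1, lon1, lat2, lon2):
    # Equirectangular approximation in metres; adequate at city scale.
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    return 6371000 * math.hypot(x, math.radians(lat2 - lat1))

def build_catalog(rows):
    """Baseline walks plus reference rows -> {cell: (lat, lon, sightings)}."""
    acc = {}
    for o in rows:
        n, lat, lon = acc.get(o[:4], (0, 0.0, 0.0))
        acc[o[:4]] = (n + 1, lat + o.lat, lon + o.lon)
    return {k: (lat / n, lon / n, n) for k, (n, lat, lon) in acc.items()}

def review(catalog, survey, max_drift_m=1500):
    """Sorted (finding, cell) pairs from a later survey that need follow-up."""
    findings, prev = set(), None
    for o in survey:
        cell, known = o[:4], catalog.get(o[:4])
        if known is None:
            findings.add(("unknown_cell", cell))
        elif dist_m(known[0], known[1], o.lat, o.lon) > max_drift_m:
            findings.add(("known_id_far_from_catalog", cell))
        elif known[2] == 1:
            findings.add(("seen_only_once_before", cell))
        if prev and prev.rat == "LTE" and o.rat == "GSM":
            findings.add(("lte_to_gsm_fallback", cell))
        prev = o
    return sorted(findings)

# Constructed sample data (not the talk's data set).
BASELINE = [
    Obs(310, 260, 1001, 11, "LTE", 36.1162, -115.1745),
    Obs(310, 260, 1001, 11, "LTE", 36.1164, -115.1741),
    Obs(310, 260, 1001, 12, "LTE", 36.1170, -115.1750),
    Obs(310, 260, 2002, 21, "GSM", 36.1215, -115.1700),
    Obs(310, 260, 2002, 21, "GSM", 36.1217, -115.1702),
]
SURVEY = [
    Obs(310, 260, 1001, 11, "LTE", 36.1163, -115.1744),  # known, in place
    Obs(310, 260, 1001, 12, "LTE", 36.1171, -115.1751),  # catalogued once
    Obs(310, 260, 9009, 99, "GSM", 36.1172, -115.1752),  # never seen, follows LTE
    Obs(310, 260, 2002, 21, "GSM", 36.1600, -115.1700),  # known id, about 4 km off
]
print(*review(build_catalog(BASELINE), SURVEY), sep="\n")
```

Every finding is a lead for review rather than proof: as slide 17 notes, GPS error and redundant equipment in one location produce false positives.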

Editor's Notes

  1. -Talk about 911 impact -Detecting presence -Can break some of the weaker crypto algorithms used in cellular networks
  2. About Citizen Lab: Intersection of Information and Communication Technologies (ICTs), human rights, and global security ‘Cyberwar’ All of these are sourced in Citizen Lab’s paper
  3. They are used in other EU countries as well as Canada. It is tough getting confirmed uses as it often takes years for the information to trickle out of court cases and information requests Montreal Reporters
  4. I have it on my calendar to build one in January (first chance I’ll get)
  5. Looking at your phone right now you have no idea if it is connected to a real cell phone tower or an IMSI catcher
  6. There are a couple of other similar presentations in the last year or 2. Can you trust the data in OpenCellID? -If I were XXX -
  7. Multiple antennas