Sunday, January 19, 2014

Interception of mobile phones | Present and Future |

The topic of mobile phone interception is currently very topical, and in Slovakia doubly so. The Gorilla reports, transcripts of calls and SMS messages, the planned purchase of a new interception system ... In this article we focus on all the common techniques and outline the future of listening devices in view of the upcoming changes in mobile networks. GSM technology was developed after the war and currently has many known vulnerabilities, which we will get to later. The standard encryption was designated A5/1; later, mainly because of exports to third-world countries, a simpler version was derived from the cipher, A5/2, which can be decrypted in real time. In countries such as India, the "encryption" designated A5/0 is used, that is, no encryption at all.
In the near future we expect full deployment of A5/3. According to our earlier tests, T-Mobile, O2 and Orange in the Slovak Republic use A5/1 encryption in normal operation, without frequency hopping. That holds for normal operation, that is, unless the (US) president is visiting our country, when the encryption is often switched off. A Nokia 3310 is enough to verify this. But how does this mysterious interception actually take place?
The News of the World Phone Hacking Scandal
I will start lightly, with the journalists' intrusion into voicemail accounts that the media labeled as the News of the World "phone hacking" affair. In fact, it was obviously just guessing simple voicemail passwords. No interception, no private interceptor.
Blackberry
In terms of security, not every mobile phone is alike. Unlike most phones, BlackBerry data are encrypted and routed overseas through RIM's network centre in Canada. The desire (need) to eavesdrop in some countries is so great that they do not hesitate to block an innovative company that understands and supports its customers' wish to keep their data, calls and coordinates safe. BlackBerry began to be boycotted by Arab countries, the European Commission, the French security agency, and a British bank.
Apple - iOS 5
A small step forward is the warning in iOS 5 that tells the user that the mobile network is not using encryption. It will not protect you against the location and quality of an interceptor, and in India it will beep all the time, but it is at least a small step towards more secure GSM communication. Logically, this warning also applies when a downgrade to A5/2 is deployed, which again allows interception.
Screenshot showing the warning:

Interception in practice
For standard police wiretaps, the police have access to the operator's MSC (Mobile Switching Centre), where simple search parameters select the participant whose calls and SMS messages are recorded. A mobile phone is governed by simple logic and is identifiable on the network and on the map by a number of parameters: phone number, IMSI, IMEI ... So if the police have legal grounds, interception and localization are carried out this way. Simple, comfortable, clean and legal ...
Silent SMS - positioning
Silent SMS (also hidden SMS, broken SMS, or pinging) is a method of determining the location of a mobile phone based on the BTS. Every cell phone constantly communicates with the nearest BTS; that is how GSM works. Delivery of a silent SMS has no visible effect on the mobile device, and with repeated pings the operator can obtain a map of the area in which the cell phone moved. The Federal police used more than 440,000 silent SMS in 2010. The tabloid press has abused this positioning method since the days of Princess Diana, when in the UK they managed to buy the forms from the Metropolitan Police for $500 apiece.
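Silent SMS is invisible in the phone's inbox, but it is not invisible on the air interface: the message is usually sent as "Short Message Type 0" (TP-PID 0x40 in 3GPP TS 23.040), which the handset must acknowledge and then discard. The following is an added example, not code from the original article or from any tool it cites, showing how a handset-side monitor could flag such pings by parsing the SMS-DELIVER PDU that a GSM modem hands over. The PDUs, the SMSC address and the sender number are constructed for the example.

```python
# Added example (not from the original article): detect a "silent" SMS on the
# handset side by inspecting the TP-PID of a received SMS-DELIVER PDU.
# Silent SMS are commonly sent as "Short Message Type 0" (TP-PID 0x40,
# 3GPP TS 23.040), which the phone must acknowledge but must not display.

SILENT_TYPE0_PID = 0x40


def _swap_digits(octets: bytes) -> str:
    """Decode semi-octet (nibble-swapped) BCD digits, dropping the 0xF filler."""
    digits = []
    for b in octets:
        digits.append(str(b & 0x0F))
        hi = b >> 4
        if hi != 0x0F:
            digits.append(str(hi))
    return "".join(digits)


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Parse the header of an SMS-DELIVER PDU as handed over by a GSM modem
    (SMSC address prefix included). Returns the fields needed for the check."""
    b = bytes.fromhex(pdu_hex)
    i = 0
    smsc_len = b[i]; i += 1
    i += smsc_len                      # skip SMSC type-of-address + digits
    first_octet = b[i]; i += 1
    if first_octet & 0x03 != 0x00:     # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = b[i]; i += 1           # TP-OA length is given in digits
    oa_type = b[i]; i += 1
    oa_octets = (oa_digits + 1) // 2
    sender = _swap_digits(b[i:i + oa_octets]); i += oa_octets
    if oa_type & 0x70 == 0x10:         # international numbering plan
        sender = "+" + sender
    pid = b[i]; i += 1                 # TP-PID: 0x40 marks a Type 0 message
    dcs = b[i]; i += 1                 # TP-DCS
    i += 7                             # TP-SCTS timestamp, not needed here
    udl = b[i]; i += 1                 # TP-UDL
    return {"sender": sender, "pid": pid, "dcs": dcs, "udl": udl}


def is_silent_sms(pdu_hex: str) -> bool:
    """True when the PDU carries a Type 0 message, i.e. a silent/ping SMS."""
    return parse_sms_deliver(pdu_hex)["pid"] == SILENT_TYPE0_PID


# Constructed sample PDUs (not captured from any real network):
# constructed SMSC address / sender +31641600986 / TP-PID 0x40 / empty user data
SILENT_PDU = "07911326040000F0" "04" "0B911346610089F6" "40" "00" "21201191713140" "00"
# Same sender, ordinary text message: TP-PID 0x00, 7-bit "hello" (5 septets)
NORMAL_PDU = "07911326040000F0" "04" "0B911346610089F6" "00" "00" "21201191713140" "05E8329BFD06"

if __name__ == "__main__":
    for name, pdu in (("silent", SILENT_PDU), ("normal", NORMAL_PDU)):
        info = parse_sms_deliver(pdu)
        print(f"{name}: from {info['sender']} pid=0x{info['pid']:02x} silent={is_silent_sms(pdu)}")
```

A counter of Type 0 messages per hour, or simply logging them with their sender and timestamp, is enough to notice the repeated pinging the paragraph describes; the phone itself will show nothing.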
FakeBTS
In this paragraph, by FakeBTS I mean a simple way of using the USRP, otherwise referred to as an IMSI catcher. Creating a so-called false BTS (Base Transceiver Station) is not a complicated matter. The range of a BTS is somewhere up to 30 km; a FakeBTS usually covers only a fraction of that space. As we have mentioned on this site (H4F), it is a "copy" of a legitimate cell, and this method is referred to as active interception. If you are traveling in your car, your cell phone constantly checks the quality of the signal from nearby BTSs, and when it finds that the original BTS is now in a different direction and another BTS can offer a better signal, it simply switches to it, subject to certain minimum conditions.

If you own an Android phone, finding the position and ID of a BTS is quite simple. The stronger one wins: if your fake BTS chooses the same MNC and MCC (concepts explained in previous articles) and the phone judges it "satisfactory" as a cell with a better signal, it does what it must ... The encryption level is thus automatically changed from the original A5/1 to none. Routing of calls to the recipient is handled via SIP, and outgoing calls and SMS can be recorded. Since this is an active attack, the device can therefore be detected. Incorrect configuration can cause interference to the network. Basic hardware costs are around 1,500 US dollars, as demonstrated in detail at three security conferences in recent years. A popular and entertaining lecture is Defcon 18 - Practical Cellphone Spying, explaining the nature of the IMSI catcher using the Universal Software Radio Peripheral:
GSM Interceptor
Military intelligence, industrial espionage, agencies of other states monitoring government buildings and embassies, a solid detective agency: anyone who is serious about interception gets an interceptor. An interceptor is a complex device for tapping mobile phones in the 850/900/1800/1900/3G bands. Depending on the model, these devices are divided into several classes. They differ in weight, price and of course functionality. From passive to semi-passive, prices range from €50,000 upwards. A simpler interceptor works like a FakeBTS, but with sophisticated, closed software. It covers the area with a strong GSM signal, filters and logs only the target mobile devices, reduces the encryption level to A5/0, and away we go ...

A complex interceptor deals with the encryption. When the phone registers with a BTS, a number of pieces of information are exchanged, but we are interested in Kc. It is a 64-bit key generated by the mobile phone, with which the call is subsequently encrypted. The interceptor actively simulates the target BTS; using high-performance computing (FPGA), breaking Kc is a matter of seconds, or effectively real time. Some sources mention a so-called Pocket Kc-Grabber, but it is the same principle. Once Kc has been captured, the attack is passive; the call is decoded with a slight delay. To get a complete picture of such an interceptor beyond the text, we will use an advertising presentation:
A5.1 Realtime GSM Cell Phone Interceptor
Update: some specifications of one particular interceptor:
The very high-speed A5/1 Decipher, comprised of Accelerated Processing Boards (APB), enabling an average of less than 5 seconds deciphering time, capable of live and real-time monitoring of A5/1 even for calls on networks which replace the Kc every call. The system includes 3 APBs. Each APB contains 27 FPGA chips divided into three groups of 9 chips. A heat sink with a fan on top is placed above each group of 9 chips in order to maintain optimal conditions for processing. The APB LAN cards are connected through a switch to the Decipher software in the Management Server (laptop). By Q1 2012, the APB will be replaced with an ASIC APB which will enable less than 0.5 sec average for Kc calculation.
WCDMA 3G CDMA TDMA
If somebody tries to convince you that their product can eavesdrop only on networks of this type, I would not take such claims too seriously. In any case, even with the band this crowded, "outside the zone" your mobile phone still uses GSM. Combine an expensive interceptor with a jammer and you have a solution for the higher frequencies. A jammer is also an ideal solution for a FakeBTS whose signal does not overwhelmingly exceed the original one. It acts as a pulse.
Practical attacks on GSM, Present and Future
A wide range of mathematicians and researchers deal with the vulnerabilities of GSM systems; briefly, names like Alex Biryukov, Adi Shamir, David Wagner, Ian Goldberg, and of particular interest the work of Elad Barkan, Eli Biham, Nathan Keller ... Academic research, however, did not move the mobile operators' position on increasing security. Several PDFs, very often lacking source code, are practically useless as pressure on the operators. With no real threat and no public pressure, the mobile operators' position has been unchanged since the days of the theoretical breaking of A5/1. If you follow the annual Chaos Computer Club (CCC) congress, you can guess where this is going. Over the past three years, Karsten Nohl has demonstrated practical vulnerabilities of GSM networks and published (almost all) the tools needed for active and passive eavesdropping. So let's go through it step by step ...
26th Chaos Communication Congress - GSM: srsly?
The first presentation was closely tied to the use of USRP, GNU Radio, OpenBTS and the practical breaking of A5/1. Capture is done with the Airprobe set of programs; 2 TB of rainbow tables are available, usable with the program Kraken. The tables were later optimized. Using the computing power of graphics cards, Kc is broken in several tens of seconds. We covered this presentation on our site in the article GSM Fail?
http://mirror.fem-net.de/CCC/26C3/mp4/26c3-3654-en-gsm_srsly.mp4
27th Chaos Communication Congress - Wideband GSM Sniffing
Interception and localization of mobile phones using older phones and OsmocomBB, covered in the article OsmocomBB project & GSM sniffing. The presentation shows locating a mobile phone, capturing data and subsequently breaking the encryption. Part of the code has not been disclosed.
http://ftp.ccc.de/congress/2010/mp4-h264-HQ/27c3-4208-en-wideband_gsm_sniffing.mp4
http://events.ccc.de/congress/2010/Fahrplan/attachments/1783_101228.27C3.GSM-Sniffing.Nohl_Munaut.pdf
28th Chaos Communication Congress - Defending mobile phones
The last presentation specifically proposes steps to be taken to better secure GSM. Additional protection methods can shut out snoopers for a time, but, more importantly, the available tools can detect their presence. This is the so-called IMSI catcher detector for OsmocomBB, with which anyone who owns a supported mobile phone can check the security level of their GSM operator's network and reliably identify pinpointing or man-in-the-middle attacks against the mobile phone.
http://events.ccc.de/congress/2011/Fahrplan/attachments/1994_111217.SRLabs-28C3-Defending_mobile_phones.pdf
http://mirror.fem-net.de/CCC/28C3/mp4-h264-HQ/28c3-4736-en-defending_mobile_phones_h264.mp4
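The detection idea behind the 28C3 talk, and the reason the FakeBTS section above says an active attack "can be detected", is that a false cell has to copy the real network's MCC/MNC, win on signal strength, and drop the cipher to A5/0. The following is an added example, not code from the original article nor from the SRLabs or OsmocomBB tooling it cites, implementing those two rules over cell observations of the kind an OsmocomBB phone or an Android cell-info API can log. Both the baseline and the "current" observations are constructed; MCC 231 is Slovakia, but the MNC, LAC, CID and signal levels are made up.

```python
# Added example (not part of the article or of the SRLabs/OsmocomBB tooling it
# cites): a minimal IMSI-catcher / downgrade heuristic over cell observations
# such as an OsmocomBB phone or an Android cell-info API could log. The two
# rules follow the FakeBTS behaviour described in the article: it copies the
# real network's MCC/MNC, wins on signal strength, and drops the cipher to A5/0.

from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class CellObs:
    mcc: str      # mobile country code, e.g. "231" (Slovakia)
    mnc: str      # mobile network code
    lac: int      # location area code
    cid: int      # cell id
    rxlev: int    # received level in dBm (higher is stronger)
    cipher: str   # cipher the network selected: "A5/0", "A5/1", "A5/3"


Alert = Tuple[str, CellObs, str]   # (rule, offending observation, detail)


def build_baseline(history: Iterable[CellObs]):
    """Summarise trusted past observations: known cells, strongest level,
    and the ciphers each network normally negotiates."""
    known = set()
    ciphers = {}
    strongest = -200
    for c in history:
        known.add((c.mcc, c.mnc, c.lac, c.cid))
        ciphers.setdefault((c.mcc, c.mnc), set()).add(c.cipher)
        strongest = max(strongest, c.rxlev)
    return known, ciphers, strongest


def analyse(history: Iterable[CellObs], current: Iterable[CellObs]) -> List[Alert]:
    """Compare fresh observations against the baseline and return alerts."""
    known, ciphers, strongest = build_baseline(history)
    alerts: List[Alert] = []
    for obs in current:
        net = (obs.mcc, obs.mnc)
        if net not in ciphers:
            continue   # foreign network: nothing to compare against
        # Rule 1: a network that always negotiated A5/1+ suddenly offers A5/0.
        if obs.cipher == "A5/0" and "A5/0" not in ciphers[net]:
            alerts.append(("cipher-downgrade", obs,
                           f"{net[0]}-{net[1]} normally uses {sorted(ciphers[net])}"))
        # Rule 2: an unseen LAC/CID on our own network, louder than anything before.
        if (obs.mcc, obs.mnc, obs.lac, obs.cid) not in known and obs.rxlev > strongest:
            alerts.append(("unknown-strong-cell", obs,
                           f"{obs.rxlev} dBm beats strongest known cell ({strongest} dBm)"))
    return alerts


# Constructed sample logs (MCC 231 is Slovakia; MNC, LAC, CID and levels are made up).
HISTORY = [
    CellObs("231", "02", 4310, 21577, -71, "A5/1"),
    CellObs("231", "02", 4310, 21578, -80, "A5/1"),
    CellObs("231", "02", 4311, 21601, -88, "A5/1"),
]
CURRENT = [
    CellObs("231", "02", 4310, 21577, -72, "A5/1"),   # normal
    CellObs("231", "02", 4310, 21577, -72, "A5/0"),   # cipher dropped on a known cell
    CellObs("231", "02", 4399, 60001, -55, "A5/0"),   # new, very loud cell, no cipher
    CellObs("232", "01", 1000, 1, -60, "A5/0"),       # another country's network, ignored
]

if __name__ == "__main__":
    for rule, obs, detail in analyse(HISTORY, CURRENT):
        print(f"[{rule}] LAC {obs.lac} CID {obs.cid}: {detail}")
```

Two caveats follow directly from the article. The absence of frequency hopping is deliberately not a rule here, because the Slovak operators tested above run without it in normal operation, so it carries no signal. And these heuristics only see the active variants (FakeBTS, the semi-passive interceptor): the passive interceptor described earlier, which breaks Kc after capture, transmits nothing and leaves no such trace on the handset.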
GSM security map
The GSM security map displays the results of cell logs divided into 3 categories, namely the vulnerability of a GSM network to 3 main problems: information gathering, interception and tracking. If you own a Motorola C123/C121/C118 (E88) or Motorola C155 (E99), join the mapping. The ratio between the Czech Republic and Slovakia is interesting. According to available information, the Slovak "statistics" are based on a single cell from one operator ... (Eurotel wtf?) Many of you experimenting with OsmocomBB send in your logs ... If you feel like it and have one of the phones mentioned, please send them to us. By examining the actual situation, there may be pressure on mobile operators to implement the proposed security solutions.
Finally, a small digression from the GSM bands. As an added bonus, a GPRS vulnerability was presented at Chaos Communication Camp 2011 in a talk entitled "GPRS Intercept: Wardriving phone networks". Karsten Nohl and Luca Melette highlighted the vulnerability of GPRS. A quite surprising finding is that some commercial systems do not use encryption at all!
GPRS Intercept presentation:
http://events.ccc.de/camp/2011/Fahrplan/attachments/1868_110810.SRLabs-Camp-GRPS_Intercept.pdf
Satellite Phones
At the end of 2011 the Osmo-GMR project was introduced, a planned GMR-1 (Geostationary Earth Orbit Mobile Radio) sniffer focused on the Thuraya satellite phone network. GMR is a derivative of GSM, using the GMR-1 and GMR-2 standards. The project gained momentum and passed into the hands of its masters: in February 2012 the researchers Benedikt Driessen and Ralf Hund presented a paper entitled Don't Trust Satellite Phones, describing the reverse engineering of a DSP firmware update for the Inmarsat IsatPhone Pro and Thuraya SO-2510 satellite phones. The encryption algorithms of both standards were analyzed and broken. The encryption of the GMR-1 standard can be compared to A5/2 in GSM networks. Hardware costs are at a level comparable to a FakeBTS; the time depends on computing performance, and for a conventional computer the estimated time to break the stream cipher is about 30 minutes.
GMR-2, used by Inmarsat, is a complicated, very different, but equally vulnerable algorithm. The cause of the vulnerability of satellite phones is clear. Again, as with RFID and GSM, Kerckhoffs's classical principle was ignored: the system was kept secret instead of being published and made available for analysis and verification of its security. The vulnerability of the stream cipher (GMR-1, Thuraya) has a rich history. Reports are known from the time of the Iraq war, when the US military had accurate information on the positions of Iraqi government troops thanks to satellite phones. If we realize that Thuraya phones are manufactured by Boeing ... These assumptions were confirmed by Harald Welte in an interview with golem.de: guiding missiles using GPS coordinates obtained from a satellite phone is thus quite real.
-
Handset manufacturers, and mobile operators in particular, must reckon with private users. The proposed modifications are neither extremely complicated nor financially demanding. Some operators in Germany have already started implementing them. With a little luck and willingness, in a few years only those with a valid legal claim will be able to tap us, not just whoever has the money.
