Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[Plumbercon/Ninjacon] How to stay invisible (still using cellphones)

How to stay invisible (still using cellphones)

Kugg

Synopsis

It is a well known fact that cell phones are the most common way of pinpointing identity, to position and set up a social diagram of an individual under investigation. In this talk, we will learn how to position cell phones using SMS-submit messages from an SMSC and how to position cell-IDs using a phone. These are known methods of positioning. Also, the audience will gain knowledge on how to stay anonymous and avoid getting your MSISDN (cell phone number) identified in the first place. ETSI standards of lawful interception tell half the story on how IMEI, IMSI and MSISDN are logged and tracked together with a position to find out your location. You will learn how to change an IMEI number on your phone as you change IMSI by switching between different low-cost prepaid SIM cards to be able to fly under the radar.

GSM Phone Privacy

7 Attacks that everybody could perform against GSM

ETSI Lawful Interception

Standard private, but working draft can be found at http://eu.sabotage.org

Establishes a form for Lawful Interception requests. The 4 main pieces of information that can be requested are :

  • IMSI (Unique SIM identifier)
  • IMEI (Mobile Phone manufacturer, model, and unique identifier)
  • MSISDN
  • Time

ICCID is made up of 5 parts: System code, MCC, MNC, Subscriber number, check digit

In some cases (such as the recent AT&T hack) it’s possible to transform the ICCID information into an IMSI number.

ETSI LI SMS Interception

Normally the agency performing the interception will receive copies of all SMS sent and received. This however isn’t always possible when the phone is roaming. Arrangements are not in place between countries to share this kind of LI information.

HLR (Home Location Register) Lookups

As presented at CCC in recent years, it’s possible to track a user using a number of online services. These services cost less than €10 to provide tracking services.

One possible service is http://routomessaging.com/

IMSI and IMEI Database

IMSI and IMEI information get associated and stored in a database. Switching SIMS isn’t enough, as once an IMSI and IMEI are linked, you can track the phone even when a new SIM is put into it. Changing the SIM and the Phone is one method of defeating this. Unless you can change the IMEI on a phone.

Nokia had a tool to change the IMEI and other settings on older phones (3310). This isn’t always legal however. Check your local laws.

Sim Card scanning/cloning

Older attack (used by Mitnick, way back).

Simcard cracking/ scanning is used to create a simcard clone

Simcard clones can be used in regular handsets

Operator settings are exposed (and can be modified in the clone)

Older Simcards are prone to this attack using tools like SIMeasy

You can crack the encryption and write the cloned simcard information to a wafercards (Phoenix or smartmouse).

If you clone a sim, the last person to register on the network gets incoming calls, the other is ignored.

Prepaid simcards

Some operators need to see ID (and photocopy the ID) before buying a sim. This ID can then be provided to any agency when requested.

50% of all simcards are pre-paid

Hacked Firmware

Nokia 3310 hacked firmware (Nokia 3310 spyphone).

When activated, the phone will accept any inbound call without notifying the user. This could be used to spy on people and record conversations. As the firmware is available on Rapidshare, it can be modified for other uses.

UEA LI Blackberry –> http://news.bbc.co.uk/2/hi/8161190.stm

The UAE also rolled out a hacked Blackberry firmware that caused issues on people’s Blackberry phones.

Hijacking Mobile Data Connections

Changing the http proxy settings of a user. See http://www.mseclab.com/?p=146

Use IMSI to figure out the operator and correct settings

Possible methods of deployment

  • OTA – Over The Air provisioning
  • iPhone .mobileconfig
  • Possible on Android also

Protecting yourself – Solutions

Make your own rules

  • Who are you giving your number to?
    • They can track you
  • When do you change your IMSI/IMEI?
    • You need to change them at the same time to avoid a trail
  • What number do you give to your mother?
    • Easy to find a link between your family and you using simple checks

Giving out your number is giving out your location

Acceptance of updates may lead to data eavesdropping

Pre-paid cards from abroad make things more complex for legal interception

Links :

eport: Cyber Attacks Caused Power Outages in Brazil

  • Plumbercon/Ninjacon Synopsis -–> http://plumbercon.org/schedule/50
  • UEA LI Blackberry –> http://news.bbc.co.uk/2/hi/8161190.stm
  • ETSI Lawful Interception –> http://eu.sabotage.org
  • Hacking Mobile Data Connections –> http://www.mseclab.com/?p=146
  • HLR Lookups –> http://routomessaging.com/
  • http://routomessaging.com/SMS-services/sms-hlrlookup.pmx
  • Advertisements
    %d bloggers like this: