
How to stay invisible (still using cellphones)
Kugg
Synopsis
It is a well-known fact that cell phones are the most common way of pinpointing identity, positioning and building a social diagram of an individual under investigation. In this talk, we will learn how to position cell phones using SMS-submit messages from an SMSC and how to position cell-IDs using a phone. These are known methods of positioning. The audience will also gain knowledge on how to stay anonymous and avoid getting their MSISDN (cell phone number) identified in the first place. ETSI standards of lawful interception tell half the story of how IMEI, IMSI and MSISDN are logged and tracked together with a position to find out your location. You will learn how to change the IMEI number on your phone as you change IMSI by switching between different low-cost prepaid SIM cards, to be able to fly under the radar.
GSM Phone Privacy
7 attacks that anybody could perform against GSM
ETSI Lawful Interception
The standard is private, but a working draft can be found at http://eu.sabotage.org
It establishes a form for Lawful Interception requests. The 4 main pieces of information that can be requested are:
- IMSI (Unique SIM identifier)
- IMEI (Mobile Phone manufacturer, model, and unique identifier)
- MSISDN (cell phone number)
- Time
The ICCID is made up of 5 parts: system code, MCC, MNC, subscriber number, check digit
In some cases (such as the recent AT&T hack) it’s possible to transform the ICCID information into an IMSI number.
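To make the five-part layout concrete, here is a small parser, added as an example and not part of the talk, that splits an ICCID into those parts and verifies its Luhn check digit; checking the digit catches mis-transcribed ICCIDs in a SIM inventory or LI record before they get linked to an IMSI. The "89" system code, a 3-digit MCC and a 2-digit MNC are assumptions about field widths (real issuer fields vary), and the sample ICCID is constructed.

```python
# Added example (not from the talk): parse an ICCID into the five parts the
# notes list and verify its Luhn (mod-10) check digit.
# Assumed field widths (real ICCIDs vary by issuer): "89" system code,
# 3-digit MCC, 2-digit MNC, variable subscriber number, 1 check digit.

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_iccid(iccid: str, mnc_len: int = 2) -> dict:
    """Split an ICCID into its five parts after validating it.

    Raises ValueError on non-numeric input, bad length, a wrong system code
    or a failing Luhn check digit.
    """
    if not iccid.isdigit() or not 18 <= len(iccid) <= 20:
        raise ValueError("ICCID must be 18-20 digits")
    if not luhn_valid(iccid):
        raise ValueError("ICCID check digit does not verify")
    parts = {
        "system_code": iccid[:2],
        "mcc": iccid[2:5],
        "mnc": iccid[5:5 + mnc_len],
        "subscriber_number": iccid[5 + mnc_len:-1],
        "check_digit": iccid[-1],
    }
    if parts["system_code"] != "89":
        raise ValueError("not a telecom (89) ICCID")
    return parts


# Constructed sample ICCID (not a real card): MCC 310, MNC 00,
# subscriber number 12345678901, Luhn check digit 3.
SAMPLE_ICCID = "8931000123456789013"

if __name__ == "__main__":
    print(parse_iccid(SAMPLE_ICCID))
```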
ETSI LI SMS Interception
Normally the agency performing the interception receives copies of all SMS sent and received. This is not always possible when the phone is roaming, however, as arrangements to share this kind of LI information are not in place between countries.
HLR (Home Location Register) Lookups
As presented at CCC in recent years, it’s possible to track a user using a number of online services. These services provide tracking for less than €10.
One possible service is http://routomessaging.com/
IMSI and IMEI Database
IMSI and IMEI information get associated and stored in a database. Switching SIMs isn’t enough: once an IMSI and IMEI are linked, the phone can be tracked even when a new SIM is put into it. Changing both the SIM and the phone is one way of defeating this, unless you can change the IMEI on the phone.
Nokia had a tool to change the IMEI and other settings on older phones (3310). This isn’t always legal, however; check your local laws.
SIM card scanning/cloning
Older attack (used by Mitnick, way back).
SIM card cracking/scanning is used to create a SIM card clone
SIM card clones can be used in regular handsets
Operator settings are exposed (and can be modified in the clone)
Older SIM cards are prone to this attack using tools like SIMeasy
You can crack the encryption and write the cloned SIM card information to wafer cards (Phoenix or Smartmouse).
If you clone a SIM, the last handset to register on the network gets the incoming calls; the other is ignored.
Prepaid SIM cards
Some operators need to see ID (and photocopy the ID) before selling a SIM. This ID can then be provided to any agency on request.
50% of all SIM cards are prepaid.
Hacked Firmware
Nokia 3310 hacked firmware (Nokia 3310 spyphone).
When activated, the phone will accept any inbound call without notifying the user. This could be used to spy on people and record conversations. As the firmware is available on Rapidshare, it can be modified for other uses.
UAE LI BlackBerry –> http://news.bbc.co.uk/2/hi/8161190.stm
The UAE also rolled out a hacked BlackBerry firmware that caused issues on people’s BlackBerry phones.
Hijacking Mobile Data Connections
Changing the HTTP proxy settings of a user. See http://www.mseclab.com/?p=146
The IMSI is used to figure out the operator and the matching settings
Possible methods of deployment
- OTA – Over The Air provisioning
- iPhone .mobileconfig
- Possible on Android also
Protecting yourself – Solutions
Make your own rules
- Who are you giving your number to?
- When do you change your IMSI/IMEI?
  - You need to change them at the same time to avoid leaving a trail
- What number do you give to your mother?
  - It is easy to find a link between your family and you using simple checks
Giving out your number is giving out your location
Acceptance of updates may lead to data eavesdropping
Prepaid cards from abroad make things more complex for lawful interception
Links:
Plumbercon/Ninjacon Synopsis –> http://plumbercon.org/schedule/50
UAE LI BlackBerry –> http://news.bbc.co.uk/2/hi/8161190.stm
ETSI Lawful Interception –> http://eu.sabotage.org
Hacking Mobile Data Connections –> http://www.mseclab.com/?p=146
HLR Lookups –> http://routomessaging.com/
http://routomessaging.com/SMS-services/sms-hlrlookup.pmx