gsm open source intelligence
play

GSM Open-source intelligence Kenneth van Rijsbergen 1 1MSc System - PowerPoint PPT Presentation

Aug 27, 2022 •164 likes •345 views

Introduction Background Results Conclusion GSM Open-source intelligence Kenneth van Rijsbergen 1 1MSc System and Network Engineering Faculty of Science University of Amsterdam 30 June 2016 Kenneth van Rijsbergen University of Amsterdam

  1. Introduction Background Results Conclusion GSM Open-source intelligence Kenneth van Rijsbergen 1 1MSc System and Network Engineering Faculty of Science University of Amsterdam 30 June 2016 Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 1 / 18

  2. Introduction Background Results Conclusion Table of Contents Introduction 1 Background 2 3 Results Conclusion 4 Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 2 / 18

  3. Introduction Background Results Conclusion Research question How may GSM be used for gathering OSINT by a red team ? How can a Software Defined Radio (SDR) be used to passively capture GSM traffic ? How can a Software Defined Radio (SDR) be used to actively capture GSM traffic ? What OSINT may be extracted from this GSM data ? Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 3 / 18

  4. Introduction Background Results Conclusion Software Defined Radio HackRF One 1 MHz to 6 GHz half-duplex transceiver $299.- BladeRF x40 300MHz to 3.8GHz full-duplex transceiver $420.- F IGURE – HackRF One F IGURE – BladeRF x40 Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 4 / 18

  5. Introduction Background Results Conclusion F IGURE – Waterfall (jamming test inside faraday cage) F IGURE – GSM sniffing with HackRF Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 5 / 18

  6. Introduction Background Results Conclusion Overview of mobile generations First generation (1G) 1980’s Analogue Voice only Technologies : AMPS, NMT, TACS, C-450, Radiocom 2000, RTMI, JTACS, TZ-801, TZ-802, and TZ-803 Second generation (2G) 1990’s Digital signalling, SMS, MMS, voice mail, call forwarding Encryption (A5/1 and A5/2) technologies : GSM , IS-95 (a.k.a. cdmaOne), PDC, iDEN and IS-136 (a.k.a. D-AMPS) 2.5G : GPRS 2.75G : EDGE Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 6 / 18

  7. Introduction Background Results Conclusion Overview of mobile generations Third generation (3G) 2000’s Improved crypto (A5/3) and two-way authentication between MS and BS. Faster data transfer Technologies : W-CDMA (UMTS), TD-SCDMA (only in China), HSPA, and HSPA+, CDMA2000, LTE Recently allowed to use the 900 and 1800 Mhz band (same as GSM). Fourth generation (4G) IP based, no more circuit-switched telephone Technologies : LTE Advanced and Mobile WiMAX Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 7 / 18

  8. Introduction Background Results Conclusion GSM Architecture + Lingo MS MS MS Mobile station BS BS BS BS Base Station BSC Base Station Controller BSC BSC BSC MSC Mobile Switching Center VLR Visitor Location Register MSC + VLR HLR Home Location Register AUC Authentication Center EIR Equipment Identity Register MSC + VLR HLR + AUC ISDN + PSTN MSC + VLR F IGURE – GSM Architecture Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 8 / 18

  9. Introduction Background Results Conclusion GSM authentication sequence F IGURE – GSM authentication sequence Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 9 / 18

  10. Introduction Background Results Conclusion IMSI catcher F IGURE – IMSI catcher Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 10 / 18

  11. Introduction Background Results Conclusion GSM Authentication A5 used to encrypt the data transmission between the MS and BS. A5/1 - Developed in 1987. Workings kept secret. - Reverse engineered in 1999 and published. - Can be cracked in seconds using rainbow tables. A5/2 - Extremely weak, developed for export markets - Can be cracked in real-time. - Discontinued by the GSM association since 2006. A5/3 - In use today. - Designed for 3G but also used for GSM. - Based on the MISTY block cypher which was later simplified into the KASUMI block cypher. - A faster than an exhaustive search attack has been found but nothing practical. Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 11 / 18

  12. Introduction Background Results Conclusion IMSI catcher IMSI International Mobile Subscriber Identity Can be used to identify a mobile subscriber. The IMSI is send by GSM unencrypted over the air during authentication. This enables tracking. Full IMSI catchers (full MITM) Half IMSI catchers (outgoing only) Both require a spoofed basestation. Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 12 / 18

  13. Introduction Background Results Conclusion IMSI catcher F IGURE – Stingray I (http://arstechnica.co.uk/) F IGURE – NSA GSM Tripwire (NSA’s ANT Division Catalog) F IGURE – IMSI catcher on planes (Brian McGill | The Wall Street Journal) Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 13 / 18

  14. Introduction Background Results Conclusion Passive Capturing Possible but all is encrypted Some IMSI’s may (in theory) be captured when in initial authentication. But nothing that can be practically used. F IGURE – GSM Decoding F IGURE – GSM data in Wireshark Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 14 / 18

  15. Introduction Background Results Conclusion Demo Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 15 / 18

  16. Introduction Background Results Conclusion Spoof limitation YateBTS only supports 2.5G GPRS OpenBTS-UMTS offers 3G UMTS but requires more expensive hardware (a recent USRP) The phone will always prefer a higher standard, even if the signal is weak 1 4G LTE-Advanced 2 3G UMTS 3 2.75G EDGE 4 2.5G GPRS <- YateBTS 5 2G GSM Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 16 / 18

  17. Introduction Background Results Conclusion Jamming The HackRF is not suitable for jamming Test was conducted inside a Faraday cage. Jamming a specific 900Mhz GSM channel was possible, but only for the old 2G Nokia. 3G HTC phone disconnects, then recovers when setting up a new call. Higher bands (like 1800) are too wide for the HackRF to cover. Transmitting at a higher frequency requires more power ; HackRF did not have enough to disrupt 2G 1800. 3G jamming is even more hopeless due to spread spectrum. Would be nice to test with a real 3G jammer. The hypothesis would be that the phone drops down to EDGE instead of GPRS. Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 17 / 18

  18. Introduction Background Results Conclusion Conclusion and Future work Conclusion Passive attacks are not effective due to encryption. Active attacks can only be effective versus 2G phones or when using jamming attacks (illegal). If, however a phone connects, everything outgoing can be intercepted (Internet, Voice, SMS). Future Work Full IMSI Catcher (still relies on a successful spoof) Selective jamming* (jam all but one channel) Kenneth van Rijsbergen University of Amsterdam GSM OSINT 30 June 2016 18 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Open Source Business Intelligence Open Source Business Intelligence Produkte, Anbieter,

Open Source Business Intelligence Open Source Business Intelligence Produkte, Anbieter,

Open Source Business Intelligence Open Source Business Intelligence Produkte, Anbieter, Geschftsmodelle Produkte, Anbieter, Geschftsmodelle Workshop Open Source Business Intelligence Prof. Dr. Peter Gluchowski 24. September 2009 -

581 views • 41 slides
Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source

Make Money With Open Source What is Open Source? Community Free software vs. open source Licenses: GPL vs. LGPL vs. MIT/Apache Foundations: Linux, Apache, Eclipse, Similar: Open Data, Open Hardware, Open Knowledge, ... Advantages of OS

508 views • 13 slides
Cognitive Bias and Critical Thinking in Open Source Intelligence (OSINT) Benjamin Brown Akamai

Cognitive Bias and Critical Thinking in Open Source Intelligence (OSINT) Benjamin Brown Akamai

Cognitive Bias and Critical Thinking in Open Source Intelligence (OSINT) Benjamin Brown Akamai Technologies Security Architecture * Law Enforcement Engagement * Systems Safety * Threat Intelligence * Security Research - Novel Attack

1.76k views • 140 slides
Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &amp;

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &amp;

Hector Open Source Security Intelligence Platform University of Pennsylvania School of Arts &amp; Sciences Ubani A Balogun &amp; Justin Klein Keane Security Intelligence HECTOR was developed out of a desire to leverage security

751 views • 25 slides
Building a Science of Open Source Analysis: Addressing the need for real tradecraft using open

Building a Science of Open Source Analysis: Addressing the need for real tradecraft using open

Building a Science of Open Source Analysis: Addressing the need for real tradecraft using open source analysis Current Context of Intelligence Analysis Customers and consumers demanding greater understanding of political and national

358 views • 18 slides
Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and

The State of Open Source Databases Peter Zaitsev, CEO Percona What a Year! Huge changes for Open Source and Open Source databases RedHat Acquired by IBM Image Source: https://techcrunch.com/story/ibm-acquires-red-hat/ Open Source

663 views • 29 slides
OSINT OPEN-SOURCE INTELLIGENCE OSINT Offensive OSINT * 1 Whoami Adam Nurudini CEH, ITIL

OSINT OPEN-SOURCE INTELLIGENCE OSINT Offensive OSINT * 1 Whoami Adam Nurudini CEH, ITIL

OSINT OPEN-SOURCE INTELLIGENCE OSINT Offensive OSINT * 1 Whoami Adam Nurudini CEH, ITIL V3, CCNA, CCNP, CASP, PCI-DSS, BSC-IT Lead Security Researcher @ Netwatch Technologies Project Consultant, Information Security Architects Ltd

454 views • 17 slides
NEST Kali Linux Tutorial: Maltego Maltego is an open source intelligence and forensics

NEST Kali Linux Tutorial: Maltego Maltego is an open source intelligence and forensics

NEST Kali Linux Tutorial: Maltego Maltego is an open source intelligence and forensics application. It will offer you timeous mining and gathering of information as well as the representation of this information in an easy to understand

477 views • 23 slides
Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab

Reinventing How America Votes Through Open Source Solutions Deborah Bryant OSU Open Source Lab Joseph Hall Center for Information Technology Policy, Princeton University Gregory Miller Open Source Digital Voting Foundation Visionaries on

942 views • 29 slides
Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years

Creating an Open Source Project Thiago Macieira Who am I? Open Source developer for 15 years Sofuware Architect at Intels Open Source Technology Center (OTC) and Tizen Platgorm Community Manager Maintainer of two modules in the Qt

649 views • 33 slides
1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

1 A Comparison of Open Source Search A Comparison of Open Source Search Engines Engines

Open Source Search Engines Why? Low cost: No licensing fees Source code available for customization Good for modest or even large data sizes Open-Source Search Engines and Challenges: Lucene/Solr Performance, Scalability

347 views • 13 slides
Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source

Automating Your Lights with Open Source Combining Open Source Hardware with Free and Open Source Software Leon Anavi Konsulko Group leon.anavi@konsulko.com leon@anavi.org FOSDEM 2018 Agenda Home automation and smart lightning Open

422 views • 30 slides
mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a

mITu Skillologies Open Source World http://mitu.co.in Existence of open source There is a vast increase in adoption of open source software solutions across the private enterprise, government associations and organizations, industries.

581 views • 18 slides
What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open

What is open source? Computer sofuware where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the sofuware. Promotes collaboration Community of developers

439 views • 12 slides
What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open

What is open source? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

878 views • 16 slides
What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open

What is open source ? Computer software where the source code is distributed under an open source license that allows anyone to study, change, improve and distribute the software. Promotes collaboration Community of developers

462 views • 14 slides
SS7 Signalling System Number 7 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878

SS7 Signalling System Number 7 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878

SS7 Signalling System Number 7 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 Website: http://www.gl.com SS7 A Brief Overview Defined by ITU-T in its

816 views • 35 slides
18-759: Wireless Networks L ecture 17: Cellular Peter Steenkiste Departments of Computer Science

18-759: Wireless Networks L ecture 17: Cellular Peter Steenkiste Departments of Computer Science

18-759: Wireless Networks L ecture 17: Cellular Peter Steenkiste Departments of Computer Science and Electrical and Computer Engineering Spring Semester 2010 http://www.cs.cmu.edu/~prs/wirelessS10/ 1 Peter A. Steenkiste, CMU Outline

402 views • 22 slides
networkMaryland TM Advisory Group Meeting April 16, 2013 Annapolis, MD Meeting Agenda Welcome

networkMaryland TM Advisory Group Meeting April 16, 2013 Annapolis, MD Meeting Agenda Welcome

networkMaryland TM Advisory Group Meeting April 16, 2013 Annapolis, MD Meeting Agenda Welcome &amp; Introductions l New Business l State of the Network l Status of Project l Other Business l 2 Welcome Introductions l Gregory Urban:

392 views • 21 slides
NPD Services A Paradigm Shift for NA PCB Fabricators Nilesh S Naik March 24 th , 2014

NPD Services A Paradigm Shift for NA PCB Fabricators Nilesh S Naik March 24 th , 2014

NPD Services A Paradigm Shift for NA PCB Fabricators Nilesh S Naik March 24 th , 2014 Continuing From Our Last Meeting Sales wont increase on their own You need managed CHANGE appropriate for you and your business. Without a

444 views • 20 slides
A Potentially Implementable FPGA for Quantum-Dot Cellular Automata Michael T. Niemier,

A Potentially Implementable FPGA for Quantum-Dot Cellular Automata Michael T. Niemier,

Non-Silicon Computing Workshop is Association with HPCA February 3, 2002 A Potentially Implementable FPGA for Quantum-Dot Cellular Automata Michael T. Niemier, University of Notre Dame Arun Rodrigues, University of Notre Dame Peter Kogge,

334 views • 10 slides
Core Switching and Routing Working Group Overview, Research Targets and Challenges Thierry E.

Core Switching and Routing Working Group Overview, Research Targets and Challenges Thierry E.

Core Switching and Routing Working Group Overview, Research Targets and Challenges Thierry E. Klein Chair, Core Switching and Routing Working Group GreenTouch Open Forum November 17 th , 2011 Overview Core Switching and Routing Working

371 views • 21 slides
Matrix NAVAN CNX200 Matrix NAVAN CNX200 Office-in-a-Box Solution NAVAN CNX200 All-in-one

Matrix NAVAN CNX200 Matrix NAVAN CNX200 Office-in-a-Box Solution NAVAN CNX200 All-in-one

Matrix NAVAN CNX200 Matrix NAVAN CNX200 Office-in-a-Box Solution NAVAN CNX200 All-in-one Solution for SOHOs and Branch Offices Challenges for Small Businesses Challenges for Small Businesses Challenges for Small Businesses Challenges for

592 views • 38 slides
Yuni Fatria Putrie (Ministry of Trade) OUTLINE Background Indonesia Commitment in T

Yuni Fatria Putrie (Ministry of Trade) OUTLINE Background Indonesia Commitment in T

TRADE IN SERVICES NEGOTIATIONS AND REFORMS REQUIRED FOR INDONESIA: TELECOMMUNICATION SERVICES Yuni Fatria Putrie (Ministry of Trade) OUTLINE Background Indonesia Commitment in T elecommunication Services Under the GATS Issues on T

495 views • 14 slides

More recommend