sitch
play

SITCH Inexpensive, coordinated GSM anomaly detection About Me - PowerPoint PPT Presentation

Nov 27, 2023 •515 likes •1.1k views

SITCH Inexpensive, coordinated GSM anomaly detection About Me 2000: Technology career started (I can get paid for this??) 2003: Started building with Linux Came to infosec through systems and network engineering, integration

  1. SITCH Inexpensive, coordinated GSM anomaly detection

  2. About Me • 2000: Technology career started (I can get paid for this??) • 2003: Started building with Linux • Came to infosec through systems and network engineering, integration • Security tools and integration (SIEM, HIDS, etc…) • Current: R&D

  3. About You • Background in systems and network engineering • Interested in GSM threat detection • Tinfoil hat not required… but not unwelcome!

  4. “Thoughts and opinions expressed are my own. If you take anything away from this talk and act on it, I’m not responsible if you go to jail, become a pariah, or your dog stops liking you. Know the laws you’re subject to and operate accordingly.” –Ashmastaflash

  5. What We’re Covering Today • Why Care? • Current Threat and Detection Landscape • Project Goals • SITCH: MkI • SITCH: MkII • Service Architecture • Future Plans • Prior Art • Q&A

  6. Why Care? • Invasions of privacy are bad, even when they’re unnoticed. • Industrial espionage costs money and jobs.

  7. WTF Is Under All That??

  8. Is Anybody Home?

  9. Terminology • Software Defined Radio (SDR): Using software to perform signal processing in concert with an adjustable-frequency RF receiver • ARFCN: Absolute Radio Frequency Channel Number • BTS: Base Transceiver Station • CGI: Cell Global ID (MCC + MNC + LAC + CI) • MCC: Mobile Country Code • MNC: Mobile Network Code • LAC: Location Area Code • CI: Cell ID • IMSI: International Mobile Subscriber Identity

  10. GSM Addressing

  11. Threat and Detection Landscape • Malicious Devices • Indicators of Attack • Existing Detection Methods

  12. Hacked Femtocell Trusted part of provider’s network Your phone doesn’t know it’s evil

  13. Evil BTS Handset will automatically associate, unable to assert trustworthiness

  14. Indicators of Attack • ARFCN over threshold • ARFCN outside forecast • Unrecognized CGI • Gratuitous BTS re-association • BTS detected outside of range

  15. Detection Methods • Commercial Options: • Pwnie Express • Bastille Networks • Open Source: • Fake BTS • AIMSICD • Femto Catcher

  16. Project Goals • Inexpensive (what can I get for $100?) • Small footprint, low power requirements preferred • Functional Targets: Indicators of Attack (IOA) Coverage • Centrally managed software and configuration

  18. Raspberry Pi 2

  19. Raspberry Pi 2 logarithmic antenna

  20. Raspberry Pi 2 logarithmic antenna Odroids

  21. Raspberry Pi 2 logarithmic antenna XU4 C1+ Odroids

  22. Raspberry Pi 2 logarithmic antenna galaxy of XU4 C1+ Odroids

  23. Raspberry Pi 2 logarithmic antenna RED galaxy of XU4 C1+ Odroids

  24. Raspberry Pi 2 logarithmic antenna RED galaxy of BLUE XU4 C1+ Odroids

  25. Raspberry Pi 2 logarithmic antenna GREEN RED galaxy of BLUE XU4 C1+ Odroids

  26. Raspberry Pi 2 logarithmic antenna GREEN RED galaxy of ORANGE BLUE XU4 C1+ Odroids

  27. Raspberry Pi 2 logarithmic antenna GREEN RED galaxy of ORANGE BLUE XU4 C1+ Intel NUC Odroids

  28. Raspberry Pi 2 logarithmic antenna GREEN RED Intel Edison galaxy of ORANGE BLUE XU4 C1+ Intel NUC Odroids

  29. Raspberry Pi 2 logarithmic antenna GREEN RED Intel Edison GSM Modem galaxy of ORANGE BLUE XU4 C1+ Intel NUC Odroids

  30. Raspberry Pi 2 logarithmic antenna GREEN RTL-SDR RED Intel Edison GSM Modem galaxy of ORANGE BLUE XU4 C1+ Intel NUC Odroids

  31. Raspberry Pi 2 logarithmic antenna GREEN RTL-SDR RED Intel Edison GSM Modem galaxy of ORANGE BLUE XU4 C1+ I didn’t really *need* all of this… Intel NUC Odroids

  33. SITCH Situational Information from Telemetry and Correlated Heuristics

  34. SITCH Sensor MkI

  35. SITCH Sensor MkI

  36. MkI Results Targets MkI Coverage ARFCN over threshold YES ARFCN outside of forecast YES Unrecognized CGI NO Gratuitous BTS re-association NO BTS detected outside of range NO Price ~$100

  37. Releasing MkI? No.

  38. What’s wrong with MkI?

  39. Start Demo Here! • Confirm device registration • Image download starts

  40. Deployment Pipeline

  41. Service-Side Software Tool Purpose Inbound Information Processing Logstash Alert delivery Elasticsearch Scan document retention Time-series database Carbon/Graphite Statistical analysis of time-series data Kibana Browse scans Tessera Dashboard for Graphite Graphite Beacon Alert Generation Vault Secret management Resin Software Deployment Slack Notifications

  42. SITCH Service Architecture

  43. SITCH Intelligence Feed • OpenCellID Database: • MCC, MNC, Lat, Lon, Range • Twilio: • MCC, MNC, CarrierName

  44. SITCH Sensor MkII

  45. SITCH Sensor MkII

  46. SITCH Sensor MkII

  47. SITCH Sensor MkII

  48. SITCH Sensor MkII

  49. SITCH Sensor MkII

  50. Return to Demo! • Slack alerts • Tessera graphs • Kibana scan search • Resin logs

  51. MkI, MkII Summary Targets MkI Coverage MkII Coverage ARFCN over threshold YES YES ARFCN outside of forecast YES YES Unrecognized CGI NO YES Gratuitous BTS re- NO YES association BTS detected outside of NO YES range Price ~$100 ~$150

  52. Going Forward • Automatic device detection • Device and service heartbeats • Gnuradio = pure SDR: • GR-GSM • ADS-B • FPV drone • Dedicated radios: • Ubertooth One • YARD Stick One

  53. Prior Art • DIY Cellular IDS (Davidoff, Fretheim, Harrison, & Price, Defcon 21) • Traffic Interception and Remote Mobile Phone Cloning with a Compromised Femtocell (DePerry, Ritter, & Rahimi, Defcon 21) • Introduction to SDR and the Wireless Village (DaKahuna & Satanklawz, Defcon 23) • http://fakebts.com - Fake BTS Project (Cabrera, 2014) • How to Build Your Own Rogue GSM BTS for Fun and Profit (Simone Margaritelli) • Gnuradio (many) • Gr-gsm (Krysik, et al.) • Kalibrate (thre.at)

  54. THANKS! • John Menerick • Gillis Jones • Christian Wright • Dave Doolin • Silent Contributors…

  55. Q&A

  56. #OMW2 Scan Your GSM

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

40 & 100Gb/s Submarine Systems Gaudette, J., Sitch, J., Hinds, M., Rivera Hartling, E.,

40 & 100Gb/s Submarine Systems Gaudette, J., Sitch, J., Hinds, M., Rivera Hartling, E.,

conference & convention enabling the next generation of networks & services 40 & 100Gb/s Submarine Systems Gaudette, J., Sitch, J., Hinds, M., Rivera Hartling, E., Rolle, P., Hadaway, R., Roberts, K., (Ciena), Smith, B., Veverka, D.

331 views • 13 slides
CalSERVES & COOL School Napa County Office of Education Sara Sitch Melissa Moore CalSERVES

CalSERVES & COOL School Napa County Office of Education Sara Sitch Melissa Moore CalSERVES

CalSERVES & COOL School Napa County Office of Education Sara Sitch Melissa Moore CalSERVES AmeriCorps Mentors: AmeriCorps Members, serve a year of national service for a modest monthly stipend and an education award. Serving at sites

583 views • 9 slides
H a C keR S Notes by Michael Madden & Kevin Madden, CoderDojo Athenry, 2019 A HackerSpace in

H a C keR S Notes by Michael Madden & Kevin Madden, CoderDojo Athenry, 2019 A HackerSpace in

H a C keR S Notes by Michael Madden & Kevin Madden, CoderDojo Athenry, 2019 A HackerSpace in CoderDojo! What the Hackers Do Not About Law-Breaking! Hack things together Take apart to understand & improve Work on Projects

199 views • 19 slides
A Telegram bot for Amartyo Banerjee and SK Venkatesan printing LaTeX files TNQ Books and

A Telegram bot for Amartyo Banerjee and SK Venkatesan printing LaTeX files TNQ Books and

TUG 2016. A Telegram bot for Amartyo Banerjee and SK Venkatesan printing LaTeX files TNQ Books and Journals, India July 25. Toronto. Introduction I present a proof of concept of a Telegram bot, meant to run on the Raspberry Pi.

516 views • 17 slides
End to End Optimization Stack for Deep Learning Presenter: Tianqi Chen Paul G. Allen School of

End to End Optimization Stack for Deep Learning Presenter: Tianqi Chen Paul G. Allen School of

End to End Optimization Stack for Deep Learning Presenter: Tianqi Chen Paul G. Allen School of Computer Science & Engineering University of Washington Collaborators University of Washington AWS AI Team Ziheng Jiang Tianqi Chen Thierry

822 views • 46 slides
Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen

Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd Mathy Vanhoef and Eyal Ronen ANRW. Montreal, Canada, 22 July 2019. Background: Dragonfly in WPA3 = Password Authenticated Key Exchange (PAKE) Negotiate Provide mutual session

1.04k views • 45 slides
Raspberry and Pharo Pharo run on RaspberryPI ArmVM: http://files.pharo.org/vm/pharo-spur32/

Raspberry and Pharo Pharo run on RaspberryPI ArmVM: http://files.pharo.org/vm/pharo-spur32/

Raspberry and Pharo Pharo run on RaspberryPI ArmVM: http://files.pharo.org/vm/pharo-spur32/ linux/armv6/latest.zip JIT FFI OSProcess/OSSubprocess https://github.com/marianopeck/ OSSubprocess Low level GPIO libraries

718 views • 18 slides
Raspberry Pi HW/SW Application Development Make your own shield and control peripheral using RPi

Raspberry Pi HW/SW Application Development Make your own shield and control peripheral using RPi

Raspberry Pi HW/SW Application Development Make your own shield and control peripheral using RPi Walter Dal Mut & Francesco Ficili Intro to RPi Basically a Microcomputer on a Credit Card sized board Based on a Broadcom SoC

934 views • 37 slides
THE ACTOR MODEL APPLIED TO THE RASPBERRY PI AND THE EMBEDDED DOMAIN Omer Kilic || @OmerK

THE ACTOR MODEL APPLIED TO THE RASPBERRY PI AND THE EMBEDDED DOMAIN Omer Kilic || @OmerK

THE ACTOR MODEL APPLIED TO THE RASPBERRY PI AND THE EMBEDDED DOMAIN Omer Kilic || @OmerK Erlang Solutions Ltd. 1 Agenda Current state of Embedded Systems Overview of the Actor Model Erlang Embedded Project Modelling and

1.01k views • 61 slides
Tuning L Linux f for M MongoDB Tim V Vaillancourt Sr. T . Technical O Operations A

Tuning L Linux f for M MongoDB Tim V Vaillancourt Sr. T . Technical O Operations A

Tuning L Linux f for M MongoDB Tim V Vaillancourt Sr. T . Technical O Operations A Architect About M Me Joined Percona in January 2016 Sr Technical Operations Architect for MongoDB Previous: EA DICE (MySQL DBA) EA

681 views • 26 slides
DINOLIGHT Will Gowell, Zack Teasdale, Spencer Dennis 2 CUSTOMER NEEDS The System Must:

DINOLIGHT Will Gowell, Zack Teasdale, Spencer Dennis 2 CUSTOMER NEEDS The System Must:

1 DINOLIGHT Will Gowell, Zack Teasdale, Spencer Dennis 2 CUSTOMER NEEDS The System Must: mirror colors on screen using rear LEDs in real time accept and output HD digital video signal have a plug and play setup be controllable

757 views • 38 slides
AWE Aldermaston UK Scope: 2D and 3D numerical simulation (DNS or LES) of the non-linear growth

AWE Aldermaston UK Scope: 2D and 3D numerical simulation (DNS or LES) of the non-linear growth

REVIEW OF NUMERICAL SIMULATION OF MIXING DUE TO RAYLEIGH-TAYLOR AND RICHTMYER-MESHKOV INSTABILITIES David Youngs AWE Aldermaston UK Scope: 2D and 3D numerical simulation (DNS or LES) of the non-linear growth of Rayleigh-Taylor and

740 views • 61 slides
CS5625 Interactive Computer Graphics Steve Marschner Spring 2020 01 Introduction CD Projekt

CS5625 Interactive Computer Graphics Steve Marschner Spring 2020 01 Introduction CD Projekt

CS5625 Interactive Computer Graphics Steve Marschner Spring 2020 01 Introduction CD Projekt RED The Witcher 3 (2015) Naughty Dog The Last of Us (Remastered, 2014) Rockstar Games Red Dead Redemption 2 (2018) Valve Portal (2007)

854 views • 64 slides
INFORMATION ORGANIZATION LAB INFORMATION ORGANIZATION LAB NOVEMBER 17, 2009 PROGRAMMING

INFORMATION ORGANIZATION LAB INFORMATION ORGANIZATION LAB NOVEMBER 17, 2009 PROGRAMMING

INFORMATION ORGANIZATION LAB NOVEMBER 17, 2009 INFORMATION ORGANIZATION LAB INFORMATION ORGANIZATION LAB NOVEMBER 17, 2009 PROGRAMMING PARADIGMS Imperative Declarative Functional Procedural Object-Oriented This is a breakdown given by

194 views • 17 slides
Animation & Cross-Media Drew Davidson Director Entertainment Technology Center

Animation & Cross-Media Drew Davidson Director Entertainment Technology Center

Animation & Cross-Media Drew Davidson Director Entertainment Technology Center Carnegie Mellon University Animation Across Media Trends Animation Across Across Media Media Trends Animation Across

904 views • 64 slides
A system for interactive display and rendering of BRDF models Adri Fors Herranz Advisors:

A system for interactive display and rendering of BRDF models Adri Fors Herranz Advisors:

A system for interactive display and rendering of BRDF models Adri Fors Herranz Advisors: Sumanta N. Pattanaik Carles Bosch Importance of materials Overview Analytic models General Measured Display representation data Simulated

973 views • 59 slides
IRONY: a contrast/difference of what happens and what is expected - typically for humor

IRONY: a contrast/difference of what happens and what is expected - typically for humor

(reading notes) IRONY: a contrast/difference of what happens and what is expected - typically for humor Examples: A dentist with crooked teeth and cavities. A fireman afraid of fire. Explain the irony..... Explain the irony..... Explain

736 views • 21 slides
Accessibility Designing for the full range of human capabilities. 1 CS349 -- Accessibility 3

Accessibility Designing for the full range of human capabilities. 1 CS349 -- Accessibility 3

Accessibility Designing for the full range of human capabilities. 1 CS349 -- Accessibility 3 CS349 -- Accessibility 4 CS349 -- Accessibility 5 CS349 -- Accessibility 6 CS349 -- Accessibility Abilities People vary in their physical and

571 views • 42 slides
Streaming Why should I care? Christian Trebing Blue Yonder GmbH @ctrebing 1 Agenda

Streaming Why should I care? Christian Trebing Blue Yonder GmbH @ctrebing 1 Agenda

Streaming Why should I care? Christian Trebing Blue Yonder GmbH @ctrebing 1 Agenda Motivation Streaming Intro Implementation Challenges 2 Data Processing - The Monolith Data Input Data Validation THE Database Machine Learning Data

1.16k views • 36 slides
Chapter 5, Object Modeling From use cases to class diagrams Model and reality

Chapter 5, Object Modeling From use cases to class diagrams Model and reality

Object-Oriented Software Engineering Outline Chapter 5, Object Modeling From use cases to class diagrams Model and reality Activities during object modeling Using UML, Patterns, and Java Object identification Object types !

365 views • 7 slides
Podcast: Ch05-04 Title : Some General Advice Description : general advice; who uses class

Podcast: Ch05-04 Title : Some General Advice Description : general advice; who uses class

Podcast: Ch05-04 Title : Some General Advice Description : general advice; who uses class diagrams; users & implementors Participants : Barry Kurtz (instructor) and Cheng Vue, Sara Hyde, Brandon Winters (students) Textbook :

368 views • 6 slides
1 What is a good model? Models of models of models Intuitively: A model is good if

1 What is a good model? Models of models of models Intuitively: A model is good if

What is modeling? Chair of Softw are Engineering Building an abstraction of reality Software Engineering Abstractions from things, people, and processes Spring Semester 2008 Relationships between these abstractions Abstractions are

389 views • 16 slides
Nonparametric Methods Marc H. Mehlman marcmehlman@yahoo.com University of New Haven

Nonparametric Methods Marc H. Mehlman marcmehlman@yahoo.com University of New Haven

Nonparametric Methods Marc H. Mehlman marcmehlman@yahoo.com University of New Haven Nonparametric Methods , or DistributionFree Methods is for testing from a population without knowing anything about the populations distribution. Marc

865 views • 44 slides
Decomposing the System System Design: Chapter 6 Design There are two ways of constructing a

Decomposing the System System Design: Chapter 6 Design There are two ways of constructing a

Object-Oriented Software Engineering Using UML, Patterns, and Java Decomposing the System System Design: Chapter 6 Design There are two ways of constructing a software design: One way is to make it so simple that there are obviously no

779 views • 56 slides

More recommend