Thursday, April 6, 2017

Catching IMSI Catchers

YouTube Transcript
0:05
This is my third talk today. Has anyone made all three? Yeah, it's not just two, this is the third? You made all three? This is just like, all right, we'll see, maybe that... I've got some after-party tickets to give away, so maybe by the end I'll have a worthy challenge for someone. Okay.

0:29
What's on deck today? Hi, I'm Jeff. Hi, nice. It's my third talk today and a pleasure to be here with all of you, and if somebody could get a picture and tweet me with me up here with this backdrop, that'd be pretty amazing. So what we're going to talk about today is IMSI catchers, and if you're not familiar with those I'll go through it, and how you might go about detecting them. You're going to hear an exciting tale of my adventures in Vegas looking for them, and you're going to learn how to avoid being caught up in an IMSI catcher. So hopefully you're in the right talk and that's where you want to be.

1:10
So I'm Jeff. I'm a security engineer with Security Innovation. We do AppSec pen testing and advisory to pretty much any area of the SDLC. We help people build secure software; that's really my goal. I used to be a high school prison teacher, or high school and/or prison teacher, and university teacher, and I work a hundred percent from home, so it was a big stretch to come all the way from Toronto to here to be with you today. So thank you for joining me as well.

1:42
So I'm going to go through some definitions and just sort of explain the technologies a bit. I'm not going super deep on the technical level, but I'll just give you an overview so you can understand what's going on, and then we'll get into some of the work I've done.

1:58
So an IMSI catcher: when you hear IMSI catcher, think any rogue cellular device designed to capture phone traffic, often used by police or government, and the most popular brand is StingRay, which is sold to police and governments by the Harris Corporation. And the IMSI is your International Mobile Subscriber Identity. It's unique to your cell phone. You actually have one for your cell phone and one for your SIM card; they can rotate, but it's what defines you on the cellular network. Then the carriers will look that up against your subscriber information to get your cell phone number, your address, stuff like that.

2:44
And one thing that's really interesting around these is the vendors impose very strict NDAs around disclosure of how they're used or what their capabilities are, so even the police and government, in warrant cases where they're submitting warrants to the courts, can't describe in too much detail what these technologies do as part of the order, or they'll be in breach of the NDA. So they keep them pretty tight-lipped in terms of their capabilities. Plenty of room down front.

3:19
So this is what they look like. The one on the top left there is the Harris StingRay, and they can come in different forms. You can see them in big police vehicles with antennas coming up, or, I'm convinced, you could probably get them down to the size of a cell phone with a little bit of work, or just a little work with your antenna drivers and maybe a secondary antenna with your cell phone, and you might be able to just build it into the cell phone in the future. The one in the top right I'll talk about a little bit later, but it's basically a DIY kit that you can make your own, reasonably inexpensively.

4:04
These are the specifications of them. If you see in the last image in the top left there, there's the four antenna jacks. That's for four different antennas that you can hook up, so they are capable of intercepting and monitoring 2G, 3G, 4G or LTE communication simultaneously in both CDMA and GSM. Those are the different types of networks that your cell phone might be on depending on your carrier, and that's the antennas in it.

4:30
The devices can launch attacks requesting devices to connect over weaker channels, so they can jam the 4G or 3G networks, forcing you to go onto the 2G network, which is of lower security and no encryption, which would then mean they could intercept all of your traffic and read your text messages and stuff like that. Even with 3G it's reasonable to assume that they are capable of doing that as well.

5:01
There's two modes for an IMSI catcher: active and passive. In passive mode it's simply just grabbing information out of the air, whatever it sees. In active mode it's actively proxying your traffic, and it's doing its best to convince cellular devices to connect to that rogue device and then proxy it on to a legitimate device, but in the middle it basically does a man-in-the-middle attack and intercepts all of the traffic.

5:28
These are some proven stories of how they've been used. Some of these range from mundane to quite scary. This is all sourced, and there's additional information on all of the sources, by a report written by Citizen Lab at the University of Toronto. When we think about cyber warfare and nation-state actors and human rights, the Citizen Lab is a research center focused on protecting civil liberties.

5:57
So: confirming the presence of a device in a target's home prior to the search thereof. So let's say you had a search warrant for a house, and you knew that an assailant or drug dealer or whatever was using the cell phone for their business, and you want to make sure the cell phone was in the house before you search the house. They have confirmed cases of that. Identifying an individual responsible for sending or accessing text messages: it's been used and documented in that case as well. So for all of these there are court documents that support these in the report. Locating a stolen mobile device as a precursor to searching a home in the vicinity: I don't know the whole backstory on that, but basically saying, hey, there's a stolen device in that house, we're going to go search the house now.

6:48
Now, locating specific individuals by driving around a city until that known IMSI number is found. So you could pretty much just dragnet and pick up every IMSI number until you see the one needle in the haystack you're looking for, and there are cases of them doing that. They are mounted on airplanes by the United States Marshals Service to sweep entire cities for specific mobile devices, so now you can see where everyone is all at once if you don't already have access to the cellular providers. To monitor all devices within range of a prison to determine whether or not prisoners are using cell phones that have been smuggled in. Some of these, you know, get very interesting at least; there's some I would say are scary. Reportedly they've been used at political protests to identify everyone participating in a protest. So you bring yourself onto a protest, they're going to know, and they're going to follow up with you later. To monitor activity in offices of an independent Irish police oversight body: I don't know the full backstory on that, but when you're using it against other governing bodies, that's pretty interesting as well. So again, all the sources: you're very welcome to look it up.

8:00
These are two other cases. So we're talking about how much are they used: there were fourteen hundred confirmed cases in Baltimore alone. This came out in the last year, and actually just last month, and they were predominantly used in black neighborhoods. So they took those 1,400 cases and heat-mapped them around areas, and then geographically around demographics, and were able to find that those were in predominantly black neighborhoods, suggesting they were overused against various races. And then thousands of times in Florida since 2007 for crimes as small as someone hanging up on a 911 operator after dialing 911, and they would go around with the IMSI catcher. So they are widely in use there. It's hard to find documentation about it because they come out years later in court documents and through Freedom of Information requests.
9:00
So you don't always know a lot. I know that the RCMP in Canada are using them, as well as other European nations, but I haven't seen any; you've probably heard more of specific cases than I have in the EU. The manual for how to use one of these things was leaked this summer, so that's an interesting read if you want to have a look at that. It goes into depth about the capabilities, how they're used, what features and options are available in different models, and this is a relatively old document but it only finally came out now.

9:37
Where to buy one: unfortunately they're only sold to government, police, military, with those strict NDAs and high-level service contracts. I can only imagine how much they're paying for them, but for fourteen hundred dollars you can build your own. There's the link. I'm not telling you to go build your own; it's probably illegal in most areas because you don't have the rights to broadcast at that frequency. I don't know where the gray areas are around just observing a frequency; that might be a different case.

10:09
So in terms of strategies to find one of these devices, there aren't really any good detection methods. They're entirely anomaly based, and what that means is you have to basically walk your entire neighborhood and make note of all the cell phone towers and IDs you find and their location. So you walk around and you identify every one you can, and you continue to do this for a while until you're sure you've found all of them, and then you have to continuously monitor your area to see if any new ones pop up. And when a new one pops up, you suspect it's an IMSI device, so you go and find it. Then you can go and tell them you found it. What do you win? I don't know.

10:52
So there's some tools to help you out. There's OpenCellID, which is interesting as a database of mostly user-reported cellular data: the devices and the location identifiers. The problem with this is, if I was a large government and wanted to place an IMSI catcher in a particular location permanently, I would just send that data to OpenCellID as well, and then it becomes part of the set. So there's no real verification on this.

11:25
The Android IMSI Catcher Detector app is the tool that I used in this work, and it's basically: every tower device you connect to, it logs it, and then you can map it and analyze it, and you can compare it against the OpenCellID data, which is what I did. It does require a rooted device, so you probably wouldn't use it on your regular everyday device, which makes it harder for you to detect them, because you'd always have to carry two phones with you.

11:55
And then at the same time, when I was in Vegas this summer at DEF CON, I was walking around looking for IMSI catchers, Eric Escobar was presenting on a device he built for fifty dollars where you can better triangulate devices, and he presented this year. The white paper's there, and I haven't seen the video yet, but it's available to you as well. Sorry, yes, so that's for fifty dollars. My guess is his is probably much better at finding the exact location than a mobile device, so I'm still to build a couple of those.

12:30
All right, so it's story time. Just by show of hands, anybody not familiar with Black Hat or DEF CON Vegas? It's okay if you want to admit it. Was anybody there this year? Okay, so I'm going to go on assuming that you don't have first-hand experience of the conference or anything like that. So the first thing you need to know is that before you go to DEF CON or Black Hat, everyone warns you about how dangerous the networks are in Las Vegas during Black Hat or DEF CON. Now accounts range, depending on who you talk to, from a hostile network to the most hostile network on earth.
13:14
Now, I'm a hacker, and when I hear "the most hostile network on earth" I think, hmm, can I think of any more hostile networks? So I tried to think about some, and I thought, well, I'm sure there's some countries where tweeting views in opposition to the ruling regime is probably pretty dangerous. It might get you a visit, or interrogation, or any sort of prison or anything like that, so that seems like it would be a pretty hostile environment to tweet in or anything like that. And then I remembered the Arab Spring, where people were holding up their phones and getting shot at by snipers while trying to take pictures of police brutality. So those seem like pretty hostile networks to me. How does DEF CON compare to those during the week in Vegas? That's what I wanted to find out.

14:05
So instead of taking a broad approach, I decided to narrow solely on wireless. I didn't want to focus on... everybody knows, yeah, you don't use the hotel wireless, but what about cellular networks, or what about other networks? So I decided to focus on the GSM cellular network, because the type of phone I had was a GSM cell phone.

14:29
So before I get too deep into the work I did, I need to go on a bit of a rant; bear with me, please. Personally, I pride myself on being someone who cares deeply about the security and privacy of regular people. One of my core values is to help people be safe online and in their daily activities, and one of my talks earlier today was actually on the same subject. So I feel that as a hacker or security professional it is my job, or duty, to educate and share our knowledge with the broader public. All that said, what are we doing to help the people who just happen to come to Vegas during Black Hat or DEF CON? Are they to be unknowingly swept up in the mass dragnet of surveillance and exploitation that occurs at this conference? Many of us, like personally, I took measures to protect myself, but people who are just on their vacation probably didn't take those same measures, and I just think of the couple who goes on vacation to get away from their kids for a week, and they do things like use the ATM or connect to the hotel wireless to book a show ticket or something like that. Should their entire bank account be compromised because of that? I feel pretty bad about that, and whether or not that is the case is debatable.

15:59
But I often found myself striking up conversations with people around the casino and bars or elevators who were in town but not for the conference. You know, we talked, and I'm a pretty friendly guy who talks to most people, so the conversation would lead to things like why they were in Vegas and why I was in Vegas, and I'd have to tell them why I was in Vegas and that I was a hacker, and that would usually elicit some sort of response around fear and "oh my god, am I safe?" I would probably say something to the extent of, I maybe wouldn't recommend using the hotel wireless this week, because there's 40,000 of us in town and it's probably not the safest thing, just because people like to hack stuff. And then I'd maybe give them advice on how to better secure their devices, things like two-factor authentication, and maybe use the cellular networks or LTE while they're here. But it still made me feel pretty crappy; like, I didn't feel good about it.
16:56
I witnessed other people do the same thing, maybe with a little less finesse than me; it was more of a fear-mongering. I don't really like that, so I think as an industry we need to think about the rhetoric or message we're sending. I would much rather go to a conference and be able to tell people, yeah, it's great, while you're in Vegas use the hacker net, because it's the safest one in the world and your data will be safe. I realize I might not get to that point, but I wish that would be the case. Or we could aspire to less than "most hostile network on earth"; that would be a good first step, I think. Okay, so end of rant, and let's move on with the show.

17:41
So before DEF CON I had this vision in my mind of how this work would go. I had this idea that I would take my cell phone, I'd walk around Las Vegas until I identified this rogue cellular device, this IMSI catcher. I was like, haha, I'm going to find you, and then, in my mind, the conversation would go: I'd approach the person or individual, I'd say, hey, can I see what's in that backpack? I'm kind of curious. Or I'd walk up to a hotel room; I'd figure it out, I'd narrow it down, I'd knock on the door, and what would happen next would either be, hey, that's really cool, let's see this here, yeah, I'm happy to show you all what I'm doing, or it could go completely the other way.

18:30
It might be the best version of a game called Spot the Fed at DEF CON. If you're not familiar with it, you have to consider that with that many hackers in the area at one time, it creates a target-rich environment for federal authorities to buy people drinks to get them to slip and talk about all the illegal activity they're doing. So a lot of federal authorities do attend, in plain clothes, and, you know, some of them just come because they think it's cool to, and that's all right. So DEF CON has a game that if you can spot the Fed, and you can prove that they're working or trying to get information out of you, you win a t-shirt, maybe a picture, and their reward is they get to go sweep the parking lot. So in my mind, that's what I was trying to accomplish: just to identify and tangibly say, this is an IMSI catcher, I wish they weren't using it, tell me about it.

19:26
So that's the "most hostile" stuff I was talking about. This is my setup. I have the Android IMSI Catcher Detector app with my burner phone. Next, it syncs with OpenCellID, but before I left it wasn't quite working properly for me, so I just analyzed the data afterwards. In future I would have synced it better in advance. My company, for us at DEF CON, that's our big everybody-gets-together; we work all across North America, so it's our one chance to get together as a team, so we'd go out in the limo and go to dinner and everything like that. While doing that I was collecting data on all the towers I was driving by, so that's me war driving the strip, in style. Well, that's, spoiler alert.

20:18
So some of the things I found: real-time analysis and exact location was pretty tough, so I decided to just collect the data and analyze it after. As I was walking around I was like, this isn't making sense, it's not quite working, it's not getting the right data, so I'm just going to collect and analyze after.
20:43
So here's what I found. So what I did is I walked Vegas beforehand, all the areas of the conference, collected all the tower data, and then after the conference I looked at my data again from having gone around. So here's what I found; please don't freak out. So before the conference, and after the conference, there's a few more dots there. Don't freak out yet. So to the casual observer this looks really bad, and at first glance I would agree. I was concerned; I was like, what the heck, was there that many IMSI catchers in Vegas while I was there? Like, this would confirm all of my thoughts. I knew that, you know, this isn't my main area of expertise. I do a lot of mobile app assessments and mobile reverse engineering, but not as much in the cellular network areas, so I knew that I needed to do a little more research.

21:36
And as I analyzed the data I started comparing the results to OpenCellID, which is, again, the user database of discovered cellular devices. When I researched the Bally's area of Las Vegas, I found that in many cases there were multiple redundant devices, and this is to handle the load of a lot of people in a very small area. So what you would see is that you could have multiple devices; you might have three antennas with three unique IDs, and you would have caught all of them just depending on what time you walked through. So you'd really have to walk through this dozens of times before you'd be sure you caught every device, and even still there could have been some on multiple floors, so unless you're walking every floor there's potential of you missing a lot.

22:21
All right, so what's the next one? So I acknowledge that there's probably lots of false positives in that data. There could be multiple redundancy devices, and there could have been some GPS issues as well. The GPS accuracy on mobile devices leaves something to be desired. If I had identified a rogue one, I probably could have got within 20 to 40 feet of it, but any closer I think would have been a challenge for sure. I would have been just relying on if I could see any suspicious characters, which at DEF CON is everyone.

22:54
So I then excluded all devices that were reported to OpenCellID, and this is what's left. Sorry, the red dots on there are a little small; I didn't realize the TV was so small. But those red dots represent the devices that I did not see in my preliminary walk and were not already known to OpenCellID. There's about 12 of them. So those are 12 devices. Are they all IMSI catchers? I don't know, still. So it's possible that one of these is an IMSI catcher, but I'm not sure. There were reports that someone was arrested for using an IMSI catcher while at DEF CON; that did circle around. Whether it was rumor... I believe it to be true, but I haven't seen a confirmed police report or anything, so I don't know. It's possible.

23:53
So, but the next one is a little peculiar. So before I was at Paris, where we were staying for DEF CON, the few days before, I had a nice vacation at Caesars and attended Black Hat a little bit. So I spent three nights in Caesars before DEF CON, and what was weird was lots of towers were picked up while I was sleeping, and it suggests a bit of a drive-by attack or a flyover, but I wasn't sure. So I was also seeing a lot of things; my phone was jumping. It would alert me every time it changed networks, and it was alerting me all night that it was changing networks between LTE and GSM or 3G or 2G, and it was picking up all these towers. So that looked pretty peculiar, and when I removed the OpenCellID ones it left me with four. So at least four of these devices were not previously known to OpenCellID, and I did exclude a couple of others, but they had only been seen once or twice before. So there were four that had definitely never been seen before, and this is where, with other devices, there might be 30 or 40 reported sightings of a cellular device, so to not have seen one is... it could be new, there could be other explanations.

25:22
So that's awesome. It's possible; it suggests, given the concentration, that there was either somebody driving down the road or flying over the area while I was sleeping doing that. I can't confirm it, which sucks. So part of my research is, hey, I was actively looking for these devices and I couldn't easily find one. If you looked at your device right now, you wouldn't know if you were connected to one. Like, if I have one in my bag or anything (I don't), you wouldn't know, and that sucks.

25:56
So, well, do you care? And that really depends on your personal threat model: if you care about a government knowing where you are, and we saw the reasons and how they're used, if they check to know if you're home, if they check to know where you've been, if you were in the neighborhood of a protest while it was going on, right.

26:18
So, solutions: don't use your device. Sorry, if you don't want to be caught up in this, don't use a device. And interestingly, I was talking to a reporter about this issue and we were brainstorming some ideas for getting around it, but I'm convinced that if you did Wi-Fi calling over a VPN you wouldn't be caught in an IMSI catcher. And if you were in Vegas using DEF CON wireless, then, you know, you'd run the risk of being caught on the network, but if you're doing a VPN maybe you'd be a little bit better off. Or if you were just in a normal situation, not at DEF CON, you could use the VPN with Wi-Fi calling and be of a reasonable assurance that you wouldn't be caught by one. If you're concerned, SMS is completely plain-text messaging, so I would recommend Signal, which is made by Open Whisper. It's an app for end-to-end encryption between people, and they were recently sued by the government, and they said, sorry, we don't have anything to give you, we don't keep any data. So that's just pretty good evidence that they have your back.

27:26
I think that if a wireless carrier published the tower IDs, you could at least know if an ID matched or not. It takes some work on their part keeping that up to date, but then it would also lead to device spoofing, and you would increase... then you make all those StingRays obsolete, but then they'd have to go buy more, because they'd have to have a new feature with the ability to detect or just spoof devices. And then I would argue we should pressure wireless carriers to implement mutual authentication between devices. Currently the tower authenticates that the user is allowed to connect to the network, but the user is not authenticating that the tower is valid. So that would be a big step forward in the protocols.
28:17
So I had some conclusions. I would say that they're very hard to detect; this is what in part makes them so dangerous, and you don't really know when you're connected to these devices. I wish I could be more helpful to you. It's pretty... Thank you, it's been a wonderful visit, thank you for your audience.

28:33
Well, thank you, and I've got to say that this ranks as the creepiest presentation that I've heard here. Hey, you know, there may have been others. Are there any questions? Turn off all your devices and then ask. Did anybody... yeah, just a second, though; some more people came in. Has anybody been to all three of my talks today? No, the other two were pretty full. You've been to two? All right. All right, yes, I will give you the mic, because all of this is being streamed.
29:14
and can you make a stingray replica
29:21
device by having a full duplex
29:23
separation of us are p board and so uh
29:26
if you'll have a full duplex separation
29:29
of us are p board like I'm 600 which has
29:33
a full duplex can you make a stingray
29:35
replica yeah the demo I showed you uses
29:39
you can buy your own for 1400 I think
29:44
you can probably it that down to 500
29:45
with the is it the hack RF or the blade
29:48
RF one's full duplex ones half duplex
29:50
just us our be bored the hell yeah any
29:53
full duplex RF generator will do it so
29:59
this one uses I think either the blade
30:01
or the hack RF or maybe I think you can
30:03
probably get it down to about five
30:05
hundred dollars I'm convinced with may
30:07
be very specific antennas and very
30:10
specific devices you can probably a
30:12
little cheaper so yes as your answer
30:15
that's that's how they did it with this
30:16
demo thank you okay well that was
30:21
slightly creepy question person there
30:24
but field one let me see
30:27
okay any more questions from the
30:30
audience no nobody is scared of this
30:36
nobody else is a journalist who might be
30:40
being followed by three or four of our
30:42
country's many security agencies who are
30:45
basically spent most of the time chasing
30:48
each other's tails but so I don't know I
31:00
even don't have a question I'm just know
31:03
now when not to go to Vegas so method I
31:05
go there very often but and I hope get
31:09
your your presentation and look and some
31:13
of these these links but these MC
31:17
devices are used mainly by by by
31:21
security forces of police and
31:23
intelligence agencies yeah it's
31:25
predominantly a government agency or
31:28
entity that's use and the ones that the
31:33
ones that are possibly engineer friend
31:36
there may be building out her garage is
31:39
that being said there's known
31:42
documentation of for instance mexican
31:46
drug lords deploying their own cellular
31:47
networks or other areas of the world
31:49
that people will deploy their own
31:51
networks because it's it's better or
31:53
more efficient or more secure than then
31:57
they want this what about privatized
32:01
private detectives who you know get
32:03
hired to find out you know somebody's
32:05
partner or spouse or something is up to
32:07
so the FCC in the States is challenging
32:10
this, or, sorry, the EFF is challenging
32:14
this in the States with the FCC, saying
32:16
we can petition Congress to say you
32:20
can't use these devices because it's not
32:22
getting anywhere but let's go through
32:24
the FCC and say you don't have the legal
32:26
right to broadcast on that bandwidth and
32:28
you don't have the licensing to
32:31
broadcast so you're violating the law in
32:33
that regard and they're trying to tackle
32:35
it from a frequency use perspective
32:37
these devices have to broadcast.
32:40
That just passed, and you said there was
32:42
passive and active you know the active
32:45
ones are certainly more dangerous the
32:47
passive ones would pretty much just
32:48
collect your SMS over an insecure
32:51
channel or break the crypto, they can
32:54
look at you and they can locate you. Well,
32:57
I mean that's where, as a private
32:59
detective, they can catch your IMSI value
33:01
which would allow you to look at them,
33:02
or would allow them to look you up
33:04
in terms of your phone number your
33:06
address and billing information so what
33:09
are the possible I mean you know you can
33:12
even look at the legality of security
33:14
agencies intelligence agencies following
33:16
you around in different ways but what
33:20
are the possible private and
33:22
unsanctioned or illegal uses of these
33:24
gadgets? Take your pick. If you can
33:28
get in... so just last week there was a
33:30
report that came out that somebody was
33:31
deploying their own base stations over
33:34
the LTE network and then they were
33:35
launching attacks over LTE to people who
33:37
connected to it or to the devices are
33:39
connected to it so then you're thinking
33:41
about how does your device your device
33:44
was certainly designed to handle text
33:47
messages and other types of data but
33:49
what happens if you start sending
33:50
malformed packets you start fuzzing it
33:52
then you look at areas where you could
33:53
potentially remotely exploit the devices
33:55
or send fake text messages or anything
33:58
like that, send phishing links right to
34:00
anybody, and anybody who walks by in the
34:01
area connects to that network and you
34:03
send them phishing text messages, right,
34:06
get them to click and then further
34:07
exploit them from there okay um so you
34:11
can get your fourth bag here hey yeah it
34:15
gets me. Whenever there's a
34:16
question in the back I will bring you
34:18
the microphone so that you you will be
34:21
recorded. And may I say, I somehow
34:25
missed it: how can I detect by which
34:28
tower my phone is operated? Yep, how to
34:31
find... detecting IMSI catchers, like you
34:34
wouldn't know if your phone was
34:36
connected to it right now if you have an
34:38
app you could know what tower you were
34:39
connected so there's an app for that so
34:41
I can, like, know I've been operated
34:45
by here or there? Yeah, you would,
34:48
there's a couple other apps in
34:50
this space as well. The one I use I
34:52
mentioned
34:52
it you can download this app and it'll
34:56
tell you which device you're connected
34:57
to if you don't trust that particular
35:00
tower you can blacklist it and then
35:03
you're choosing to blacklist that tower
35:04
and you'll connect to another tower
35:05
instead. But I mean you can't see the
35:08
location of the tower? Well, you
35:11
have a general idea based on signal
35:12
strength and your GPS location yeah and
35:15
then if you wanted to walk around
35:16
further you could trilaterate it by
35:18
finding by going to different points
35:20
taking measurements and and that's
35:22
that's what you decided to do, if you
35:23
see there's no tower, so you can go
35:26
and explore and see if there... yeah, so
35:28
when I say towers in you know rural
35:31
areas they're definitely towers but in
35:33
areas like this they're no bigger than a
35:35
home router yeah right with additional
35:38
antennas on it so you might see I didn't
35:40
check, I could pull up my app, we can see
35:42
how many we find in the building, for
35:46
some reason I'm sure there's more than a
35:47
couple okay thank you just to clarify
35:52
would the app that allows you to detect
35:56
what tower you're on doesn't tell you
35:58
whether that's a good tower? No, it
36:01
doesn't. So is there an app
36:03
to find the dark towers? No, the only way
36:06
is to have some sort of anomaly based
36:08
detection where you know all the good
36:11
ones in your area and then when a new
36:13
one pops up you get suspicious it's the
36:15
only way right now if it's not announced
36:17
by one of the operators the operators
36:18
here used to often, you know, celebrate
36:20
every tower out in the
36:23
middle of Podunk nowhere, Latvia, you know,
36:25
with a press release so okay any more
36:29
questions this is interesting this
36:31
affects all of us who have phones in our
36:33
pockets that are being followed by evil
36:36
forces so oh ok well you are at the back
36:41
ah right ok I'll have to give you the
36:44
mic, and I have two guys grilling me
36:47
today
36:49
thanks for the presentation. Question about
36:54
locating those Stingrays or false
36:56
towers actually you can put those towers
37:01
on the map only based on signal strength
37:03
from one device and your own coordinates
37:07
great so seeing distributed dots on the
37:13
map means that there were there was a
37:15
kind of several signals with several
37:20
strengths? Yes, so that's the other thing
37:24
that was questionable around the Caesars
37:27
tower data I showed you is, at night
37:30
Vegas goes to sleep eventually maybe by
37:34
four or five in the morning and the
37:36
usage of cellular towers goes down and
37:39
potentially like the the noise in the
37:42
area goes down which means you might see
37:44
a tower from further away that you
37:45
wouldn't see during the day so actually
37:48
developers of the application could
37:51
improve that to triangulate? Yes, so you
37:55
could do it manually currently you could
37:58
improve on the app to better focus and
38:00
triangulate with it. Good, that's a feature
38:03
request, you're welcome to code it. We
38:05
check with
38:10
ok any anyone else with a question you
38:17
can earn yourself I think he's been
38:18
given a pile of these after-party things
38:21
so you can earn yourself an after party
38:23
invitation if you well okay I think then
38:31
we'll we'll move on I'm supposed to give
38:34
you this even having one brought up here
38:36
because there is one in there yes
