SITCH · About Me • 2000: Technology career started (I can get paid for this??) • 2003: Started...

Date post: 09-Oct-2020
SITCH Inexpensive, coordinated GSM anomaly detection
About Me

• 2000: Technology career started (I can get paid for this??)

• 2003: Started building with Linux

• Came to infosec through systems and network engineering, integration

• Security tools and integration (SIEM, HIDS, etc…)

• Current: R&D

About You

• Background in systems and network engineering

• Interested in GSM threat detection

• Tinfoil hat not required… but not unwelcome!

“Thoughts and opinions expressed are my own. If you take anything away from this talk and act on it, I’m not responsible if you go to jail, become a pariah, or your dog stops liking you. Know the laws you’re subject to and operate accordingly.”

–Ashmastaflash

What We’re Covering Today

• Why Care?

• Current Threat and Detection Landscape

• Project Goals

• SITCH: MkI

• SITCH: MkII

• Service Architecture

• Future Plans

• Prior Art

• Q&A

Why Care?

• Invasions of privacy are bad, even when they’re unnoticed.

• Industrial espionage costs money and jobs.

WTF Is Under All That??

Is Anybody Home?

Terminology

• Software Defined Radio (SDR): Using software to perform signal processing in concert with an adjustable-frequency RF receiver

• ARFCN: Absolute Radio Frequency Channel Number

• BTS: Base Transceiver Station

• CGI: Cell Global ID (MCC + MNC + LAC + CI)

• MCC: Mobile Country Code

• MNC: Mobile Network Code

• LAC: Location Area Code

• CI: Cell ID

• IMSI: International Mobile Subscriber Identity

GSM Addressing

Threat and Detection Landscape

• Malicious Devices

• Indicators of Attack

• Existing Detection Methods

Hacked Femtocell

Trusted part of provider’s network

Your phone doesn’t know it’s evil

Evil BTS

Handset will automatically associate, unable to assert trustworthiness

Indicators of Attack

• ARFCN over threshold

• ARFCN outside forecast

• Unrecognized CGI

• Gratuitous BTS re-association

• BTS detected outside of range

Detection Methods

• Commercial Options:
    • Pwnie Express
    • Bastille Networks

• Open Source:
    • Fake BTS
    • AIMSICD
    • Femto Catcher

Project Goals

• Inexpensive (what can I get for $100?)

• Small footprint, low power requirements preferred

• Functional Targets: Indicators of Attack (IOA) Coverage

• Centrally managed software and configuration

Raspberry Pi 2

logarithmic antenna

Odroids

C1+

XU4

galaxy of

RED

BLUE

GREEN

ORANGE

Intel NUC

Intel Edison

GSM Modem

RTL-SDR

I didn’t really *need* all of this…

SITCH

Situational Information from Telemetry and Correlated Heuristics

SITCH Sensor MkI

MkI Results

Targets | MkI Coverage
ARFCN over threshold | YES
ARFCN outside of forecast | YES
Unrecognized CGI | NO
Gratuitous BTS re-association | NO
BTS detected outside of range | NO
Price | ~$100

Releasing MkI?

No.

What’s wrong with MkI?

Start Demo Here!

• Confirm device registration

• Image download starts

Deployment Pipeline

Service-Side Software

Tool | Purpose
Logstash | Inbound information processing; alert delivery
Elasticsearch | Scan document retention
Carbon/Graphite | Time-series database; statistical analysis of time-series data
Kibana | Browse scans
Tessera | Dashboard for Graphite
Graphite Beacon | Alert generation
Vault | Secret management
Resin | Software deployment
Slack | Notifications

SITCH Service Architecture

SITCH Intelligence Feed

• OpenCellID Database:
    • MCC, MNC, Lat, Lon, Range

• Twilio:
    • MCC, MNC, CarrierName
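
An added example, not code from the talk or from the SITCH project: one way two of the listed indicators (unrecognized CGI, BTS detected outside of range) could be checked against a feed carrying the OpenCellID fields named on this slide. The feed rows, sensor position, the LAC/CI feed keys and every function name are constructed assumptions.

```python
import math

# Constructed feed rows, not real towers (MCC 001 / MNC 01 is the test network).
# The slide lists MCC, MNC, Lat, Lon and Range; keying the feed by LAC and CI as
# well is an assumption made here so that a full CGI can be matched.
FEED = {
    ("001", "01", 1001, 20001): (37.7749, -122.4194, 1500),  # lat, lon, range in m
    ("001", "01", 2002, 30002): (37.8044, -122.2712, 3000),
}

def cgi(mcc, mnc, lac, ci):
    """Cell Global ID as on the terminology slide: MCC + MNC + LAC + CI."""
    return f"{mcc}-{mnc}-{lac}-{ci}"

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def check_cell(cell, sensor_lat, sensor_lon, feed=FEED):
    """Return the indicators raised by one cell observed by a sensor."""
    key = (cell["mcc"], cell["mnc"], cell["lac"], cell["ci"])
    name = cgi(*key)
    if key not in feed:
        return [f"Unrecognized CGI: {name}"]
    lat, lon, range_m = feed[key]
    dist = haversine_m(sensor_lat, sensor_lon, lat, lon)
    if dist > range_m:
        return [f"BTS detected outside of range: {name} ({dist:.0f} m > {range_m} m)"]
    return []

# Constructed sensor position and scan results.
SENSOR = (37.7790, -122.4190)
SCAN = [
    {"mcc": "001", "mnc": "01", "lac": 1001, "ci": 20001},  # in feed, within range
    {"mcc": "001", "mnc": "01", "lac": 2002, "ci": 30002},  # in feed, too far away
    {"mcc": "001", "mnc": "01", "lac": 1001, "ci": 99999},  # not in feed
]

def scan_alerts(scan=SCAN, sensor=SENSOR):
    """Flatten the per-cell indicators for one scan into a list of alerts."""
    return [alert for cell in scan for alert in check_cell(cell, *sensor)]

if __name__ == "__main__":
    for alert in scan_alerts():
        print(alert)
```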

SITCH Sensor MkII

Return to Demo!

• Slack alerts

• Tessera graphs

• Kibana scan search

• Resin logs

MkI, MkII Summary

Targets | MkI Coverage | MkII Coverage
ARFCN over threshold | YES | YES
ARFCN outside of forecast | YES | YES
Unrecognized CGI | NO | YES
Gratuitous BTS re-association | NO | YES
BTS detected outside of range | NO | YES
Price | ~$100 | ~$150

Going Forward

• Automatic device detection

• Device and service heartbeats

• Gnuradio = pure SDR:
    • GR-GSM
    • ADS-B
    • FPV drone

• Dedicated radios:
    • Ubertooth One
    • YARD Stick One

Prior Art

• DIY Cellular IDS (Davidoff, Fretheim, Harrison, & Price, Defcon 21)

• Traffic Interception and Remote Mobile Phone Cloning with a Compromised Femtocell (DePerry, Ritter, & Rahimi, Defcon 21)

• Introduction to SDR and the Wireless Village (DaKahuna & Satanklawz, Defcon 23)

• http://fakebts.com - Fake BTS Project (Cabrera, 2014)

• How to Build Your Own Rogue GSM BTS for Fun and Profit (Simone Margaritelli)

• Gnuradio (many)

• Gr-gsm (Krysik, et al.)

• Kalibrate (thre.at)

THANKS!

• John Menerick

• Gillis Jones

• Christian Wright

• Dave Doolin

• Silent Contributors…

Q&A

#OMW2 Scan Your GSM

