
Emergency VPN: Analyzing Mobile Network Traffic To Detect Digital Threats

BSides Liverpool · 2019 · 38:43 · 112 views · Published 2019-07 · Watch on YouTube ↗
Speaker: Jan Fajfer
About this talk
Jan Fajfer presents the Emergency VPN project, a free security service that analyzes mobile network traffic to detect digital threats targeting at-risk populations such as journalists and NGOs. Through packet analysis and traffic inspection, the project identifies widespread vulnerabilities in mobile applications—including GPS location leaks, unencrypted credentials, and broken TLS implementations—and demonstrates real-world man-in-the-middle attacks to expose insecure app behavior.
Transcript [en]

What I want to talk about today is digital threats and our service, which is called the Emergency VPN. I'll start by telling you something about myself and our project. Right now I'm a full-time researcher at the Czech Technical University in Prague. I do anything infosec related, mostly network traffic analysis. I'll actually start my master's in October, in AI. So the stuff that I'll talk about is the effort of our team there, which is called the Civil Sphere project. It's led by Veronica Valeros, and our goal is to help civil society protect themselves from digital threats and attacks. So basically we try to provide tools and services for journalists, NGOs and such to help them detect and prevent digital threats.

So, simply, what is the Emergency VPN project? Let's say someone contacts us, someone who's not sure whether his phone has been compromised or whether everything is all right. We tell them to use our VPN for some amount of time, and based on the traffic that we see we can then say if something's wrong with the phone. So first of all I'll ask you a couple of questions, questions that are important when we're talking about digital threats, mainly network security related. Which one of you was ever the target of a digital attack? I'm sure everyone probably has, and that's really important to realize: anyone using a mobile device, anyone connecting and interacting, will eventually be a target of some attack.

Now another question, which is attached to this one, is who might attack us and why. For us, when we deal with civil society, usually the attacks would be targeted: once there is a person with valuable information, someone is trying to specifically attack them, compromise their device, get their location, anything really. But that's not always the case. Most of the attacks actually are not targeted at a person; it's just hackers trying to infect your device, getting access to your mobile banking application, or just spreading the malware. So the last question, the obvious one, is how do you defend yourself?

Well, you can't really ever be sure that you're 100% safe when you're interacting and connecting to other devices using the internet. You can never be sure. I mean, sure, you can set up a firewall, you might use an antivirus application, which might help you, but it might not. So one thing that is important to know when you're trying to defend yourself from these threats is to know where your network traffic flows. As you can see on the picture, when you connect to a Wi-Fi, or let's say to any server, to Facebook, how it starts: you're probably connected to the Wi-Fi, so anyone here

who's also connected to the Wi-Fi can look at your traffic, intercept it, modify it. Then the traffic goes through probably several routers to the ISP; everyone that has access to that traffic can intercept it, look at it, modify it. Now obviously the traffic goes through other routers, there's people who have access to those, until it reaches the server. Now a VPN might help. It creates an encrypted tunnel which makes sure that all of your traffic is encrypted, but only all the way up to the VPN provider. As you can see, the green line represents the encrypted tunnel, or the encryption, but after that there's still people that can access and look at the traffic, right.

So, Emergency VPN. It is a VPN; it is our free security service. The goal is to detect digital threats and attacks. We analyze the traffic manually. There's some tools that do some automatic analysis, but basically when we look at the traffic we should understand each packet that went through. Now, as I already told you, we focus on people at risk, which might be journalists, lawyers, anyone not from the business sector who doesn't have a dedicated security team, doesn't have the budget, but is still at great risk and deals with valuable information. So that's who we focus it on. And usually we provide the service for three days, so we capture traffic for three days; that's usually what we think is sufficient time to see all the traffic from the main applications. So basically how does it work? Someone contacts us, we tell them to connect to our VPN, we provide the necessary information, and when a person wants to connect to, say, BSides Liverpool, first we connect to our server at the Czech Technical University, we capture the traffic there, and then we make a copy of the traffic and we send it along.

So behind the scenes, how it works: it's basically a Python tool. We use the Twisted engine (that's the snake logo); we use that to handle the networking events. The EVPN manager interacts with an OpenVPN server and manages the profile creation, expiration and all the stuff that's necessary. It also interacts with a mail server, retrieves data from there and sends automated messages. So the timeline will look like this: a person asks us by email for an Emergency VPN profile; we retrieve the email; we use the DomainKeys Identified Mail method to authenticate the person; we create the OpenVPN profile and then we start the traffic capture. We automatically send the profile to the person, and this is where the three days start. We capture the traffic for three days; after that we revoke the profile and we let the user know. And here is where the analysis comes in. So we take the traffic, it's usually a pcap, and we use different tools for the analysis. You might recognize some of them. So the eye, that's the logo for Zeek, formerly known as Bro; it's a tool that helps with network analysis. There's also some of our own tools, tools that our friends at the Stratosphere project developed. The one in the middle, that's called the Stratosphere Linux Intrusion Prevention System; basically it uses machine learning techniques to find suspicious behavior and such. And then ManaTI, that's the second one, the sea cow logo, a web-based tool to help us analyze some of the traffic, make sense of, for example, the logs generated by Bro. And then Suricata, the intrusion prevention engine. And of course I'm sure a lot of you know Wireshark, for packet analysis, for those who want to go really deep and see the details.

So all of the traffic that we see is generated by applications, right? It's either native applications or ones installed externally. Now we usually see some vulnerabilities there, some issues, and when we see that in the traffic we try to go a step further and

basically see how secure the application is, not only looking at a profile or some cut-out of the traffic from a user. So the question always arises, with all of the applications that the person uses that are generating the traffic: how secure are they to use? Right now the main issue that we usually deal with is not an infected phone, right, someone that would have spyware or malware installed; we can clearly see it in the traffic, we tell the person what to do. It's usually data leaking, data literally all over the place, from applications that do not have a malicious intent. So it's usually due to the lack of encryption or bad TLS implementation, TLS handling, for example no certificate validation or such. So imagine a GPS location leaking in real time. If there's a person, let's say a journalist with important data, right, valuable data, and there's someone targeting the person, trying to find him, one packet with a GPS location might be the difference between life and death for the person. And that doesn't stop there. From the applications that we tested we found out that there were emails, passwords leaking, unique identifiers, and just from the applications that we tested we know that there are millions of users affected by these issues.

So the process: when we look at these applications we always want to see how secure the application is, and we do it by looking at the network traffic. It's obviously not an analysis of every security aspect of the application; we look mainly at the network traffic. So we look at the traffic, we see the vulnerabilities, and optionally we try to attack them as an attacker would in a real-world environment. The methodology: we route the traffic from a phone through our computer, usually we select the application and we use it as a normal user would, then we identify the issues and vulnerabilities, if there are some. There usually are, because we already kind of have a suspicion from our previous analysis. So when we see these issues we exploit them using man-in-the-middle attacks, injection techniques, different methods, and after that we always document all the findings and we communicate with the developers, try to make them aware of those issues, and hopefully sometimes we even collaborate in fixing those vulnerabilities.

Now I have a live demo for you. It's an example from an application; this is, I would say, the most popular transport application in the Czech Republic, so pretty much everyone knows about it. So what I have here: I'll have two phones here, one where I'll show you how it works normally, how the application should work, and another one, the victim's phone,

where I'll intercept the traffic and try to attack the user. So let me set it up.

So this is how the application looks. Now imagine Leonardo DiCaprio is coming to Prague. He's on his film tour trying to promote his film, and he continues to the next largest city in the Czech Republic, which is Brno, from Prague to Brno. So me, the attacker, I don't want Leonardo to go to Brno. I know that he's using this application and I'll try to get him to go to my hometown to promote his film there, so I can meet him there. So how it works: a person selects where he is, so just Prague, and the destination, which would be Brno. So the user searches for the best options. This is what it looks like: there's a train from Prague to Brno. You can click and see the details of the connection, so you can see the map too. So right here is Prague, here is Brno, and here is the city, my hometown, where I'm trying to get Leonardo. Right, so let's see the attack.

Okay, my other device is not working at exactly the right time, so let me try to attack this phone.

Okay. So let's see if it works, I don't know. So right now I'm Leonardo trying to get from Prague, okay, sorry for that, trying to get from Prague to Brno. Now I'll try to see the best options. Okay, that's the problem with live demos. Okay, so I actually will have to show you a video, because we work with the developers, and the application that I had here is actually the one that has not been fixed, and the other one is fixed, fortunately, but yeah.

So yeah, this is how it works. See, so here Leonardo chose from his location to Brno, right, and I as an attacker intercepted the traffic and changed the destination, so the person gets different results. So you can see here that the destination is my hometown, but I added that, you know, the user shouldn't worry, that it's a part of Brno. So now Leonardo might be suspicious, so he looks at the details of the connection or the map. So here as an attacker I intercepted the traffic again and I returned the original map, or the original route. So now when Leonardo looks where he's going from and where he's going to, it would be Prague and Brno again. So yeah, you can see that it goes from Prague to Brno. And if Leonardo wants to look at the best options, because the budget is running out and the best price is usually what he'll take, so here is where I intercepted the traffic again and I changed the price, so it says that it's for free. You know, Czech people are so nice. So yeah.

So how was I able to do that, what was the issue? There were two vulnerabilities I exploited. The first one: there was no certificate validation for an important host, which handled most of the important connections in the application, so I was able to perform the man-in-the-middle attack. I exchanged the certificates; the application didn't check if the certificate is actually coming from CRWS, and I eventually got the key, was able to decrypt the traffic and encrypt it, decrypt, modify and encrypt back again. A second vulnerability: there was a lack of encryption for some options in the application, which I'll show you later. This is how it looked in detail. You can see that the request is HTTPS, it's encrypted, but you could still see everything that's happening here. So this would be when a person logs into the application: there is an email and a password; the response to that would have a unique ID for the user and the name and the surname of the user. This is what the attacker was changing.

So here is the current location of the user, and I changed the destination so the server gives me a different result. The response was altered too; I changed the price there, but you can see the options that are displayed to the user. And this is the second vulnerability, that's the unencrypted, just HTTP connection, which reveals again the name and the email of the user. So that was the vulnerability in this one specific application, right. But as we tested more of them we realized that it's actually a widespread problem; it's not just one application. For example BA Cómo Llego, an Argentinian application developed by, yeah, developed by basically the government of Buenos Aires. It had similar issues: it's leaking the location of the user and a lot of other information, but they were not encrypting anything, actually. And the same goes for the Moovit application, which claims to have several hundred million users, with similar issues, a lack of encryption and others. For example weather applications, or a Romanian application for taxis, all of them leaking location and other important information about the user.

So the takeaways. The first, obviously: mobile applications are not as secure as you might think. You can't really see if the connections that are going out are encrypted or not, and it's not just one stream, it's different hosts, different ones for advertisement servers, different ones for the vendor servers. It is definitely not a good idea to underestimate these risks, especially for people dealing with valuable data. As I already told you, one packet with the GPS location might make a huge difference. So looking at network traffic can tell you a lot about the security of the application. So thank you for your time, and now is the time if you have any questions. [Applause] Yes?

[Audience question] So it's an ongoing project. We already analyzed, I'd say, close to probably 100 profiles, so 100 people approximately, yeah, around that number, contacted us, we analyzed the traffic and, yeah, we work with that. [Audience question] No, that's completely free. That's part of the project that we do; all of the services that we do are for free and focused on people at risk. You can actually find the source code on GitHub, so anyone can provide a similar service, no problem.

[Audience question] So the VPN works with the OpenVPN server. So how it's used is a person uses the OpenVPN app and we just send him the profile, so the user imports the profile into the application and just starts the VPN. So it works for three days and then the user receives an email that the profile is not going to work anymore and he stops using it, and after some time we send him the result. We expire the profile.

[Audience question] So on your phone you receive the profile that's valid for three days; after that you're not going to be able to connect to the VPN. So anyone can keep the profile, but it's not going to work. Does that answer your question? Okay.

[Audience question] Well, so how it works in the application: you can import several different profiles, right, and for that time, yeah, it is the default one, but we kind of give instructions for the people to know that it's imported there for three days, but after that it's no longer of any use.

[Audience question] A hacker, if the hacker had the profile of a different user, would probably be able to connect to the VPN, but he would not be able to decrypt the traffic. So yeah, right.

[Audience question] So it is the default one, but it's no longer working, so it's not really a vulnerability, because the hacker can use it, the user can use it, I mean, it's just there, but, yeah, no one can exploit it and no one can use it. So that's the idea. Okay, yeah. [Audience question] Yes, if someone lives somewhere where this is blocked: we haven't had that problem yet, so we would probably try to solve it at that time with, you know, a different proxy or something, but we haven't gotten into that problem, so I don't really know.

[Audience question] Right, so ideally, if you do a little bit of traffic analysis, if you can look at the traffic yourself, it might be fun to just, you know, create a hotspot from your computer, connect with your phone there, and then just start up Wireshark, and, I don't know, for starters you can just look at all the HTTP that's going through and just go through your applications, play with them, and you can get an idea. I mean, for example, the transport applications, you just turn them on and you see a lot of data coming out immediately. So that might be one thing. Second, I mean, a VPN might help, but it encrypts the traffic, so, like, you're safe on public Wi-Fi, you should be safe. So yeah, I would recommend looking at your traffic, probably.

[Audience question] Yeah, I mean, ideally... So the process for an application to get fixed really varies. It might be a couple of days, but for example for the App Store there's some kind of a process before a new version can be deployed, so that would take more time. So yeah, from my personal experience I just uninstalled the applications, and when we actually do a proper analysis and a report we try to fix them, but I don't use them. Yes?

[Audience question] Okay, yeah, so that really varies. It really depends on the individual company. I mean, I understand that if it's just a small team of developers they don't really have anyone or the budget to take care of the security, someone pen testing the application and such, so it might be, like, an added problem. And some face it with, like, someone basically saying thank you, can you help us fix it, give us all the issues, basically do a pen test and we can fix it together. Some would probably look more at the marketing side of it, so when we release our blogs or reports about these vulnerabilities they basically care just about their name, so they try to patch some of the vulnerabilities, but they usually don't do a good job. So it's really about how the developers, about their approach. If it's more marketing-wise, it's highly probable that they'll patch some of the issues, which will possibly come back again in another version, but there are generally some developers that really communicate with us and try to get a new version out as soon as possible.

Yeah, it's definitely about trust.

[Audience question] Yeah, I'm not sure if I understand completely, but definitely the relationship between the users of the VPN and us is about trust. With that, it helps the fact that we're working under the Czech Technical University, which has some name for itself, I would say; people can trust the institution, maybe. And also the fact that we don't do it for money; we do it as a part of our research, so when it's not a business it's not in our interest to sell the vulnerabilities to anyone. Our goal is mainly to protect the people we work with, so that's the idea, and of course it's about trust, and people having to trust us that we're going to deal with the data appropriately. Yeah.

[Audience question] I'm sorry, say that again, please.

Okay, so the question was, with the users that we deal with, what were the vulnerabilities and the issues there mostly. So I can say mostly from my own experience; I don't really look at other analyses. So from what I've experienced, there's always data leakage. I haven't really come across a user that would have a device that's completely safe, where there's no data leaking; that's the number one issue that I come across. Second, there was some adware that I came across. I never really experienced a user with headphones or, like, malware or stalkerware or something like that. So that's from my experience, yeah.

Okay, so thank you all very much.
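The leak hunting the talk describes (a login sent in the clear, a GPS fix in a query string, a device identifier in a header, triage per destination host) can be automated once the HTTP requests have been reassembled from the capture. The scanner below is an added example written for this page; it is not code from the talk or from the Emergency VPN project. It runs over constructed sample requests (the host names, paths, field names and values are invented), and the same detectors apply to HTTPS streams after they have been decrypted in a man-in-the-middle setup like the one demonstrated.

```python
"""Flag personal data leaking in captured plaintext HTTP requests.
Added example, not code from the talk or the Emergency VPN project; hosts,
paths and field names are invented to imitate the leak types it describes."""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: HTTP/1.1 requests as reassembled from a capture
# (Wireshark "Follow TCP Stream", Zeek http.log, or a decrypted MITM stream).
SAMPLE_REQUESTS = [
    # Login over HTTP: e-mail and password in a form body.
    b"POST /api/login HTTP/1.1\r\nHost: transport.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 41\r\n\r\n"
    b"email=leo%40example.test&password=hunter2",
    # Route search: current GPS fix in the query string, device ID in a header.
    b"GET /api/search?from=50.0755,14.4378&to=Brno HTTP/1.1\r\n"
    b"Host: transport.example.test\r\n"
    b"X-Device-Id: 3f2a9c1e-7b44-4d1f-9a0e-1c2d3e4f5a6b\r\n\r\n",
    # Ad request to a different host carrying a user identifier.
    b"GET /ads?app=weather&uid=a1b2c3d4e5f6 HTTP/1.1\r\nHost: ads.example.test\r\n\r\n",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# "lat,lon" with three or more decimals: the shape of a raw GPS fix.
COORD_RE = re.compile(r"(?<![\d.])(-?\d{1,2}\.\d{3,})\s*,\s*(-?\d{1,3}\.\d{3,})")
SECRET_KEYS = {"password", "passwd", "pwd", "pass", "token", "secret"}
ID_KEYS = {"uid", "user_id", "device_id", "x-device-id", "imei", "idfa", "gaid"}

@dataclass
class HttpRequest:
    host: str
    headers: Dict[str, str]
    query: Dict[str, str]
    form: Dict[str, str]

@dataclass
class Finding:
    host: str
    kind: str   # "credential", "email", "gps" or "identifier"
    where: str  # "query", "form" or "header"
    key: str
    value: str  # credentials are redacted so the report itself does not leak

def parse_request(raw: bytes) -> HttpRequest:
    """Split one reassembled HTTP/1.x request into host, headers and fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    url = urlsplit(target)
    form: Dict[str, str] = {}
    if "x-www-form-urlencoded" in headers.get("content-type", ""):
        form = dict(parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True))
    return HttpRequest(headers.get("host", ""), headers,
                       dict(parse_qsl(url.query, keep_blank_values=True)), form)

def classify(key: str, value: str) -> List[str]:
    """Return the kinds of sensitive data one field carries (possibly several)."""
    kinds, k = [], key.lower()
    if k in SECRET_KEYS:
        kinds.append("credential")
    if EMAIL_RE.search(value):
        kinds.append("email")
    m = COORD_RE.search(value)
    if m and -90 <= float(m.group(1)) <= 90 and -180 <= float(m.group(2)) <= 180:
        kinds.append("gps")
    if k in ID_KEYS:
        kinds.append("identifier")
    return kinds

def scan_request(req: HttpRequest) -> List[Finding]:
    """Run the detectors over every query, form and header field of one request."""
    findings = []
    for where, fields in (("query", req.query), ("form", req.form), ("header", req.headers)):
        for key, value in fields.items():
            for kind in classify(key, value):
                shown = "<redacted>" if kind == "credential" else value
                findings.append(Finding(req.host, kind, where, key, shown))
    return findings

def scan_capture(raw_requests) -> Dict[str, List[Finding]]:
    """Group findings by destination host, the way an analyst triages a capture."""
    report: Dict[str, List[Finding]] = {}
    for raw in raw_requests:
        for f in scan_request(parse_request(raw)):
            report.setdefault(f.host, []).append(f)
    return report

if __name__ == "__main__":
    for host, findings in scan_capture(SAMPLE_REQUESTS).items():
        print(host)
        for f in findings:
            print(f"  {f.kind:<10} {f.where}:{f.key} = {f.value}")
```

Run it directly to print a per-host report. The key sets are the tuning point: every app names its fields differently, so the practical workflow is to run once, read which fields the app actually sends, and extend SECRET_KEYS and ID_KEYS for that app. The value of a credential finding is redacted on purpose, since the analyst's report goes back to the user and should not repeat the secret.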