
OTP Stealing via SS7 Hacking

BSides Oslo · 2022 · 21:24 · 245 views · Published 2023-06
About this talk
Utku YILDIRIM is Penetration Test Team Leader at Barikat Cyber Security. He is a computer engineer and an MSc student in Cyber Security. He holds a number of red team certifications such as OSCE, OSCP, OSWP and LPT. -- OTP is very important for 2FA nowadays. Normally an attacker can sniff and steal telecommunication data only if the target is under an EDGE signal. In his method, the attacker suppresses the LTE signal, downgrades the connection to EDGE, and steals the telecommunication data.
Transcript [en]

Hello everyone, welcome to my presentation. I'm gonna talk about OTP stealing via SS7 hacking. Actually, I will steal 15 or 20 minutes from your life, but I promise it will be not more than 20 minutes. Also I will steal all your credentials, all short messages or OTPs via this technique. Let's start it. First of all, it's my first time in BSides, actually Oslo, Norway, and I heard that I missed the beautiful weather in Norway, and I was thinking I am an unlucky person in the world, but now I catch a really amazing atmosphere in BSides and I'm thinking that I'm a lucky person in the world. [Applause]

Yeah, let me introduce myself. This is Utku Yıldırım. I come from the Netherlands, but I'm originally from Turkey. I'm an ethical hacker, also a red teamer. I'm a computer engineer and a student of Master of Science in Cyber Security; I hope I will be graduated at the end of this summer. I have some CVE codes: the first one is about remote code execution, the second one is about a local file inclusion, and the last one is about a malicious file upload, multiple malicious file upload and remote code execution connected to each other. I have a lot of certificates, most of them based on offensive security, red team. I have OSCE, I have OSCP, I have OSWP and

etc. I gave a lot of trainings and courses before my career and in my career; you can see what they are. Also you can follow me, you can contact me, you can reach me on LinkedIn, you can send me mail, also you can follow me on GitHub and Exploit-DB. Let's talk about some technical things now. First of all, I need to explain my experiences. I have some experiences before Barikat Cyber Security, but it was not good for me; that's why I didn't mention the names of the companies, and I chose the start point as Barikat Cyber Security. In my career I was working as a penetration tester, then I changed my company to a cyber security company

in Turkey. Also I was working as a penetration tester and red teamer, and I was a security testing team lead in Barikat Cyber Security before the Netherlands. I'm working somewhere in the Netherlands right now, but I cannot provide the name of the company because it's confidential; I couldn't ask my manager, that's why I cannot provide it right now. And I'm a bug hunter; it's in a great team actually, you can understand easily from my t-shirt. Okay, now let's talk about some technical stuff. What is the topic of this presentation? Here are the contents: we will talk about two-factor authentication, one-time password, RF, jamming attacks, downgrade attacks, also a comparison

between 2G, 3G, 4G and 5G, also SS7 hacking, IMSI hacking, also some tricks of my technique, also some resources of my technique, and that's all. Okay, we will continue with two-factor authentication. Everybody knows what two-factor authentication is, but I want to explain again what two-factor authentication is. Two-factor authentication is an extra layer of security used to make sure that people trying to gain access to an online account... It has actually a basic methodology, a basic structure: first of all, a user will enter their username and correct password, then instead of immediately gaining access they will be required to provide another piece of information

to verify. Two-factor authentication has two steps for authentication; this second factor could come from one of the following categories: something you know, something you have, or something you are. What could be something you know? This could be a personal identification number or a password, or an answer to secret questions, or a specific keystroke pattern. What could be something you have? Typically a user would have something in their possession, like a credit card, like a smartphone, or an OTP. Also, what could be something you are? This category is a little more advanced and might include biometric patterns, biometric information such as fingerprints, such as a voice print, etc. Yeah, what is the big

big picture of the two-factor authentication mechanism? This is the big picture for two-factor authentication. As I mentioned before, you need to enter, you need to fill in your username, your password, then you will gain a code by SMS or anything, then you will gain access to your account.

Yeah, we talk about OTP. Everybody knows OTP actually; OTP is a one-time password, a string of characters or numbers automatically generated to be used for one single login attempt. One-time passwords will minimize the risk of fake login attempts, of brute force, and the risk of stolen data.

Yeah, let's check it: a one-time password as an SMS message. It's an example of OTP. Generally OTP is sent by SMS; nowadays it's changing, because some producers, some companies, have decided to change their structure for two-factor authentication to application, to security code, to fingerprint.

And RF, radio frequency: radio frequency is the oscillation rate of an alternating electric current, voltage, or mechanical system. In the frequency we can describe that easily.

And jamming attacks: you can see the structure of jamming attacks in the picture. It's the basic structure for jamming attacks. What is the jamming attack? A kind of denial-of-service attack which prevents other nodes from using the channel to communicate, by occupying the channel that they are communicating on. And downgrade attacks, here's the example for downgrade attacks: a downgrade attack is an attack that seeks to cause a connection, protocol or a cryptographic algorithm to drop to an older and less secure version. This attack aims to enable the exploitation of vulnerabilities that are associated with earlier versions.

And GSM: the Global System for Mobile Communications network is the standard system used by most mobile phone networks around the world. Whether a system uses a cellular network based around broadcast stations or satellite technology connected to signals from orbit, both types also can be part of the GSM network.

Yeah, here's a comparison between 2G, 3G, 4G and 5G. We will focus on the second generation, 2G, because, look at this beautiful baby, this is old, and also it's based on GSM and it's encrypted and unencrypted, so an attacker can sniff, an attacker can steal data from the second generation. That's why I will focus on the second generation.

Yeah, actually I wanted to prepare a live demo for this presentation, but it's not possible because it's not legal in Norway, also it's not legal in Europe, even it's not legal in the world. That's why I will give some tricks, I will give some steps of the technique, I will give a methodology of the technique, and if you have questions I will explain a little bit more. But yeah, we will see. I used two HackRFs, a telescopic antenna and a 5G antenna, a mobile phone of course, and SigintOS and an IMSI catcher. I use SigintOS because it's a signal intelligence operating system; yeah, it's really helpful for this kind of attack. I use two HackRFs because one is for

receiving and the other one is for downgrade and jamming attacks. I use a telescopic antenna because of range, because of distance; it's more powerful than standard antennas. Also I used an IMSI catcher for this.

I located my setup. I know it doesn't seem so professional; I'm not so successful at locating something, but you can understand my demo setup. There's a computer, and a HackRF is connected to the computer, and also there are two antennas: one is a 5G antenna, the other one is a telescopic antenna. Also there is a mobile phone.

Let's talk about methodology. There are only four steps, can you imagine, only four steps. The first step is configuring the lab devices; actually, I can describe this as the first point, the start point, for all information technology attacks, all information technology activity: configuration of the device. The second step: performing a jamming attack on 5G, because I cannot, or you cannot, perform a downgrade attack on 5G; it's the new generation, it's not possible. Actually I know it's possible, there are some zero-days for 5G, but I don't have them, that's why I needed to perform a jamming attack on 5G. Then at the same time I performed a downgrade attack from 4G to the second generation, 2G, because, as I

mentioned before, the second generation has a lot of vulnerabilities; you can steal data or you can sniff it. That's why I chose the second generation. And the last step: steal OTP with an IMSI catcher.

I put some screenshots for the steps. First of all, you need to search GSM data where you want. This is a screenshot for GSM searching by IMSI catcher. Then this is the jamming part for 5G: I performed a jamming attack on 5G, then it will be 4G, and I will start the downgrade attack from 4G to 2G. Then, last of all, I can steal telecommunication data, I can steal one-time passwords, I can steal your credentials, whatever you want.

Last step, IMSI catcher: I could get some information, some data. Yeah, I can say it's from Turkey because I'm not living in Turkey right now; I can say it easily. I could get some information, I could get some clear-text messages with my setup.

And this is the big picture of the structure of my technology. I forgot to put 3G, but you can understand: I will block 3G, 4G and 5G, and I can sniff second generation, 2G, data from the mobile phone, from the satellite, from the broadcast.

Yeah, here are some tricks of my methodology. Using a telescopic antenna, actually I explained before: you can use a normal antenna, but if you want a bigger range, or if you want more distance for this attack, you need to use a telescopic antenna. Also performing downgrade and jamming attacks together: as I explained before, you cannot perform a downgrade attack on 5G, that's why you need to perform downgrade and jamming attacks together. And a limited area for a successful attack: I mean, I can steal any data from here, but of course I cannot steal from the Norway centrum; yeah, you need to limit your area, you need to limit your zone. Also finding

the correct attack frequency for the target zone, because every country has a different frequency for telecommunication. That's why you need to search it, you need to find exactly the correct frequency for your target zone. And here are some references for all the methodology; I put some links for easy finding: 5G jamming attacks, downgrade attack, jamming attack and IMSI catcher. Also some resources for, as I mentioned before, you need to find the correct frequency for your target zone, and this is a map of Oslo; especially you can see the second generation, third generation or fifth generation telecommunication data, where the location of base stations or any stations is, from this source. It could be helpful for you.

And also maybe you can use OpenStreetMap; I put a photo for the Vulkan Arena area, we are here. And this is the end of my presentation, but first of all I want to say some things to my family, my friends, and also you. I really want to say thank you to my family, my wife, who are supporting me everywhere, every station, every day, and that's why I needed to say thank you; they are supporting me while I'm achieving the success steps. Also I want to say thank you from my heart to you for your attendance, and also lastly I want to say thank you to all the BSides

Oslo team. [Applause] Thank you, thank you, thank you for you. Yeah, and if you have questions about this... There are some people who are saying, you know, that you can't do these attacks on the Norwegian infrastructure. Yeah, explain this, because after we've got to get to the bottom of this. Everybody, I will be around, you can find me, you can ask all questions, especially is it possible in Norway or not. I can answer it: it's possible, because it's not based on Norway or it's not based on Turkey, it's based on the second generation. If you can change second generation technology, yes, it's not possible in Norway, but if you cannot, of course you cannot;

that's why it's possible in Norway. Also, can I ask you a question, to the participants? Can we take it after... Ask the question now, and then the answer they will ponder until, okay, dinner. What's the question? Okay, who is thinking it's a really easy technique? Yeah, there is someone. Who is thinking it's an impossible technique, it's hard? I think you made it look easy, actually. My first question: for my first question, you are wrong, it's not an easy technique, you need a huge budget, you need a huge budget with special devices and some special configuration. But yes, it's easy, not so hard, because I did it. And if you are thinking it's impossible, it's hard,

you are wrong. Just imagine you are a government or you are an intelligence agency; yeah, it's possible.