
WiFi-based IMSI Catcher - Piers O'Hanlon

BSides London · 2017 · 36:13 · Published 2017-06
About this talk
We present a new WiFi-based IMSI catcher which operates by exploiting flaws in the way authentication protocols have been deployed in most of the world's smartphones. Being WiFi-based means that the attacks have the potential to be much easier to take advantage of than traditional 2-4G based IMSI catchers. We explain how users may be tracked when using smartphones and tablets, including those running iOS, Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques. Finally, we present guidelines for vendors, cellular network operators, and users to mitigate the privacy issues that arise.
Transcript [en]

Okay, morning everyone. Hard to see everyone with these shiny bright lights. So I'm going to talk about something I came across last year, which enabled me to develop, sounds a bit suspect, but basically a Wi-Fi based IMSI catcher. This is work that I primarily did, and Ravi, also at Oxford, helped out in the later stages. So, overview of the talk: what's an IMSI? I guess quite a few of you probably know what an IMSI is; it's basically the international mobile subscriber identity. I'll go into a bit more detail about it, then talk about conventional IMSI catchers, which have been knocking around for a long time, things like Stingrays and all that, and then details on the technique that I developed to sort of build a Wi-Fi based IMSI catcher. There are a couple of problems with these two mechanisms that are used over Wi-Fi now for most smartphones: Wi-Fi network authentication, basically when mobiles connect to operator-run Wi-Fi hotspots, and Wi-Fi calling. Then looking at operator mitigations and user mitigations, and actually, well, I'm probably not going to demo sadly, unless there's a big shout for it.

So what's an IMSI? It's this 15-digit number. It breaks down: you've got the first three digits, the mobile country code, then the second one is the mobile network operator, and then you've got the individual mobile identifier. It basically allows for a mutual authentication of a device like your mobile phone to the network. So you've got the IMSI, it's kind of like your user ID, unique on the global telephone network, and then the other crucial piece of information that is also required is something called the secret authentication key, Ki, which is stored inside the SIM card and is also stored at the operator's home subscriber server. In 2G all you need is just the IMSI and the Ki, but for 3G and 4G they then introduced something called the sequence number, which is shared between the SIM card and the home subscriber server and provides some additional security measures, because basically 2G security kind of sucks really, but it's still here anyway.

So it's stored in two places. It sits in the SIM card, which has various ways of referring to it: the UICC was actually the name for the actual card itself, and then the USIM is what they refer to as an app that runs on the SIM. If you take a SIM card out of your phone and you stick it into one of these little cheap $2 Chinese USB things, or you can pay 100 to 400 quid for a SIM reader, you can basically read out a bunch of information off of the SIM card, including the IMSI; there's no sort of protection there, it's read-only. Fortunately things like the secret key and sequence number aren't directly readable, so you can carry out cryptographic operations on those by calling certain functions on the SIM, but you can't actually directly extract them from the SIM, so hence it's not easy to clone a SIM; they're tamper-resistant packaging. At the operator you've got the IMSI and the rest of them all stored in this HSS/AuC, depending on which version of the 3GPP standards you're talking about. It's also basically an identifier that has been well known for a while for its use in tracking across the world. But then there's a bunch of others as well that are part of your phone, like the Wi-Fi, Bluetooth and NFC hardware addresses, like the MAC address, and then you've got the IMEI, International Mobile Equipment Identifier, which uniquely identifies the actual phone hardware itself, and then you've got what's casually named the MSISDN, which is actually just another word for your phone number. Things like MAC addresses, they're starting to see a bit of privacy stuff; you see some randomization of MAC addresses on Wi-Fi, at least for the later versions of mobile OSes like iOS and Android, and you'll see it on some versions of Linux depending on which drivers and things you're running.

So conventional IMSI catchers: well, they basically will track a device based on the IMSI and possibly also the IMEI, and then they can determine a location and they can also typically intercept calls, SMS, data. They operate on the mobile bands, so GSM, 3G, 4G, so sort of 900 MHz, 1800 MHz; these are licensed spectrum. So essentially how they work is they pop up as a sort of fake base station, at high power, which then lures the mobile devices to attach to it. You can have a sort of passive mode where you just have tracking devices, but typically they're active, where they'll intercept calls and track the devices. They are relatively expensive, but believe it or not you can buy them on Alibaba these days; just do a quick search and you'll find one for a couple of grand. But it's also now possible to put one together yourself as well: a laptop with an SDR, software-defined radio. Things like the cheapest won't actually get you an IMSI catcher, but there's something called the RTL-SDR that some of you may be familiar with, which is a 15 pound little dongle that you stick in your machine that was supposed to be for watching telly, but actually turns out it can be used as a wideband software-defined radio. Basically it'll tune into any frequency from about, I can't remember the exact range, it won't catch Wi-Fi, but it does quite a lot; it's about sort of 200 and something, I can't remember the number, but it goes to 900, it goes to about 2 GHz, doesn't go to 2.4 GHz, but you can look at quite a lot of things with it. Anyway, they've been around for a long time, and the sort of techniques: you've got 2G protocol flaws and you've got some 3G architecture issues as well; we won't go into too much detail on those.

Protection against IMSI catchers: there is some recent work, a project called the SeaGlass project, which came out of the University of Washington, which basically, what they've been doing is driving around in cars and mapping out the frequency spectrum used by all the known base stations and then watching for anomalies, and then being able to work out whether IMSI catchers are being deployed. There's not really much of a protection in terms of the actual phones themselves, non-rooted ones. Special phones like the Blackphone purportedly can give you an indication of potentially if you're being downgraded. Then there are certain apps for rooted phones like SnoopSnitch and [unclear] that basically provide you some indication and can do some mapping stuff. Other options, not so handy: turn it off, right, don't need a mobile phone anymore.

But then the Wi-Fi stuff, well, that's what we get into. So a Wi-Fi based IMSI catcher: basically you can track on IMSI and location, but no interception so far. It's in the ISM, industrial, scientific, medical bands, unlicensed basically, so range a few hundred meters, but you could extend it with all kinds of sort of pop cans and what-have-you, and basically you can spin up a fake access point and perform some of these attacks we're going to talk about. Essentially it's based upon two techniques that are specified in this 3GPP standard, TS 33.234, which specifies the two access techniques which I mentioned briefly at the beginning: Wi-Fi access network authentication, which is termed WLAN direct IP access, which is basically operator-run Wi-Fi access points, and then you've got the Wi-Fi calling, known as WLAN 3GPP access, which can be used for other things but at the moment is used for that. It's low cost; you can just run it on a Pi, this sort of stuff I'm talking about.

So I'll give a brief overview of the mobile network architecture. We're really talking about these two little red and blue dotted lines: the blue dotted line is just the connection to the AP, which is the operator-run Wi-Fi access point, and then you've got the red dotted line that goes to something called the evolved packet data gateway, which is connected to the mobile infrastructure, and then here's the rest of it, the mobility management entity and the home subscriber server, and then you've got the packet data gateway over there to the right that takes you on to the internet.

So Wi-Fi network attachment: well, basically you've just got unencrypted connection to Wi-Fi access points, maybe with a captive portal thrown in, and then you've got normal sort of pre-shared passwords, credentials, maybe pre-shared keys or something, and then you've got the auto-connect encrypted Wi-Fi APs, which is specified in this 802.1X IEEE standard, where the Wi-Fi key is negotiated without user intervention, typically, and it's based on credentials in the device, in this case credentials that come from the SIM card. This is controlled by an operator-provided configuration that ships on the phones, and that comes in two forms: automatic, pre-installed, and then a sort of manual approach.

So we'll have a look at the automatic configuration. A number of Android and Windows phones automatically connect based on the SIM: when you put the SIM card in, they then select a pre-configured profile from an operator and set it up on the device. The same occurs on iOS; it activates a specific kind of mobile config, and the types of things that it configures, in the case of the stuff we're interested in here, are operator-specific SSIDs, so the device is then configured to look for those SSIDs. We did an analysis of iOS 9, just a jailbroken phone, and found more than 60 profiles spanning 44 countries that provide for 802.1X Wi-Fi, and that contains 66 unique SSIDs, plus a bunch of other random config in there as well. But the upshot of this is that phones are continually trying, silently, to automatically authenticate to these SSIDs. Manual configuration, well, that's less of a concern, but it's still basically, with some of these Android phones, and I think some Windows phones as well, you basically have to do an initial step on the website and then you go through it, and after you've done that it automatically connects. Android's got some carrier control mechanisms for potentially enabling some of this stuff as well.

So this automatic Wi-Fi authentication, as I said, it's IEEE 802.1X. It uses another standard, the Extensible Authentication Protocol, which is known as EAP, and it's specified in this RFC 3748 from the IETF, and it's basically EAP over LAN, or in other words it's casually named EAPOL, and goes over Wi-Fi. Then the two specific EAP methods that we're interested in, which are actually the methods that are used to do the authentication for these services, are EAP-SIM, which is based on GSM security, which is currently the most widely used for the Wi-Fi access point authentication, and then you've got EAP-AKA, which is 3G-based security, and that is under deployment now. The support for these protocols is in pretty much most of the world's smartphone OSes, so Android, iOS, Windows Mobile, BlackBerry. I spoke to all of those guys and let them know. Basically I started talking to Apple back in April last year about it and they weren't too concerned initially, and I didn't really hear very much, but then a few months later they suddenly spun up and realized that maybe this was a bit of an issue, and they took it pretty seriously, so I talked with them for some months about it and how one could address it really. But it's tricky because it's not just a bug fix. I also spoke to some of the operators and the GSMA about the issues. It's deployed in many countries and adoption is growing at the moment.

So let's dig into the actual protocols themselves, what's going on. Basically you have three basic identity types for this protocol. You've got the permanent identity, which is the one that we are interested in; the IMSI is typically the permanent identity, and this is used initially when the phone connects, typically, after which a temporary ID is used, which is actually this fast re-authentication identity, the third one down, which provides a lower overhead for reattachment after the initial exchange. And then the other identity, called the pseudonym identity, which can be a pseudonym for the IMSI, has a limited lifespan, and so when you send it over the wire you're not sending the real IMSI. But the behaviour of the protocol is controlled by this, what's called the peer policy, and there are two options there basically. You've got the liberal peer, which is the current default, and it basically responds to any request for the permanent identity, so basically you can ask the phone to do a full authentication, which basically means send me your IMSI, and there's no protection against that, up until fairly recently. The conservative peer, which is the second peer policy, is a future deployment option, but it's actually under deployment, although I've yet to see it in action, but I haven't been looking everywhere, and it only responds to requests for a permanent identity when no pseudonym is available. This is a feature that is part of this protocol, EAP-SIM and EAP-AKA; I mean these protocols were written like a decade ago, believe it or not, and the conservative peer stuff is actually being deployed into iOS 10 as a result of this work.

So the EAP protocol sadly is not encrypted, but in some senses that's not a big problem, because I mean you've got to have layers and layers; you don't necessarily have to build encryption in at every layer. But unfortunately in the case of the Wi-Fi access point authentication, EAP, EAPOL, is not encrypted and not sent in an encrypted channel, so thus the IMSI is basically visible on initial connect, and it's also visible on, basically, a rather simple attack, the full authentication attack. So that's the sort of first couple of gotchas with that protocol, well, when the protocol is deployed for doing Wi-Fi access point authentication, although you'll be happy to hear the actual Wi-Fi access keys are not compromised, so the contents are still protected; it's just your IMSI. There are encrypted tunnels that could be used to protect this transaction, but currently they're not used; we'll look at that a bit later. Whoops, I think I double-dipped that slide.

So then we've got the Wi-Fi calling connection. What happens here is the phone can connect to Wi-Fi however it likes, at home or through work or an operator-run access point, and what happens is the voice calls are rerouted. Typically, say in iOS for example, you just flip it on in the preferences, and in the normal telephone app you wouldn't know the difference unless you look at the top and it says Wi-Fi calling enabled. It'll typically happen when you've got no coverage or a bad signal; in fact you can kind of force it to come on by flipping into airplane mode and then turning on Wi-Fi; if your phone's enabled for it, then it will fire up the Wi-Fi calling feature. So with Wi-Fi calling, the connection to the evolved packet data gateway uses IPsec and authenticates using IKE, IKEv2, and it's supported on iOS, Android and Windows, again, which I also mentioned to them about this issue.

Now, just a little brief IPsec overview for those of you who aren't familiar. You've got IPsec, Internet Protocol Security, which is actually a suite of protocols and provides confidentiality and data integrity, access control, and then within that suite you have the Authentication Header, AH, and for confidentiality the Encapsulating Security Payload, ESP, and then you've got key management, which is what we're interested in here, this IKEv2. There have been quite a few versions of IKE; it started with something called Oakley, I think, and then we had v1 and now we're on v2. IPsec operates in two modes; you've got tunnel mode and transport mode, and the tunnel mode is used for the connection to the evolved packet data gateway. So IKE is fast; it connects in a couple of phases. You've got the SA_INIT phase, where you negotiate the cryptographic algorithms and do a Diffie-Hellman exchange, and the Diffie-Hellman exchange allows you to then essentially build up a pair of shared keys, and then the IKE_AUTH stage is encrypted using these Diffie-Hellman keys, and this exchange, the IKE_AUTH exchange, contains the IMSI; it actually performs the EAP-AKA protocol in the IKE_AUTH phase, exchanging the IMSI there. But unfortunately the Diffie-Hellman exchange isn't actually protected by a certificate; it's not authenticated, so essentially it's open to a man-in-the-middle attack. So you can set up a malicious endpoint and just do a DNS redirect for the evolved packet data gateway, and you then pretend to be the evolved packet data gateway and you catch the IMSI. Again, with the second technique, the actual call content is still safe; it's not corrupted at this point, sorry, compromised, at this point. So those are the two issues.

So what can be done? Well, EAP-SIM is actually not particularly great; there are other issues, and as you're probably aware, 2G security is not terrific, and so it's a good move to move towards EAP-AKA for everything, for the Wi-Fi access point stuff, and it's already mandated for the Wi-Fi calling, so that is actually happening. I have seen operators now basically only using EAP-AKA for the authentication. And then there's also deployment of this conservative peer mode with the pseudonyms, so that should really be deployed as well; that basically reduces the exposure for the devices, basically, of someone getting hold of their IMSI. And then the next stage is really to provide a certificate-based approach, where we then run these authentication protocols in tunnels. Now there are sort of already standards out there which allow for this, so you've got something called EAP-TTLS, which essentially is just using a tunnelled TLS, or SSL depending on what you want to call it; TLS is specifically a protocol that can run over 802.1X, and there's a possibility you can also run it within IPsec, so you can then tunnel this authentication again, or there are other options within IKEv2; you've got multiple authentication exchanges. But the catch for some of these is that they will increase the round-trip times; there'll be additional round trips for the security protocol exchange to happen, which then has impacts on latency in terms of how fast your phone actually connects to the Wi-Fi or connects to the Wi-Fi calling services, although you'd be forgiven for thinking that they don't care that much about it at the moment, because if you look at how fast your phones reconnect, say, to the Wi-Fi on the underground, it's not exactly snappy; it takes like seconds, maybe tens of seconds sometimes to get around to reconnecting, so latency doesn't seem to be top of their list right now. So it would seem that an additional level of security could be good, but it does mean that certificates have to be deployed within the AAA infrastructure, within the mobile infrastructure, and they also have to have support for it in the systems that run the networks and on the phones, and the operators need to actually say, let's deploy this stuff. And then there are other potential solutions: you can encrypt the IMSI using some other techniques. This work has been done as part of this European research project that I'm on, called 5G-ENSURE, and one of the partners has come up with a way of encrypting the IMSI, which is another option, and at least that can protect you, but the problem is that it also requires some other deployments within the network, so it's not for free. Then there are other older standards that have been around: certificate-based protection of the IMSI, this is another 3GPP, it's not really a standard actually, it's just a sort of proposition from quite some time ago. So anyway, it's probably a good point for standards bodies to have a look and re-evaluate some of the approaches in terms of their recommendations.

So, mobile OS mitigations: we need to support this conservative peer mode, which is emerging in some, and as I mentioned iOS 10 does have conservative peer, which was developed as a result of us reporting these issues to Apple, and that will definitely provide a better measure of protection. I think that's the first step that people are looking to, the GSMA and so on, and then the certificate-based approach, where you need to deploy EAP-TTLS, and in IKEv2, and maybe there are some other approaches that potentially could solve this. And then there's things like, it'd be nice if people were allowed to turn off some of this automatic stuff that just gets preloaded into their phone; there's a lot of things that get done automatically for people, and it's not possible to turn a lot of this off very easily.

So looking at user mitigation: you've got Wi-Fi network access control; you can turn off the auto-join stuff for auto Wi-Fi networks, but only when the network's in range, so you've got to wait till one pops up and then quickly turn it off. In theory you've got conservative peer, and then in Android you can forget the network as well, but this also depends on the version, and again whether it's in network range. And with Wi-Fi calling there's not really much you can do apart from just switch it off, or potentially switching off Wi-Fi in untrusted environments. I guess some of you might be aware of some of the work from Project Zero out of Google to develop some attacks on the actual embedded Wi-Fi stacks; basically the whole of the Wi-Fi stack is now being implemented on the Wi-Fi chips themselves, and these guys at Google essentially used some other work that basically reverse-engineered the firmware running on these Wi-Fi chips and realized there were bugs in there that could be exploited by just sending particular crafted packets, which would then gain a new route into the application processor by doing an attack first on the Wi-Fi hardware, and then you could get some uncontrolled access to memory and drop in through that way. That's another issue with some of this offloading; there's a lot of these additional systems that are starting to appear within, say, phones; your memory controller is then a separate memory controller chip. But in this case, Wi-Fi, we're looking to try and make some better protection.

I mean essentially there aren't really great privacy mandates in the standards; the privacy stuff around protection of the IMSI is kind of optional, and I think these need to be made stronger when these things are put together. And then widespread device configuration with no opt-out is starting to become an issue when it compromises security. And the other thing that seems to me is that there's a lot of security testing for phones out there, but this was just, just run Wireshark in monitor mode and have your phone connect to an operator-run Wi-Fi access point and up pops the IMSI. I mean there are certain identifiers that you would hope that manufacturers would just do some sort of basic scan for, to see whether they're just flying out the wire unencrypted, which doesn't really seem to have happened, which is kind of disappointing; hopefully they'll be taking the message home.

But yeah, so the basics: these two techniques rely upon features that are implemented in most of the world's smartphones right now, and fixing it is not just one patch; you've got to work with the vendors, the mobile OS manufacturers, to basically implement the features and then have the operators actually switch those features on, and then we're going to see a bit better protection in this space. As I said, I think EAP-AKA is now starting to replace EAP-SIM on some of the networks; I've been seeing that happening, so that's a good thing, but we'll have to see how it goes on into the future. I guess it's tricky with this and talking about these things in public; you know, there are the guys who implement the stuff and don't want you to talk about it, and there's never probably a great time to talk about them, I suppose, until they've actually fixed them, but with things like this they're not that easy to fix; no one person can fix them, so no one person, in some sense, takes the blame either. So I guess getting the message out there that there is this problem and it's really not that hard to exploit hopefully gets things moving a little bit quicker.

So I think I've basically, future work: we're still looking at other uses of EAP-AKA and EAP-SIM, and then looking at the use of USIM credentials in other Wi-Fi based protocols and other protocols, because it was news to me actually, when I first started looking at this, that the USIM credentials were being communicated up into the OS level; I'd assumed it was all staying down in the baseband, but no, they've been used at the OS level for a while now. So this is part of the 5G-ENSURE project, which is an EU Horizon 2020 project, this thing here. But the actual original motivation for the work was sort of personal: I was just sitting on the tube one day and I looked at my phone and I saw there's a Wi-Fi network my phone's connected to; I didn't type that in, I didn't type in a password, what's going on? And so basically I just dug down, found the protocols and then realized there were some pretty serious issues with them. So, finished a little bit early, but questions and thoughts? [Applause] [Music] [Applause]
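The identity exchange and the two peer policies the talk describes, as an added example that is not part of the talk or the speaker's proof of concept: a model of how a phone answers the server's identity requests under the liberal and conservative policies, plus a defender-side check that flags permanent identities (IMSIs) in cleartext EAP identity strings, the kind of check the speaker says vendors should run on their own devices. It assumes the 3GPP NAI layout `<digit><identity>@wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org`; the `Peer` class, its request names and all IMSIs and pseudonyms are constructed for illustration (MCC 001 is the test network code).

```python
"""Added example, not from the talk: EAP-SIM/EAP-AKA identity handling under the
liberal vs conservative peer policy, plus a check that flags permanent
identities (IMSIs) seen in cleartext EAP-Response/Identity strings. Every IMSI
and pseudonym below is a constructed test value (MCC 001 = test network)."""
import re
from dataclasses import dataclass
from typing import Optional

# Leading NAI digit: 0/1 = permanent (AKA/SIM), 2/3 = pseudonym, 4/5 = fast re-auth
IDENTITY_TYPES = {"0": "permanent", "1": "permanent", "2": "pseudonym",
                  "3": "pseudonym", "4": "fast_reauth", "5": "fast_reauth"}
NAI_RE = re.compile(r"^(?P<prefix>[0-5])(?P<body>[^@]+)@wlan\.mnc(?P<mnc>\d{3})"
                    r"\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$")

def classify_identity(nai: str) -> str:
    """Which of the three identity types a sent NAI is ('unknown' if malformed)."""
    m = NAI_RE.match(nai)
    return IDENTITY_TYPES[m.group("prefix")] if m else "unknown"

def imsi_exposure(nai: str) -> Optional[tuple]:
    """(imsi, mcc, mnc) if this NAI carries a permanent identity, else None.
    Also checks that the IMSI's MCC/MNC prefix agrees with the realm."""
    m = NAI_RE.match(nai)
    if not m or IDENTITY_TYPES[m.group("prefix")] != "permanent":
        return None
    imsi, mcc, realm_mnc = m.group("body"), m.group("mcc"), m.group("mnc")
    if len(imsi) != 15 or not imsi.isdigit() or not imsi.startswith(mcc):
        return None
    # The realm MNC is always 3 digits; a 2-digit MNC is left-padded with a zero.
    candidates = [realm_mnc] + ([realm_mnc[1:]] if realm_mnc[0] == "0" else [])
    for mnc in candidates:
        if imsi[3:].startswith(mnc):
            return imsi, mcc, mnc
    return None

def scan_identities(nais):
    """Defender-side sweep over identities seen in an EAPOL capture of your own
    devices: list the IMSIs that went over the air in the clear."""
    return [hit for hit in map(imsi_exposure, nais) if hit is not None]

@dataclass
class Peer:
    """A phone's EAP-AKA identity handling under the two peer policies (hypothetical model)."""
    imsi: str
    mcc: str
    mnc: str
    policy: str = "liberal"          # the current default the talk describes
    pseudonym: Optional[str] = None  # issued by the server in an earlier full auth
    fast_reauth_id: Optional[str] = None

    def permanent_identity(self) -> str:
        realm = f"wlan.mnc{self.mnc.zfill(3)}.mcc{self.mcc}.3gppnetwork.org"
        return f"0{self.imsi}@{realm}"  # '0' = EAP-AKA permanent identity

    def respond(self, request: str) -> Optional[str]:
        """Identity sent for a server request of type 'any' (AT_ANY_ID_REQ),
        'fullauth' (AT_FULLAUTH_ID_REQ) or 'permanent' (AT_PERMANENT_ID_REQ).
        None means the peer answers with a client error instead of an identity."""
        if request == "any":
            return self.fast_reauth_id or self.pseudonym or self.permanent_identity()
        if request == "fullauth":
            return self.pseudonym or self.permanent_identity()
        if request == "permanent":
            # Liberal: always hand over the IMSI. Conservative: only when no
            # pseudonym is available, which is what defeats the full-auth request.
            if self.policy == "liberal" or self.pseudonym is None:
                return self.permanent_identity()
            return None
        raise ValueError(f"unknown request type {request!r}")

# Constructed sample: two phones holding a pseudonym, one with no pseudonym yet.
LIBERAL = Peer("001010123456789", "001", "01", "liberal",
               pseudonym="2abc123@wlan.mnc001.mcc001.3gppnetwork.org")
CONSERVATIVE = Peer("001010123456789", "001", "01", "conservative",
                    pseudonym="2abc123@wlan.mnc001.mcc001.3gppnetwork.org")
FRESH = Peer("001019876543210", "001", "01", "conservative")
```

Only the liberal peer, and a conservative peer that has never been issued a pseudonym, hand the IMSI to a bare permanent-identity request; `scan_identities` over a capture of your own phones' identity responses lists exactly those exposures.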