
Hello everyone, thank you for joining this presentation. Welcome back to BSides Athens. My name is Leo, and today we're going to talk about open source intelligence, or OSINT. First off, some words about myself: I've been around in the industry for a bit over six years. I'm a security consultant and researcher; in the past I've also worked for companies like F-Secure, which was once called MWR and is now known as WithSecure, and NSO Group, which I'm pretty sure you all know. At the moment, however, I'm serving my country in the Hellenic Army Cyber Defense Department, and you can find me on Twitter, GitHub and all the things as ali ripping.

Today I want to talk about an OSINT trick which is one of my favorites. It is a known one, so don't expect any novel techniques or zero-days, and it's extremely easy and surprisingly effective for its purpose. We'll refer to it as contact sync. First we'll see what it is and why we need it. Then we'll go about the challenges of creating fake accounts, or sock puppets, specifically phone-backed ones, which is a pain depending on where you live. Then we'll look at operational security considerations, or OPSEC, and what automation capabilities we have, or rather what the limitations are, and we'll summarize with an evaluation of this technique, its pros and cons compared to other tricks.

OK, imagine you walk up to your phone to realize you've missed a call and the number doesn't look familiar. So naturally you want to see if it's something important or not, to maybe call it back. Maybe it's your boss, maybe you've won an all-inclusive trip to the Greek islands. It could happen, right? Who knows. This is a typical OSINT scenario where we start with an unknown phone number and want to get more intel about it, something you might also see mentioned as an enrichment process. This problem can of course be tackled in many ways. We can see some of them in this excellent diagram from IntelTechniques, a great, great source of such diagrams, which essentially presents the OSINT landscape for this scenario. The path we'll follow is also covered, and it's the highlighted one. It involves a mobile operating system, a smartphone, and your contacts, your address book, as we can see, but we'll get to it in detail in the next slide.

So let's see what our solution looks like. We'll start with a target number. We'll need any smartphone to add this number to our contacts, and then, using social media and instant messaging applications, we will upload this address book to find friends. That might take restarting the app, rebooting the device or just refreshing the main screen, and boom, we get some new data for the target: typically a name and a picture, sometimes also the last active status. And not just from one application, one service, as we refer to them. The cool thing here is that you can do the same thing with multiple apps and get more data: a different pic, a new name, or even different types of data altogether, to slowly enrich your target.

Awesome, how do we start? First, you guessed it, we need a smartphone. But why not use a virtual machine or an emulator, you might ask. The challenge with these is that to even install the apps of interest, sometimes we'll need to hide the emulation environment or evade root detection routines, and this can get complicated with lots of custom mitigations employed by these apps to prevent abuse. This whole topic is massive in bibliography, and at the end of the day, yes, the reverser always wins, but overall it's pretty time-consuming, so it's best if we can avoid this trouble altogether. Another reason an emulator might not be the best idea is that it's trickier to simulate telco functionality, the phone part of the smartphone. For instance, we cannot insert a SIM, we cannot accept SMS messages for verification codes, so it's just easier to use a smartphone.

Then we'll need, of course, a SIM card to create our sock puppet account, which we'll be searching target numbers from. In some countries this is fairly simple, as you don't need to provide any ID to activate SIM cards. In Cyprus, for instance, you can just fetch a dozen SIM cards from your local mini market and then you're good to go, no questions asked. In other countries though, like Greece, you need to provide a whole lot of personal info to get yourself a number, in the name of national security.

All right, say we have no problem with that. The first obvious place to get this new SIM card is the local telco providers' brands. Unfortunately, this solution isn't really good because it's just too expensive. I found out that for all prepaid plans you need to first top up the number that you're going to use, which is at least 12 euros for the first charge, and that's a hefty price to conduct any large-scale operations. It just doesn't scale up, so this solution was abandoned. Note however that you can also go shopping in dodgier places and get your hands on dirty SIM cards without really providing any details or paying anything, so long as you know what you're doing, and be prepared to get scammed like I was, as the SIM cards that I obtained through this method were expired and very smartly resold as brand new. What about these promotional offers in subway stations, these youngsters selling free numbers loaded with data plans? No, that doesn't work either, as it turns out they're not really free and actually need the same pricey first charge as the in-store ones.

Now someone might suggest using an online service like Twilio to sign up, get some phone numbers, receive the registration OTPs on them and get cracking with the applications. What's wrong with this? First, you bump into this chicken-and-egg problem, as to verify yourself in Twilio, for instance, you need to first provide another number, your real number, and the whole point is to just hide this real number, right? What's worse is that even if we decide to provide this real number, we'll soon find out that we can't really use it to register on applications, as they somehow detect this is not a real number I've just used, and the SMS message for the registration just never comes in. So that failed too.

Next I tried a foreign number, kindly sponsored by a close friend, but that also failed, as apparently it's a pretty common requirement globally to frequently top up your balance or it's just deactivated altogether. So another thing to keep in mind for any OSINT operations is that we'll need to actively maintain any sock puppets we create. So finally, disappointed as I was under the CFP time pressure, I decided to get back to the shop, but right before I gave up and paid for these hefty new SIM cards, a very helpful employee actually told me, "Hey, why don't you just sign up now and top them up later? We'll activate this right now." And I was surprised to hear that this is actually an option. So that actually worked: I just obtained a new SIM card without paying absolutely anything, other than my personal data, of course.

And the final step is to choose the applications we want to use to search the target number within. For this we can, let's say, categorize the target applications in three, four main categories. First, on the top row, we have the big social media applications. On the second row, on the left, we can see the biggest messaging apps, like WhatsApp, Viber and Facebook's Messenger; on the right, though, we have the security- and privacy-focused messaging apps, and Telegram and Signal are good examples. And finally, on this last row, we can see some applications that are critical for specific regions. For instance, VKontakte is pretty big in Russia, WeChat is the de facto chat application in China, and LINE is also very, very popular in Japan.

All right, now that we have everything set up, let's see what this trick looks like. We'll use Telegram for demonstration. First we can see that we've registered in Telegram with our sock puppet account. We don't have any contacts yet, so let's go ahead and create one. We'll use a question mark for our target account, we'll paste the number that we want to get more intel about, save it, and then get back to Telegram, where we can see that immediately we have someone that we can add as a friend, and we get some interesting info: we get the username, we get the picture of course, and this bio field.

Right, this is manual effort. How could we possibly automate this? What if we want to script this? There are multiple solutions. As we discussed, we can just load the application in an emulator and maybe script this using testing frameworks to launch the app, do the lookup and then parse the results. Or, if there is a web client available for our application, we can just reverse engineer this and use DevTools, for instance, to examine the flow and then scrape any UI elements. Alternatively, and this is the most effective solution, we can just reverse engineer the mobile clients for our applications. But again, you might ask, what about these services that provide social media information about target users, services like Sync.me, thatstam.com or people? Unfortunately they don't really work, as they're based on something that's automated and easily accessible, aka easily abused, and this sort of functionality, like Facebook's Graph, is eventually stopped.

OK, so what can we do to defend ourselves from this trick? How can we prevent users from getting our personal info through the apps we use? The solution is to check our settings and mind the defaults. Unfortunately there is no silver bullet; we need a per-application solution, and this also takes some digging, unfortunately. In Telegram, for instance, the right knob to change is under "Phone number", and we need to explicitly change it to this value, "Nobody", and only then the latter radio option pops up, allowing us to select "My contacts" and make our number unsearchable.

Let's talk about OPSEC. The first thing we need to keep in mind is that should we decide to use a sock puppet and reuse it all over the place, then this account might start getting too much heat, and interesting correlations might come up behind the scenes, in the graphs that all services use. To avoid this, it's best to just create new accounts every now and then, or use a different sock puppet per service. Similarly, reusing the same device for multiple operations might introduce some risk, this time on our end, as the address book of this same smartphone, should it be compromised or stolen, could end up profiling our operations. So the consideration here is to remember to clean the device periodically. And finally, the dreaded "you might know" bubble popping up on the target's end, revealing our account and operations. This is the worst possible side effect of this contact sync trick, but fortunately it's pretty rare. The solution is to just avoid repetition where possible, as typically this correlation might take more than one search, and the good thing with this trick that we're presenting here is that all you need is just one lookup, only just one search.

But let's focus on this scenario for a moment. This is a serious risk, and it would be interesting to see how possible it actually is for this to happen. So I've had this idea for a while that maybe we could use the privacy tools offered to us by the EU's GDPR, the General Data Protection Regulation, to find out what exactly is held about our user, a target user, and specifically whether that includes any passive correlations with other users that may have added our user as a contact. So I decided to try it out in Telegram. Specifically, you can get all the data that's kept about you through a GDPR bot, as we see in the FAQ. Using this very simple to use bot, all we need is just two messages, two slash commands, to request our data, download it from the desktop app, and then finally export it in a human-friendly HTML format and browse it easily to find out there's actually no mention of our sock puppet, the one we just used to search this target account. And this is of course just an example. Telegram is a privacy-oriented app; expectedly, it doesn't really hold any creepy data. But let's just keep this tool in our heads for other applications that might not be so innocent.

OK, with all that in mind, let's now summarize what we know about this trick, its gains and losses. First, its ease of use: we need no crazy skills nor any specialized software or hardware to perform it. Secondly, it's hard for applications to block, and even harder to detect that this feature is being abused. Let me dive deeper here for a second. We shouldn't forget that this is based on a feature: contact uploading is a UX functionality to help you get started with a given service and find friends. And with regards to detection, remember that address books are inherently large, and most times this is implemented with a single request to the back end. So if you've done your reverse engineering and you've successfully scripted a contact sync lookup, all you need to search multiple numbers at once is just one request. Also, it boasts great performance. Again, if you've reversed the API, the lookup call is instant, it takes milliseconds. Compare that to waiting for an emulator to boot, the app to be launched, and then UI buttons to be clicked, and that's before results are actually fetched and then parsed. So the difference here is massive. Finally, it offers solid result confidence, effectively low to zero false positive hits. Compare that to the fuzzy results that, for instance, a search engine would provide.

There are of course some downsides. For starters, it's actually hard to automate this trick. As we saw, this takes some reverse engineering, which usually takes both time and skill. Even once the APIs are reversed, you also need to constantly monitor its results and keep an eye out for version updates or changes in the format. This, however, is also true for other techniques like scraping web results or the apps' web clients. Also, you typically need to have an active session to even perform these requests, so factor in additional reverse engineering effort for the login process and some token juggling after that. And finally, should we decide to use sock puppets and be reasonably paranoid about our OPSEC, we'll have to accommodate the overhead of managing all these accounts and keeping them active.

Before we go, here's a list of good OSINT references, good sources for OSINT stuff. First we have OSINT Curious, the prolific Dutch OSINT Guy on Twitter, and of course the awesome-osint list on GitHub. But most importantly, inteltechniques.com is a great source of diagrams; however, unfortunately, the juice is now hidden. All these cool diagrams are not even available on the Wayback Machine, so it might take some digging to actually find these nice paths.

And that's all for today, actually. I'd like to thank you again. Thanks to Cuba Saxenos for their overall help with the slides and spot-on QA advice. I would like to thank my childhood friend Nick for that foreign SIM card that featured briefly, and last but not least Delta, my partner in crime in the army's red team, for helping me out in this race to find SIM cards for sock puppets. That's all folks, hope you enjoyed it, and if you haven't fallen asleep yet, there's a neat little OSINT challenge coming up, so stay tuned for a chance to win a wee prize.
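As an added example (not code from the talk or from any of the services it names), the following Python looks at the detection problem from a service operator's side: over constructed contact-sync log rows, it flags accounts that repeatedly upload a tiny, ever-changing address book, which is the one-number-per-lookup pattern the Telegram demo shows. The log layout, field names and thresholds are assumptions.

```python
"""Heuristic for spotting contact-sync lookup abuse in server-side sync logs."""
from collections import defaultdict

# Constructed sample log: one row per contact-sync request the backend served,
# as (account id, list of uploaded phone numbers). Numbers are made up.
SYNC_LOG = [
    ("alice", ["+3021000001", "+3021000002", "+3021000003",
               "+3021000004", "+3021000005", "+3021000006"]),
    # Normal re-sync: nearly the same book with one new entry.
    ("alice", ["+3021000001", "+3021000002", "+3021000003",
               "+3021000004", "+3021000005", "+3021000007"]),
    ("bob", ["+3069000010", "+3069000011", "+3069000012"]),
    # An account that syncs a one-entry address book again and again,
    # with a different number every time: the lookup pattern from the talk.
    ("puppet", ["+3069000100"]),
    ("puppet", ["+3069000101"]),
    ("puppet", ["+3069000102"]),
    ("puppet", ["+3069000103"]),
]


def overlap(a, b):
    """Jaccard similarity of two uploaded address books (1.0 if both empty)."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 1.0


def account_stats(log):
    """Per account: sync count, largest book size, mean overlap of consecutive syncs."""
    books_by_account = defaultdict(list)
    for account, numbers in log:
        books_by_account[account].append(numbers)
    stats = {}
    for account, books in books_by_account.items():
        overlaps = [overlap(prev, nxt) for prev, nxt in zip(books, books[1:])]
        stats[account] = {
            "syncs": len(books),
            "max_book": max(len(b) for b in books),
            "mean_overlap": sum(overlaps) / len(overlaps) if overlaps else 1.0,
        }
    return stats


def flag_lookup_abuse(log, min_syncs=3, max_book=3, max_overlap=0.2):
    """Accounts whose syncs look like single-number lookups: several syncs of a
    tiny address book whose contents barely overlap from one sync to the next."""
    return sorted(
        account for account, s in account_stats(log).items()
        if s["syncs"] >= min_syncs
        and s["max_book"] <= max_book
        and s["mean_overlap"] < max_overlap
    )
```

This only catches the interactive, one-contact-at-a-time pattern; a reversed API that ships many unrelated numbers in one large upload, as the talk describes, looks like an ordinary first sync here and needs a different signal, such as how many of the uploaded numbers resolve to registered users.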