In the past years, we've seen a lot of talks about how to attack devices that allow us to authorize access to a building. We've seen lockpicking, we've seen how to break into RFID doors, but we haven't seen how to break into intercom devices. And Sebastian here today will tell us more about that. He's a security researcher and he's really interested in radio. So give him a big round of applause. Thank you very much. And thank you for attending this presentation. So we talk about intercom hacking, but let's start with me. I'm working for the Synacktiv company. I'm interested in radio communication systems like Wi-Fi, RFID, GSM, PSE and so on. At Synacktiv, we're doing red team tests. A red team test includes spear phishing, remote and physical intrusion. And speaking about physical intrusion, why do we intrude into a building? It's to plug a malicious device or to dump computer memory, or also to leave malicious USB keys in the building to be less suspicious. But the main problem when we want to enter a building is we always need a way to enter this building. So how to do that? We know lockpicking tricks, we know RF attacks, we know social engineering can also be helpful. But what about intercoms? Red team tests with these previous tricks work sometimes, but sometimes we get spotted. Intercoms could be very interesting because if we want to not be spotted every time and want to enter a building at night, what we want is to enter a building like a ninja. So we can maybe hack this kind of system to enter this building. Also, intercoms can be used to spy on conversations in the street. We'll see that we can make money out of it. It's a bit strange, but you'll see it's very firm. And also have a lot of fun with this kind of device. Also, I should warn you that this talk is about practical attacks on intercoms. It also includes other devices which use the same system, the same techniques as new intercoms use today.
So intercoms today provide a lot of features. You have passcodes, RF tag access, you can also call a resident to open the door. But nowadays we can see that a resident can be called on his mobile phone. And when he is called on his mobile phone, the intercom is using a mobile prefix to call the resident. That means that the intercom is using the mobile network to call the resident. So out of curiosity, we were asking whether it would be possible to play with this kind of device. So we tried to directly call the intercom, but nothing happened. After that, I thought about maybe we can dump and modify the flash, but just imagine that we have to do it in front of others in the street. It's not a ninja thing. Or we can use mobile attacks because the intercom is using the mobile network. And so I will present now the intercom. Intercom, door phone, call it as you want. It's a voice communication device within a building. The term numeric refers to intercoms that use the mobile network in our case. So they use a SIM and a SIM card. And it allows to call a resident to open the door. And different types of intercom exist. You have conventional, simplified, numeric. The main difference, just look at the right, is that the numeric doesn't need a wire for each resident. The main difference is that it only uses two wires for power, two wires for the audio system. After that, no wires for each resident. That's why they are used, because it avoids complicated cabling. And wires can be replaced by GSM, 3G, 4G or Wi-Fi. For our case, we will only focus on GSM, 3G and 4G. The simplified architecture of the numeric intercom. There are two. This is the first. In this first architecture, as you can see, the intercom is connected to the mobile network through the BTS. And if a visitor wants to open the door, he calls the resident using the intercom. The intercom calls the resident on his phone. After that, the resident answers the call and opens the door and the visitor can enter.
Another architecture is quite similar to the previous one. The only difference is that if we want to manage the intercom, we use a centralized server. Because in the previous case, if the resident wants to manage the intercom, he only uses his phone, sends a command to modify or add a resident to the intercom. But here, in that architecture, one administrator can use a website, for example, to add or manage the intercom. So that's the main difference between the simple intercom and the intercom that uses the M2M, machine-to-machine, architecture. In France, we have five brands that are very well known. It's like Comelit, Intratone, Noralsy and Urmet Captiv. They cost a lot of money. It begins at €2,000 and after that, the more buttons you can ship, the more it costs. For our first case, we chose the Linkcom iDP GSM, which is also commonly used in private residences in Paris. So at first we will focus on Linkcom. But after that, during this presentation, we will also focus on the 3G intercom, which is used in a lot of buildings today. So, also, I talked about the numeric intercom, but how to recognize it? Maybe you spot a nice LCD screen or new steel case, but sometimes you can get very lucky and see that there is a 3G module, which is sometimes outdoor or indoor. And this 3G module has like three or four LEDs indicating the quality of the reception of the mobile network. So with that thing, we can see that it's maybe using the mobile network and it's good to know because maybe we can do some attacks on it. Also, why am I doing this presentation? Because publications about intercoms are nearly non-existent, but as we know, they use the mobile network to communicate with the residents and to allow the residents to open the door. So that's why we can, for example, use the previous publications on GSM, 3G and 4G.
And also, the tools are very affordable today, for example, the bladeRF that costs only €370, and the software is free. You can get OpenBTS for free and start your own rogue base station, as you probably know. So with those tools, we are able to build our rogue base station, our GSM and GPRS rogue base station. And the interesting fact is that GSM and GPRS have a weakness. The weakness, as you probably know, is that there is no mutual authentication between the mobile and the network, the mobile network. So only the network is aware of whether the mobile phone is legit or not. But the mobile phone is not able to check if the mobile network is a legit one or a rogue base station. Also another good thing is the handover for an attacker, because the stronger the signal is with the rogue base station, the more likely we are able to trap the mobile, the intercom, into our base station. So for example, the mobile phone is always looking for the strongest signal, so if the mobile phone sees that one base station is sending a stronger signal than the old one, it goes directly to the new base station. So to summarize, there is no mutual authentication in GSM and GPRS. We can also use a lot of attacks on A5/1, etc. The signaling is not encrypted, so interception is possible in GSM and GPRS. But to overcome that, 3G and 4G are more secure because they use mutual authentication, they use signaling integrity, they use better encryption. So if I'm doing a rogue base station in GSM and GPRS, or if I want to run, sorry, a rogue base station in 3G or 4G, if the intercom is using 3G or 4G, I'm screwed because the mobile phone will try to do the mutual authentication and will see that my rogue base station is not a legit one. But to overcome this problem, we can use downgrade attacks. To do that, we can see if we can perform some protocol attacks, but it's very difficult because we always have to...
The protocol attacks are sometimes only focused on one specific baseband and one specific version, and it takes a lot of time. So in general, if we don't know the baseband, the baseband version and so on, the better way is to do jamming attacks. And a jamming attack is very simple because it's just simple Gaussian noise in targeted channels. For example, on the left, we can see that there is a GSM channel, the beginning of a GSM channel that the mobile phone is supposed to see. And after the jamming, we see that this channel is flooded by random Gaussian noise. And that means that the mobile phone doesn't see the channel anymore. That means that it cannot reach it. If, for example, this channel is a 3G channel and it's the only one, the mobile phone is supposed to fall back to 2G in a downgrade attack. And for intercoms, it's likely to be like for mobile phones because we found in public documentation that if the 3G network is not reachable, the intercom will use 2G instead. So it's good for us because if we perform a downgrade attack from 3G to 2G and emulate, create a rogue base station with a very strong signal, we are likely to trap the targeted intercom. To jam a 3G channel, we can, for example, buy a jammer on the internet. There are a lot of Chinese jammers you can find on eBay and Alibaba and so on. You can, after that, disable the 2G jamming to allow your rogue base station to transmit a signal. Or you can use some tricks like I do, which is to enumerate the list of UARFCNs close to the intercom. After that, you translate these UARFCNs into center frequencies and send Gaussian noise into each detected channel. But if you want to enumerate UARFCNs, people in GSM, for example, for ARFCNs, use OsmocomBB, for example. But OsmocomBB, for that case, because it's 3G, cannot work because OsmocomBB only works for GSM. So to do that, you can use a solution.
You can use, for example, another phone that has an X-Gold baseband and use the provided interface, which is exposed. And use the xgoldmon tool to, after that, capture all the messages and capture the RRC messages to get the UARFCN, which means the downlink UARFCN, the index, which is used for the downlink. In that way, if you use that UARFCN and flood this channel with jamming, the mobile phone will not see the channel anymore. For other basebands, like Qualcomm, you sometimes have other interfaces. But if you have a very new device like a Samsung, Samsung has a universal method to get a list of UARFCNs. And to do that, you use the service mode with a special code for Samsung, for your Samsung version. And with that, you can see in logcat that the UARFCNs are present in logcat, like typing with ADB the command logcat. You can see that when you are in the service mode and when you're trying to register to an operator, you'll see all the UARFCNs that the mobile phone tried to reach. And with that, you get the list of UARFCNs, and you are able, after that, to know which channel you want to jam exactly. And to do that, let's see a little demo with a simple HackRF. So, up. It's not that. Okay, so I don't know if anybody can see, but here I'm calling the answering machine. And at the top, on the right, you see a 3G icon, which means that I'm calling in 3G. And there is my HackRF. And with this HackRF, I used a GNU Radio schema to send Gaussian noise. So the HackRF now is trying to send random Gaussian noise to some targeted channels, 3G targeted channels. And as you can see, the 3G icon disappeared. So that means that now, when I'm calling, I'm calling in 2G. And as it's possible to do that, I can come with a rogue base station with a stronger signal. And the mobile phone will hand over to my rogue base station. So, now let's set up our lab. Our lab consists of a bladeRF and YateBTS software. And what I want is to trap the intercom into that rogue base station.
And it only costs 400 euros with all the antennas and so on. Also, let's set up our intercom using the best documentation and all suggestions about the security. And we can see that there are three ways to configure the intercom. Like programming the interface with the manager, with the SIM card reader and programmer, or with SMS messages. So that means that maybe if we know the number to contact, maybe it's possible to send commands to edit, to modify, or add a resident number. But after that, in the documentation, it's specified that if we want to administrate the intercom with SMSes, the first admin number has to be set up. So, our first impression is that if we want to send commands to the intercom, we have to impersonate the number or find a way to bypass it. Or after that, when we can impersonate the number, we can open the doors and command and so on. And a good indicator when you send commands to the intercom is that you get an acknowledgement. Like, for example, if you want to write or update the number of resident one with the command write, and the number of resident two to associate with, you get an acknowledgement like write, which means that the command was successful and you were able to modify or update, or add a number. So, our first hypothesis, let's do some hypotheses. We don't know the mobile operator. We don't know the intercom's number. The commands, for instance, can be found in public documentation or by performing a firmware analysis on it. So, as an attacker, our steps are to recognize the intercom operator to trap it, leak a resident number to impersonate, register our phone as the leaked resident number, call ourselves and open the door. And to trap the intercom, we can brute-force the four, for example, in France, the four MCC/MNC. It takes like five minutes each with a strong signal. And by pushing the button on the intercom, if we see that the call was intercepted, it is a success.
So, when activating the GSM tapping in YateBTS and seeing the messages in Wireshark, we can see when pushing the button, after trapping the intercom, that a call setup message was sent. And in this call setup message, you see a field that contains the number of the resident you were trying to call. So, after that, you can actually associate this resident number to your IMSI, I mean your SIM card. And after that, you are able to open the door. What's next? If you are able to leak the admin number, you can, for example, send a command, but if you cannot, you can try to find other ways, like triggering an alarm or maybe doing some social engineering tricks. But if you are able to find the admin number and impersonate him, you can send commands like read, write, CALL AT. And two commands are very interesting because one is for updating. We already saw this command, but the other command is CALL AT. And why is it interesting? Because CALL AT interacts directly with the baseband. So we can, for example, try to retrieve SMS messages, but I tried that with the Linkcom iDP. I got one SMS and after that the intercom was completely not working. So it was a little bit strange. But it works like a leader. You can also spy on building conversations by sending an ATS0=1 command, that means the auto-answer feature, which is used for, for example, if I'm enabling this feature, if I'm calling the intercom, the intercom will ring just once. And after that, I'm able to listen to the conversation of what happens around the intercom and so on. So there are plenty of fun features in AT. And let's do a demo right now after trapping the intercom. Okay, so as you can see, there is my GSM lab here. We see the intercom. We also see here the attacker's phone. And here's the bladeRF. So what I'm doing here, I'm trapping the intercom. After that, I'm able to intercept all the communications, so I'm pushing the button of resident one exactly.
And with Wireshark, I'm just searching for the call setup message, which contains the resident number I want to leak. And with that, what I'm doing, I will associate my SIM card, the SIM card of the attacker's phone, with that leaked number, with this small Python script. The Python script is communicating in Telnet with YateBTS to also refresh the YateBTS configuration after the modification in the configuration. And after that, when I'm pushing the button, the intercom will now try to join not the legit resident, but the attacker's phone. And since we just have one number, let's suppose it's the admin number, I'm able to send commands, send CALL AT commands and so on. But also, if I have an admin number, if I can impersonate a number, we can replace the number with a premium rate number like HelloPass, Optello and so on. So it could be an interesting thing if we want to earn money. Now, let's do some attacks on intercoms using M2M. Intercoms using the M2M architecture are using cheap SIM cards that are legit, that have more than a 10-year subscription. So the mobile network, the mobile operator, for example, T-Mobile or Orange or so on, provides the manufacturer a virtual network to manage the intercoms. That means that these intercoms are connected all together in a virtual network. Also, this intercom uses UMTS to be reachable. So we know that this intercom is managed by a server, so that means that it introduces new vectors of attack. We saw already the 3G downgrade and GSM interception, but it introduces also the vulnerabilities that can be found while using the SIM card provided with the intercom, but also the vulnerabilities in services like web, SIP services and so on. So let's talk now about website vulnerabilities. For website vulnerabilities, we have to know that the website, the centralized server, is used to manage not just one, but multiple intercoms that are connected in the network, in the virtual network.
And because it's web, some vulnerabilities can be found. And we can find lots of account guessing plus brute force, authentication bypasses, SQL injections, LFI and so on. So we tried with one product, one very used product in Paris. It's a 3G intercom that is provided with an M2M SIM card. And let's call it product A, because I don't know if all the things are fixed yet. But the first vulnerability was the authentication, no, sorry, the identification. Because the product A website doesn't enforce a password to manage the intercom. That means that if I know the number of the intercom, I can manage it with that website. But also we have to know a valid number. It's not a problem because if we try to do some enumeration with a very dirty script, we were able to enumerate 90 numbers in less than three hours on a specific prefix. And with that, we are able to manage not just one, but multiple intercoms, and with that we can earn more money than with a simple intercom, for example. So that means that we can change to premium rate numbers for all intercoms, and after that, get rich. Also, we can also open the door, but to open the door, we have to know the location. To know the location, it may be hard or easy, it depends if in general people add their own number first in the list. And with that number, you can use a reverse lookup directory and get the address and after that go to the address and open the door and after that do what you want, plug your malicious device and so on. Okay. We saw that. Now let's speak about the virtual network as a second attack vector. We said if we use the SIM card, we are able to reach the virtual network which is provided by the operator. But product A uses SIM cards protected by PIN codes.
But PIN codes, you know, if you have a SIMtrace, it's not a very good mitigation because you can use a SIMtrace as a proxy between the SIM card and the intercom, and after that catch the PIN which is typed by the intercom thanks to the SIMtrace. Get the PIN code and after that use the SIM card in your phone. Optionally, change your IMEI. Set up the right APN. APNs also are documented for operators. If you use, for example, if the operator is Orange, you can document yourself. Use the APN which is provided by Orange and after that have a free internet connection. But if you want to find vulnerabilities in the virtual network which is provided for the intercom, you can also do some guessing and sometimes manufacturers use their name in the APN. So you can guess with that. It's a bit easy. But also if you enable the GPRS feature and trap the intercom in your rogue base station, you see that the intercom will try to join a specific APN at one time. So you can also do that trick to have all the APNs. After that, you tether the communication, use your computer, do some traceroutes. After that you can see what is on the network, scan the virtual network, search for a vulnerable device, then exploit the device, hack the planet and so on. Also we were interested in SIP as an attack surface because we know that product A has a mobile application to provide video calls. But to use that application for video calls we have to pay. We don't want to pay because we already pay for the intercom. So we tried to analyze this application and we found some very bad things, like no SSL checks. That's cool. The most interesting thing is that the SIP credentials are hardcoded in the application. So if we use, for example, these credentials, maybe we can connect to the SIP server and maybe try to call someone over the intercom.
First thing, we register with these credentials, we register to the SIP server, but sadly the results are not satisfying because we are only able to contact simple users, like user or root, but it's impossible for us to reach an extension, an external extension or an internal extension. We don't know why, maybe because the number needs to be reached as a premium extension. It's a kind of mystery. Maybe we have to take the premium option to have some more information on that, but I have a question for you and you can answer after that. If someone knows if it's possible to find a valid extension without having to flood SIP with INVITE requests, it'd be very interesting for me, because I'm trying to see if it's possible, I'd be very interested. Okay. So, now the part about our recommendations. So, with an M2M network, enforce a PIN code on SIM cards, like product A, whitelist IMEIs, audit and pentest regularly the management website and restrict actions and requests on APNs, firewall the virtual network and do some segmentation, audit and test the virtual network against network attacks, monitor and also block SIM cards that have suspicious behavior, which is not the case with product A because I was able to have free internet access, I was able to scan, to do some Nmap, so for me it's a little suspicious behavior because in these networks, we just have to call someone or maybe send commands to the intercom. So, as a conclusion, with GSM intercoms we can open a door, corrupt a number, spy on conversations; the intercom has the same flaws as mobile phones have. Other devices also are affected by this kind of attack, not only the mobile, that's what I was saying before. And M2M intercoms introduce new vectors of attack because they expose a lot of services. And also in this subject, there are a lot of things to do and we also have further works, like finding a solution for the SIP vector problem.
We also have to start attacking intercom basebands because it's also an interesting subject. And also reduce our lab to a small device or another alternative. But for me at the moment, we have a lot of work also to do on that subject. So, thank you for your attention and if you have any question please ask. The English one. So, just line up in front of the microphones in the meantime. For those of you who are leaving, there was a battle concert all over the talk. If you could just take your trash with you when you leave or if you don't have trash, just pick up the one that's next to you please. In the meantime, please go. Regarding the attack vector of downgrading the connectivity of the intercom, you tried with the various radio attacks. Have you considered just using a plain attack like covering the intercom in a metal box to block all communications except your mobile? It's possible also to cover it with a metal, like a sheet metal cover. But what we wanted to do is also to use the state of the art attacks to do that, with jamming for example. But is it possible to use a metal box to block the radio? It could be possible, but I don't know exactly how to say that, sorry. The material? How thick it is? How thick the box has to be to isolate the intercom from the network. I don't know if it's possible to do that. Please leave quietly. I'm interested in the downgrade attack of UMTS because I was under the impression that UMTS uses CDMA which should be pretty hard to jam with just random noise. So my question is if you use any kind of special magic there? There's no special magic. If you have all the UARFCNs, with that list, I have the center frequencies I want to jam. And what I did with the HackRF is to, with that list, jam not randomly but following the list. And for some seconds on each UARFCN. But also it's hard if you have a large list of UARFCNs. In that case I had only 4 UARFCNs to jam.
But with that list it's possible, but if the list is very large, I admit that it would be very hard to jam. So I wanted to ask whether the picture of an intercom in one of the web management interfaces you had was a picture of product A? Yeah. It was a picture of product A. Thank you. There is one from the internet, which is the guy over there. Hello? Okay. The internet wants to know if when you did the SIP attack or enumeration, can you repeat? When you did the SIP enumeration did you consider using OPTIONS or REGISTER or other SIP methods? No. Do you need two SDRs in order to have one jamming and the other one acting as a base station or would you be able to deal with, say, one bladeRF? One bladeRF is not enough because if you want a stable rogue base station you don't want the bladeRF to do everything. So to do the jamming attack I use the HackRF to do that. Cool. Okay. Thank you. Thank you very much.