...about how to attack devices that allow us to authorize access to a building. We've seen lockpicking, we've seen how to break into RFID doors, but we haven't seen how to break into intercom devices. Sebastian here today will tell us more about that. He's a security researcher and he's really interested in radio. So give him a big warm round of applause.

Thank you very much, and thank you for having this presentation. So, to start: I'm working for Synacktiv, that's a telecommunications company, they do WLAN and GSM, and we're doing penetration testing, that's spear phishing and remote access and also physical input into the system, into the building, to bring a device into your network and connect. And these doors are the keys into the building. The biggest problem when we want to go into the building is that we don't always need a way in, but we sometimes do. We know social engineering, we know a number of other technical attacks, but how is it with intercoms? They've never been looked at, unlike with those famous tools, lockpicking and so on. And intercoms are very interesting, because if you don't want to be recognized every time you try to enter a building at night, we want to enter a building in India. We want to hack this system to get into the building. Intercoms can also be used to cut communications on the street. It's a bit weird, but it's a lot of fun, and there's a lot of fun to have with such devices. This lecture is mainly about practical attacks on intercoms, but there are also other devices that use the same systems and the same technologies as new intercoms. Intercoms nowadays have a lot of possibilities: we can enter a password, we can call an apartment to open the door, and nowadays we also see that residents can be called on their phones. If a mobile phone number is configured there, then it is used to call the residents.
So, for sure, we asked ourselves whether it would be possible to play with these intercoms. Can we use these devices directly? Can we do that? So we called the manufacturers and nothing happened, and then we looked: maybe we can read the flash, maybe with others on the street. So maybe we have to connect the doors, but that wouldn't be good. Or we could do mobile attacks, because the intercom uses a mobile phone network. And I will now introduce this intercom that we looked at. As you know, it's a voice communication device and one of the first intercoms that use the mobile phone network, and you can call a user to open the door.

There are different intercoms. There are simple ones; look at the right, maybe on the right we can see that the number of residents, depending on each of them, has two cables for the electricity and two cables for the data, but no more for each individual organization. That's much easier, because you don't have that many cables. And the communication can also be set up via cell phones. We only looked at 3G and 4G. The simplified architecture of the intercom: there are two, and this is the first of these architectures. What we see here is that they are connected to a mobile phone network via a BTS. If a visitor wants to open the door, he calls a resident through the intercom on his mobile phone. The resident can then pick up the phone and open the door. The second is that in addition we want to manage the intercom with a centralized server. In the first case, if the resident wants to use the intercom, then he can only use his phone to send the order, and send the order to a resident to add to the intercom. But in this case, the administrator can use a website to configure the doorbell. This is an easy example, and then there is the machine-to-machine architecture. In France, we have five brands that are relatively well known: Comédie, Intratone, Norsay and Omed Captiv. They cost a lot of money.
It starts at 2,000 euros, and with more residents the cost is much higher. First of all, we looked at the Linkcom. It is also used in private residences in Paris, in private apartments. For the first time we look at the Linkcom, and later I also want to look at the second Linkcom, which is used in a lot of places, also in many buildings. Also, I will talk about how to recognize the Linkcom. If you look at the picture, at the infrastructure, sometimes you can see that there is a 3G module that is partially hung up outside the building, and this 3G module has three LEDs that show the reception quality, so the mobile phone signal quality. If we see this thing, then we suspect that the mobile phone network is used, and that is probably good to know. Then you can maybe attack it.

Also, why do I give this lecture? Because intercoms don't have as many previous lectures, and we know that they use mobile phones to give the residents the opportunity to open the door. And that's why we use our 3G and 4G methods, and the tools are also significantly cheaper or more famous. For example, a bladeRF can be bought for €370 and the software is free. You can get YateBTS for free and you can set up your own base station. So, if we now use these tools and a base station: GSM and GPRS have security problems, and they are there; there is no secure communication between the mobile device and the network. That means only the network knows if the mobile phone is allowed or not, but the mobile phone cannot check if the mobile phone network is the right one or a false base station. And that is often the endpoint for an attacker. The stronger the signal of such a base station is, the less likely it is that we can bring the mobile phone to our base station and have it choose it.
So, for example, the mobile phone checks all the time for the strongest signal; when it sees that one base station has a stronger signal than the other, then it often changes to the other base station. To summarize again: there is no mutual authentication, which means we can build our own base station. The authentication is sometimes not connected and intercepting is possible, but 3G and 4G have much more security. They have much better connections and identifiers. So, if I now have a GSM station and want to install a 3G or 4G base station and use the base station on 3G or 4G, then I have no chance, because the mobile phone tries to identify with the network and recognizes that my false base station is just a false one. And we can now bring it to use an older version. We can try some protocol attacks, but that's relatively complex, because protocol attacks sometimes only apply to a specific hardware and a specific version, and it takes a long time until you have found that out. And generally, we have no idea which baseband is used, which communication hardware.

Then we can often just do a jamming attack, because we know exactly which channels are used. On the other side, we see that a GSM channel is used. The mobile phone is too close to it, and after jamming, we see that this signal is no longer recognizable. That means the mobile phone does not see this channel and cannot use it anymore. And if this is, for example, a 3G channel and that's the only one, then the mobile phone is to be used again. So, a fallback attack. In intercoms, it's likely that mobile phones are used. We found public documentation, sorry. If the 3G network is not reachable, then the intercoms usually fall back to 2G. That means if we downgrade from 3G to 2G, and then create a base station with a very strong signal, then the probability is high that we get the target device into our network, in order to break down the channel.
Then we can buy a jammer on the internet; you find a lot of them on eBay and Alibaba. After that, we can switch out the 2G station to transmit signals to let our own base stations pass through, but not use any tricks. So, what I did is I collected the list of base stations close to the 2G station. After that, you translate these UARFCNs into center frequencies and send Gaussian noise into these channels. If you want to enumerate, for example, the ARFCNs, use OsmocomBB. Others, like OsmocomBB, can only use GSM, because OsmocomBB can only use GSM. And here there are a few methods. You can, for example, take a phone that has an X-Gold baseband, use a special communication interface, and use this tool to capture all the messages that are sent to the receiver and the answers as well, and also which indices are used. Because of that, you can jam these channels; then this channel won't be seen anymore. If you have a Qualcomm baseband, then sometimes there are also such interfaces. But if you have a new one, like a Samsung device, then there is a standard method to get a list of these channels. For that, you can use a special code on the Samsung device. And with that, you can see the UARFCNs with ADB. You can see that when you are in service mode and connected to an operator, you see all the channels that the mobile phone is trying to use. So we get the list of the surrounding channels, and we know exactly which channels we have to interrupt.

To do that, we have a little demo here, for example, with a HackRF. Okay. I don't know if everybody can see, but I want to point to the right at the beginning. You can see the 3G icon. So I call over 3G. And there is my HackRF. With this HackRF, I send Gaussian noise; so the HackRF is sending random Gaussian noise to the targeted channels, the targeted 3G channels. And you can see that the 3G icon disappeared.
And that means that now, when I'm calling, it's possible to do that. I can come with a rogue base station with a stronger signal, and now I can come with an enemy station and take over the phone with my enemy station. So now let's set up our lab. Our lab consists of a lab. And what I want is to trap the intercom into that rogue base station. Also, let's set up our intercom using the best documentation and all its suggestions about security. You can see that there are three ways to configure the intercom: you can call the manager, with a SIM card reader, or with SMS messages. So that means that maybe, if we send the number to the contact, it's possible to send commands to the intercom. But after that, it's necessary that if we want the intercom with SMS, our first impression is that if we want to send a command to the intercom, we can open the door with other messages, and it's a good idea: if you send messages to the intercom, you get an answer. So if we want to set a new phone number for the first resident, then we get a message back and it says: hey, it was all right, we were able to add the new update.

So the first problem is: which hypothesis can we assume? We don't know who the mobile operator is, we don't know their number, but we know that the commands can be found somewhere in public documentation, or we can analyze the commands. So first of all, we have to find out which operator is on which channels, and then we have to find out how we can open the door. In France there are four MNCs; that takes about five minutes, and when you press the button on the intercom and see that the call was intercepted, then we were successful. If we use the GSM application, YateBTS, then we see the message in Wireshark, and we see when the button was pressed: that's the call setup message, and in this call setup message you see the number of the resident.
So after that I should say, this is the number, and with this number you are able to open the door. What's next? If we have the administrator number, for example, you can send a command to this number, or maybe do some social engineering. If you can find out who this administrator is, then you can send a lot of commands. And some commands are very interesting. The other command is call 80, and why is it called 80? Call 80 interacts directly with the baseband. We can, for example, receive SMS messages and send them with the Linkcom. I only received one SMS and after that the intercom was completely broken, so a bit weird. But it works sometimes. You can also do a conversation, sending a communication door. If you send an ATS0, then auto-answer will be set up. For example, if you set up this feature, then if you call the intercom, the intercom will ring exactly once and then I can immediately listen to the conversation of people in front of the door. I know exactly what happened near the door communication point.

Okay, let's do a demo after we have pulled the intercom into our network. Okay, as you can see, here is my GSM lab. Here we have the intercom, here we have the phone, the driver, and here is the bladeRF. I'm trapping the intercom up here and now I'm able to intercept all the communication. I'm pushing the button of the first one. And now the button for the first customer was pressed. I'm just reaching for the call setup message, and that's the phone number that I want to use. And now I'm going to use my SIM card instead of the SIM card of the person who actually heard that exchange. That's a script that communicates over telnet with YateBTS, with ybts, and there the information changes, and then if I press again, the intercom will not try to communicate with the real customer, but with our own phone. The phone is the attacker's.
And since we just have one number, I suspect that the number of the administrator is ... then we can send all kinds of orders. If I now have an administration number and represent it, then I can find out many things about it.

Now let's do some attacks with intercoms with the M2M, machine-to-machine interface. These machines also use chips, similar to SIM cards, that have more than ten years of subscription. So the mobile network, for example the mobile operator or Orange or the manufacturer, provides a virtual network to use these intercoms. That means these intercoms are all connected together in a virtual network. And also this intercom is UMTS. So we know that this intercom is connected to a central server. That means we have more attack vectors. We have seen the 3G downgrade, but we can also use security gaps that exist because of the SIM cards, and we can also use other services, such as web services. Now the website security gaps. Website security on the server is not only for one intercom, but for several that are connected to this network. And because this is a website, there are also the known security gaps: we can just brute force them, or we can use SQL injection and all the other normal attacks. And we have now tried this with a very common product in Paris, which is a 3G intercom. It has an M2M SIM card and we are just calling it product A. I don't know if everything is fixed now. But the first problem is the identification, the authentication. The product A website doesn't have a password to use the website. If you don't know the intercom, you can change it with this website, but you need to know a good number. But we can just try it out. With a very bad script, we were able to enumerate 90 numbers within 3 hours with a specific prefix. And with that, we were able to find not just one, but several intercoms. And that can lead to more money than a single one.
That means we can change the resident numbers to premium-rate telephone numbers, and with that we can become rich. But we can also open the door; for that we need to find out the place. Maybe it's complex, maybe less; it depends on whether people have the number first or in the list. With this number, you can do a reverse lookup to find out the address. Then you can go to the address and open the door, and then you can do what you want.

We have solved that now, and I am talking about the virtual network as a second attack vector. If we now use this SIM card, we can reach the virtual network that is set up by the operator. With product A, they use SIM cards that are protected by PIN codes. But if you have a SIMtrace, then you can use the SIMtrace as a proxy between the intercom and the SIM card, and then you can find the PIN. With the SIM card we have this number, and then we can put the SIM card into our mobile phone. You can then find the right access point name. The rules are known. If the operator is Orange, then you can use the documentation which is provided by Orange and the access point from Orange, and then you have a free internet connection. But if you want to find vulnerabilities in the virtual network for the intercoms, then you can just guess. Sometimes they use the manufacturer's name in the access point name. It's a bit easier, but if you use the GPRS feature, then you can use your own access point and then you try to reach a special network. You can also find out which access points are used. Then you can Google a little bit with the computer and then you can see what is on the network. You can scan the network, you can look for security leaks or unsecured devices, take these devices out and pick them up.

In addition, we wanted to look at SIP as an access point. We know that product A's mobile application can make video calls. But we don't want to make video calls.
We don't want to pay for video calls, but we already paid for it. So we looked at the application, and we found that there are a few very bad security checks, but the most interesting thing is that the SIP credentials are already written in the application. So if we take other services, we can maybe use it to call someone. So first we registered to the SIP server and were identified, but unfortunately it wasn't a good result, because we could only use user or root, but we can't call outside, and no internal calls. Maybe the numbers we wanted to call were in use. Maybe we have to choose the better option, the more expensive version, to find out about this information. But I have a question for you, and you can answer it later: do you know if there is a way to find a valid extension without having to try everything out? It would be very interesting to find out, because I'm trying to... If it's possible, please tell me.

Okay, so now the part with our recommendations. So we went to the M2M network with SIM cards. In the case of product A, it has a list of valid EMS. There is one... It does a pentest against the individual devices. It blocks SIM cards; in this case, it wasn't done. It blocks SIM cards when they do strange things. And for me it's very, very nice, but it's a strange environment that does nmap scans. And with GSM we can open a door, call people on expensive numbers and just listen. Many intercoms that use mobile phones have security risks, and many M2M intercoms have extra attack vectors that make it possible. There are many things that have to be done, and further information has to be collected, for example finding a solution for the SIP vector. We have to attack the baseband of the intercoms, and we also have to reduce our laboratory with all the other devices that can be used. But at the moment, a lot of work has to be done. So, if there are more questions... Thank you for your attention.
You have heard a translation by the C3T team. We would like to hear your feedback. Please use Twitter with the hashtag C3T, or hello at c3lingo.org, or at c3lingo on Twitter. Your translators were Franz T. and Philipp.

If you could just take your trash with you when you leave, or if you don't have trash, just pick up the one that's next to you, please.

But now it goes on with the questions.

Regarding the attack vector of downgrading against the intercoms, have you tried different radio attacks? Have you tried a very simple attack, for example putting the intercom in a metal box, or with nothing inside, like a sugar and metal cord?

What we wanted to do is also to do the state of the art, to use modern things, to use modern attacks to do that. Using a metal box to block the radio could be possible, but I don't know how to say it. It's possible, but I don't know how to say it. The material, how thick it is, how thick the box has to be. I don't know how thick the box has to be to isolate the intercom from the network. Also, it's further work.

We have to leave quietly.

I'm interested in the downgrade attacks against UMTS, because we thought that UMTS could not be jammed with just noise.

There is no special magic. I list all the channels and then I want to destroy them. What I did with the list: I'm following the list and destroying them. That's also, if the list of UARFCNs is large... If the list is very large, then I only have four channels to destroy. With the list it is possible, but if the list is very large, then I have to admit that it is very difficult to destroy it.

I wanted to ask, the picture of an intercom that you had, was it a picture of product A?

Yes, it was the picture of product A.

There is a question from the internet. Hello, thank you. The internet wants to know, when you did the SIP enumeration attack, did you consider using OPTIONS already, or other SIP methods?
No, I didn't.

Do you need two SDRs in order to have one jamming and the other one acting as a base station?

One bladeRF is not enough, because you don't have enough with one rogue base station to build the fake stations. If you do the jamming attack, I use the bladeRF to do that, and to destroy it, I need a second one.

Okay. Thank you.