Hi, my name is Per Thorsheim and I am the founder of PasswordsCon. I'm really happy to be speaking once again at the Crypto and Privacy Village, this time at the DEF CON Safe Mode 2020 edition. My talk is entitled "Hacking like Paris Hilton: 14 years later and still winning", and this is a talk that has been in the making by me for quite a few years now, so I'm really, really happy to finally tell the entire story. First, a very quick introduction of myself. Here you have a tweet from a couple of years ago where I said that I do have a certain interest in passwords, and Cormac Herley at Microsoft Research responded: "Confirm. I have a healthy curiosity, while Thorsheim is pathologically obsessed with passwords and, well, digital authentication." So that's basically me in a nutshell. I mention this because for this talk it's important for me to provide a bit of background and context for the things I'm going to talk about. I'm going to talk about essentially two topics: hijacking of mobile phones in different ways, and voicemail hacking, that is, getting access to your or somebody else's voicemail with the provider in question. Why am I talking about this? Well, my interest is in passwords and digital authentication, and in some cases we have things like two-factor authentication, which everybody is talking about now: you should be using two-factor authentication. I agree, but in a lot of cases people are using their mobile phones to do exactly this. You are using two-factor authentication via text messages, or maybe email, which more and more people are reading on their phones or iPads anyway. There can also be voice-based two-factor authentication.
You have in-app push messages, you have TOTP authenticator apps (Google Authenticator is probably the most common one), and of course maybe you are using WebAuthn as well, either through a hardware key or integrated in your operating system, like Android has today. And if I want to hack into your account somewhere and you are using two-factor authentication, well, it doesn't actually block me from hacking your account; it makes it more difficult. But the only things that are certain in life are death and taxes; everything else can be hacked, and probably will be, sooner or later. So, mobile hijacking. This is something that came up for me many, many years ago, when we saw two-factor authentication by SMS coming in as a thing that some were using, and I got curious: how can I bypass this, how can I hack it, and so on. Seven years ago, the Norwegian government agency for financial supervision and regulation issued their annual report about the financial market in Norway, with lots of interesting information for some nerds, including losses due to things like physical card skimming and online banking attacks. And this was 2013: they said that they were expecting a rapid increase in mobile hacking, and that they were concerned about the fact that people were starting to have their entire digital life on their phone, including banks, passport information, your money, and that you would be carrying your phone with you all the time. I'm willing to say that they were basically ahead of their time, at least for Norway, where I live, because did we see any sudden increase in mobile hacking in 2013? Not really. It also depends on what kind of mobile hacking I'm talking about.
Now here's a typical example that you have probably seen. The message here is a text message received in Norwegian, and the simple translation is: "We could not invoice your membership for this month. Try again or update your payment details in order to continue watching Netflix," and there's a totally legit link down below that you're supposed to click. I was actually sitting on my couch in my living room, watching Netflix with a woman next to me on a Saturday evening. I had turned down the lights, we had some food, and we were enjoying a good movie, and then suddenly her phone goes ping. Of course I stop Netflix and look away, and she's typing, and she's typing, and she's typing even more on her phone, and I'm getting curious about what is happening now. Then she suddenly asks me: "Is it common that Netflix asks for your social security number?" That's the moment when I turn on the lights and turn off the TV and say: "Hey, love's gotta wait, we have a security problem at hand. Give me your phone." I got it, and this is the text message that I saw on screen, and I said: "Well, you have probably already given away your username and your password, so now we have to change that for Netflix." A simple scam; lots of people fall victim to this one. But is it a big thing, monetary-wise? I don't know. Is it a threat to society? No, not really. But we have also had other, and more interesting, cases here in Norway. As an example, we had a minister in the government who went on a holiday trip to Iran with his new Iranian girlfriend. When you are a minister you should be careful about that, at least in the current political climate, and he did travel, and he did not tell the secret police, he didn't tell any intelligence services or bodyguards, he didn't tell the Prime Minister, anyone
else. He just went for it, and that's a big no-no. When they came back, one of the statements that he issued was pretty amazing: he said that he had been traveling before, he knew his stuff when it comes to security, and so his phone was secure because most of the time it was turned off and just left in the hotel room in Iran. Now this, and a lot more about this person and this case, led to the simple fact that he was forced to resign from his position. For mobile hijacking I will be talking about port-out attacks, which is what I have chosen to call them, to differentiate them a little bit from SIM swap attacks, and I will also talk about spoofing: what can you do when you are trying to pretend to be somebody else, or if you actually succeed in becoming somebody else. There's also traditional fraud involved in mobile hijacking, something as simple as having an insider issue a SIM card for you in the wrong name, and so on. I will not be talking about that. Port-out attacks are the simple process of transferring a phone number to another operator. That is one of the things you can do in Norway: you don't have to change your number, you can transfer it freely to any operator you want. When I started working for my current employer three years ago, I came in for my first workday on August 1st. I had been a customer of one telecom provider, Telenor, since basically the dawn of time, more or less, and my employer said: "Just give us your name and your phone number and we'll take care of porting it to the new provider that we are using, where we will be paying for your phone subscription. Period." And I was like, you just need my name and my phone number? Yeah, that's it. So I said, well, it's Per Thorsheim and my phone number is da-da-da-da-da. By the way, phone numbers are by default publicly available to anyone in Norway unless you specifically say "I do not want my number
listed," or eventually also "I want a secret phone number"; there's a difference there. My employer just sent an email to their telco saying "We want to transfer the subscription for Per's current phone, this is the name, this is the phone number, we want to port that out and over to your service, and we want it done as soon as possible." By email. I got handed a new SIM card in an envelope at work; this was on a Tuesday, and I was told that the port-out would happen on Friday at midday, noon. The porting actually happened on Thursday, 24 hours before it was supposed to happen; it happened at 12 o'clock, so suddenly my phone stopped working and I had to take out the current SIM card and insert the new card from the new provider that I had been given at work. This means that there was a time window of approximately 48 hours, maybe even less, where I would have to detect that something is wrong, understand what is actually happening right now, and then act before it would be too late. And not only that: I've also been told, without being told the exact time frames, that you can ask these telecom operators to do a very quick port of your number, and then it will probably happen in a few hours. So not only was this process going faster than expected, happening in 48 hours or less, but for me to be able to understand whether somebody had initiated this without asking me or telling me at all, these are the two text messages that I would have to understand and react upon before it was too late. The first text message came from my current provider, Telenor, and in Norwegian it says: "Thank you for being a customer with us, we're sorry to see you go, and here's a questionnaire," with an HTTP link, an unencrypted link, where they just want to ask me a single question about why I left or whether I would like to come back again. And from my new phone provider, selected by my employer, I also got
a text message. Interesting fact number one: the sender number is an invalid phone number. It's not possible to respond back to the number 4705050, as you can see on the slide, and it says: "Welcome to Telia" (which is the name of the operator), "your phone number is now transferred to us, have a nice day, best regards, Telia." That's it. I'm just imagining my own mother receiving these two text messages, and I am very certain that she would not really understand what's happening here, and I'm not sure if she would actually call either of these two operators in time to understand what had just happened. One of the things that I did as part of this, because I've been working for several years looking into this issue of being able to hijack somebody's phone number through social engineering and so on, online, in the store, and so forth, was to talk to the largest financial newspaper in Norway, Dagens Næringsliv, when I was ready. I said: "I have some theories, I have some facts, but I need to be careful not to step over the red line of what is legal and what is illegal to do. But you are a newspaper, so you can defend doing things that might be considered shady, because you are working for the public, and you should look into this." So they did, and they actually made an agreement with one of the most famous bloggers that we have in Norway, Sophie Elise, and they asked her: "Would it be okay for us to try to hijack your phone number?" She agreed to that, and the newspaper has a video online that you can watch for free. It's about three minutes long: a female reporter from the newspaper, who looks nothing like this blogger, goes out on the street to a couple of salespeople from a phone company, hands over a business card that is fake (obviously; she printed it on her own printer), and says: "I'm Sophie Elise and I would like to port my number over to you." And with the fake business card
only, they accept that as valid ID and initiate the process. The newspaper, and of course Sophie Elise, were shocked: is it that easy? A fake business card? Really? This was scary. It was scary to me, scary to the newspaper, very scary to everyone, to be precise. Now, for SIM swap: I know that SIM swap is the standard term to use, especially in the US, for these things, and I wanted to make a distinction between what I call mobile hijacking, port-out attacks and SIM swap attacks. SIM swap, to me, is the same as in the US: you get a new SIM card for a specific subscription, for a specific phone number. I don't know if you can do this in the US, I don't know if you can do this in Sweden or Denmark for that matter, but at least in Norway, as part of your current service with your phone company, you can get a new SIM card, and you don't need any valid reason; you can just say "I want a new SIM card" and you will get one. You can also get a twin SIM card, so you can have two phones that are essentially the same: if somebody calls you, it will ring on both phones. And you can also get a data SIM card, which, as the name says, you cannot use for making or accepting phone calls in or out, but you can use it for data traffic only. You can get a specific data SIM card for your existing subscription with all the operators, to the best of my knowledge. The same thing applies here: a fake ID will probably get you one of these SIM cards, which, given the circumstances, will also enable you to do full, or at least limited, surveillance of whatever victim you are targeting. So it became very obvious to us that we have a problem with identifying people, and we also have a problem in business-to-business relationships, and in general with authorization: if you are not ordering or changing a phone subscription for yourself but for somebody else, how do we identify you, and how do we find out whether
you're authorized to make those changes on behalf of another person? Obviously there was a problem with this. One of the revelations made by the newspaper Dagens Næringsliv was that the telecom operator Telia, which operates in many different countries and has its home base in Sweden, is required by the government in Sweden to ask for proper ID when you are setting up, terminating, changing or moving a phone subscription: a passport or a government-approved digital ID. Now, Telia also operates in Norway, and we also have digital identities in Norway, called BankID, and in Sweden they are using BankID to identify their customers. So it was a pretty easy question: are you using BankID or something similar in Norway as well? And Telia responded: no, we don't do that. When the question came up, why don't you do that, the answer was that we do as we are required to do by the government in Norway. And the answer to that again is that the government in Norway didn't require the telephone operators to ask for any kind of solid ID, be it on paper, like a passport or driver's license, or a digital ID. Again, a big surprise. So I looked to the Federal Trade Commission in the US, more specifically to Lorrie Cranor, who is normally a professor at Carnegie Mellon University. She wrote several articles on the Federal Trade Commission website, one where she talks about how she got her phone hijacked through a SIM swap attack. It's an interesting article, definitely worth reading, and one of the things she did was to ask all the major mobile carriers in the US what consumers could do to protect themselves from a mobile account takeover: "One of the most important steps you can take is to establish a password or PIN that is required before making changes to your mobile account. Each of the carriers offers this feature to their customers in a slightly different way." And this was good, I
mean, social engineering, PIN guessing and so on can probably still get past this, but at least it's one more speed bump for the bad actors trying to hijack your number and do a SIM swap attack. But interestingly, none of the providers in Norway had any feature like this in place at all, and to the best of my knowledge they are still working on figuring out how to do this in Norway. So as a result of this, or one of the many results of this process, which culminated in the spring of 2019, that means last year, our Minister of Digitalization at the time, Nikolai Astrup, instructed the Norwegian Communications Authority, Nkom, to implement security functions in order to prevent mobile hijacking, in cooperation with the telecom sector. That is a pretty serious move, when you instruct them to work on this immediately. And not only that, but in September 2019 the government also released a hearing named "Actions to prevent mobile hijacking" as a direct consequence of the stories made by Dagens Næringsliv and by me earlier in the spring. There was a hearing process until December 2019 where everybody, government organizations and private people, could give their input on the proposal for changes to the existing law. Now, this hasn't passed into law yet, but we are waiting for the results from the hearings to see what's going to happen next. And while working on this on my own and together with Dagens Næringsliv, I was not aware that a news website for the IT and security industry in Denmark was also looking into the same thing, more or less, in Denmark with different providers: simply social-engineering their way into stores selling SIM cards, getting replacement SIM cards made, and so on. They succeeded many, many times, and they posted this article, among many others, saying that after multiple failures, telcos are actually considering completely stopping handing out SIM cards in physical
stores. Now, Norway is next to Sweden, next to Denmark and next to Finland. They are our neighbours, and we are very much alike in society, in law, in language and so on, but one of the things that has been fascinating to me is to see the different reactions from the telcos, from newspapers, from normal people like you and me on the street, and from politicians to these stories in the media. Completely stopping handing out SIM cards in physical stores hasn't even been mentioned by anyone in Norway or in Sweden at all, but it is pretty much the same operators working in these three countries. So it's kind of like: are you people not even talking to each other internally in the same company, or what is happening here? To better exemplify the problem of spoofing, I say: what if I could be you, as a bad actor? Now, this is the Crypto and Privacy Village. We have had lots of talks on this, you are most probably watching the EFF closely, you are watching what is happening in your country right now in terms of privacy, and it doesn't look good in quite a few places all over the world. In Norway we do consider ourselves a very safe, solid, democratic country with a government that, believe it or not, we trust. But still there are cases where things are happening. This one is an article, or a series of articles, that were released in the fall of 2019, "Chasing Max," and it is about a guy who has been caught by the police and is charged with hacking the accounts of approximately 50 different random women around the country, extracting pictures, videos and contact details, harvesting usernames and passwords, gaining access to Instagram, Facebook and so on. 50 women, randomly, all over Norway. The newspaper told us a story about Nina. Nina was smart. Nina was using two-factor authentication, SMS-based two-factor authentication, for her phone account, for Facebook, for Google, for Apple and so on, and she woke up one morning with a
picture like this, where she had received authorization codes from different services, like Microsoft, Google and Apple, in order to do a password reset, and she had lost access to a lot of her accounts. She really couldn't understand how this had happened: "I was using two-factor authentication!" Lots of people say that if you have two-factor authentication you're secure, right? Wrong. What they actually found out in this particular case is that Nina was using Telia, one of the telecom providers in Norway, and they had a service called SMS Copy. You could log on to their web page, "My Page," and configure the SMS Copy service, which is essentially a message-forwarding service: if you receive a text message on your phone, Telia will also silently forward that text message either to another phone number or to an email address. What could possibly go wrong with this? In order to get access to My Page at Telia you needed a username and a password, and they did not offer any kind of two-factor authentication at all. So what this bad guy, who is now being prosecuted by the police, did was go to that page and try to log in with a lot of different usernames and passwords. As we know, people reuse passwords, and I suspect that he got in through credential stuffing or online password spraying. By getting in there he could configure the SMS Copy service, then order a password reset from different services, and although Nina received the messages, she received them in the middle of the night when she was sleeping. He was up, and he received the same messages, and by that he gained access to all the accounts of these women. I think that serves as a really hard and scary example of what the possible consequences can be if you haven't secured your entire chain with two-factor authentication or something else. Two-factor authentication can be bypassed in so many different settings and scenarios. Now, this was about hijacking
your phone number and receiving your text messages and so on, but I have also been looking into voicemail hacking, and this goes back to the title and to Paris Hilton, because all the way back in 2006 there were a lot of articles around the world saying that Paris Hilton and Lindsay Lohan had gotten into a disagreement and were trying to hack each other's phone numbers, spread them online, and also gain access to each other's voicemail boxes. The story, to the best of my knowledge, is that Paris Hilton gained access to the voicemail box of Lindsay Lohan, and even mainstream Norwegian media mentioned this on August 27, 2006. Not only did they mention this happening, they also mentioned the specific service that Paris Hilton had been using to do this. Now, if you Google voicemail hacking you will find interesting results. One of them is a talk that has been presented at DEF CON before, which also includes a tool that you can use against some voicemail services to basically brute-force the PIN code to get into the voicemail boxes. Some voicemail boxes will have a four-digit PIN, or three, five or six digits, randomly selected and provided by the telco to the user; other telecom providers may allow you to select your own PIN. One of the things we know from PIN code research is that as soon as you allow users to select their own PIN code, those PIN codes are not going to be any good at all, in pretty much all cases. There was also, 10 years ago, a large scandal with News of the World in the UK, where the British royal family got their phones and their voicemail hacked by reporters who were able to extract messages that were most definitely not meant for the public to listen to. This was a big scandal, and also in this case the suspicion was directed at the same service Paris Hilton had been using several years earlier. Now, this is probably a picture
that you have seen before. In order to do a password reset at Microsoft you have several different options: you can have an email sent to you with a link that you need to click to regain access, you can also ask to use an authenticator app if you have a TOTP app installed, and you can also have an SMS sent to you. With SMS you already see one problem, the SMS Copy service, but there are also services where, to do a password reset and so on, you can ask the service provider to give you a robocall that reads the PIN code to you out loud. So one of the things I was curious about is: hmm, can I initiate a password reset for someone online and ask that service to make a phone call, have that call go directly to voicemail, and have the PIN code spoken into the voicemail box, so I can get access afterwards, listen to the code and use it to get access to the account? Interesting experiment, so let's hack. What I did: I used the same service as Paris Hilton in 2006, which is called SpoofCard. They are still operational today, and they are still doing their fancy little tricks today, but of course they do say that this service is to protect your privacy and you should of course not use it for any kind of illegal purposes. So I did. Case number one was Telenor, the biggest telco in Norway. I managed to get access to people's voicemail. Of course I did this as a responsible disclosure, and I also talked to my potential victims, friends, family, co-workers and others, and asked them: can I try this? If you want to listen in, you can do that. I showed them how I could very easily use SpoofCard to get access to their voicemail, listen to the messages, delete them, and also change the greeting message for the voicemail. I told Telenor about this on a Tuesday, and on the Thursday they had fixed it, so in less than 48 hours, which is really, really good. After fixing this there was of course a media article, and they said that they were sorry
for this, and they acknowledged that this vulnerability had probably been available for use and abuse for 13 years or more, dating all the way back to the Paris Hilton incident. 13 years. An interesting thing is that this specific service, SpoofCard, was mentioned all the way back in 2006 in Norwegian mainstream media, but when Telenor was informed about this in November 2019 they said they had never heard of it. Well, you don't have to read mainstream media, do you, but in this case I was a bit surprised. As a consequence of my findings, the Norwegian government agency that oversees the telecom industry in Norway chose to issue a fine of 1.5 million Norwegian kroner, equivalent to 165 thousand US dollars today, because they didn't have sufficient security for the voicemail system. Depending on the country you're in, if you're in the US I would guess a fine of 165 thousand US dollars doesn't sound like much; in Norway, to the company, it's pocket change, not even that. But it is very, very rare that any company is given any fine at all by this government agency, so that underlines the seriousness of this security breach. Our Norwegian Data Protection Authority also issued a reprimand to Telenor saying that this is really not good, you have basically violated two different GDPR articles here, but since you have already been fined once, we are not going to slap another fine on top of that; that's usually not how it's done here in Norway. Then there's case number two, because I asked friends in other countries as well: can I try to hack your voicemail box? So with Telia in Denmark, the Version2 news website in Denmark tried this out on my behalf and found that it works. I proved it for them, I talked directly to Telia, they fixed it, and they also ended up in the news saying that this is a big scandal, and it's not just in Denmark, it also applies to
other providers in Norway and in Sweden. I'm kind of fascinated that Version2 even has an article saying that Telia is now considering better voicemail security, so I'm waiting to see what's going to happen there, but hopefully it has already improved. Case number three is Tele2, the third provider that I found vulnerable to this. Based in Sweden, they operate in eight different countries. I tested against voicemail boxes of people in Sweden and found them to be vulnerable; I got access to their voicemail. I do not know about the hackability of Tele2 voicemail boxes in the other countries where they operate, because I didn't test, but Tele2 says nope, they are not vulnerable, so hopefully that's true. Again, this also led to media attention in Sweden. Back to my fascination with the different ways this was handled, or wasn't handled at all, in the different countries: in Norway there was a lot of media attention on this, mainstream media picked it up, a fine has been issued, and a reprimand has been issued by the Data Protection Authority of Norway. In Denmark there has been a little bit of media attention, but politicians have said "well, the problem is fixed, so there's nothing left for us to do, we'll just leave it to the telecom providers; they have to talk to each other and figure out what to do," and that's it. And in Sweden pretty much nothing has happened at all so far; in fact there were one, or I think two or three, articles in total about this, and then it went completely quiet. All in all, I found that several million people across Norway, Sweden and Denmark were affected by this, and have most probably been affected for 13 years or more. At the same time, the telecom providers have logs that maybe go back two, three or four weeks in time, so proving or disproving that this hasn't been hacked and abused by anyone for the past 13
years is completely impossible. So they have concluded: well, since we haven't heard anyone complain about it, nobody has probably been hacked, and there's nothing we can do about that. I just want to say that this is still work in progress, but I would really, really recommend you listen in on the talk from Kelley Robinson on Sunday here at the Crypto and Privacy Village, where she will be talking about STIR/SHAKEN. I'm not saying anything more than that; just listen to that talk. And by that we have reached the end. I say thank you, and I am ready for your questions now, or you can contact me later; you have my cryptic contact details here on screen. Thank you.

That was the talk "Hacking like Paris Hilton: 14 years later and still winning" by Per. We have him here for our live Q&A, so please put your questions in the Discord CPV Q&A channel. So, Per, one of the first questions we have is: in the USA many carriers use the phone number as a default PIN, so if you spoof the number and call its voicemail, you can access it using the phone number as the default PIN, if the user didn't change it, and a lot of people don't. Is that the same outside the US with other carriers?

Well, I can say for sure that at least that's not what we have here in Norway. I haven't seen this in Sweden or Denmark, but I really can't answer for all telecom providers in all the countries outside the US; that's impossible to do. But I do have my suspicions that you will find a lot of bad security connected to both voicemail accounts and, in general, the accounts where you can log in on your telco's home page to administer your subscription with them.

Awesome, thank you so much for that. In your ideal world, what would you like to see exist in place of the currently available options that we do have?
Well, there are many facets to this, and one of the things that I pointed out early in my presentation is that it starts whenever you go into a shop and say that you want a new SIM card, or a data SIM card or a twin SIM card, or you want a new subscription, or you want to change it, end it, or move it to another telco. Then you have the issues of logging on to your telco provider to administer your subscription there, like the SMS Copy service, which is now of course turned off, and options like that. And then you also have things like the voicemail hacking using spoofed numbers. Now, some of the issues are specific to each telecom provider, like the absence of two-factor authentication for administering your account, and then you have the security awareness training for staff on the help desk, on online chat and in stores. But there are also problems with the basic telco networks worldwide for mobile communication, using the SS7 protocol and things like that, and that is, I'm not going to say an unsolvable problem, but it's not up to a single telecom provider to fix it, and it's not up to a single country to fix it. Basically, if you are to fix the fundamental security issues that we have in the GSM networks today, all providers and makers of phones and networking equipment, all telcos, have to come up with solutions, and you have to replace all the handsets in the world, and we can't do that; it's just impossible to expect that to ever happen. So one of the things that is coming now, which is very interesting, is, as I said, Kelley Robinson will be talking about STIR/SHAKEN, so I'm not going to spoil that any more, but that's a talk that I really hope people will listen in to. And one of the things that I'm doing as well is trying, to the extent I can, to pressure the Norwegian government, and also the governments in
sweden and Denmark as well together with other people to ask the telco to at least look into stir shaking and eventually also consider can it be implemented and how can we make the rest of the world implemented as well so long answer to a short question wow that was a really great thorough answer thank you so much so another question we have is should we just disable our voicemails and at that point yeah oh yeah disable voicemail now i mean there's absolutely no point i can't really understand why people are using voicemail at all and i i was in in check republic last year i think and i was surprised to hear from friends in in the check republic that voicemail nah now they don't have that with with their phone subscriptions and i asked around and they couldn't think of any friends or family who had voicemail in norway we have three companies that are providing a physical infrastructure for mobile mobile communications and then we have lots of virtual operators as well and all of them absolutely all of them by default provide voicemail as a part of the service and there actually is no option to say i don't want voicemail but they do have options to turn it off so one of the things i would like to see is that you know well i i just don't need voicemail at all and i actually i just don't pay for it either because i can turn it off but i'm sort of still paying for it yeah that's actually really huh i did not realize i was an option other places like that thank you um i you kind of answered some of this question already but someone asked as a regular user what can i do to protect myself if anything or is it completely out of my hands well to protect yourself you know i'm working as a chief security officer for a large hotel chain and of course i've been asking my colleagues and friends about this as well you know what do you think about this and of course uh i can say i have truly scared a lot of people by being able to sort of hack into their voicemail using a spoofed 
phone call and also making phone calls that appears to be coming from your mom or your dad or your brother or whoever this um and they are really surprised to see that i can do that so there are some things you can do and the very simple thing that you can do is that whatever text message you are receiving or the phone number or the name that you see in the display on your phone when somebody's calling you do not trust it because it is exceptionally easy to spoof and i don't know how you know i don't know you know you're in the us so i don't know how much people in the us in general know about phone spoofing you know number spoofing and and text message spoofing but to people here in Norway the vast majority of people in the IT security industry were absolutely clueless about this existing at all when i started working with this and when i did my initial presentations last year people were shocked that this was possible so as an end user first and foremost do not trust that the number you see or the name you see in your display are correct no matter who calls or texts you do not trust it as a millennial who does not pick up any phone calls at all that's really fascinating to know about oh yeah you youngsters uh yeah well yeah i mean you you have a completely different sort of way to protect yourself in this area but i know again robocalls as far as i know is a very big problem in the us it it almost doesn't exist over here yet except for the operational microsoft is calling you to say you have a computer virus on your on your system that's that's the only robocalls we get and when i got one last year i was like yes finally so there you go that is a very different reaction that i have i think along about their people oh gosh with that said thank you so much again pair for all of your answers to this q&a and for your talk today please take care and enjoy the rest of your def con i hope you have fun thank you so much again