Thanks for attending this workshop on detecting IMSI catchers and other mobile network attacks. I'm happy that you're here; I didn't expect that many people to have interest in the topic. We will present three common attack scenarios that are relevant to you, and actually we want to explain how we detect them with an application that this team has built. We also want to make this as hands-on as possible, but also as simple as possible. So we'll do a short intro. I will be the idiot that does the very, very basic explanations, and then we'll go over to Luca, who is the mastermind of all mobile network research in our team. He will explain the detection logic, and then we'll move over to Dexter, who is the engineer of analysis and implementation and demonstration. There will be a little demonstration; some of you may have noticed the demonstration already. So we will start with the very, very simple stuff and then we will dig down to the network level, and I hope that we don't lose too many people along the way. And if there are still any open questions afterwards, we're very happy to be contacted and asked, and we'll try to discuss whatever you want to discuss with us. So one person I haven't introduced is Jakob.
Jakob is the lead developer of the little Android application that we have built. This Android application does all the detection logic that we're trying to present here, and you can download it for your compatible Android phone if it has a Qualcomm baseband. It's called SnoopSnitch, and this workshop is basically going to focus on what SnoopSnitch does and how it does it. Okay, so you don't see the slides, so I would just read them out to you. This is the introduction part, in which I show some material that was leaked, I think, on WikiLeaks and is now available on Buggedplanet, and shows the attack tools and equipment that have been available for years now to law enforcement agencies and anybody who wants to buy equipment that allows them to track and intercept mobile phones. This was just the introductory part to show you how small these devices have now become. They put them in vehicles; you know, they're very convenient setups for demonstrations, when you want to intercept or track people at demonstrations. But you can also wear them as a vest. I don't know, I think that's more of a James Bond thing, but there can be a body-worn IMSI catcher, and they are now already as small as phones, right?
So they used to be much bigger setups, like the one we have built here, but now IMSI catchers are really cheap, really small, and also by now very cheap to get. So this attack scenario is becoming more and more realistic, and a threat to you as well. So that's why we've built SnoopSnitch, an open-source application for Android that should help you to detect these. The three attack scenarios that we're trying to explain today are: the location tracking IMSI catcher, which is a machine that just detects that you are there; the intercepting fake base station, so an IMSI catcher that actually allows intercepting your calls and transactions; and the so-called silent SMS, of which many of you may have heard already. So let's start with the location tracking IMSI catcher. Even I can't see the slides, so I think I don't even need to flip through them anymore, but I need them as a cheat sheet. So a location tracking IMSI catcher basically is a network cell that advertises the signal that your phone is expecting and waits for your phone to connect to it. At that point it will simply ask you for identification, so it will collect your IMSI and your IMEI, which is a unique identifier for you in the network and for your phone as a network device, and will then send you away again. So that's as much as I have understood of it, and I'm looking forward to having Luca explain it in detail now.

Yeah, exactly like Lino said, the idea is that you want to collect the identity.
There is a permanent unique identifier of the user and of the mobile phone, in case you need it for attacks; like, if you want to know if it's an iPhone or a BlackBerry or Android, you can know that. And there are also other little details in the procedure that is displayed: for example, you can know in which network the user was currently connected and which temporary identifier he was using, so you can track the user after that also. The main purpose is just to collect your identity, and you will never notice those devices, except if you are running SnoopSnitch, of course. And some of you should have noticed, because, I don't know if our antenna can reach you, some of you might have received some message. I don't know if this happened. Okay, that was our IMSI catcher, so we are proving to you that we collected your IMSI, and you notice because we are sending you an SMS, but this would be completely silent. And how do we detect this? How do we plan to detect this? Can we go on?
Okay, so you still probably cannot see it. Our logic has many criteria that work in parallel, which make the detection more reliable, because otherwise, as we know from our measurements, it's not always reliable if you only choose one criterion, and we have many criteria there that we are using. So for example, first of all we check if a location update was rejected. A location update is something that happens when you move from one cell to another one, and the IMSI catcher that we are using is faking a cell that didn't exist before, so you are actually moving there. Your phone can know that it is moving to a new cell, and if the cell says "no, I don't want you", you can say this is not good. And also you can see if the network was asking for your identities, if the network doesn't do authentication, if the network doesn't do ciphering, and we have such criteria all in parallel, and they multiply into a score, and this score is saying basically how likely you have been caught in an IMSI catcher. Not only in the location update do we find some evidence; we also have some permanent evidence in the cell parameters that are set in the broadcast information of this cell, and they can be custom-tailored to catch you faster. For example, the choice of a location area that was not used before makes it faster.
You could also use a real location area, but it really takes longer. You can check if that location area was used in some other place of your country, for example; that would be suspicious. If that frequency was used before by another cell ID, that's also a tricky thing to check, but we are trying to do that. And yeah, other parameters in the broadcast can be set not like the network does normally. So for example, not having neighbors: a cell that doesn't have neighbors is pretty strange, and in our case we are setting some parameters that are out of normal, and you will be able to see all of this in what Dexter will show next, that is, actually the radio traces that we can record with SnoopSnitch. So I'm not sure you will actually be able to see it, but, oh yeah. Now I have to press the button, but you don't see anything. That's maybe a good idea when you do that. Yeah, go to some extent. Yeah, where does the picture stay? That would now be an interesting question. Scaling type, I don't know what I'm going to say. This is also my primary picture. I'm like, right away I can pull it out again and then I open my control center. Yeah, so I guess even if this works you will not be able to see the small digits on the screen. You might be able to see them when we release the slides. But so, yeah, to fill this awkward moment: all the traces that we're going to discuss here we have also uploaded to our repository, so you can download them.
These are Wireshark traces that you can open in Wireshark, and, together with the little instruction manual that we've created for you as well, you can see exactly when which message is sent and in which GSM frame the phone actually jumps to the cell, when it is rejected, and you can see the difference between a legitimate location request and one that is being rejected after the phone is asked for the IMSI and the IMEI. So this is what we were trying to show here. Now I think we will be forced to skip that, unless the thunderstorm hits and the sun goes down. So, the training material: I'll show you the link at the end of the presentation, and you can do all this at home as well. And that's of course the main part of a workshop, that you get some hands-on things to do, and that's why we've prepared the training material. Shall we head on?

Yeah, so maybe we just give two lines of what you can see in the traces. As Leo said previously, all the sequence of messages, and you can dig into every single detail that we crafted for making the IMSI catcher more effective. For example, setting some timers: there is a timer that is used by the network to tell your mobile how often it has to do this update, so your mobile will talk to the network every, let's say, three hours and say to the network, "I'm here."
"I'm here, I'm here", and you can change it, so you can say "tell me your position every six minutes", for example. That would be a bit suspicious. Other parameters you can change: some radio offsets, so that your mobile would prefer our cell rather than all the surrounding ones; as I said, the neighbor configuration. You can check all of this in the trace. Yeah, we can probably... Okay, so we've now tried to discuss the location tracking IMSI catcher that tries to collect your identity information and then get rid of you. And as you may have noticed, this IMSI catcher has a design problem, which is: as long as you're connected to the IMSI catcher, you won't be able to receive or place any transaction, so you can't receive SMS, you can't receive calls, and you can't call anybody. And of course the attackers, if they provide service to you, they're not going to give it to you for free. Actually, they are going to give it to you for free in this case, but they also want to make sure they can intercept you, and this is where the next type of IMSI catcher comes into play, which is not really only an IMSI catcher but a device that downgrades your encryption and makes sure that your transactions can be intercepted. So here we have the standard call flow. What you can't see now is the standard call flow when a phone connects to a well-configured network. So when it connects to a well-configured network, it would say: "Okay, here's a location update request, I would like to connect to you", and then the network would usually say, in a well-configured network: "Well, I require authentication, prove your identity."
"I want to know if I even want you here. You may be a user of a different network, so I want to make sure that you are someone I want here." So the mobile phone authenticates; there is a challenge-response procedure there that is based on the IMSI, on the keys that are in the SIM, and by that time the network knows: okay, this is a legitimate user. And in an even better configured network you would then have the ciphering mode command, so that all transactions are encrypted and everything is fine, and then the location update is accepted. In an intercepting fake base station you don't have the authentication part, because the fake network is not able to do the authentication, and it's also not able to do encryption; in fact, it doesn't even want to do encryption. So you would do your location update request and say "hello, I would like to connect to the cell", and the cell says "well, that's beautiful, just tell me your IMEI". "Yes, here's my IMEI." "Beautiful, can I have your IMSI as well?" "Yes." And then the network says "beautiful, you're now connected to me", and it doesn't reject you. And then when you want to make a call, so you do the CM service request message, the network would say "fine, fine, let's go ahead, we can do this", with the little difference that none of the transactions are encrypted, so that the cell that is providing the service can intercept everything that you're talking about.

Yes, that's the case that you are seeing now. So we are keeping the users that we hijacked into our cell, and we are sending an SMS, of course unencrypted. You could even try to call somebody; I don't know if this works, because, yeah, it shouldn't work. The catch here is that, okay, no encryption: that's easy to detect. If you see the traces later, you will see that that message is missing, so no ciphering. Authentication, yes, that's something that can possibly be faked. It depends; there are three cases.
So as a fake BTS you could say no authentication; or authentication type GSM, and you can fake that because in fact you are just sending a random sequence and the mobile is answering with another sequence, and you don't care about the response. A real network would care about the response, but you don't care. And then there is a third case, which is mutual authentication, that is used only for UMTS, and in that case it's a bit more difficult to fake. So that case is not present in IMSI catchers like, for example, the one that we simulate. Can we see the slide, my slide? Yeah, so as before, we have some criteria that are working in parallel. We have some analysis that works on the transactions, so calls and SMS that you try to send or receive, and there is some other logic that looks at the parameters of the network that are just announced by the cell. Something that can happen in this type of IMSI catcher is that not only are you still connected to this catcher, but the person that operates the catcher can try to locate you precisely by establishing a silent call. A silent call is like a call, but there is no caller ID, so your mobile doesn't display anything on your screen, but there is actually a call going on, and this helps whoever wants to track you to use a directional antenna and move it until they find the source of the strong signal that you are sending. This is also detected by our application, of course. Sometimes the network does that by mistake, so in case you are paged because there is a call that was supposed to go to you, but then the caller just hangs up, and then the network takes some time to hang up your conversation and there was actually no call. So we have to be a bit careful there, but we have some logic that should work. So if a channel is allocated to you and really nothing was sent from the network,
we think that this is very weird. Other things we can say from the broadcast: we can see that this cell is not advertising neighbors, so that you will never search for neighbors and you will think that this is the only cell that is in this area, and you will keep your attention on this cell and will never lose it. Other things: the registration time that I was mentioning before, I think we set it to the minimum, so six minutes. You will continuously try to talk to us and we will be updated on your presence or not. And we use some tricks for keeping your mobile here, changing the perceived signal level, so the reselect offset. All of this is summed up, and then if we reach a score that we think is relevant, then we will show an alert in your application saying this can be an IMSI catcher. I don't know if any of you are running SnoopSnitch right now; you might have. I mean, Jakob was just running it and he found the alert. These alerts, as I said, there's a score; the score goes from zero to at least 11, and there is no limit. And if you detect something and the score is around three, you might be detecting just some normal anomalies of the network.
Let's say. But we will see that with our configuration you will get a much higher score, and that's the real catcher evidence. I think the logic was described. It would be nice to see the details, so in the trace that Dexter has there you can see all the messages that are not sent or that are sent, and all the parameters that I talked about, about the cell broadcast. Yeah, so something tricky, for example, is to set the correct location area. So here I didn't check before, but there can be, let's say, three location areas that are surrounding our camp, and we choose one location area that is actually not used in the camp, so that you are attracted to this location area, and you could easily say, looking at the history of your mobile, that that's a single occurrence of that location area. There is a single cell, a single location area, and you can say: okay, either I'm just entering a new location area, or this could be an IMSI catcher. So this is part of our logic there. Yeah, so this is what regards the IMSI catcher that is able to track you, sorry, to keep you.

Yeah, no chance of seeing it. Well, okay, we've proceeded to the next scenario. So I think we should mention: the IMSI catcher that we're running here is targeting users that are in the camp network, so we're not intercepting or tracking on any of the standard mobile networks, because we think the legal trouble we're in with this is already big enough. So in order to receive the SMS or to test your SnoopSnitch phone, you would need to run on the camp network SIM card and have a camp network number. Who has one here? Okay, so there are many. And who of you has received the SMS that notifies you of your IMSI? Okay, beautiful. So those were the ones that are caught. If you now have an Android phone, you may try to install the SnoopSnitch app and operate the phone again, and it should alert you of what has happened to you.
It will alert you. Yeah, so I know that because I was testing the catcher before, and apparently, since the signal of the real network is so weak, your mobile is constantly looking for a network, and it thinks that this is actually a foreign network, and it tries to connect there, and in this current setup we are not really rejecting you, so it can happen. Okay, let's get to the third attack scenario, which doesn't really require any active equipment on site, and that's the silent SMS. Silent SMS are a very interesting concept, because they only became so popular with law enforcement because of the legal regulations that forbid what silent SMS are doing. So silent SMS are a means to track your location at all times, and the law enforcement agencies can't really request the location data of users as long as they're not doing transactions. So the idea was born to just initiate transactions to your phone all the time and then later collect your transaction records, because that's something law enforcement can do. So they just send you SMS that your phone doesn't display, and at the end of the month just collect your call records, and with the call records they can collect from which cell you were being served.
So that helps them to collect where you've been at the time, and that is a very commonly used technique. Our friend Andre over there regularly reports on the use and abuse of this technology in Germany, and I think the numbers of silent SMS that are being sent are increasing yearly. And of course this is just standard behavior by the phone not to display the message; the phone just does what it has been programmed to do. But with the low-level access that SnoopSnitch has to the baseband, it will see these messages and alert you about them. So there are three parameters to an SMS message that help you identify a silent SMS, and Luca is going to present them to you now.

Yeah, there are many parameters that are encapsulated in the radio message that carries your text, and some of them are very old, like they were just defining the standard and are not very commonly used, but they have a lot of power. For example, there is a protocol identifier that says to your mobile: please discard this message, or please receive the message, send me an ack and discard. And the same applies for the DCS; the DCS has another role.
It was designed to set an icon on your screen that says you have voicemail, and there is of course another command that says: disable the icon on your screen that says you have voicemail. And of course you don't have a voicemail, so we can send this message anytime and you will never see anything on your screen; it's an SMS that will never be displayed. A third possibility is to use port addressing. This is something not common, so when you are sending SMS you will never use this feature, but there is this feature in the standard. This feature is used, for example, by iMessage, all the Apple stuff, voicemail, other applications that are running on your mobile, and they use a specific port addressing, like the internet ports, let's say. And if you use such an addressing to a port that doesn't exist, your mobile doesn't know what to do with that and it discards the message, so you can use one of those ports as well to make an SMS invisible. We look for those values. It's a bit difficult; I mean, we could say all these combinations are a silent SMS, but that's not actually true, and we put some effort into detecting the most common configurations that are used by operators to send you voicemail or the Apple stuff. Or there is another category: there are binary SMS that the network sends you for updating something on your SIM card, let's say your favorite roaming partners, so which network a SIM card would connect to if you go abroad. That's something that the network can do, and it's completely invisible to you. So we detect all of them and we try to analyze if they are supposed to happen or not. Do you have the other... yeah, I wanted, okay. These are the services that I mentioned before, so all the Apple services; WhatsApp as well does that. There is some WAP push: so when you connect for the first time a SIM card with a new mobile, the network usually sends you a configuration message to set up your internet settings, for example. That's the binary SMS.
It is not visualized as a normal text, but of course you will get some alerts like: ah, your network wants you to set these parameters, would you accept? Yes. But there are other types that are not visualized. So this is what is inside SnoopSnitch: there are three main criteria, so PID, DCS and port address. They are implemented and tested, let's say, and there are other options that we are thinking of implementing that are more difficult, actually, to test and to make reliable. So for example, you could check that whoever sends you the SMS is sending it through your SMS gateway, the SMS gateway of your mobile operator, and you could check if the SMS comes from another one; that shouldn't happen. But we cannot ask you for that number; it's a bit complex for a user to know in advance what the SMSC is, but we will try to implement this in the next versions. Another thing that we could do is inspect the payload, so the content of your message. Usually silent SMS have no content, so length zero. That's very suspicious, I would say, but they can also have some unreadable text, so for example, I don't know, Chinese characters that are not displayable, or other binary payload that is not usually displayed by the phone. So there is some space for investigation there. And another thing we should do is try to understand if you receive such a voicemail notification after you actually missed a call. That's a bit complex; we will try to see if we can do that. That would help to limit the false positives that we might detect in some countries. For example, in Germany this doesn't happen frequently, but in the US operators usually send you this voicemail notification, and that causes some false positives. We will try to avoid this. Did any of you try SnoopSnitch before? Yeah, okay, good.
Yeah, we want to know from you if you ever detected such events, or if you maybe already submitted something to our website, and we will do some analysis with you if you want. And it's important: if you want to understand this, you can see this in the traces that Dexter produced, and they will be released together with the slides.

Okay, as we had to skip the major part of the workshop, we have come to the end of the slide deck, and I suggest we now just move over into the shade, and those of you who are interested are welcome to join us in looking at the catcher setup that Dexter has built and also look at the detection routines that we wanted to show you here, so we can deep dive now into the detection algorithms. And I suggest we just do that in a smaller group in the shade, because honestly, it's quite hot up here still. So thanks for the main presentation, and please join us in the smaller workshop group now.
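As an added example, and not SnoopSnitch's own code, the three silent SMS criteria Luca describes (PID, DCS and port addressing) plus the zero-length payload heuristic, implemented as a scoring classifier over decoded SMS fields; the weights, threshold and known-port allow-list are assumptions, and the sample messages are constructed.

```python
from dataclasses import dataclass

# GSM 03.40 TP-PID 0x40, "Short Message Type 0": the handset acknowledges
# receipt but must discard the message and never displays it.
PID_TYPE0 = 0x40
# GSM 03.38 TP-DCS coding group 1100 (bits 7..4): Message Waiting Indication,
# "discard message" variant; bit 3 says whether the indication is active.
DCS_MWI_DISCARD = 0xC
# User Data Header information elements for application port addressing.
IEI_PORT8, IEI_PORT16 = 0x04, 0x05
# Ports the handset is expected to hand to an application. Constructed allow-list
# for this example: 2948 is the WAP Push port; a real deployment would add the
# operator's and vendors' known ports (the "Apple stuff" mentioned in the talk).
KNOWN_PORTS = {2948}
# Weights and threshold are assumptions, in the spirit of criteria summed into a score.
WEIGHTS = {"pid_type0": 3, "dcs_discard_mwi": 1, "dcs_mwi_clear": 2,
           "unknown_port": 2, "empty_payload": 1}
SILENT_THRESHOLD = 2


@dataclass
class Sms:
    pid: int              # TP-PID
    dcs: int              # TP-DCS
    udh: bytes = b""      # raw user data header IEs, without the UDHL byte
    payload: bytes = b""  # user data after the header


def parse_ports(udh: bytes):
    """Walk the UDH IEs; return (destination_port, origin_port) or None if no port IE."""
    i = 0
    while i + 2 <= len(udh):
        iei, ielen = udh[i], udh[i + 1]
        data = udh[i + 2:i + 2 + ielen]
        if len(data) != ielen:
            raise ValueError("truncated UDH information element")
        if iei == IEI_PORT16 and ielen == 4:
            return int.from_bytes(data[:2], "big"), int.from_bytes(data[2:], "big")
        if iei == IEI_PORT8 and ielen == 2:
            return data[0], data[1]
        i += 2 + ielen
    return None


def classify(sms: Sms):
    """Score a message against the silent-SMS criteria; returns (score, reasons)."""
    reasons = []
    if sms.pid == PID_TYPE0:
        reasons.append("pid_type0")
    if sms.dcs >> 4 == DCS_MWI_DISCARD:
        reasons.append("dcs_discard_mwi")
        if not sms.dcs & 0x08:  # indication inactive: the "disable the voicemail icon" trick
            reasons.append("dcs_mwi_clear")
    ports = parse_ports(sms.udh)
    if ports is not None and ports[0] not in KNOWN_PORTS:
        reasons.append("unknown_port")
    if not sms.payload:
        reasons.append("empty_payload")
    return sum(WEIGHTS[r] for r in reasons), reasons


def is_silent(sms: Sms) -> bool:
    return classify(sms)[0] >= SILENT_THRESHOLD


# Constructed sample messages, not captured traffic. "mwi_set" is the US-style
# voicemail notification the talk names as a false-positive source; with a text
# body it stays below the threshold here.
SAMPLES = {
    "plain_text": Sms(pid=0x00, dcs=0x00, payload=b"hello"),
    "type0_ping": Sms(pid=0x40, dcs=0x00),
    "mwi_clear":  Sms(pid=0x00, dcs=0xC0),
    "mwi_set":    Sms(pid=0x00, dcs=0xC8, payload=b"1 new voicemail"),
    "wap_push":   Sms(pid=0x00, dcs=0xF5, udh=bytes.fromhex("05040b840000"), payload=b"\x06\x05"),
    "odd_port":   Sms(pid=0x00, dcs=0x04, udh=bytes.fromhex("0504270f0000")),
}

if __name__ == "__main__":
    for name, sms in SAMPLES.items():
        score, reasons = classify(sms)
        print(f"{name:11} score={score} silent={is_silent(sms)} {reasons}")
```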