Yo humans, yeah, I'm back again. As you might have noticed, in the last episode I was stuck in the floor, and I told the off-camera leader about it, and he now knows. Lost, switching to English, tough times. But I decided to switch to English, and to thank the Ukrainian gangster, the king himself, for letting me out, because otherwise I would be like, yeah, dead. Yeah, that's why I wanted to switch to an English video, and I found this DEFCON 18 video from 2013 with 30,000 views, with the title "DEFCON 18 Chris Paget, Practical Cellphone Spying". But before we start the video, I really want to say thanks to the Ukrainian gangster leader. I probably mispronounced his name, but yeah, he's super kind, and he saved my life. Thanks. Oh, I was so stupid to get stuck in there; I should probably make sure that does not happen again. He could have trapped me in there with lava, obsidian or whatever. I had to walk out before I started a new episode, and I told him before, so it was kind of nice of him not killing me.

So if you're interested in what the server is: it's an anarchy server. You can do basically what you want here. I will try not to interfere with any admin actions. I actually have no in-game account that has operator status, to avoid people hacking into my account and taking over the server. Yeah, but I cannot guarantee I will never abuse my admin rights. I will probably do something about it when there is some unclaimed experience on the server, like machines causing crashes or the server going down to zero TPS; I will probably have to get active somehow. But other than that you are kind of free here to do whatever you want to do, right? So a classical anarchy setting, I would say. So that's about the server. It's a vanilla server, so you can use all the cheats you want to use, because there's no anti-cheat plugin or whatever for now. This also might change, I don't know; I would probably be too lazy to do something about that. Yeah, I'm too lazy to install anti-cheat and I'm too lazy to get a cheat client. I'm a big professional at this game, yeah. So that's about that.

Something left to say? Yeah, so I already paid the server for a few years, so it won't go anywhere, and also there's no reason for me to reset the world file, because now I have enough storage to scale well. Yes, so if you want to play on a server where your world file is safe for the next few years, this is a place for you to chill. Also there's usually like no people at all; I don't know what is happening today. So it's a kind of cool environment here, and you can actually play like pure vanilla and just chill. If you go a little bit away from spawn, nobody will find you and you can just enjoy the game like in the old days. I don't know, I might be a little bit nostalgic. I was a big Minecraft main how many years ago, probably 10 years ago, yeah, and I'm kind of stuck still in this time period, and I dislike most of the new changes. I have to admit though that things like Ender chests, netherite and shulker boxes, those are crazy things, but other than that all the other changes are like pure crap. Yep, that was a long intro, and I would say let's get started with the video.

So in the last episode, which was German, we watched a German video about like 5G, was it? The last episode, I did watch something different, I don't know, I'm kind of lost, but I think the last episode was about 5G stuff, and so I decided to stay with cellphones and watched a video, "Practical Cellphone Spying"; it's from the DEFCON conference channel and there will be a link to it in the description. I think I said the full title and everything already, so I won't repeat that. Let's go. If you're interested in the talk, you should actually watch the talk video I linked in the description; it makes no sense to stay on this Minecraft video listening in the bad audio quality, or talking about audio quality, so make sure to check out that video instead of keeping watching
here. So if you're interested in the server, just join the server, and you can turn off the video now. Awesome.

[Applause] Before we start, a couple of notes on privacy. First off, cellular phone calls will be recorded during the talk. Surprise! If you do not want your cell phone calls recorded, turn your phone off. If you're on Sprint or Verizon, you're not GSM; my system is not going to talk to your cell phone at all, so don't even worry about it. Having said that, I would encourage people to keep their phones on during the talk if you've got a GSM handset, because the whole point of this is to show how your... (I think I know what I talk. I'm fairly certain I know what I talk. Let me quickly check if I watched it in this series already, because that would be kind of redundant. Hmm. If not, I can watch it again. Mm-hm, doesn't look like it, mm-hmm. Okay, so I watched it off-camera.) ...salted, and if you're not using your phone, then that kind of doesn't work. Okay, see, this is the machine that's actually running the demo, and if you can see this big gap here where the hard drive should be: it's actually booted from this USB key, and at the end of the talk I'm gonna be cutting that USB key in half with a pair of, with a Leatherman. So I'm recording all kinds of very, very sensitive information, all kinds of settings about your phone, logging phone calls, all this kind of stuff, but it is all going to be destroyed at the end of the talk, so don't worry about that too much.

Okay, finally, I do have backhaul in place here. I'm currently connected to my Verizon Droid, which is giving me voice over IP back. Also, if you do connect to the network, generally the only way that you'll know that you're connected to the network is when you try and make a call. If you do make a call from the network, you'll get a recorded message saying you're being intercepted, yadda yadda yadda. So effectively, keep your phones on during the talk, and every so often just dial a number and see what happens. If you hear that recorded message, then you're attached to my system here; if you don't hear the message, you're fine. In either case, any time that anyone is connected to this network, a best effort is going to be made to connect calls, subject to the limitations of Asterisk going over voice over IP going over Verizon, and given that Verizon's the only cell phone network that one, we may have unpredictable results. Policy, okay.

So I'm talking about IMSI catchers, but in order to know what an IMSI catcher is, you need to know what I mean by IMSI. An IMSI is an International Mobile Subscriber Identity. You can think of it kind of like a GSM username. It's one of two parts, the two things that live in the SIM card that authenticate you; you're in like your username, and Ki is the secret key that authenticates you into the network. So the IMSI lives on the SIM card; obviously it's somewhat protected. When you connect to a network, one of the first things that network does is it'll say stop using your IMSI, use this temporary IMSI instead, and what I'm going to be showing you on the demo later is how many of these TMSIs have been allocated to us, as a way of seeing how many people are associated with the base station. So the IMSI is kind of a secret. The ICCID, the long string of numbers that's printed on your SIM card, is fairly closely related; for most US networks, and a lot of networks around the world, you can actually derive the IMSI from the ICCID and vice versa, so it's not all that secret. Other places do a slightly better job and the ICCID is just a random number. Either way, the ICCID doesn't really play too much of a part; I only mention it because you can derive the IMSI from it, in the United States at least.

So what is an IMSI catcher? Basically, it's a spoofed GSM tower. It's a fake base station. The idea is that when your phone is looking for a signal, it'll look for the strongest tower; it'll connect to the tower that offers it the best signal, and in this case, because I'm going to be right in front of you with high-gain antennas pointed directly at you, I'm going to be your strongest signal here. I'm only emitting about 25 milliwatts here, a tiny, tiny, tiny amount of power, but because I'm so close and because I'm using these directional antennas, hopefully I'll be your strongest signal, and you should come over to my network and, you know, have some fun.

Another thing to bear in mind is that in GSM it's the base station that picks all of the settings. So when you connect to my tower, it's my tower that gets to instruct whether or not to use encryption, whether or not to use frequency hopping, all of this kind of stuff. If I decide not to enable encryption, then I just disable it, and your phone just goes oh, you've disabled encryption, that's fine, I'll talk plaintext. It's that simple. There's all kinds of stuff that the base station can instruct the handset to do. Please take my word on it that I'm not doing anything malicious here, that this test is for functionality only, but there should be no permanent changes made to your phone whatsoever if you do connect to the network. But if I wanted to, there's all kinds of stuff I could do; I could update your SIM card. There's kind of fun to be had. So essentially, if you've got the ability to deliver a reasonably strong radio signal and your base station will negotiate A5/0, which is plaintext, you're pwned. There's nothing you can do about it, and there's a good chance that you won't even know about it. If I'm the tower there, not only am I your network, I also control your handset as well to a pretty significant degree. The actual idea of an IMSI catcher has been around almost as long as GSM has; it was patented by Rohde & Schwarz in Europe in 1993. I've never seen reference to any US patents for it, but either way, patents in Europe are just as public as they are here, so you know, all of the details of this are all public. The main important point about this is, if you were to go to Rohde & Schwarz and
say I wanna buy an IMSI catcher, they'll charge you a couple of million dollars. The equipment that I have laid out on the table here: by far the most expensive part is the laptop. Second up is the USRP at about 1,500 bucks, and then the next most expensive thing is this $20 instant messaging device. So the whole point is that using these techniques, you can intercept phone calls for a thousand times less money than the commercial systems that do exactly the same thing.

Involved in IMSI catchers: when the attacker, and I, create the base station, you have a cell phone that connects to my base station, and I just say disable crypto. I don't need to break crypto, we don't need any rainbow tables, I don't need any solid-state hard drive, so fast lookup, that's nothing. I just say turn off crypto. It's that simple. In reality, the GSM specification does actually say that when your handset connects to a network that does not use encryption, it has to put up a warning message. But then if you read further in the spec, there's another place where it says if you want to disable this warning message, you set this little configuration bit in the SIM card. So every SIM card that I have ever seen in my entire life, and I've seen a few from various networks around the world, every single one of them has that bit set. Every single operator that I've ever seen disables that warning message, so I've never seen a warning message on a cell phone that actually says you're connected to an unsecured network, even though the GSM specification requires it. So this is a deliberate choice on the part of the operators. The idea of it is that if you go to a country like India, in India they don't support cell phone encryption, it's actually illegal, so obviously you want to be able to roam in India, you want to be able to make cell phone calls, so your phone has to support A5/0, and if you're getting a warning every time that you connect to a new tower in India, you're gonna be wondering what the hell's going on and, you know, hassling AT&T or whoever. So it's one of those areas where functionality and security are directly at odds.

So, a note on spectrum usage. One of the issues that was raised with this talk in the press is that operating a transmitter on a US cellular frequency is a very big FCC no-no; you get in a lot of trouble for doing that. Fortunately, we don't actually need to. The reason for it is those blue bands used for GSM around the world: 850, 900, 1800, 1900. 850 and 1900 are the two that are used in the USA; 900 and 1800 are used in Europe. If you actually look at the size of those bands and the frequencies that they cover, there is an overlap between European GSM 900 and the United States ISM band at 902 to 928 megahertz. So I'm actually running my transmitter here as a legal ham radio transmitter in the, I call it the ISM band; that is technically a ham radio band, and as far as your cell phones are concerned, I'm just a European radio transmitter, I'm a European tower. Your phones don't care that I'm in the States; they don't care that they're on a completely inappropriate band for the location that they're in; they'll just quite happily go, yeah, it's a tower. It's pretty crazy. So if you've got a European phone, if you've got a quad-band phone, you'll see the network. If you've got a US phone that only works on US frequencies, you will not see the network.

So the ISM band, Industrial, Scientific, Medical: the idea of it is it's for very low-power devices that use very low utilization, a very low actual time on the air; they change frequency very rapidly, generally designed to be very non-interfering. But if you look at the regulations, ISM is actually secondary in the band; it's a ham radio band. Hams don't tend to like it, because there's all this noise and crap cluttering up the place, so the noise is too much of a problem for most ham radio applications, so most hams dismiss it. But for our purposes here, we can run a GSM base station on a GSM frequency within a ham radio band. How do we do that? Well, the first thing we need is a license. This URL is great: the question sets for the ham radio exams are all public, so if you go to this website, what they do is they just keep asking you the questions over and over and over and over again until you get them right, and if you keep getting it wrong, they'll keep asking you, and if you get it right, then it'll stop asking you. It just beats the right answer into you, and you can sit down with the site for a few hours and walk into a ham radio exam and just pass it. I'd recommend that, if you do want to get into this stuff, you take the time to learn it and take the time to understand it. I certainly learned a lot from taking my ham tests, and I recommend it to all of you.

As a ham radio operator, now we have a 1.5 kilowatt power limit. That's a lot. I have another amplifier that I've been using for RFID that's 600 watts, and I hate to turn that on because it's a terrifying amount of power; 600 is too much, so 1500 should be, you know, plenty for anything. In terms of actually being allowed to transmit: technically we're transmitting an unspecified digital code. There's bits going back and forth between your phone and my tower,
so in ham radio terms you're allowed to transmit an unspecified digital code as long as the specification is public, and in this case all of the specs for all the various GSM protocols are public, so it's all good. You're also not allowed to use cryptography or to obscure the meaning of the message in any way, so I guess by law, if I'm running my BTS in a ham band, I have to disable crypto. It's so sad. No limits on antenna size, antenna gain; basically, if you can get your hands on it and run power to it, you're golden. The only thing that you ever need to be careful of is RF exposure limits. The FCC publishes guidelines for what absorption rate people can tolerate safely; in this case I am nowhere near those limits. This side is my transmit antenna, I think it's this side, and it's putting out a total of about 25 milliwatts. To put that in perspective, your cell phones, if they're on the higher bands, the 1800/1900, they'll be putting out a watt; that's 40 times more. If they're operating on the lower bands here, 800/900, they're putting out two watts, so that's 80 times more. So the phone in your pocket is exposing you to significantly more RF than these big scary antennas.

The only other real requirement that we have is that the station has to identify itself every 10 minutes. That's actually pretty easy to do, because to be a ham-compliant callsign ID, a straight carrier wave Morse code, you know, every 10 minutes just Morse something out. We could have integrated it into the USRP; certainly the USRP is capable of it, but that's doing it the hard way. There's an easier way to do it, and that being you take a second transmitter, you tune it to the same frequency, you make sure that the power level of that second transmitter is slightly higher, so that whenever that transmitter is on, it's effectively overriding the GSM signal with a ham radio callsign. So all we need is an easily scriptable 900 megahertz transmitter, and as it turns out, this little pink instant messaging device is perfect. This is called the IM-Me; this was brought to me by Travis Goodspeed. They're fabulous little devices: they have reasonably good power output, obviously keypad and screen, which is helpful, no firmware security, you can program them with a GoodFET. Unfortunately they don't come standard with JTAG and RF connectors, but easy enough to wire. So yeah, we can write firmware for this; we can match the frequency, because we've got control over that in software, and then we just need to mix the signals together and amplify it up. So I'd actually pause there for one quick demo; no, actually I won't, I'll come back to that one.

So in terms of the BTS itself: so we've got the IM-Me for the ham radio side; what do we need for the GSM side? It's actually pretty easy. You need a USRP, Universal Software Radio Peripheral. These things are available online; they go for about $1,500 with the two daughterboards that you need. I'd also recommend, if you're going to get into this... (I don't know why I'm on this old troll name right now, but they really feel like the...) In GSM the handsets derive their timing from the base station, so the base stations have extremely accurate clocks, and the handsets figure out how much their own frequency is drifting compared to the tower. So if I come along with a pirate tower, if my frequency stability doesn't match that of the local towers around me, all your phones are going to be calibrated to those local towers (look, I'm so lonely right now) and you're not even gonna see my tower, because I'm there maybe just a few kilohertz off. ClockTamer gives me plus or minus 100 Hertz accuracy at 1.9 gigahertz; that's its out-of-the-box configuration, it's about 0.26 parts per billion accuracy, and then you can get a GSM, I beg your pardon, GPS module that drops it down to something ridiculous, crazy, crazy, crazy accuracy. It's all programmable and very flexible; it's highly recommended. This is super dad reward.

On the software side, just a laptop computer, Debian, OpenBTS and Asterisk. OpenBTS provides the software that does the GSM stack, and Asterisk takes the calls in from OpenBTS and sends them out through my interwebs. It's a very basic base station: it does do voice, it does do SMS, it does not do data, and in fact for the purposes of this demonstration I've even disabled SMS, purely because there's no way I can get your caller ID easily. So when you send an SMS, yes, I can route it out through the internet and connect it to where it goes, but the person who receives it is not going to know who it's from, and they're not going to be able to reply, so I figured it's just easier to disable it, but the system does support it.

So let's get the BTS going here. So I wanted to see if we can get some video here; is that a camera that we can get up on stage, or do you want me to turn the screen on? Okay, so I'm just going to plug in my USRP now, that's all on, and then start the base station, or try to. If it would... let's try this again, and there we go, so OpenBTS is up. I don't know how much detail you're gonna be able to see on the screen here with the camera zooming in. One thing I do want to show you is the TMSIs. Come on... I don't have any... I look good? Can you make that out on the screen? Come on. I typed 'tmsis'. TMSIs: what that shows me is a list of all of the temporary IMSIs that were allocated by the base station, in other words how many people can be associated with it, so you can see right at the bottom here, zero TMSIs in table. So I've
started it up clean; there's, you know, nothing there, nobody's connected. A couple of things I'm going to show you as well. I'm just going to turn this around so I can type. So a couple of other commands that I've typed here: cellid shows you that the mobile country code that I'm using at the moment is 001; in the GSM specification, country code 001 is test. I'm then using a mobile network code, an MNC, of 01, so again that's test. So I'm a test network in a test country. I'm operating on a non-European cellular, sorry, a non-American cellular frequency, and then if you look at the bottom here, the short name of the network that I'm starting is called DEFCON 18. Some phones will display that, others won't, but the point that I want to get across is that at the moment this is in a non-hostile configuration: it's in a test mode, it's not advertising any known network, it's not operating on a US cellular frequency, and certainly as it started up, nobody was connected to it. So I'll leave that running for a few minutes. If people really want to do a scan for the network, you can, but I'd prefer people to just leave their phones alone; just, you know, take it out of your pocket every couple of minutes, try and make a call, see if it's actually handed over, because we'll come back to this in just a second and, you know, show you how easy it is to make phones hand over.

Here we've got the BTS in test mode; how do we then make this into an IMSI catcher instead of just a random cellular network? Well, the way that cell phones identify the network is by two values; I mentioned them already: the mobile country code and the mobile network code. Mobile country code: 310 for USA. There's a full list on Wikipedia for every country around the world; a three-digit number, not really that hard to spoof. Mobile network code: again, a two-digit number, maybe a three-digit number, that you can look up on Wikipedia. Not really much security there; it's pretty trivial to change it. I'll show you how to do that on OpenBTS. It's not hard; it's really not hard. And then once I've set the MNC and the MCC, I can change the network name as well, so that when it displays on your phone, instead of seeing DEFCON 18 you'll see whatever network it is that I want you to see. In most cases, well, in some cases, I've noticed that handsets will not hand across to the base station unless the short name of the network, the network name, is entered case-correctly. So it's kind of sad when the security of your cell phone calls comes down to a case-sensitive string comparison. Not much security there. So that's all that's involved in spoofing a network.

So let's come over here and actually do it. Before we do, I'm just gonna type 'tmsis' again. Guys... how about that: 15 people. That's 15 people's handsets that are currently connected to my tower network. So 15 people in this room are currently having their cellular phone calls intercepted, and my BTS is not advertising any known network in the world; it's in a test mode, it's on a non-US frequency, and you're still connected. Okay, if you do not have your hand in the air, you're probably not connected to my network. In my experience it's generally the iPhones that connect most easily. It's actually been quite a bane of my existence trying to keep the damn iPhones away, I kid you not; it's impossible to get rid of the damn things. Okay, we have, oh wow, we now have 30 TMSIs in the table. You know, people, it's not handing over to this... so in the few seconds that it took me to explain why those 15 people, 15 more people connected. It's insane; it's really easy to do.

So let's spoof an MNC and an MCC. So we mentioned the cellid command; that shows you the MCC, MNC, location area code and cell ID. I can then do cellid... Quick question for the audience: raise your hand if you'd like me to spoof T-Mobile. Okay, raise your hand if you'd like me to spoof AT&T. Should have seen that one coming. Okay, so I'm just going to turn this around. All I do is I type cellid and then I give it the mobile country code; we're in the States, so our mobile country code here is 310. I'm going to give it a mobile network code, well, AT&T's mobile network code; they have several, but the most common one that they use is 410, so let's type that in. I'm gonna leave the location area code and the cell ID the same, so it's going to be 666 and 10. That's it; I'm now spoofing AT&T. I could, you know, be a little more careful about it; I can do config. So here, the cellid command here, 310 410 666 10, that set my mobile country code and my mobile network code, and then this command down here, config GSM shortname AT&T, and as far as your cell phones are concerned, I am now indistinguishable from AT&T.

So raising the question: how long does it take to hand over? That's kind of the point of the talk. In all honesty, from this point, so at this point we have an IMSI catcher. I can sit here, and over the next 20 minutes, half an hour, every AT&T cell phone in the room will gradually hand over to my network, gradually start giving me audio traffic. So from this point on, the only question becomes how can we make phones hand over more rapidly. In practice it might sit here for an hour before, you know, any significant number of phones connect, so we want some techniques to speed it up. So at this point we do have a simple IMSI catcher by spoofing a cellular network; clearly handsets in the audience are handing across to me. Anyone actually tried to make a call and hear the recorded warning message? Yeah, one here, another at the back, another over here. So yeah, I mean clearly you guys are handing over; you're connecting to my network; I'm getting all of your traffic. So how do we filter this down? Well, firstly, I now know your IMSIs, so I can filter based on IMSI. I know the IMSI of the specific person that I want to target; I can
exclude everyone but that IMSI. Likewise I can do the same with the IMEI, which is the equipment serial number, the equipment identifier. I could say, you know, only allow Nokias to connect, or only allow phones to connect... sure, you can get it down to that level of granularity, but you can say this particular IMEI is allowed to connect and nobody else's, so I can restrict down to a limited set by various different parameters. As I mentioned, it takes time for people to migrate across. We can make it faster; I'm going to talk about some techniques for that in a sec. One major limitation that this current system has: it only intercepts outbound calls. So when you're attached to my tower, as far as T-Mobile, AT&T is concerned, your phone is off; it has no signal; it's, you know, whatever, it's just not there, because you're not connected to one of their towers. So when a call comes in, it'll just go straight to your voicemail. We can bring it around there, so I'll come back to that, but for the moment we've got, you know, outbound calls getting recorded.

So how do we speed up handover? We don't want to be sitting here all day watching everyone's phones hand over, so what techniques have we got to speed up that process? Well, there's actually a few: neighbor lists, changing my LAC, I mean receive gain... I'm gonna talk about all of these individually; some of them I'll demo, some of them I won't, but there's lots of different ways to do it. The first one is GSM neighbors. So each GSM tower, when your phone connects to it, the phone will retrieve from it a list of neighbors, and what that means is each GSM base station is on a specific channel; obviously the base station will say if there are base stations nearby on these other channels, and what your phone will do is it'll take that list of neighbors and it will monitor all of those channels, and it will keep watching, you know, the signal strength on all those neighboring towers, and when one of those neighboring towers becomes a stronger signal, it'll hand over. So how can we use this to our advantage? Well, all we need to do is, we know that the cell phone is going to be monitoring these neighboring frequencies, so if we do a survey of the local area and find out what neighbors are around, we can then compare that to what frequencies the phone can actually see, what towers it can connect to and whatever, and eventually we can find a channel that is advertised as a neighbor but perhaps it's on the other side of the tower, so you can actually see it from here. So I can put up my tower on a frequency that I know your phones are listening to and that I know there isn't a tower on, so that the moment that base station pops up, okay, we must have driven down the street and this one is now closer, so I'll just hand over.

So how do we do this? It's actually pretty easy. You get a Nokia DCT4 phone, and I believe the 3310 is the two European bands; the 3390 does at least one of the US bands. What these do is they have a thing called network monitor mode, and what network monitor does is effectively dump a log of every GSM thing that the cell phone does: every packet that it sends to the base station, every burst that it receives from the base station, everything, every single thing that that cell phone does gets logged. It doesn't allow you to interact with it, doesn't allow you to control it, other than, you know, beyond what you can do on the handset already, but it does at least give you very, very detailed insight into what your phone sees on the GSM network. So you get a special F-bus/M-bus switching cable and a program called Gammu. Gammu is open-source; it connects to the phone over this cable and just dumps out a trace in XML, which you can open up in Wireshark. I was going to demo it, but my 3390 has gone wandering, so what I'm going to do instead is just show you what the traffic looks like. So this is a capture that I recorded last night; this was of a handset connecting to T-Mobile, and I actually caught it only partway through the boot sequence, so there's a bunch of traffic that was, you know, hanging off the top here, but you can see you've got all of the various GSM messages in here, and if I click on the right packet, let's try System Information Type 2, which is that one, you can see Wireshark breaks it down nicely, and within this packet it actually says here's my list of neighbors. So literally you just take this phone, you turn it on, you connect the cable, you run Gammu, and then you look at the Wireshark trace and you've got a list of channels. You then compare that; just literally tune a radio receiver onto each of those channels and see if you get a signal on them. It's not hard, and using this you can find an advertised neighbor that's not actually in use in the local area and speed up handoffs by taking advantage of that. Now, I'm not actually going to demonstrate
that today because that would require me to, you know, transmit on an AT&T frequency and I don't want to do that; certainly an attacker would have no such compunction and could easily take advantage of this to his benefit. So we can find GSM neighbors and we can take advantage of that.

Another way to speed up handoffs is the location area code. The idea of the LAC is it groups together a bunch of cells, so you'll have a whole bunch of cells in one specific area that advertise the same LAC and in general all go to the same higher-level controllers as well. But what happens is, when the phone is monitoring all these neighbors and it just sees another tower, for whatever reason it is to look at that secondary tower that it's seen, it'll see that that tower is advertising a different location area code, and that means that the cellphone has moved, at least as far as the cellphone is concerned, and if the phone has moved and it's moved into a new area then it should really do a handoff. So from OpenBTS here I have complete control over the LAC, so I can just change the LAC and everyone's phone says: LAC has changed, we must have driven 50 miles down the road, let's hand off to the new tower. So the more you change the LAC... you can keep rolling the LAC every few minutes just to entice more handsets. It's not particularly difficult to do. I'll give you a quick demo of it. First up, let's see how many handsets... so before we started spoofing AT&T we had our 30 handsets connected. Now that I've got AT&T's network name, MCC and MNC, let's see how many handsets we have connected now: 24. Don't quite know how that went down; IMSIs do time out. So another command that I can try is load, and this is telling me, obviously telling you, that there's 24 IMSIs in use as well, so I'm not too sure what's going on there, but we've certainly got a bunch of handsets connected. And then we can use the cellid command again to roll the location area
code. Turn this around a second so I can see. So my location area code was 666; I guess I should change that to 31337, and I'll keep the cell ID at 10. In fact I'll change the cell ID as well, just so that the handset knows it's a new tower. And that's how you roll it, not a complex operation at all, and then, like I say, that will encourage handsets to believe that they've changed location and that should entice more handsets to camp across to the new network. We'll come back to that when we do the next demo and we'll see how successful that was.

So what happens when the handset turns on? How does the handset first find its very first tower? Obviously when it boots up it knows nothing: it doesn't know where it is, it doesn't know what frequency it's on, doesn't have any neighbors to look for, doesn't know the current LAC, nothing like that. So it does a very long scan over the entire band, and whatever towers it finds, it checks the MCC and the MNC, tries to make sure that those are allowed networks based on what the SIM card will actually connect to, and the signal strength as well, and it'll just connect to the strongest tower. Once it starts finding some towers it limits the size of that scan; it becomes a much smaller scan, much more rapid, because it has some information about what bands are in use, what towers are in use, what channels to look for, all this kind of stuff. So an attacker can actually use this to his advantage, because if you DoS the cell phone system in order to make people lose signal, when those handsets connect back up again they're going to perform this long scan, they're going to perform this much wider scan and have a much higher chance of connecting to the attacker's tower. So how can we do this? Well, first of all, we're only talking about second-generation GSM, 2G; 3G has much better security, much, much, much better security. So if we jam the GSM band
and then we turn the jammer off, your handset's going to perform a wider search, it's going to perform a slightly slower search, a bit more chance of finding the tower. However, if you're on 3G there's really nothing I can do; the 3G protocols are much, much stronger than GSM and it's a lot harder to intercept a 3G phone call. So we really don't want people using 3G if we're trying to intercept phone calls, so what we have to do is jam the 3G bands. If we jam the 3G band your phones lose the ability to connect to a 3G tower and they quite happily drop down to 2G. So all you have to do, literally, is broadcast noise and block the ability to talk to 3G, at which point everyone drops down to 2G and plaintext. It's like saying, well, if you can't connect to port 22 then I'll just fail over to 23. Seriously, you can even think of 3G as, you know, SSH, and GSM is equivalent to telnet in this situation.

So yeah, back to the SSH port... if you know the talk already, okay, it's not... yeah, whatever, I will finish the talk. It's effectively... I remember quite a lot from it, so it's kind of...

How hard is it to jam a cellular band? Really not very. All you need to do really is transmit noise. I mean, when I say noise I mean a very specific thing, I don't just mean randomness, I mean completely flat spectral noise such that there is an equal amount of power in each octave and, you know, it's a nice flat spectrum, and it makes sure to cover the entire band, cover every channel. Effectively what we're doing is, instead of removing the tower completely, we're just removing the ability to see the tower, we're masking that with noise. Noise generators really aren't very expensive, I have one over here... I can do this without... which... went in too much again, now it's all good. So this is a noise generator, this was $450 on eBay, and if I connect this to a power amplifier, and I have a power amplifier upstairs, and connect that into an antenna, and I have antennas,
clearly if I turn that on that's rather a large disruption to cell phone service. I mean, the noise generator itself was, as I say, 450 bucks on eBay, the power amp was 400 bucks on eBay, not 90... on the Internet at least. That's 100 watts; a hundred watts of wideband noise is a huge, huge, huge disruption. This is what it looks like: this particular noise generator has two modes, it has one for the 900 MHz bands and one for the 1900 MHz band. So what you're looking at here is the trace from a spectrum analyzer; the lowest frequency on the left is about 500 MHz and the highest frequency on the right is 2.5 GHz, and as the line goes up there's obviously more power at whatever frequency that corresponds to. So you can see on the left we've got a really big fat block around 900 MHz; that is effectively the same as transmitting on every possible frequency, in every possible channel, between about 850 and 950 MHz. Turn that thing on and, yeah, 850 to 950 just stops working. Likewise in 1900 mode, you can see again the major peak is a little further over. It's pretty clear that this does what we need it to do. So what happens when you jam a cell, what happens when I turn this thing on and broadcast a hundred watts of noise? Of course I haven't done it, I'm not stupid. If you were to do this, if I was to put this thing into my hundred-watt power amplifier and I was to connect it to an antenna and turn the whole thing on, it would probably knock out GSM, CDMA, 3G, Verizon, pretty much every cell phone service there is for most of Las Vegas. [Applause] So yeah, I'm not turning this thing on. The main reason that I have this is because it's a fabulously useful piece of test equipment: if you're trying to characterize filters, you put wideband noise into a filter and, as long as it's nice and smooth, you can compare what comes out and very, very accurately characterize your filter, and that's what I use this
for, not for the DoS. The thing about jamming is that there is no way to defend; it's impossible, it can't be done, short of swamping it with more and more power. You could do it in a short burst, a few seconds, but it's still way, way, way too offensive for what I'm doing here. So, as I said, a hundred-watt amplifier on a reasonable antenna would probably knock out Las Vegas cellphone systems.

So another technique that we can use to make handsets hand over: there's a command that the BTS can send the handset that basically says treat my signal as if it was stronger than it actually is. Meaning that, let's say, on a scale of, you know, +50 to -100 (anyone who knows will understand why I'm choosing that range), +50 to -100, let's say my signal is coming in at -80, really, really low. I can say to your handset: just add a hundred to that, which is +20 dBm, super hot, wow, you're the strongest power around, now I'll connect to you. It's ridiculous, and it's again another great example of some of the instructions that a BTS can send a handset. So, you know, I don't even necessarily need to be the strongest signal, I just need to have a signal that you can pick up, and I'll be telling you that I'm the strongest signal. It's ridiculous, and the handset will comply; it has to comply, because that's how GSM works: when the handset gets an instruction from the tower it complies with it. But of course, for the attacker to make use of this, of course it means that he has to use less RF power to win the strength competition with the local towers. OpenBTS doesn't actually support it yet so I won't demonstrate it here. This is actually the essence of the Rohde & Schwarz patent on IMSI catchers; there was a case in the UK where someone was selling IMSI catchers, and Rohde & Schwarz... which effectively came down to this one technique. Spoofing MCCs, MNCs, network names, it's all trivial, but this one technique is the one that's patented. So I
mentioned earlier that we don't see inbound calls, we only see outbound calls. Effectively the IMSI catcher is a completely isolated cellular network; as far as your carrier is concerned your phone is off, it has no signal, it's just not there. So of course they're going to send calls inbound to your voicemail, where else are they going to send it? Your phone's off. So the attacker doesn't see the inbound calls. The way that we get around this is, obviously, if you're connected to my tower, my tower has to authenticate you, therefore it will ask for your IMSI and your phone will quite happily supply it, so I know your IMSI. What I can then do is I can go to AT&T and say: hey, here's my IMSI (I'm spoofing this guy over here, but you don't need to know that), this is my IMSI. And I know that this guy's not on the network because he's on my network, therefore it's perfectly safe to do this without you seeing two phones. So I claim this IMSI. The problem with that is that we don't know the secret key in the SIM card, we don't know Ki, and what's going to happen is, when I claim that IMSI to AT&T or T-Mobile, they're going to send me a random number, a 32-bit number, just a challenge. And what normally happens is that challenge gets passed to your SIM card, gets encrypted with your secret key and then split into two parts: half gets returned to the tower, it's just kind of proof that you know the secret key, and the other half is used as the ciphering key. Well, what I can do to exploit this is I can just pass that random challenge along to your phone, whereupon your phone will happily, you know, encrypt it with your secret key and all the rest of it and send the result back to me. But the result doesn't come back to me as, you know, here's the answer... the session response I do get, just kind of here's the answer, but the secret key I have to crack. And here's the great thing about IMSI catchers as opposed to cracking with Airprobe, those kinds of things: how many folks saw the release
at Black Hat of the A5/1 cracker? So the big limitation that that thing has is that it doesn't work on frequency-hopping base stations, which virtually every base station in the civilized world is, so it kind of doesn't have real-world applications. Well, in this instance I'm the base station, I set the hopping sequence, so I could just say to you: okay, let's negotiate A5/2, because I can break that really easily, and then let's disable hopping so that I don't have to worry about that, and then I can use these rainbow tables to crack your secret key, whereupon I recover the session key. I now know the session key and the session response, which was the authentication response, and I can just reuse it all to the carrier, and as far as the carrier's concerned, okay, it took a few seconds for me to establish a challenge to your handset and then crack it and all the rest of it, but at the end of the day I provided the right response to the carrier, so, hey, I must be you. It's not implemented in this system yet but it's definitely possible to do; it's the technique that commercial IMSI catchers use to catch inbound calls. Certainly I cannot do that in this system currently, but it's absolutely possible with IMSI catchers.

So just a little more on breaking that session key: it is the only time when you're using an IMSI catcher that any cryptography is needed at all. The majority of the time I just configure my base station to just negotiate A5/0, just disable encryption. What do I care? If I negotiate A5/2, A5/2 is very, very easy to crack, much easier than A5/1, so that gives me a very quick way into your handset. Alternatively, if I negotiate A5/1, well, clearly A5/1 is still, you know, crackable and we can still do that, but in either case any calls that originate from your phone come to me as plaintext. So what's the solution to all of this, how do we fix this? And the reality of it
is that there is no good solution, not in the context of GSM. GSM is broken, that's one; it is the telnet of cellular systems. In order to fix GSM you'd have to redesign GSM, and if you're redesigning GSM it's no longer GSM: every handset you have to change, every tower you have to change, the networks that live behind them. So why bother? If you're going to that much effort to redesign everything, why don't you just move to 3G? The solution here is 3G and later protocols. 3G authentication is much better, obviously; 3.5G, 3.9G, LTE, all the subsequent protocols build on that as well. The primary solution here is: turn off 2G. Unfortunately, how many people have Android phones? You've seen the setting that says "use only 2G networks"? Yeah, supposedly saves battery. How many people have ever seen a setting in a phone that says "use only 3G networks"? Okay, BlackBerry has one, so... Android doesn't, iPhone doesn't. So how can we be secure here? Certainly 3G is showing cracks, it's not been broken by that; the KASUMI cipher has been somewhat broken but the 3G protocol hasn't. So yeah, just use 3G, look for that icon on your screen with the little 3G; if you see that then you're pretty good. Alternatively, just treat it like a data network, just, you know, put another layer of crypto on top of it, treat it like voice-over-IP, just use it as a data network, treat it like the Internet, encrypt everything that goes across it, just don't trust it. And then in the long term the big solution is to just turn off 2G, which will happen eventually as 3.5G and 4G get to the point of being more widely used. You know, I've demonstrated this, there'll be little argument that it's possible to intercept 2G phone calls, so hopefully this will spur some uptake of 3G and we'll see where it goes.

So one final demo, let me just see how many IMSIs we have connected here: 17. Okay, so people are actually handing back to the normal network, that's unusual. Certainly there were a lot of
handsets connected to start out with. It's possible that I actually mistyped AT&T, I think there's some spaces in there, so it's entirely possible that your handsets are connecting to me... I'm not spoofing AT&T correctly, no matter. Either way, certainly, feel free to make some calls through it; the only limitation is that you have to dial 1 in front of the number, or whatever country code you want. You're only limited by the $20 of credit on my account, so feel free. If you've not heard the recorded message then, like I say, connect to the network and it will play. It's there for the next couple of minutes while I take some questions. So yeah. [Applause] No questions? Alrighty.

Yeah, I would say interesting talk, it is for sure, but yeah, it's kind of boring if you've seen it already. Yeah, I guess that's it from this episode. I do not feel like fighting phantoms right now, this is getting quite inconvenient up here. I don't know how I will solve that problem, but I guess I just... let me finish this side and then go to the other side in the next episode, so I do not have to expose myself to phantoms. So if you're interested in the server, it's mine and I own a server that will stay online for some time, then connect to the domain. Yeah, if you were interested in the talk about the cellphone spying then check the link in the description to the original DEFCON talk and yeah, let me quickly do that. Yeah, that's it from this episode, see you in the next one.

Video Information
This video, titled ‘Minecraft Anarchy – Practical Cellphone Spying’, was uploaded by ZillyGurke on 2020-05-15 16:21:42. It has garnered 5 views and 0 likes. The duration of the video is 01:01:15 or 3675 seconds.
Lasergurkenland anarchy server ip: 88.214.56.94 domain: zillyhuhn.com
Small pure vanilla minecraft server. No plugins. No admins. No rules. Chilled anarchy server with stable tps and no queue. No world resets and stable uptime. The server will stay online for at least a few years.
Defcon talks watched in this video: DEF CON 18 – Chris Paget – Practical Cellphone Spying https://www.youtube.com/watch?v=fQSu9cBaojc
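The neighbor-list trick Paget describes in the talk (dump System Information Type 2 from a phone in network monitor mode, read the advertised neighbor channels, survey them with a receiver, and pick one that is advertised but not actually on the air) can be reproduced offline. The following is an added example and is not code from the video, from Gammu or from OpenBTS. It decodes the Cell Channel Description IE in its "bit map 0" form (3GPP TS 44.018, 16 octets covering ARFCN 1..124 of P-GSM 900), wraps it in a minimal SI2 frame, and diffs the advertised list against a survey. The SI2 bytes, the neighbor ARFCNs and the survey readings are all constructed for the demo; the only protocol facts relied on are the bit map 0 layout, the RR protocol discriminator (0x06), the SI2 message type (0x1A), the L2 pseudo-length octet and the P-GSM 900 ARFCN-to-frequency formula.

```python
"""Decode the BCCH neighbour (BA) list from a GSM System Information Type 2
frame and find advertised neighbours that a local survey did not hear.

Added example; the frame below is constructed, not a real capture.
"""

PGSM_ARFCNS = range(1, 125)   # P-GSM 900 uses ARFCN 1..124
BITMAP0_LEN = 16              # Cell Channel Description IE, bit map 0 form
RR_PROTOCOL_DISCRIMINATOR = 0x06
SI2_MESSAGE_TYPE = 0x1A


def arfcn_to_downlink_mhz(arfcn: int) -> float:
    """P-GSM 900: uplink = 890 + 0.2*n MHz, downlink = uplink + 45 MHz."""
    if arfcn not in PGSM_ARFCNS:
        raise ValueError(f"ARFCN {arfcn} is not a P-GSM 900 channel")
    return round(890.0 + 0.2 * arfcn + 45.0, 1)


def _bit_position(arfcn: int) -> tuple[int, int]:
    """bit map 0: octet 16 holds ARFCN 8..1 (bit 8 = ARFCN 8), octet 15 holds
    16..9, ... octet 1 bits 4..1 hold ARFCN 124..121. Returns (0-based octet
    index, 0-based bit index with bit 0 = LSB)."""
    return 15 - (arfcn - 1) // 8, (arfcn - 1) % 8


def encode_bitmap0(arfcns) -> bytes:
    """Build the 16-octet bit map 0 IE. Bits 8-7 of octet 1 stay 00, which is
    the format indicator for bit map 0."""
    buf = bytearray(BITMAP0_LEN)
    for n in arfcns:
        if n not in PGSM_ARFCNS:
            raise ValueError(f"ARFCN {n} cannot be encoded in bit map 0")
        octet, bit = _bit_position(n)
        buf[octet] |= 1 << bit
    return bytes(buf)


def decode_bitmap0(ie: bytes) -> list[int]:
    """Return the advertised ARFCNs in ascending order."""
    if len(ie) != BITMAP0_LEN:
        raise ValueError("Cell Channel Description must be 16 octets")
    if ie[0] & 0xC0:
        raise ValueError("not bit map 0 format (format indicator != 00)")
    found = []
    for n in PGSM_ARFCNS:
        octet, bit = _bit_position(n)
        if (ie[octet] >> bit) & 1:
            found.append(n)
    return found


def build_si2(neighbours, ncc_permitted: int = 0xFF,
              rach_control: bytes = b"\xd5\x04\x00") -> bytes:
    """Constructed SI2: L2 pseudo length, PD/skip, message type,
    BCCH frequency list (16), NCC permitted (1), RACH control (3)."""
    body = (bytes([RR_PROTOCOL_DISCRIMINATOR, SI2_MESSAGE_TYPE])
            + encode_bitmap0(neighbours)
            + bytes([ncc_permitted & 0xFF])
            + rach_control)
    l2_pseudo_length = (len(body) << 2) | 0x01   # length<<2, M=0, EL=1
    return bytes([l2_pseudo_length]) + body


def parse_si2(frame: bytes) -> dict:
    """Parse the fields of an SI2 frame; raises on anything that is not SI2."""
    if len(frame) < 23:
        raise ValueError("SI2 frame too short")
    if frame[0] & 0x03 != 0x01:
        raise ValueError("bad L2 pseudo length octet")
    if frame[1] & 0x0F != RR_PROTOCOL_DISCRIMINATOR:
        raise ValueError("not a Radio Resource message")
    if frame[2] != SI2_MESSAGE_TYPE:
        raise ValueError("not System Information Type 2")
    return {
        "l2_pseudo_length": frame[0] >> 2,
        "neighbours": decode_bitmap0(frame[3:19]),
        "ncc_permitted": frame[19],
        "rach_control": frame[20:23],
    }


def find_phantom_neighbours(advertised, survey_dbm: dict,
                            floor_dbm: float = -100.0) -> list[int]:
    """Advertised ARFCNs on which the survey receiver heard nothing above
    floor_dbm. These are the channels an attacker's BTS could occupy."""
    heard = {n for n, level in survey_dbm.items() if level > floor_dbm}
    return sorted(set(advertised) - heard)


def demo() -> dict:
    # Constructed neighbour list and constructed survey readings (dBm).
    frame = build_si2([3, 17, 42, 85, 120])
    info = parse_si2(frame)
    survey = {3: -71.0, 17: -84.5, 42: -112.0, 85: -66.0, 120: -107.0}
    phantoms = find_phantom_neighbours(info["neighbours"], survey)
    return {
        "advertised": info["neighbours"],
        "phantoms": phantoms,
        "phantom_downlink_mhz": [arfcn_to_downlink_mhz(n) for n in phantoms],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In a real workflow the 16 octets come out of the Wireshark dissection of the SI2 packet in the Gammu trace, and the survey dictionary is whatever the receiver measured on each advertised channel; the diff is the same. Note that bit map 0 only covers the 124 P-GSM channels, so a phone on the 1900 MHz or extended bands will broadcast one of the other Cell Channel Description formats, which this decoder rejects rather than misreads.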