Aaron Demello

Workshop Title

GSM Exploitation

Speaker Profile

Aaron deMello is a seasoned serial entrepreneur in the technology / IT space, having founded, owned & operated 5 companies since 1995. His current venture, Privail, focuses on the defense / intelligence sector, providing a massively scalable, open platform for surveillance and legal intercept (LI). He has been a keynote speaker at major international conferences on security, mobile data, and location-based services, and sits on the board of several technology and media companies, as well as advising a private VC fund in Canada, and acting as a technology expert for several prominent angel investors. He has also been an expert on the use of geo-location as evidence in civil and criminal cases in Canada, and was nominated for Young Entrepreneur of the Year in 2001 by Ernst & Young Canada. Having lived in North America for almost 20 years, he has relocated to India to expand his current company, Privail.

Workshop Details

• 1. Introduction to GSM
• Overview of network from Um Air interface to BTS to Abis to BSC to A interface to MSC to MAP interfaces to HLR/VLR
• Overview of design of GSM from architecture standpoint
• Migration to “3G” and “4G” (LTE)
• Critical Data and Protection Mechanisms in GSM
• Identity Protection: IMSI / TMSI
• 2Location Protection: HLR, TA, lack of time-sync makes triangulation impossible
• Communications Protection: A5/1 over air interface, use of frequency hopping
• Known Vulnerabilities
• By design - lack of encryption on A interface, network authenticates handset, handset does not authenticate network, SS7 is a true trusted network where all entities within the network are assumed to be validated at the time access is granted.
• By technical advancement - A5/2 cracked using modern day desktop computing power that required supercomputer at the time GSM was designed; A5/1 cracked in real-time using FPGA array and/or pre-computed Rainbow Tables; A5/3
• Through the introduction of Lawful Intercept equipment
• Through rapid design of modern devices (iOS, Android, Symbian, etc.)
• Overview of Encryption used in GSM
• A5/0
• A5/2
• A5/1
• A5/3
• Interactive Map of world’s GSM networks where various ciphers are used
• Attacks
• Overview of types of attacks
• Active vs Passive
• Over-the-air vs in-network
• Air interface attacks
• LI equipment attacks
• Core network equipment attacks
• Case study: Vodafone “Athens Affair”
• Vendor equipment backdoors
• Device attacks
• Android becoming #1 most popular attack vector
• SMS attacks
• Internet re-direct attacks
• Socially engineered attacks
• AT&T password reset attack
• Apple ID iCloud reset attack
• Rogue Base station Attacks
• Location Tracking Attacks
• Via HLR / MSC
• Over the Internet (!)
• Via BSC monitoring (A-bis)
• Via active rogue base station/li>
• Via passive air interface monitoring
• GPS spoofing for honeytrapping
• Attacks on subscriber identification
• Encryption attacks
• Attacks on mobile devices
• Denial of Service attacks
• On a handset
• On a segment of the network
• On the entire network
• Jamming spectrum (all networks)
• Demo - subject to getting approval from regulatory authorities)
• Rogue base station
• Passive air interface “sniffing”
• Practical Application of Attacks
• Real-world usage
• Defense mechanisms against attacks
• Emerging attacks
• Open source projects to commoditize GSM from handset to BTS to core network
• What about data networks?
• What about 3G / 4G?
• What about satellite i.e. Inmarsat / Thuraya?
• Recap & Q/A

Prerequisites

It is assumed that the participants will have little or no prior knowledge of GSM

What to Bring

Bring your mobile phones :-)