Project Overwatch: Multi-National Effort to Combat IMSI Catchers

1 Project Overwatch: Multi-National Effort to Combat IMSI Catchers
MBS-F03 Project Overwatch: Multi-National Effort to Combat IMSI Catchers Trent Smith Director of Overwatch ESD America @trentatesd

2 Who are we
6 years ago we commenced a joint research project into ways that groups like the NSA and GCHQ hack cell phones. The research was conducted on behalf of a major European government customer. The research focused on two main areas of attack: the SS7 protocol on cellular networks, and over-the-air attacks using IMSI Catchers.

3 “With access to Overwatch, our clientele are armed with real-time cellular network data that produces strategic, actionable intelligence aimed at stopping their exposures and securing their cellular networks.” J.D. LeaSure President/CEO, ComSec LLC TSCM, proven and perfected.™

4 IMSI Catchers in the Media

5 IMSI Catchers In The Media
IMSI Catchers have shot to fame over the last 24 months

6 IMSI Catchers In The Media
Their use/misuse is often a matter of perspective

7 IMSI Catcher Technology

8 What Is An IMSI Catcher
IMSI - Individual Mobile Subscriber Identity. An IMSI Catcher is a device that pretends to be a cell tower in order to trick your phone into connecting to it. In truth, your phone has no idea the IMSI Catcher is not part of the real network.

9 Why Do Phones Trust Them?
Cell phones are designed to look for other towers with better reception. The IMSI Catcher operator must adjust settings to replicate a cell tower in your area. The phone will connect to the IMSI catcher if it's made to look more 'attractive' than the real network: broadcast a stronger signal (uncommon); modify the C1/C2 value; jam competing frequencies; "push the green button".

10 How Do They Work?
In order to look more attractive than surrounding cell towers, the IMSI Catcher could: broadcast a stronger signal (uncommon); modify the C1/C2 value; jam competing frequencies; "push the green button". Techniques vary between hardware and the network being attacked (2G/3G/4G).

11 Why Use An IMSI Catcher
Verify a phone's (person's) location; track and locate a device; denial of service; monitor cell phone use (prisons); intercept calls/SMS; alert to the arrival or exit of a phone.

12 Are 3G/4G Calls More Secure?
They used to be 'safer' because the level of difficulty was higher and fewer 4G intercept systems were available. At the HITB Conference, Unicorn Team explained how to force a targeted LTE phone onto an unsafe network. We've been seeing phones jump to an available 2G network in the absence of 4G coverage, instead of falling back to 3G. Locking your phone to use 3G/4G isn't always reliable. We've found that locking your phone to 3G/4G seems to just stop your phone looking for 2G towers. However, it doesn't stop an attacker putting your phone into a 2G channel once it's been caught.

13 What about 5G?
Yes, 5G is the next step forward, expected around 2020. It doesn't specify a particular technology yet. 4G IMSI catchers exist, so will 5G ones. You can bet your tax dollars that the 3-letter agency boffins are hard at work dreaming up solutions right now.

14 How To Catch an IMSI Catcher
Some of the signs to look for when hunting IMSI Catchers: ARFCN for the serving cell changes; same Cell ID or LAC used in close proximity; cell has no neighbors; ciphering disabled; force down to 2G; short T3212 timer. The sequence of these events and indicators matters. It takes analysis, experience, and situational awareness to make a reliable judgment.

15 Is There An App For That?
Apps available from iTunes or the Google Play Store are either ineffective or lying to you. Detecting some of these anomalies requires access to the phone's baseband processor, which isn't possible without a jailbroken or rooted device. That's fine for geeks, but instantly voiding the warranty on your hardware isn't a commercially viable solution for most businesses or government agencies.

16 There’s NOT An App For That!
Apps with only standard API access are missing critical indicators from the phone's baseband. Type0 SMS, also known as 'Silent SMS', are often used for location tracking. Apps do not provide the ability to establish extensive rule sets. With Overwatch we can easily configure it for the network operator's normal operations. As an example, power changes on many European carriers are minimal, but in the USA the towers constantly change output power. Knowing the environment and establishing a rule set helps provide the operator with a noise floor. Apps are also limited to whichever cell tower the cell phone is connected to. Overwatch can do analysis on multiple towers at once and reassess any tower it sees as behaving abnormally. The best example of something a BBFW/OW Sensor can detect, and that a user-installed app on a non-rooted or non-jailbroken device could never detect because of the restricted access to the baseband processor, is incoming silent SMS (Type0 SMS). By definition, Type0 SMS are not to be shown to the user on arrival. Our sensors can detect those and generate an alert for that.

17 Project Overwatch Eating Stingrays for breakfast since 2015

18 Project Overwatch has been a multi-national effort between USA, Germany, and Australia to create a solution leveraging GSMK’s patented Baseband Firewall technology.

19 Project Overwatch
Can detect and combat rogue base stations and other cellular attacks in real-time: IMSI Catchers; hostile takeover of Baseband Processor (Audio Path/DoS); modified Pico Cells; other air interface attacks (Jamming/2G force-down).

20 Network Events in Real-time
Jamming attack seen during a demonstration for a Government customer

21 Rogue Cell Detected
The tower was emulating the country and network codes for U.S. Cellular; however, they don't have 2G GSM cells. Their network is primarily CDMA in transition to LTE.

22 Rogue Cell Detected Overwatch logs detailed events for the suspicious tower

23 Rogue Cell Detected We can see from the Overwatch database that MCC 311 MNC 220 is actually an active CDMA service.
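The indicator list from "How To Catch an IMSI Catcher" and the MCC/MNC mismatch from the "Rogue Cell Detected" slides can be combined into a simple rule set. The sketch below is an added example, not Overwatch or GSMK code: the CellObs schema, the thresholds, the two-entry operator table and the sample data are all assumptions, and the "same Cell ID or LAC in close proximity" check is left out because it needs location data.

```python
from dataclasses import dataclass

# Assumed table: PLMN (MCC, MNC) -> radio technologies that operator actually runs.
# The 311/220 entry follows the slides (CDMA moving to LTE, no 2G GSM).
OPERATOR_RATS = {("311", "220"): {"CDMA", "LTE"}}
SHORT_T3212_MIN = 12  # assumed cut-off for a "short" periodic update timer, minutes

@dataclass
class CellObs:  # hypothetical schema for one serving-cell observation
    t: int          # seconds since capture start
    mcc: str
    mnc: str
    rat: str        # "GSM", "UMTS", "LTE", ...
    arfcn: int
    neighbors: int  # neighbor cells advertised by the serving cell
    ciphering: bool
    t3212_min: int  # 0 means periodic updates are off

def indicators(prev, cur):
    """Indicators that fire for `cur`, given the previous observation (or None)."""
    known = OPERATOR_RATS.get((cur.mcc, cur.mnc))
    checks = [
        (prev is not None and cur.arfcn != prev.arfcn, "arfcn_changed"),
        (prev is not None and prev.rat in ("UMTS", "LTE") and cur.rat == "GSM", "forced_to_2g"),
        (cur.neighbors == 0, "no_neighbors"),
        (not cur.ciphering, "ciphering_disabled"),
        (0 < cur.t3212_min <= SHORT_T3212_MIN, "short_t3212"),
        (known is not None and cur.rat not in known, "rat_not_used_by_operator"),
    ]
    return [name for fired, name in checks if fired]

def assess(observations, window_s=120, threshold=3):
    """Alert when >= threshold distinct indicators fall inside window_s seconds."""
    events, alerts, prev = [], [], None
    for obs in observations:
        events += [(obs.t, name) for name in indicators(prev, obs)]
        recent = sorted({n for t, n in events if obs.t - t <= window_s})
        if len(recent) >= threshold:
            alerts.append((obs.t, recent))
        prev = obs
    return alerts

# Constructed sample: test PLMN 001/01 on LTE, then a sudden GSM cell claiming 311/220.
SAMPLE = [
    CellObs(0, "001", "01", "LTE", 5230, 6, True, 60),
    CellObs(60, "311", "220", "GSM", 128, 0, False, 6),
    CellObs(600, "001", "01", "LTE", 5230, 6, True, 60),
]
```

A lone ARFCN change on the return to LTE does not alert; only the cluster of indicators around the GSM cell does, which is why the rule set counts co-occurring indicators rather than single events.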

24 Project Overwatch A strategic deployment incorporating feeds from thousands of sensors creates an unparalleled view of the cellular air-interface.

25 Overwatch Demonstration

26 Government Response to IMSI Catchers
The FCC has been involved with investigating their use, but at the same time also provides equipment certification for these devices. An effective tool that governments and intelligence agencies don't want to lose. We provide governments and law enforcement the ability to detect and monitor IMSI catchers. It's up to them to decide which ones are legal/illegal.

27 What can be done?
In reality, network operators need to consider the effect of IMSI Catchers on customer services. The sale of IMSI catchers is already tightly regulated. Government needs to take a proactive role in detecting and prosecuting IMSI Catcher operators. Prompt investigation of potential threats is required. To defend against IMSI Catchers, you need to be able to find them first.

28 Questions
overwatch@esdamerica.com esdoverwatch.com

