Upload File

exploit gsm and rf to pwn your phone - ekoparty

30
EXPLOITING GSM AND RF TO PWN YOU PHONE Manuel Moreno Francisco Cortes

Upload: manuel-moreno

Post on 13-Apr-2017

586 views

Category:

Technology


0 download

Report

TRANSCRIPT

Page 1: Exploit GSM and RF to Pwn your Phone - Ekoparty

EXPLOITING GSM AND RF TO PWN YOU PHONE

Manuel Moreno Francisco Cortes

Page 2: Exploit GSM and RF to Pwn your Phone - Ekoparty

• Llamadas y acceso a datos podrían ser interceptados

• Si no desea participar en el demo FAVOR APAGAR su Teléfono o colocarlo en modo Avión.

Todo lo mostrado es con fines académicos y de investigaciónNO se debe realizar un ataque real de lo presentado, pues es ILEGAL

Page 3: Exploit GSM and RF to Pwn your Phone - Ekoparty

Somos de Chile!

Page 4: Exploit GSM and RF to Pwn your Phone - Ekoparty

• CEO GlobalSecure

• Creator of G|SIA, G|PPT and G|WPT Certifications

• EC-Council International Instructor for CEH, CHFI, ECSP and ECSA

Page 5: Exploit GSM and RF to Pwn your Phone - Ekoparty

¿COMO COMENZÓ LA IDEA DE ESTA CHARLA?

• Por el año 2002 Aproximadamente

• Película Hackers 2 - Sistema SAS

• Celda Celular Falsa para capturar a Kevin Mitnick

Kevin Mitnick

Page 6: Exploit GSM and RF to Pwn your Phone - Ekoparty

La Pregunta es ¿Como?… la Pregunta siempre es Como!

Hackers 2 - Takedown (2000)

Page 7: Exploit GSM and RF to Pwn your Phone - Ekoparty

MI CEREBRO EXPLOTO¿Como lo hizo?

Page 8: Exploit GSM and RF to Pwn your Phone - Ekoparty

BUSCANDO IDEAS

• ¿Ataque de Karma Wifi… en red Celular?

• Pineapple Mark V (Piña Wifi)

Page 9: Exploit GSM and RF to Pwn your Phone - Ekoparty

¿y que pasa en GSM?

Page 10: Exploit GSM and RF to Pwn your Phone - Ekoparty

IMSI CATCHER

Page 11: Exploit GSM and RF to Pwn your Phone - Ekoparty

• Desarrollado por Harris Corporation

• Casi exclusivo para militares y agencias de Inteligencia

• La primera version lanzada en 2001 y la segunda en 2007

• Captura IMSI- TIMSI

• Obtiene ubicación y metadatos

StingRay

https://en.wikipedia.org/wiki/Stingray_phone_tracker

Page 12: Exploit GSM and RF to Pwn your Phone - Ekoparty

• Exclusivo para agencias de inteligencia/Gobiernos

• Valor entre USD$80.000 a $200.000

StingRay 2

https://en.wikipedia.org/wiki/Harris_Corporation

Page 13: Exploit GSM and RF to Pwn your Phone - Ekoparty

CHRIS PAGET

Page 14: Exploit GSM and RF to Pwn your Phone - Ekoparty

USRP U$2000+

Solo se mostró Captura de Voz… ¿Pero y los datos?

Page 15: Exploit GSM and RF to Pwn your Phone - Ekoparty
Page 16: Exploit GSM and RF to Pwn your Phone - Ekoparty
Page 17: Exploit GSM and RF to Pwn your Phone - Ekoparty
Page 18: Exploit GSM and RF to Pwn your Phone - Ekoparty

Francisco Cortes

Page 19: Exploit GSM and RF to Pwn your Phone - Ekoparty

… en muy resumidas cuentasUNA RED CORE CS/PS

Page 20: Exploit GSM and RF to Pwn your Phone - Ekoparty

ATTACH PROCEDURE

Page 21: Exploit GSM and RF to Pwn your Phone - Ekoparty

CREACIÓN PDP CONTEXT

Page 22: Exploit GSM and RF to Pwn your Phone - Ekoparty

¡NUESTRO HARDWARE SALVADOR!

Portable

USB 3.0

300MHz - 3.8GHz

Full-Duplex

USD ~$400

Page 23: Exploit GSM and RF to Pwn your Phone - Ekoparty

Y SU MEJOR AMIGO

SGSN y GGSN (resuelto el MM, SM, PDP CONTEXT)

Nos permite definir el DNS

Facilidad para definir parametros de la red

Page 24: Exploit GSM and RF to Pwn your Phone - Ekoparty

+ =

Page 25: Exploit GSM and RF to Pwn your Phone - Ekoparty

¿DONDE ESTA EL QUESO?

Capacidad que da la combinación del software

y hardware de poder

¿Posibilidad de identificar

Page 26: Exploit GSM and RF to Pwn your Phone - Ekoparty

COMO BUSCAR CELDAS?• Kalibrate

• Gmon (Android)

Page 27: Exploit GSM and RF to Pwn your Phone - Ekoparty

DEMO

Page 28: Exploit GSM and RF to Pwn your Phone - Ekoparty

DEMO:- Interceptación de llamada Celular- Captura de Correo Electrónico

Page 29: Exploit GSM and RF to Pwn your Phone - Ekoparty

a las 2PM en Sala D

Tenemos un Workshop “A Practical introduction to Software

Defined Radio and GSM Signal”

Page 30: Exploit GSM and RF to Pwn your Phone - Ekoparty

Francisco Cortes Farias

@polux_troy

Manuel Moreno Leiva

@insecurechile

http://globalsecure.academy

http://globalsecure.academy

PWN Linkedin 2014 sesión 29 Abril

Pwn phone2014 jrs

Pwn the Pwn Plug - DEF CON...Pwn the Pwn Plug: Analyzing and Counter-Attacking Attacker-Implanted Devices Wesley McGrew Assistant Research Professor Mississippi State University Center

How I “Pwn” Your Network

Financial Marketing for SMBs - PWN 150424

Abusing GDI for ring0 exploit primitives ... - Zeronights 2017 · - In September 2016 (Ekoparty), Diego Juarez (Pnx) and I presented memory leaks and improvements at ”Abusing GDI

Java vulnerabilities write once, pwn anywhere

Exploit Kit - IWSEC · Exploit Kit Drive-by Download Exploit Kit Exploit Kit MWS2015 Improving Cyber Attack Detection System To Adopt The Changing Of Exploit Kit ... Angler Exploit

Explore-Exploit Graph Traversal for Image Retrievalopenaccess.thecvf.com/content_CVPR_2019/papers/Chang_Explore-Exploit... · tween exploit and explore steps. The exploit step maxi-mally

To pwn a believer?

Slides taller ekoparty

Presentatie reparatie zinker PWN

Balancing the Pwn Trade Deficit - Black Hat Briefings · Balancing the Pwn Trade Deficit ... He's currently focused on Pen testing, Exploit Development, Reverse Engineering, ... reverse

PWN Marseille-Provence 2012 - 2014

Custom Power Pwn

Genetyka molekularna - Piotr Węgleński PWN

PWN Prior Written Notice

pwn sp evol

Pwn the SAT

PWN Stockholm Network Profile Analysis, 2015

Księgarnia PWN: Andrzej Białynicki-Birula - Algebra

Presidenta PWN Madrid

Prior Written Notice (PWN) - ASEC Compliance 14... · • A prior written notice (PWN) is required whenever the ... Points of Clarification • The PWN for an IEP documents the actions

Getting fun with Frida-Ekoparty-21-10-2016 - Core Security · language and inject C/C++ code ... FridaExtract is a Frida.re based RunPE extraction ... Getting fun with Frida-Ekoparty-21-10-2016

Pwn Plug R2 User Manual

Pwn zelfverklaring 28 08 2012

PWN Presentation 3/26/13

IRFZ44N Modulador de PWN

Exploiting A/B Testing Ekoparty 2016 Slides

ekoparty 2009 - Attacking SS7 v6.key

Poznaj i pokonaj problem - PWN

PWN Romania Press · PDF filePWN Romania Press Clippings PWN Romania Conference Gender Diversity 3rd November 2015 PWN Romania 12/4/2015 . ... Romania, cea mai mare scadere din UE

Bandpass PWN PA

Shoulder Surfing 2.0 Old school techniques made easy ekoparty 2013

Magazine Rico Pwn Definitief