SITCH

GSM/Cellular Anti-Surveillance

I assume that you:

  • Are interested in privacy technology
  • Have some basic Linux sysadmin skills, and a grasp of TCP/IP

Assume that I:

  • Have a background in network engineering, security tools, and integration
  • Have 2 years as a GSM/cellular hobbyist

Terminology

  • BTS
    • The transceiver equipment that your phone talks to
  • ARFCN
    • Channel within a GSM band
  • IMSI
    • International Mobile Subscriber ID
    • Serial number in your SIM card
    • Tied to your account with ${CELL_SERVICE_PROVIDER}

Terminology (BTS Metadata)

  • MCC
    • Mobile Country Code
  • MNC
    • Mobile Network Code
  • LAC
    • Location Area Code
  • CI
    • Cell ID

Terminology (BTS Metadata)

  • LAI
    • Location Area ID
    • MCC + MNC + LAC
    • Think of this like a subnet
  • CGI
    • Cell Global ID
    • MCC + MNC + LAC + CI
    • Think of this like an IP address

GSM Addressing

[Figure: GSM Addressing]

SITCH

  • What's the big idea?
    • Technical Surveillance Countermeasures (TSCM)
    • NIST SP 800-53r4, RA-6 (interval-based) [1]
    • Continuous monitoring for GSM networks

SITCH

  • Built to:
    • Detect Man-in-the-Middle (MITM) attacks on cellular networks
    • Detect GPS Spoofing attacks
    • Scale easily to many sensors
    • Be easy to manage, no matter the sensor placement

Cellular MITM attacks

  • Costs < $600 to build an Evil BTS [2]
  • Small, easy to conceal (fits in a shoebox)
  • Easiest path is to conduct a 2G downgrade attack.
    • Phone prefers whatever is loudest
    • 2G protocol is easiest for MITM
  • Femtocells have been shown to be vulnerable to compromise [3]

GPS Spoofing attacks

  • Why care?
    • Convenience unlocking features
    • Cheat at Pokemon Go
    • UAV control
    • Time servers can use GPS for time sync

Detecting GSM/Cellular Attacks

  • Signal strength (ARFCN)
  • BTS metadata (CGI)
    • Bad BTS metadata (invalid MCC, for instance)
    • Duplicate BTS (detected in two geographic regions)

Detecting GPS Attacks

  1. Establish an anchor point on sensor boot
  2. Alert if the distance between the anchor and any subsequent measurement is > x
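
The checks on the two detection slides above (ARFCN power, bad or duplicated BTS metadata, GPS anchor drift), written out as an added Python example; this is not SITCH's own code. The feed entry, the MCC allow-list, the thresholds and every function and field name are assumptions made for illustration.

```python
"""Illustrative sketch of the detection-slide checks (not SITCH's own code)."""
from math import asin, cos, radians, sin, sqrt

# Constructed sample feed: CGI (MCC:MNC:LAC:CI) -> (lat, lon) of the known tower.
FEED = {"310:260:1201:4471": (37.7793, -122.4193)}
# Assumed allow-list of country codes for the region the sensors are deployed in.
VALID_MCC = {"310", "311", "312", "313", "316"}


def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def gps_alerts(anchor, fix, max_km=1.0):
    """Alert when a fix is more than max_km (the slide's x) from the boot anchor."""
    d = km_between(anchor, fix)
    return [f"gps: fix is {d:.1f} km from anchor"] if d > max_km else []


def bts_alerts(obs, sensor_pos, feed=FEED, max_power=-50, max_km=35.0):
    """Check one observed BTS. obs keys: mcc, mnc, lac, ci, arfcn, power.

    Power units depend on the scanner; the threshold here is a constructed value.
    """
    alerts = []
    cgi = ":".join(str(obs[k]) for k in ("mcc", "mnc", "lac", "ci"))
    if str(obs["mcc"]) not in VALID_MCC:
        alerts.append(f"bts: invalid MCC in CGI {cgi}")
    site = feed.get(cgi)
    # Same CGI heard far from where the feed places it: duplicate BTS.
    if site and km_between(site, sensor_pos) > max_km:
        alerts.append(f"bts: CGI {cgi} seen far from its feed location")
    if obs["power"] > max_power:
        alerts.append(f"arfcn: {obs['arfcn']} power {obs['power']} over threshold")
    return alerts


if __name__ == "__main__":
    sensor = (37.7749, -122.4194)  # constructed sensor position
    rogue = {"mcc": "001", "mnc": "01", "lac": 1, "ci": 1, "arfcn": 512, "power": -40}
    for line in bts_alerts(rogue, sensor) + gps_alerts(sensor, (37.8044, -122.2712)):
        print(line)
```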

Scale Out Easily

  • Rapid initial deploy
    • Image and install SD card
    • Mount/place sensor

Configuration and Ongoing Management

  • Central configuration
    • Everything driven by environment variables in Resin.io
  • Hands-off updates
    • git push resin master
    • All devices update automatically
  • All telemetry flows up to Elasticsearch-Logstash-Kibana (ELK) stack.

SITCH Sensor Update Workflow

[Figure: SITCH Update Workflow]

How SITCH Works

[Figure: SITCH Architecture]

SITCH Service Setup

https://github.com/sitch-io/demo

SITCH Sensor Setup

https://github.com/sitch-io/sensor

What now?

  • Sensor startup process
  • Confirming event flow
  • Slack alerts
  • Dashboards!

SITCH Sensor Startup Process

  1. Get config from environment vars
  2. Auto-detect USB devices (GSM, GPS)
  3. Get secrets from Vault
  4. Update feed files, merge with DB (First boot takes a while...)
  5. Start Filebeat
  6. Start threads

Confirming event flow

[Figure: SITCH Events in Kibana]

Slack alerts

  1. Set the ARFCN power threshold low
  2. Confirm alerts
  3. Set better threshold

Dashboards

[Figure: SITCH Dashboard]

Dashboards

Query language is regex-ish

[Figure: SITCH Dashboard]

Dashboards

[Figure: SITCH Dashboard]

Future plans

  • GSM Modem:
    • LAI out of range, LAI traversal
  • SDR:
    • Multi-SDR, Track 3G, 4G-LTE BTSes
  • Service:
    • HA, better storage infrastructure
    • Bundled dashboards
    • Auto-configured TSDB-based monitoring/alerting

Thanks!!!

SIM cards donated by Hologram.io

https://hologram.io

References

  1. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
  2. https://evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/
  3. https://www.youtube.com/watch?v=gfcq8clu1RI
