SITCH: Inexpensive, coordinated GSM anomaly detection
About Me
• 2000: Technology career started (I can get paid for this??)
• 2003: Started building with Linux
• Came to infosec through systems and network engineering, integration
• Security tools and integration (SIEM, HIDS, etc…)
• Current: R&D
About You
• Background in systems and network engineering
• Interested in GSM threat detection
• Tinfoil hat not required… but not unwelcome!
“Thoughts and opinions expressed are my own. If you take anything away from this talk and act on it, I’m not responsible if you go to jail, become a pariah, or your dog stops liking you. Know the laws you’re subject to and operate accordingly.”
– Ashmastaflash
What We’re Covering Today
• Why Care?
• Current Threat and Detection Landscape
• Project Goals
• SITCH: MkI
• SITCH: MkII
• Service Architecture
• Future Plans
• Prior Art
• Q&A
Why Care?
• Invasions of privacy are bad, even when they’re unnoticed.
• Industrial espionage costs money and jobs.
WTF Is Under All That??
Is Anybody Home?
Terminology
• Software Defined Radio (SDR): Using software to perform signal processing in concert with an adjustable-frequency RF receiver
• ARFCN: Absolute Radio Frequency Channel Number
• BTS: Base Transceiver Station
• CGI: Cell Global ID (MCC + MNC + LAC + CI)
• MCC: Mobile Country Code
• MNC: Mobile Network Code
• LAC: Location Area Code
• CI: Cell ID
• IMSI: International Mobile Subscriber Identity
GSM Addressing
Threat and Detection Landscape
• Malicious Devices
• Indicators of Attack
• Existing Detection Methods
Hacked Femtocell
Trusted part of provider’s network
Your phone doesn’t know it’s evil
Evil BTS
Handset will automatically associate, unable to assert trustworthiness
Indicators of Attack
• ARFCN over threshold
• ARFCN outside forecast
• Unrecognized CGI
• Gratuitous BTS re-association
• BTS detected outside of range
Detection Methods
• Commercial Options:
  • Pwnie Express
  • Bastille Networks
• Open Source:
  • Fake BTS
  • AIMSICD
  • Femto Catcher
Project Goals
• Inexpensive (what can I get for $100?)
• Small footprint, low power requirements preferred
• Functional Targets: Indicators of Attack (IOA) Coverage
• Centrally managed software and configuration
Raspberry Pi 2
logarithmic antenna
Odroids
  C1+
  XU4
galaxy of
  RED
  BLUE
  GREEN
  ORANGE
Intel NUC
Intel Edison
GSM Modem
RTL-SDR
I didn’t really *need* all of this…
SITCH: Situational Information from Telemetry and Correlated Heuristics
SITCH Sensor MkI
MkI Results

| Targets | MkI Coverage |
|---|---|
| ARFCN over threshold | YES |
| ARFCN outside of forecast | YES |
| Unrecognized CGI | NO |
| Gratuitous BTS re-association | NO |
| BTS detected outside of range | NO |
| Price | ~$100 |
Releasing MkI?
No.
What’s wrong with MkI?
Start Demo Here!
• Confirm device registration
• Image download starts
Deployment Pipeline
Service-Side Software

| Tool | Purpose |
|---|---|
| Logstash | Inbound information processing, alert delivery |
| Elasticsearch | Scan document retention |
| Carbon/Graphite | Time-series database, statistical analysis of time-series data |
| Kibana | Browse scans |
| Tessera | Dashboard for Graphite |
| Graphite Beacon | Alert generation |
| Vault | Secret management |
| Resin | Software deployment |
| Slack | Notifications |
SITCH Service Architecture
SITCH Intelligence Feed
• OpenCellID Database:
  • MCC, MNC, Lat, Lon, Range
• Twilio:
  • MCC, MNC, CarrierName
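The feed is what turns raw scan records into the indicators of attack listed earlier. As an added example (not code from the SITCH project), this Python correlates constructed scan records against a constructed OpenCellID-style feed and raises the five indicators from the MkII target list; the sensor position, power threshold, forecast band and re-association window are assumptions.

```python
# Added example, not code from the SITCH project: correlate GSM scan records
# against an OpenCellID-style feed to raise the deck's indicators of attack.
# The feed rows, scan records, sensor position and thresholds are constructed.
from math import asin, cos, radians, sin, sqrt

# Constructed OpenCellID-style feed: CGI (MCC-MNC-LAC-CI) -> (lat, lon, range_m)
KNOWN_CELLS = {
    "001-01-100-1": (37.7749, -122.4194, 1500),
    "001-01-100-2": (37.7790, -122.4100, 500),
}
SENSOR_POS = (37.7760, -122.4180)  # assumed sensor lat/lon
POWER_THRESHOLD_DBM = -50          # assumed "ARFCN over threshold" cutoff
FORECAST_SIGMAS = 3.0              # assumed forecast band, in std devs
MIN_HISTORY = 5                    # samples needed before forecasting
REASSOC_WINDOW, REASSOC_LIMIT = 10, 3  # serving-cell changes tolerated per window


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000 * asin(sqrt(h))


def cgi(rec):
    """Cell Global ID as the deck defines it: MCC + MNC + LAC + CI."""
    return f"{rec['mcc']}-{rec['mnc']}-{rec['lac']}-{rec['ci']}"


class Detector:
    def __init__(self):
        self.power = {}      # arfcn -> past power readings (dBm)
        self.serving = []    # recent serving-cell CGIs, newest last

    def check(self, rec):
        """Return the indicator names triggered by one scan record."""
        alerts = []
        key = cgi(rec)
        if key not in KNOWN_CELLS:
            alerts.append("unrecognized_cgi")
        else:
            lat, lon, cell_range = KNOWN_CELLS[key]
            # Feed says the tower covers cell_range metres; we should be inside it.
            if haversine_m(SENSOR_POS, (lat, lon)) > cell_range:
                alerts.append("bts_outside_range")
        if rec["power_dbm"] > POWER_THRESHOLD_DBM:
            alerts.append("arfcn_over_threshold")
        past = self.power.setdefault(rec["arfcn"], [])
        if len(past) >= MIN_HISTORY:
            # Forecast = mean of past readings; flag readings far outside the band.
            mean = sum(past) / len(past)
            std = sqrt(sum((p - mean) ** 2 for p in past) / len(past))
            if abs(rec["power_dbm"] - mean) > FORECAST_SIGMAS * max(std, 1.0):
                alerts.append("arfcn_outside_forecast")
        past.append(rec["power_dbm"])
        if rec.get("serving"):
            self.serving.append(key)
            window = self.serving[-REASSOC_WINDOW:]
            changes = sum(1 for a, b in zip(window, window[1:]) if a != b)
            if changes > REASSOC_LIMIT:
                alerts.append("gratuitous_reassociation")
        return alerts
```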
SITCH Sensor MkII
Return to Demo!
• Slack alerts
• Tessera graphs
• Kibana scan search
• Resin logs
MkI, MkII Summary

| Targets | MkI Coverage | MkII Coverage |
|---|---|---|
| ARFCN over threshold | YES | YES |
| ARFCN outside of forecast | YES | YES |
| Unrecognized CGI | NO | YES |
| Gratuitous BTS re-association | NO | YES |
| BTS detected outside of range | NO | YES |
| Price | ~$100 | ~$150 |
Going Forward
• Automatic device detection
• Device and service heartbeats
• Gnuradio = pure SDR:
  • GR-GSM
  • ADS-B
  • FPV drone
• Dedicated radios:
  • Ubertooth One
  • YARD Stick One
Prior Art
• DIY Cellular IDS (Davidoff, Fretheim, Harrison, & Price, Defcon 21)
• Traffic Interception and Remote Mobile Phone Cloning with a Compromised Femtocell (DePerry, Ritter, & Rahimi, Defcon 21)
• Introduction to SDR and the Wireless Village (DaKahuna & Satanklawz, Defcon 23)
• http://fakebts.com - Fake BTS Project (Cabrera, 2014)
• How to Build Your Own Rogue GSM BTS for Fun and Profit (Simone Margaritelli)
• Gnuradio (many)
• Gr-gsm (Krysik, et al.)
• Kalibrate (thre.at)
THANKS!
• John Menerick
• Gillis Jones
• Christian Wright
• Dave Doolin
• Silent Contributors…
Q&A
#OMW2 Scan Your GSM