How To Find And Hack Various GSM-Devices: From Children's Watches To Industrial Controllers

Transcription

How to find and hack various GSM devices: from children's watches to industrial controllers
Aleksandr Kolchanov

About me
- Independent researcher
- GSM-devices fanboy
- Telecom fanboy
- I will mix it today

Plan for this talk
- Types of devices
- Hacking methods
- Several examples
- Reasons to hack
- Easy to hack, hard to find

Types of devices

GSM-alarms
- Uses detectors
- Makes the call when someone opens a door or window
- Uses small microphone
- Can be configured remotely

GSM-electric sockets
- Uses SMS or calls to switch on/off
- Can be configured remotely

GSM-smart home controllers
- Can control different devices
- Uses SMS, calls or apps to be managed
- Can be configured remotely

Kaspersky Industrial Cybersecurity Conference 2019

Types of devices

Industrial controllers
- Are close to a home controller, but have more features
- Different control methods

Access control systems
- Uses SMS or calls to open or close door or gate
- Can be configured remotely

GSM-trackers
- Collects information about location, etc.
- Some models can be configured remotely

Smartwatches for kids
- Like a mobile phone, but with additional control
- Can use microphone
- Can be configured remotely

Reasons to hack
- Direct attack (silently open door)
- Using microphones to overhear someone
- Destroy property (explosions)
- Terrorism
- Political events
- Financial attacks
- Botnets for spam
- Reverse attack on accounts
- Penetration in a system
- Some funny ideas

Big problem: thousands of devices have dozens of points of failure

They can die (or be hacked) somewhere here:

Diagram: physical environment (building) containing detectors, controller, modem, connected devices, keys, keypads and magnets, with the "scary outside world" beyond it.

...or there:

Diagram: modem of alarm, base station, mobile network, dozens of services of the mobile operator, mobile operator employees, online configuration tools, security companies, user's device, and "magic".

Attack on environment
- Break the wall
- Break the window or door without opening
- Smash main unit quickly
- Bypass detectors (magnets, Faraday cage)
- Jamming

Attack on connection
- Jamming the connection modem - base station
- Attacks on mobile networks
- Spend all money in account or change tariff
- Block SIM-card
- Flood with calls
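Jamming, a blocked SIM, an emptied account and a call flood all look the same from the monitoring side: the panel goes quiet. A panel that only dials out when a detector trips gives no sign of this, so the usual mitigation is a periodic test report (heartbeat) that a receiver supervises. The following is an added example, not code from the talk, of such a supervision check. The device ids, timestamps, the receiver log format and the 5-minute interval are constructed assumptions.

```python
"""Heartbeat supervision for GSM alarm panels (added example, not from the talk).

A receiver cannot see a jammer, a blocked SIM or an empty account, but it can
notice that a panel's periodic test report stopped arriving and raise a
supervision alarm. Log format, device ids and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

HEARTBEAT_INTERVAL = timedelta(minutes=5)  # assumed panel reporting interval
GRACE = timedelta(minutes=2)               # allow for network delay before alarming


@dataclass(frozen=True)
class Heartbeat:
    device_id: str
    received_at: datetime


def parse_heartbeats(lines):
    """Parse '<ISO timestamp> <device id> <event>' receiver log lines, keeping heartbeats."""
    beats = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, dev, kind = line.split()
        if kind != "HEARTBEAT":
            continue  # alarms and other events are handled elsewhere
        beats.append(Heartbeat(dev, datetime.fromisoformat(ts)))
    return beats


def supervision_status(beats, known_devices, now,
                       interval=HEARTBEAT_INTERVAL, grace=GRACE):
    """Return {device_id: 'ok' | 'late' | 'lost' | 'never-reported'}.

    'late': one interval missed (transient congestion, panel still retrying).
    'lost': two or more intervals missed; raise a supervision alarm and treat
            as possible jamming, SIM block, empty account or power loss.
    """
    last = {}
    for b in beats:
        if b.device_id not in last or b.received_at > last[b.device_id]:
            last[b.device_id] = b.received_at
    status = {}
    for dev in known_devices:
        if dev not in last:
            status[dev] = "never-reported"
            continue
        age = now - last[dev]
        if age <= interval + grace:
            status[dev] = "ok"
        elif age <= 2 * interval + grace:
            status[dev] = "late"
        else:
            status[dev] = "lost"
    return status


# Constructed receiver log: PANEL-B missed one report, PANEL-C stopped at 10:00,
# PANEL-D is enrolled but has never checked in.
RECEIVER_LOG = """
2019-09-18T10:00:05 PANEL-A HEARTBEAT
2019-09-18T10:00:07 PANEL-B HEARTBEAT
2019-09-18T10:00:09 PANEL-C HEARTBEAT
2019-09-18T10:05:04 PANEL-A HEARTBEAT
2019-09-18T10:05:08 PANEL-B HEARTBEAT
2019-09-18T10:10:06 PANEL-A HEARTBEAT
2019-09-18T10:10:06 PANEL-A ALARM
2019-09-18T10:15:05 PANEL-A HEARTBEAT
"""
KNOWN_DEVICES = ["PANEL-A", "PANEL-B", "PANEL-C", "PANEL-D"]


def check_now(now=datetime(2019, 9, 18, 10, 16, 0)):
    """Run supervision over the constructed log at the given time."""
    return supervision_status(parse_heartbeats(RECEIVER_LOG.splitlines()),
                              KNOWN_DEVICES, now)


if __name__ == "__main__":
    for dev, state in sorted(check_now().items()):
        print(f"{dev}: {state}")
```

The receiver cannot tell jamming from a power cut or a blocked SIM; the point is that every one of those attacks now produces an alert within two reporting intervals instead of silently disabling the panel, and the operator can dispatch or call the owner over an independent channel.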

Attacks on device
- Caller ID check
- SMS sender check
- Bruteforce
- Default passwords, stolen passwords
- Lack of authorization
- Online configurators
- Hidden commands and passwords
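The first five items on this slide are one design flaw seen from different sides: the device treats the reported sender number as proof of identity, ships with a default password, and never limits failed attempts. The following is an added example, not code from the talk or from any vendor, that models an SMS command handler in its weak form next to a hardened one. The phone numbers, the stand-in default password, the command set and the message format are constructed assumptions.

```python
"""SMS command authentication for a GSM controller: weak vs hardened (added example).

Models the device-side checks the talk lists as attack surface: trusting the
SMS sender / Caller ID, a factory-default password and unlimited retries.
Numbers, secrets, commands and message format are constructed.
"""
import hmac
from dataclasses import dataclass, field

OWNER_NUMBER = "+70000000001"       # constructed
FACTORY_DEFAULT_SECRET = "1234"      # constructed stand-in for a vendor default
COMMANDS = {"ARM", "DISARM", "STATUS", "RELAY_ON", "RELAY_OFF"}
MAX_FAILURES = 5


# --- Weak: sender check only ------------------------------------------------
def weak_handle(sender: str, body: str) -> str:
    """Authorize purely on the reported sender number.

    The sender field is not a secret and is not verified by the device, so this
    is an identity hint, not authentication; any message that arrives with the
    owner's number as sender is obeyed.
    """
    if sender != OWNER_NUMBER:
        return "REJECTED"
    cmd = body.strip().upper()
    return f"OK {cmd}" if cmd in COMMANDS else "UNKNOWN"


# --- Hardened ---------------------------------------------------------------
@dataclass
class DeviceState:
    secret: str                       # per-device secret set by the owner
    allowed_senders: set = field(default_factory=set)
    failures: int = 0
    locked: bool = False
    log: list = field(default_factory=list)


def hardened_handle(state: DeviceState, sender: str, body: str) -> str:
    """Command format (constructed): '<secret> <COMMAND>'.

    - Refuses every command while the factory-default secret is still set.
    - Requires an allow-listed sender AND the secret: the list limits exposure,
      the secret provides the actual authentication.
    - Compares the secret in constant time; locks out after MAX_FAILURES.
    - Accepts only the documented command set, so there is nothing hidden.
    """
    if state.secret == FACTORY_DEFAULT_SECRET:
        state.log.append("refused: factory default secret still set")
        return "REJECTED"
    if state.locked:
        state.log.append(f"locked: dropped message from {sender}")
        return "LOCKED"
    if sender not in state.allowed_senders:
        state.log.append(f"unknown sender {sender}")
        return "REJECTED"
    parts = body.strip().split(maxsplit=1)
    if len(parts) != 2:
        return "REJECTED"
    supplied, cmd = parts[0], parts[1].upper()
    if not hmac.compare_digest(supplied, state.secret):
        state.failures += 1
        state.log.append(f"bad secret from {sender} ({state.failures}/{MAX_FAILURES})")
        if state.failures >= MAX_FAILURES:
            state.locked = True
            state.log.append("lockout: too many failures, notify owner")
        return "REJECTED"
    state.failures = 0
    if cmd not in COMMANDS:
        return "UNKNOWN"
    state.log.append(f"executed {cmd} for {sender}")
    return f"OK {cmd}"


def demo():
    """Exercise both handlers on constructed messages; returns results and final state."""
    results = {}
    results["weak_owner"] = weak_handle(OWNER_NUMBER, "disarm")
    fresh = DeviceState(secret=FACTORY_DEFAULT_SECRET, allowed_senders={OWNER_NUMBER})
    results["default_secret"] = hardened_handle(fresh, OWNER_NUMBER, "1234 DISARM")
    st = DeviceState(secret="k7Q-example-secret", allowed_senders={OWNER_NUMBER})
    results["good"] = hardened_handle(st, OWNER_NUMBER, "k7Q-example-secret STATUS")
    results["wrong_sender"] = hardened_handle(st, "+70000000002", "k7Q-example-secret STATUS")
    for _ in range(MAX_FAILURES):
        results["guess"] = hardened_handle(st, OWNER_NUMBER, "0000 DISARM")
    results["after_lockout"] = hardened_handle(st, OWNER_NUMBER, "k7Q-example-secret STATUS")
    return results, st


if __name__ == "__main__":
    res, state = demo()
    for k, v in res.items():
        print(f"{k}: {v}")
    print("\n".join(state.log))
```

The lockout is deliberately blunt: after five bad secrets the device stops acting on SMS until the owner clears it locally, and the log entry is what a monitoring app or security company should surface. Keeping the sender allow-list alongside the secret is still worthwhile, since it reduces the population that can even attempt a guess, but on its own it is the "Caller ID check" the slide lists as a weakness.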

Attack on other systems
- Insecure security agency
- Old protocols
- Attacks on family/employees
- Phishing
- Spoofed reverse call from device
- Reverse-attacks on mobile operator

Home devices
- Thousands (or millions) of devices
- Easy to research
- Easy to hack
- A bit hard to find
- Can be used to steal private information

Industrial devices
- Are not so widespread as home devices
- Not so easy, not so hard to hack
- Harder to hack
- Hard to find
- Can be more profitable

Targets

Individual person
- Target is an individual person
- Several facts are usually available
- Devices are common
- Several people can manage the device

Individual company
- Target is a company or a part of a company
- Can be very hard to find device phones and control phones
- May use uncommon and expensive devices

Unspecified (massive attack)
- Find as many as possible
- Hack all devices
- Expenses/profit balance
- Automatization and "big data"

Big problem for hackers: it is easy* to hack devices, but how to find targets?

IP-addresses vs phone numbers

IP-addresses
- We can have 4 294 967 296 IPv4 addresses at all
- We can scan fast
- We can do it cheap
- We have actual databases

Phone numbers
- We can have more than 999 999 999 numbers only in Russia
- No public database
- Scanning is expensive
- Scanning is slow

Mass "Scanning"
1) Making calls to all phone numbers (yes, it sounds terrible)
2) Record answers
3) Try to get some information from answers
4)
5) Hack and get profit (or go broke)

Results:
- More than a million roubles spent
- Collected information about thousands of active* devices
- Maybe some organisations will try to understand what is happening
- Money burned in small regions

Idea: using different methods to get information about phone numbers of devices and reduce the time for an attack

Groups of phone numbers

Confirmed
- Used for required type of device
- Ready to be hacked, yeah

Unconfirmed
- Can be used for a device
- Can be used for anything

Removed
- Used in mobile phones
- Used in IVR systems
- Abandoned
- Are not sold

Numbers recycling problem
- Mobile operators deactivate numbers abandoned for 2-3-6 months
- We can't blindly believe old information: the owner can have changed

Select new number service
- Get information about definitely unused numbers
- Remove previous information

Mobile operators API answers
- Mobile operators' systems can have a special API which can be used to check whether a number is in use or not
- Errors, different answers
- Unused numbers can be removed from the list

Companies databases and anti-spam databases
- Several apps (like 2GIS, on the right) allow getting information about phone numbers
- Attackers can download these databases and remove companies' phone numbers from the list
- Also, an anti-spam database can contain information about numbers that will be released soon

Spam databases
- Spam databases contain information about thousands of active phone numbers
- Attackers can buy/steal/get these databases and remove all active numbers from the list

Leaked databases
- Sometimes it is possible to get a database with information about millions of users
- Attackers can try to select active numbers and remove these numbers from the list

Unauthorized access to mobile operators' databases
According to information from several public sources, it is possible to pay a small bribe and get access to info from a mobile operator's database:
- It is possible to get info about subscribers' phone numbers
- Information about regular calls can be used to find the device and the phone numbers of the family

GetContact and similar apps
- Several applications can show a phone number with the related name from a contact list
- Attackers can try to select active numbers and remove these numbers from their database
- Also, it can be interesting to find phones with names like "Alarm", "Home", "Car", "Datcha", etc.

Slide: phone numbers and passwords; a useful app to control devices

Direct search
Usually, we know something: address, names, phone numbers
- Bribes are still useful (it is not a suggestion)
- Antennas
- Fake base stations
- Social engineering
- Phishing
- Insecure security agency

Security companies
- Promotion is important
- Vendors can show information about clients
- Security agencies can show examples of projects
- Some companies show a full list of clients

Conclusion
- It is not so hard to find devices
- Several models are totally insecure
- Industrial devices are not widespread, but you can find some
- The security level of mobile operators is questionable

Thank you,
Aleksandr Kolchanov, pyrk1@yandex.ru
