Archive for the 'Physical Security & Pentesting' Category


IN FEBRUARY 2014, the US ambassador to Ukraine suffered an embarrassing leak. A secret conversation between him and US Assistant Secretary of State Victoria Nuland got posted to YouTube, in which Nuland spoke disparagingly about the European Union.

The conversation occurred over unencrypted phones, and US officials told reporters they suspected the call was intercepted in Ukraine, but didn’t say how. Some people believe it occurred using vulnerabilities in a mobile data network known as SS7, which is part of the backbone infrastructure that telecoms around the world use to communicate between themselves about how to route calls and text messages.


A little-noticed report released by the Ukrainian government a few months after the leak gives credence to this theory. Although the report didn’t mention the ambassador, it revealed that for three days in April that year, location data for about a dozen unidentified mobile phone customers in Ukraine got mysteriously sent to a Russian telecom using SS7 vulnerabilities. Text messages and phone calls of some of those customers also got diverted to Russia, where someone could have eavesdropped on the conversations and recorded them.

The telecom industry has known for years that SS7 is vulnerable to spying, but did little about it because many assumed the risks were theoretical. This changed in the wake of the Ukrainian incidents, says Cathal McDaid, head of the threat intelligence unit for AdaptiveMobile, a mobile telecom security firm. His company and others devised ways to detect SS7 attacks, and since then they have discovered suspicious activity in the networks of multiple telecom customers, suggesting that SS7 attacks are very much real, and ongoing. AdaptiveMobile released a report in February highlighting some of those attacks.


SS7 is just now getting more public attention because of a 60 Minutes piece last week, which showed two German researchers using SS7 to spy on US Congressman Ted Lieu, with his permission. Lieu has called for a congressional hearing to look into SS7 vulnerabilities, and the Federal Communications Commission has plans to examine it, too.


So what is SS7 and why is it so vulnerable?


SS7, also known as Signaling System No. 7, refers to a data network, and the series of technical protocols or rules that govern how data gets exchanged over it. It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it’s a separate administrative network with a different function. Think of it like a passenger train system: SS7 is the maintenance tunnels workers use rather than the main tunnels through which passenger trains travel.
SS7 is often used now to set up roaming so that when you travel, say, from New York to Mumbai, you can make and receive calls and texts outside your carrier’s range. An outside carrier will send a request to your carrier via SS7 to obtain your phone’s unique ID to track your device, and also request that your communications be redirected to its network so that it can deliver calls and text messages to you. It’s a way of making sure calls and messages are delivered between networks.

The Problem


The problem is that SS7 is based on trust. Any request a telecom receives is considered legitimate. Therefore anyone with access to a server or gateway on the SS7 network can send a location or redirect request to your telecom for purposes of roaming, and the telecom will likely comply, even if the roaming request comes from St. Petersburg or Mumbai and you and your phone are in New York.


This makes it possible for a remote attacker to spy on lawmakers, corporate executives, military personnel, activists and others. It should be noted that in grabbing your texts and calls in this way, an attacker will also be able to grab your two-factor authentication log-in codes that Gmail and other services send via text so you can access your accounts. An attacker who already knows the username and password for an account can intercept these codes before you receive them in order to log in to your accounts.




Who has access to SS7?


Hundreds of telecoms around the world use it. Government intelligence agencies can also gain access to the network, either with the permission of telecoms or not. Commercial companies also sell SS7 phone tracking services to governments and other customers. Criminal groups able to purchase access from corrupt telecom workers can also use SS7, as can hackers who hijack unsecured SS7 equipment.

It wasn’t until December 2014 that telecoms began to implement ways to thwart SS7 attacks. That’s when Karsten Nohl of the Berlin-based Security Research Labs and an independent researcher named Tobias Engel gave presentations about SS7 at the Chaos Communication Congress in Germany, months after the Ukrainian incidents were discovered. Engel had demonstrated an SS7 method for tracking phones in 2008, but that method wasn’t as refined as the ones he and Nohl described in 2014. The latter prompted regulators in Northern Europe to demand that carriers there implement measures to mitigate SS7 attacks by the end of 2015.




How Exactly Can SS7 Be Hacked to Track You?


To track you, an attacker could send what’s called an Anytime Interrogation request to your carrier to get the unique ID of your phone and identify which mobile switching center (MSC) your phone uses—usually one MSC covers an entire city. Carriers use this information to determine your location to route your calls and messages through the cell tower closest to you. By sending repeated Anytime Interrogation requests to get this and your GPS coordinates, an attacker can track your phone, and you, to the street block where you are standing, using Google maps.


Carriers could thwart this by blocking Anytime Interrogation requests coming from outside their boundaries, Nohl says. But there are other ways to get location information using different queries via SS7, and these are not as easily blocked, he says.




In Depth


In mobile networks, subscribers are identified by the international mobile subscriber identity (IMSI), which is considered confidential information.


This attack is based on requesting the Mobile Switching Center (MSC) Visitor Location Register (VLR) address, and the IMSI. The request is part of the SMS delivery protocol, which allows the source network to receive information about the subscriber’s location for further routing of the message. The initial data includes the target subscriber number.


In case of successful exploitation, an attacker obtains the following data:

+ Subscriber’s IMSI

+ Servicing MSC/VLR address

+ Home Location Register (HLR) address where the subscriber’s account data is located


The MSC/VLR address will determine the subscriber’s location down to the regional level. Moreover, the intruder can use the obtained data in more complex attacks.







Discovering a subscriber’s location


Received data is commonly used for real-time tariffing of the subscriber’s incoming calls. The initial data is the IMSI and current MSC/VLR address.


The intruder obtains the CGI, which consists of:


+ Mobile Country Code (MCC)

+ Mobile Network Code (MNC)

+ Location Area Code (LAC)

+ Cell Identity (CID)



There are a number of services available on the Web that allow determining a base station’s location using these identifiers. In cities and urban areas, the accuracy of a subscriber’s location can be determined within a few hundred meters.




Intercepting incoming SMS messages


After registering the subscriber with the fake MSC/VLR, SMS messages intended for the subscriber are instead sent to the attacker’s host.

The attacker is able to:


+ send a confirmation that the message was received (it will look to the sender as if the message was delivered)

+ re-register the subscriber to the previous switch so that he/she also gets the message

+ send a confirmation to the sender, re-register the subscriber to the previous switch and send him/her an altered message



The attack can be used to:


+ steal one-time mobile banking passwords delivered as SMS messages

+ intercept or recover passwords used for various internet services (email, social networks, etc.)





Intercepting outgoing calls


An attacker substitutes the billing platform address in the subscriber’s profile with the address of their own equipment. When the subscriber makes a call, the billing request, along with the number of the destination subscriber, is sent to the attacker’s equipment. The attacker can then redirect the call and create a three-way (destination subscriber, calling subscriber and the attacker) conference call.







What Can Be Done?


That kind of attack should be easy to thwart with an algorithm that knows it’s illogical for a subscriber to move back and forth between the US and Germany every five minutes. “But, again, nobody has implemented these smart checks,” Nohl says.
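A minimal version of the two carrier-side checks the article describes (the boundary filter on Anytime Interrogation requests Nohl mentions earlier, and the "smart check" on implausible subscriber movement quoted here), written as an added example rather than code from the article, AdaptiveMobile or any carrier; the global titles, MSC coordinates, log format, IMSI and speed threshold are all constructed.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

HOME_GT_PREFIX = "1555"   # constructed: the home network's own global-title range
MAX_SPEED_KMH = 1000.0    # faster than this between two serving VLRs is implausible
VLR_COORDS = {            # constructed VLR global titles -> (lat, lon) of the serving MSC
    "15551000": (40.71, -74.01),  # New York, home network
    "49301000": (52.52, 13.40),   # Berlin, roaming partner
}

@dataclass
class Msg:
    ts: int           # seconds since epoch
    op: str           # MAP operation name
    origin_gt: str    # global title of the node that sent the request
    imsi: str
    vlr_gt: str = ""  # new serving VLR (updateLocation only)

def parse(line):
    # constructed log format: "ts op origin_gt imsi [vlr_gt]"
    p = line.split()
    return Msg(int(p[0]), p[1], p[2], p[3], p[4] if len(p) > 4 else "")
def km(a, b):
    # great-circle distance between two (lat, lon) points (haversine formula)
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def check(lines):
    """Return (ts, imsi, reason) alerts for foreign ATI requests and implausible moves."""
    alerts, last = [], {}  # last: imsi -> (ts, vlr_gt) of the latest accepted location
    for m in map(parse, lines):
        if m.op == "anyTimeInterrogation" and not m.origin_gt.startswith(HOME_GT_PREFIX):
            alerts.append((m.ts, m.imsi, "ATI from outside home network"))
        elif m.op == "updateLocation":
            prev = last.get(m.imsi)
            if prev and prev[1] != m.vlr_gt:
                hours = max(m.ts - prev[0], 1) / 3600
                speed = km(VLR_COORDS[prev[1]], VLR_COORDS[m.vlr_gt]) / hours
                if speed > MAX_SPEED_KMH:
                    alerts.append((m.ts, m.imsi, f"implausible move at {speed:.0f} km/h"))
            last[m.imsi] = (m.ts, m.vlr_gt)
    return alerts

SAMPLE = [  # constructed signalling log: a home subscriber "moves" to Berlin and back in minutes
    "1000 updateLocation 15551000 001010000000001 15551000",
    "1300 anyTimeInterrogation 49301000 001010000000001",
    "1600 updateLocation 49301000 001010000000001 49301000",
    "1900 updateLocation 15551000 001010000000001 15551000",
]
```

Running `check(SAMPLE)` raises one alert for the foreign interrogation and one for each of the two impossible hops; a real deployment would key the plausibility check on actual roaming-partner geography and a per-partner expected latency rather than a single global threshold.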


There’s not much you can personally do. You could try to protect your communications by using an encrypted service like Signal, WhatsApp or Skype, but McDaid says an attacker could send a request to your carrier to disable data use for your phone, preventing you from using these services.


“So all you’re left with then is text messages and phone calls if you’re in an area with no Wi-Fi,” he says, leaving you vulnerable to an SS7 interception attack.



April 18, 2015

Companies invest a lot in IT security equipment these days, but more often than not, small and medium-sized businesses in particular fall short on physical and human security.

Many of our assessments contain an onsite piece where we are tasked to enter restricted areas and photograph the progress we made. Whilst social engineering (pretexting, tailgating) is responsible for by far the most successful security breaches, plain and simple lock picking works in so many cases.

Businesses (and individuals) think that a standard door lock, cabinet lock etc. will do. Unfortunately, even the most basic lock picks are often successful against standard locks. For us it’s shocking to see companies invest hundreds of thousands of dollars in the latest firewall, IPS and DDoS solutions and then have their cabinets secured with basic rack locks in standard rooms. Often the racks are not even locked at all. In more than 50% of the cases neither the server rooms nor the racks are locked. Better security exists when equipment is hosted in data centers, but that’s normally only affordable for larger clients.

We highly recommend having physical security evaluated on a regular basis. You may have read our previous articles about IT security (or rather the lack of it) in Latin America, but we must say that Latin America is far ahead when it comes to physical security in the SMB market, and such breaches are not as frequent there as in other countries due to tight physical security.

For Physical Security Audits, Pentesters can purchase Lock Picks in online shops such as:



April 4, 2015

Here’s another impressive video from the Tiger Team. This time they are breaching physical and logical security at a car dealership as part of an authorised Penetration Test.



March 19, 2015

Surely a lot of our readers have seen the TIGER PENTEST TEAM videos. If you haven’t, take those 20 minutes and watch them. It’s an impressive documentation of a successful full-scale security breach of a diamond store. The group uses IT, social engineering and other techniques to defeat all security systems.



Physical Security Checklist

Author: Martin Voelk
November 30, 2014

Visible Security

  • Is the facility visible from the street during both the day and night so that roving patrols can conduct external security checks?
  • Are all entrances and exits visible from a distance and well-lit in the evening? Such visibility provides a deterrent to crime and assists employees in the event of an evacuation.
  • Are shrubs cut to mid-point of window or lower?
    Low shrubbery discourages crime and provides a safer work environment.
  • Are tree limbs cut at least six feet from ground level?
    This policy increases visibility and helps deter crime.
  • If the property incorporates fences into its security, are they in good condition?
  • Have you installed motion-activated lights around entrances and exits?
    This type of lighting has been shown to deter criminal activity.
  • Are all pathways and parking areas well-lit?
  • Are pathways and parking lots patrolled?
  • Are pathways and parking lots equipped with emergency communication equipment that links to a centrally-monitored or police system?

Location Security

  • Are details on the business’ location listed on an outside directory?
  • Does the organization’s website provide detailed information on the building’s location?
  • Does the organization’s website provide detailed information on the location of the management team?

Lockdown Security

  • Are all doorways and exits easily accessible and clear of blockage?
  • Do all doors and windows close completely?
  • Do all doors and windows have working locks?
  • Are doors and windows alarmed and monitored?
  • Do all sliding windows have anti-slide locks?
  • Are curtains, blinds or other privacy-providing covers installed on all windows?

Access Security

  • Is outgoing mail accessible only to the Postal Service or other designated carriers?
  • Are all deliveries and delivery personnel monitored when inside the facility?
  • Are all incoming deliveries inspected before being delivered to the designated recipient?
  • Are all visitors asked to sign in on any visit to the facility?
  • Are visitors assigned a temporary security badge?
  • Are employees instructed to visibly display security badges?
  • Are employees instructed to challenge anyone not wearing a security or visitor’s badge?
  • Can windows, heating-ventilating air conditioning (HVAC) equipment, and doors be secured in the event of the release of hazardous material?