
PRESERVING CELLPHONE PRIVACY - COUNTERING IMSI CATCHER TECHNOLOGY

Dr. William Butler 8 Dec 2016


Agenda

• The Study
• Background
• Problem Statement(s)
• Purpose Statement
• Significance
• Research Question(s)
• Qualitative Study
• Study Population
• Methodology
• Standards (IEEE 2012 and ISO/IEC 15408)
• Limitations
• Study Findings
• Themes
• Recommendations
• Future Research
• Solutions
• Questions


The Study

This study is the result of interest in protecting unsuspecting consumers from a threat that is not so obvious and threatens their privacy.

• Recent cases of electronic eavesdropping using devices such as International Mobile Subscriber Identity (IMSI) catchers have been documented by the ACLU and the Washington Post (Wessler, 2014a; Timburg, 2014).

• Lack of peer-reviewed research into countermeasures and a framework to objectively evaluate protection measures (Borgaonkar & Udchar, 2014; Dabrowski et al., 2014; Van den Broek et al., 2011).

• In 1993, the U.S. Congress was made aware of the issue via a live demo during a Commerce committee hearing (Telecommunications Network Security, 1993; Pell & Soghoian, 2014).


Background

• An International Telecommunication Union (ITU) survey in 2008 revealed that over 90 per cent of the world’s population was served by GSM (ITU, 2008).

• GSM phones authenticate to the GSM network by utilizing the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI), which both serve to uniquely identify the phone to the network.

• Service providers are increasingly relying on GSM networks to deliver services to consumers (Van den Broek et al., 2011).

• GSM technology has known vulnerabilities, which expose user data such as location to electronic eavesdropping through several means (Van den Broek et al., 2011).

• GSM technology does not employ countermeasures such as mutual authentication and fails to utilize point-to-point encryption between callers (Wessler, 2014a; Timburg, 2014).

• Failure to implement these types of measures exposes GSM cell phone communications to both interception and capture (Van den Broek et al., 2011).


Background

How International Mobile Subscriber Identity (IMSI) Catchers work:

• IMSI Catchers (ICs) are communications equipment designed to identify and intercept the communications of phones within their operating area. IMSI Catchers were originally designed to capture a phone’s IMSI number (thus the name) and track those devices. However, recent advances in the technology now allow them to intercept messages and send operator messages to the phone. An IC must force a phone to downgrade to 2G service and then act as a cell tower to that phone to compromise its communications with the service provider’s network (Dabrowski et al., 2014).

• There are two types of attacks associated with GSM phones. The first type of attack is eavesdropping on cell phone communications and the second type is the man-in-the-middle (MITM) attack:

– During the eavesdropping attack, the IMSI catcher forces mobile phones to downgrade to 2G connections. Once the GSM phone is in 2G mode, both authentication and encryption capability are downgraded (Dabrowski et al., 2014).

– These ICs log all TMSI and IMEI pairs within their operating area. Once logged in, the IC can then force re-authentication with targeted handsets, forcing the handset to adopt weaker or no encryption (2G). This facilitates a MITM attack, allowing data and voice capture (Gold, 2011).
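
The behaviour described above (a push down to 2G, followed by weaker or no encryption) is what a detection app can watch for on the handset. The following is an added example, not code from the presentation or from any of the tools it lists; the record fields, cell identifiers, severity labels and 60-second window are assumptions made for illustration.

```python
from dataclasses import dataclass

RAT_RANK = {"2G": 2, "3G": 3, "4G": 4}  # higher rank = newer radio generation


@dataclass(frozen=True)
class CellObservation:
    t: int           # seconds since the capture started
    rat: str         # radio access technology: "2G", "3G" or "4G"
    cell_id: int     # identifier of the serving cell
    encrypted: bool  # True if the phone reports link ciphering as enabled


def find_suspicious_events(observations, known_cells, window=60):
    """Return (time, severity, reason) tuples for downgrade-related anomalies.

    A fallback to 2G on a cell seen before is only "info": it also happens
    in areas with poor coverage. An unseen cell, or a 2G link without
    encryption, raises the severity.
    """
    events = []
    prev = None
    last_downgrade = None
    for obs in sorted(observations, key=lambda o: o.t):
        downgraded = (prev is not None and obs.rat == "2G"
                      and RAT_RANK[prev.rat] > RAT_RANK["2G"])
        if downgraded:
            last_downgrade = obs.t
            if obs.cell_id in known_cells:
                events.append((obs.t, "info", "fallback to 2G on known cell"))
            else:
                events.append((obs.t, "warn", "downgrade to 2G on unseen cell"))
        if obs.rat == "2G" and not obs.encrypted:
            recent = last_downgrade is not None and obs.t - last_downgrade <= window
            severity = "alert" if recent else "warn"
            events.append((obs.t, severity, "2G link without encryption"))
        prev = obs
    return events


# Constructed sample data (not real captures).
KNOWN_CELLS = {1001, 1002, 2001}
SUSPICIOUS = [
    CellObservation(0, "4G", 1001, True),
    CellObservation(30, "4G", 1002, True),
    CellObservation(65, "2G", 9999, True),    # pushed down to 2G, unknown cell
    CellObservation(70, "2G", 9999, False),   # encryption then switched off
    CellObservation(300, "4G", 1001, True),
]
BENIGN = [
    CellObservation(0, "3G", 1001, True),
    CellObservation(40, "2G", 2001, True),    # ordinary coverage fallback
]

if __name__ == "__main__":
    for event in find_suspicious_events(SUSPICIOUS, KNOWN_CELLS):
        print(event)
```

The benign trace produces only an "info" event, which is why a warning-only tool needs the unseen-cell and encryption signals before it alerts.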


Background

The most popular IMSI-catcher is the Stingray built by the Harris Corporation. The Stingray operates in both passive (digital analyzer) and active (cell site simulator) modes. When operating in active mode, the Stingray impersonates a carrier cell tower. The Stingray then forces all nearby mobile phones and cellular data devices to connect to it.

“Are you my cell tower?” “Yes I am.”

Figure: A Stingray device in 2013, in Harris's trademark submission.

The Stingray can be hand carried, vehicle mounted, or airborne.


Problem Statement(s)

General problem: The general problem is that personal information transmitted by cellular phones in the U.S. is vulnerable to threats such as eavesdropping from cell phone interceptors. Location data, which are considered personal data, are also vulnerable to disclosure within the cell phone carrier’s network. Threat agents such as foreign intelligence agencies, criminals and paparazzi potentially operate these cell phone interceptors, targeting specific American citizens or collecting on all cell phones within their range (Pell, 2014).

Specific problem: The specific problem is that phone communications are vulnerable to unauthorized disclosure of personal information by cell phone interceptors (IMSI Catchers) operated within the United States (Pell, 2014).


Purpose Statement

The purpose of this qualitative study is to identify countermeasures to protect cell phone communications from unauthorized disclosure of personal information by cell phone interceptors (IMSI Catchers) operated within the U.S. In addition, the study sought to identify a method of categorizing countermeasures into a framework based on providing confidentiality, integrity and availability.


Significance

• The average consumer, once informed of the threat, could take this list and decide which measure is most appropriate for his/her situation and risk comfort level.

• The U.S. Government could use the results to promote more research and development and inform future legislation by Congress.

• This study will influence researchers and developers to continue to discover and market new solutions and improve on existing ones.

• Civil liberties and consumer organizations, who have been the strongest advocates for consumer protections and removing the shroud of secrecy from U.S. Government use of IMSI Catchers, will have access to the most current information on which to base future advocacy for consumer awareness and protections.


Research Questions

The primary research question is: what countermeasures exist to protect cell phones from IMSI Catchers?

Sub-questions:
1. What countermeasures are available?
2. Can those countermeasures be categorized into a framework based on providing confidentiality, integrity and availability, for example?
3. Which countermeasures are appropriate for inclusion into standards such as NIST RMF and ISO/IEC 27001?


Qualitative Study

This study is qualitative in nature due to the results being derived from an exploration of existing IMSI Catcher research and solutions. The qualitative approach is appropriate for this study due to the type of data to be collected and analyzed which is qualitative in nature (Schram, 2006). Grounded theory begins with basic descriptions of reality then moves to conceptual ordering according to their properties and dimensions. Theoretical and descriptive coding will be used to organize the data so that connections can be made and patterns can emerge. The grounded theory approach provides no guarantee that findings will be profound but it does provide a recognized framework to identify findings based on the data collected (Patton, 2002). Grounded theory is appropriate because the objective is to study the issue of IMSI Catcher privacy violations and identify countermeasures that can be implemented by consumers.


Study Population

Hardware Solutions
• Cryptophone
• Blackphone

Software Solutions
• Darshak
• SnoopSnitch
• AIMSICD
• G-NetTrack

Documents
• IEEE Std 2012
• ISO/IEC 15408 (Common Criteria)
• CNSSI 1253
• GAO Studies (2)
• NIST Publications
• DISA Mobile Device STIGs (5)

Studies
• Borgaonkar and Udchar (2014) (Conducted in Germany, created Darshak)
• Dabrowski et al. (2014) (Conducted in Austria, sICC, mICC (SnoopSnitch))
• Van den Broek et al. (2011) (Conducted in the Netherlands)
• Pell & Soghoian (2014) (Privacy Lawyer)
• Pell (2013, 2014)
• Thomson (2015) (Privacy Lawyer)
• Wessler (2014a, 2014b, 2014c) (Privacy Lawyer, ACLU)

• Committee on National Security Systems (CNSS)
• Electrotechnical Commission (IEC)
• Institute of Electrical and Electronics Engineers (IEEE)
• International Organization for Standardization (ISO)
• Security Technical Implementation Guide (STIG)


Methodology

This study uses standards such as IEEE Std 1012 and ISO/IEC 15408 (Common Criteria), which present objective means for the categorization process, to evaluate research and solutions.


IEEE Std 1012 Used to Evaluate Solutions

5.4.1 Activity: Concept V&V (Validation and Verification)

The concept activity represents the delineation of a specific implementation solution to solve the user’s problem. During the concept activity, the system architecture is selected and system requirements are allocated to hardware, software, and user interface components. The Concept V&V activity addresses system architectural design and system requirements analysis. The objective of Concept V&V is to verify the allocation of system requirements, validate the selected solution, and ensure that no false assumptions have been incorporated in the solution. The V&V effort shall perform, as specified in Table 2 for the selected software integrity level, the following Concept V&V tasks described in Table 1:

1) Task: Concept documentation evaluation
2) Task: Criticality analysis
3) Task: Hardware/software/user requirements allocation analysis
4) Task: Traceability analysis
5) Task: Hazard analysis
6) Task: Security analysis
7) Task: Risk analysis

IEEE Std 1012 Table 1 Definitions


IEEE Std 1012 Used to Evaluate Solutions

IEEE Std 1012 Table 2

NIAP Threat Definitions Used to evaluate Solutions


NIAP Security Objective Definitions Used to Evaluate Solutions

Target of evaluation (TOE) is the product or system that is the subject of the evaluation.


Limitations

The limitations of a study are potential weaknesses that are mostly out of the researcher’s control (Simon, 2011).

– A limitation of this study is that the results will not include verification of the listed countermeasures’ actual ability to preserve consumer privacy due to the legality of such research.

• That level of verification would require laboratory testing in a recognized cellphone certification laboratory, which is beyond the scope of this study.

• Thus, consumers will have to depend on industry-recognized product certifications before making an informed decision as to which countermeasure to adopt.


Study Findings (1/5)

The overall findings of this research are summarized in Tables 9, 10, 11 and 12. First, there are very few published and peer-reviewed studies into IMSI Catcher countermeasures.

• Table 9 depicts the distribution of solutions derived from the categorization process against the Common Criteria.
• Table 10 depicts the distribution of solutions which are technical versus non-technical.
• Table 11 lists countermeasures by source (solutions).
• Table 12 lists recommended countermeasures by framework (NIST RMF or IEC/ISO 27001).


Results Table 9: Coverage Summary


Results Table 10: Coverage Summary


Results Table 11: Recommended Countermeasure by Source


Results Table 12: Recommended Countermeasure by Framework


Themes (1/6)

Themes which emerged:

Theme 1: Consumers are generally not aware of the IMSI Catcher threat.
Theme 2: Software solutions meet less of the Common Criteria and offer limited protections.
Theme 3: Hardware solutions meet more of the Common Criteria than software-based solutions and offer more protections.
Theme 4: Network providers are silent on the IMSI Catcher issue.
Theme 5: Numerous controls were identified for adoption by the NIST and the ISO/IEC based on the findings of this study.


Themes (2/6)

Theme 1: Consumers are generally not aware of the IMSI Catcher threat.

According to Pell & Soghoian (2015) and the ACLU (Wessler, 2014a, 2014b, 2014c), consumers are aware of the use of these devices by law enforcement (federal and local). This study by design did not focus on IMSI Catcher operators but on the threat the device poses to the privacy of cell phone communications. Once consumers are generally informed, their legislatures will act to do their will. GAO (2012) recommended that the FCC raise public awareness of cyber security threats to include IMSI Catcher technologies. The existence of a clearinghouse for this specific information on the threat was not noted during this study.


Themes (3/6)

Theme 2: Software solutions meet less of the Common Criteria and offer limited protections.

This study was not exhaustive in listing all known solutions but listed a sample of the population to validate the categorization process. The products are limited in applicability in that they only work on specific models of mobile phones, thus limiting their utility to protect consumer communications (see Table 5). These software solutions warn consumers of the presence of an IMSI Catcher but offer no protections.


Themes (4/6)

Theme 3: Hardware solutions meet more of the Common Criteria than software-based solutions and offer more protections.

As depicted in Tables 9 and 10, the hardware solutions address more Common Criteria than software solutions. These hardware-based solutions (mobile phones) may require the consumer to buy into a proprietary product and network service to protect their privacy.


Themes (5/6)

Theme 4: Network providers are silent on the IMSI Catcher issue.

Network providers play a critical role in protecting consumer cell phone communications. Network providers also play a critical role in assisting law enforcement in investigating crime with a warrant. Service providers could make improvements such as implementing mutual authentication, stronger encryption, retrofitting 2/2.5G (legacy networks) with stronger encryption, and upgrading their legacy networks to the more secure Universal Mobile Telecommunications System (UMTS) standard. They could prevent IMSI Catchers from impersonating actual cell towers.


Themes (6/6)

Theme 5: Numerous controls were identified for adoption by the NIST and the ISO/IEC based on the findings of this study.

The purpose of this study was to identify hardware and software solutions to protect cellphones from IMSI-catcher technology and categorize them into frameworks such as NIST SP 800-53 (NIST, 2014a) and ISO 27001 (ISO, 2015b). These solutions were mapped to NIST SP 800-53 (NIST, 2014a) controls such as AC-3, AC-18, AC-19, AT-1, MP-7, PE-3, PE-4, SA-1, SC-5, SC-13, SC-15, SC-19, SI-2 and SI-10, which should be considered by the NIST and ISO/IEC in their next round of revisions to specifically address the IMSI-catcher threat.


Recommendations

Themes Recommendations

Theme 1: Consumers are generally not aware of the IMSI Catcher threat.

Recommendation 1: Consumers should be made aware of the IMSI Catcher threat as a component of our overall cyber security awareness

Theme 2: Software solutions meet less of the Common Criteria and offer limited protections.

Recommendation 2: Software solutions should meet more of the Common criteria and offer consumers more protections.

Theme 3: Hardware solutions meet more of the Common Criteria than software-based solutions and offer more protections.

Recommendation 3: Mobile phone manufacturers should implement measures to protect customers from IMSI Catcher technology.

Theme 4: Network providers are silent on the IMSI Catcher issue

Recommendation 4: Network Providers should implement measures to protect consumers from IMSI Catcher technology.

Theme 5: Numerous controls were identified for adoption by the NIST and the ISO/IEC based on the findings of this study

Recommendation 5: The NIST and ISO/IEC should consider the controls identified in this study to address the IMSI-catcher threat


Future Research

This study suggests several areas for future study and work. Listed are just a few research areas deserving of further exploration:

• Industry test and certify countermeasures (hardware and software) in a certification laboratory authorized to operate IMSI Catchers with an experimental FCC license. More vendors should submit their products to the USG for official evaluation for certification testing.

• Developers write software that not only warns the consumer but blocks access from IMSI Catchers.

• Investigate consumer knowledge of the IMSI Catcher threat.

• Academia/USG/Industry create a “center for cell phone security” to track solutions for consumers and provide other useful information.


Solutions

Hardware Solutions
• Cryptophone
• Blackphone

Solutions: Darshak


Solutions: SnoopSnitch

https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch&hl=en

Solutions: AIMSICD

https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/

Solutions: G-NetTrack

http://www.gyokovsolutions.com/G-NetTrack%20Android.html

G-NetTrack is a wireless network monitor and drive test tool for Android OS devices. It allows monitoring and logging of mobile network parameters without using specialized equipment. It's a tool and it's a toy. It can be used by professionals to get better insight on the network or by radio enthusiasts to learn more about wireless networks. It can be used even if you want just to make easy representation of your traveled route.


Solutions: Cryptophone

http://www.cryptophone.de/en/products/mobile/cp500/

Solutions: Blackphone


Blackphone provides Internet access through VPN. The telephone runs a modified version of Android called SilentOS that comes with a bundle of security-minded tools. On 30 June 2014, the Blackphone began to ship advance orders.

https://en.wikipedia.org/wiki/Blackphone

https://www.silentcircle.com/products-and-solutions/devices/


Questions
