Wiretap Detector - detecting cell-site simulators
Download as PPTX, PDF0 likes502 views
Presentation about Wiretap Detector - an app for detecting cell-site simulators (stingrays, IMSI catchers)
Wiretap Detector - detecting cell-site simulators
- 2. About me ● Software engineer ● Minister of electronic governance of Bulgaria (2021-2022) ● Member of Bulgarian parliament ● https://techblog.bozho.net ● X: @bozhobg
- 3. Disclaimer ● No classified information in these slides ● I’ve obtained no information present in these slides just because I’m a member of parliament ● The slides are entirely with my “expert hat” on
- 4. Interception
- 5. Methods for (legal) interception ● Interception interfaces (directly streaming calls and sms from telecoms) ● Spyware (Pegasus, Predator) ● Cell-site simulators, stingrays, IMSI-catchers ● Other SS7 vulnerabilities
- 6. Rumours ● Private interception companies use some of these technologies ● These technologies are used to wiretap activists, journalists and opposition politicians ● Key leaks for 3G+ authentication
- 10. How does it work? ● Not much public information; whistleblowers and rumours ● Mobiles devices connect to the strongest signal ● No mandatory cell tower authentication ● 2G-downgrade ● Session key leaks through rouming (3G, 4G) ● Passive IMSI catchers (not actual fake towers) ● Active (fake towers)
- 11. How to protect ourselves? ● We can’t ● Stop 2G support on your phone (some phones support this) ● Detecting interception: ○ EFF Crocodile hunter (requires specialized hardware) ○ Android IMSI Catcher Detector (requires root, not present in the play store) ○ SnoopSnitch (requires root) ○ Wiretap Detector (https://github.com/Glamdring/wiretap-detector)
- 12. Wiretap Detector ● Mobile application with no root permission requited ● Built by volunteers, open source ● No guarantees for successful detection ● The app solves only the cell-site simulator approach (and doesn’t detect spywhare, interception interfaces, etc.)
- 13. Detection methods ● Compares public IP with the announced IP ranges of the telecom ○ Gets ASN based on the initial IP ○ https://ip.guide (RIPE) ○ Countermeasure that could be used: the simulator can route requests to the right telecom (if it supports multi-SIM) ● Detecting changes on the first 2 hops of traceroute ○ Countermeasure: removing the first hop(s) ● Detecting changes in the combinnation of (geocoordinates, cell identifier ● Countermeasures: Spoofing all cell IDs ● Countermeasures are possible, but they complicate things and may not be implemented (yet) by cell-site simulators
- 14. TODO list ● Deploy on iOS ● Compare more cell details ● Compare with public cell databases ● Detecting attacks using fake roaming ● Centralized database with detections
- 15. Using Signal, Threema, Wire, etc. increases privacy guarantees
- 16. Everyone is welcome to help develop the project further
- 17. Thank you