Presentation is loading. Please wait.

Presentation is loading. Please wait.

National Security, Forensics and Mobile Communications V Gratzer, D Naccache, D Znaty Acknowledgment: several of the techniques and tools described here.

Published byIlene Owens Modified over 9 years ago

Similar presentations

Presentation on theme: "National Security, Forensics and Mobile Communications V Gratzer, D Naccache, D Znaty Acknowledgment: several of the techniques and tools described here."— Presentation transcript:

1 National Security, Forensics and Mobile Communications V Gratzer, D Naccache, D Znaty Acknowledgment: several of the techniques and tools described here were developped by Gemplus. Permission to use these images owned by Gemplus slides was obtained from Gemplus.

2

3 !!

4 Recent Case

5 In this talk… Back-end analysis techniques. A few standard techniques used to extract forensic data from GSM phones. Some new techniques. Credit: several images in this presentation are excerpts from presentations done by the author while being a Gemplus employee.

6 Back-end techniques Correlation of SIM in a given vicinity with: Anonymous public-phone card use. Credit card payment. Another SIM. Easy to do. Frequently used in homeland security contexts.

7 What are we looking for? User data: Directory, incoming/outgoing/lost calls, SMS, WAP bookmarks, MMS, images, movies, agenda, Mail, documents. Most mobile phone manufacturers (except very low cost ones) sell or provide tools allowing to manage such data. Pre-requisite: the SIM’s PIN code.

8 Example

9 What are we looking for? Operator data: IMSI (International Mobile Subscriber Identity) Ki (16 byte key used for voice encryption session key derivation) Network priority and restrictions. Geographic data (base station) SMS and WAP parameters Pre-requisite: the SIM’s higher-level PINs. Same tools as previously still work. Some data is not accessible even with these.

10 What are we looking for? Handset data: IMEI (International Mobile Subscriber Identity) Indication of active internal parameters

11 According to the situation Ability to access the target phone No access, temporary access, seized. Type of access to the target phone Passive, invasive, ability to replace parts. Knowledge of keys None, PIN, PUK, Ki etc… Device’s state Functional, still powered-on, dysfunctional A collection of solutions

12 Situation Ability to access the target phone No access, temporary access, seized. Type of access to the target phone Passive, invasive, ability to replace parts. Knowledge of keys None, PIN, PUK, Ki etc… Device’s state Functional, still powered-on, dysfunctional

13 Solution Unsolder flash and read it externally. Requires very specific equipment. (integrated vision, air flow and unsoldering, e.g Retronics, Metcal) Flash containing user and phone dataµBGA connector

14 Situation Ability to access the target phone No access, temporary access, seized. Type of access to the target phone Passive, invasive, ability to replace parts. Knowledge of keys None, PIN, PUK, Ki etc… Device’s state Functional, still powered-on, dysfunctional

15 Solution Record and exhaust. Hardware for brute-force attacks against A5 exists, software also. Hardware exhausts a 54-bit A5 key in < 8 hours.

16 Situation Ability to access the target phone No access, temporary access, seized. Type of access to the target phone Passive, invasive, ability to replace parts. Knowledge of keys None, PIN, PUK, Ki etc… Device’s state Functional, still powered-on, dysfunctional

17 EM Monitoring A probe is positioned near the phone’s plastic cover (right above the SIM). Kc transferred on I/O causes huge variations in EM emanations (detectable 10 cm away). Interpret the 7816-3 byte flow to get Kc. Signal is much more readable than this TIA(00) vs. TIA(FF) power EM

18 Situation Ability to access the target phone No access, temporary access, seized. Type of access to the target phone Passive, invasive, ability to replace parts. Knowledge of keys None, PIN, PUK, Ki etc… Device’s state Functional, still powered-on, dysfunctional

19 Solution Use standard PC connection kit

20 Situation Ability to access the target phone No access, temporary access, seized. Type of access to the target phone Passive, invasive, ability to replace parts. Knowledge of keys None, PIN, PUK, Ki etc… Device’s state Functional, still powered-on, dysfunctional

21 Solution Objective: –Extract PIN codes, data, secret keys… Key Equipment: –Power analysis equipment: signal reader, oscilloscope, acquisition & analysis s/w, PC –Fault injection & analysis equipment: microscope, laser, dedicated analysis sw 4 steps –1. Identify when to inject fault –2. Identify where to inject fault –3. Fault injection –4. Differential Fault Analysis to extract keys

22 Situation Ability to access the target phone No access, temporary access, seized. Type of access to the target phone Passive, invasive, ability to replace parts. Knowledge of keys None, PIN, PUK, Ki etc… Device’s state Functional, still powered-on, dysfunctional

23 Solution A malicious piece of code... … hidden in a harmless and attractive applet such as a game

24 Trojan Horse technical details Written in Java Card Uses the GSM 11.14 / 03.19 API –Subscribes to external events (e.g. SMS delivery) –Is triggered when events occur –Performs proactive commands Displays text and gets input on the handset Constructs and sends SMS

25 General Panorama

26 Terrorist Handset Preferences (source Gartner Dataquest, 1238 terrorists interrogated)

27 General Panorama Market share EMEA (source Gartner Dataquest)

28 General Panorama Market share ASIA (source Gartner Dataquest)

29 General Panorama Split by Handset Type (source Gartner Dataquest)

30 Conclusion Phone forensics is a permanent race. To get real results one must remain constantly aware of technical evolutions. Opportunity windows open/close quickly!

31 What helps, what doesn’t 1500 different models Complexity increase Standardization Open research 1500 different models Complexity increase Standardization Open research

Download ppt "National Security, Forensics and Mobile Communications V Gratzer, D Naccache, D Znaty Acknowledgment: several of the techniques and tools described here."

Similar presentations

IT Technical Support South Nottingham College. Aims Knowledge of the Registry Discuss the tools available to support a technician Gain an understanding.

IT Technical Support South Nottingham College. Aims Knowledge of the Registry Discuss the tools available to support a technician Gain an understanding.
CS4032 Presentation SMS, SIM, MMS and Barcodes Richard Drysdale.

CS4032 Presentation SMS, SIM, MMS and Barcodes Richard Drysdale.
Voice and Data Encryption over mobile networks July 2012 IN-NOVA TECNOLOGIC IN-ARG SA www.in-arg.com MESH VOIP.

Voice and Data Encryption over mobile networks July 2012 IN-NOVA TECNOLOGIC IN-ARG SA MESH VOIP.
Available & Effective charging solution for electric cars Advanced mobile charging systems.

Available & Effective charging solution for electric cars Advanced mobile charging systems.
Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.

GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
GSM Security and Encryption

GSM Security and Encryption
CC4100 Active Cellular Intercept Technologies

CC4100 Active Cellular Intercept Technologies
PAPER PRESENTATION BY V.Priyanka CSE-A Roll no. 13K41A0548.

PAPER PRESENTATION BY V.Priyanka CSE-A Roll no. 13K41A0548.
GSM Network. GSM-Introduction Architecture Technical Specifications Frame Structure Channels Security Characteristics and features Applications Contents.

GSM Network. GSM-Introduction Architecture Technical Specifications Frame Structure Channels Security Characteristics and features Applications Contents.
FIU Chapter 7: Input/Output Jerome Crooks Panyawat Chiamprasert

FIU Chapter 7: Input/Output Jerome Crooks Panyawat Chiamprasert
Federated Authentication mechanism for mobile services Dasun Weerasinghe, Saritha Arunkumar, M Rajarajan, Veselin Rakocevic Mobile Networks Research Group.

Federated Authentication mechanism for mobile services Dasun Weerasinghe, Saritha Arunkumar, M Rajarajan, Veselin Rakocevic Mobile Networks Research Group.
SMUCSE 5349/7349 GSM Security. SMUCSE 5349/7349 GSM Security Provisions Anonymity Authentication Signaling protection User data protection.

SMUCSE 5349/7349 GSM Security. SMUCSE 5349/7349 GSM Security Provisions Anonymity Authentication Signaling protection User data protection.
G53SEC 1 Mobile Security GSM, UTMS, Wi-Fi and some Bluetooth.

G53SEC 1 Mobile Security GSM, UTMS, Wi-Fi and some Bluetooth.
DriveAP 1.2 & 2.1 DriveWare®.

DriveAP 1.2 & 2.1 DriveWare®.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
Information Security of Embedded Systems 20.1.2010: Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.

Information Security of Embedded Systems : Communication, wireless remote access Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer.
Secure Element Access from a Web browser W3C Workshop on Authentication, Hardware Tokens and Beyond 11 September 2014 1 Oberthur Technologies – Identity.

Secure Element Access from a Web browser W3C Workshop on Authentication, Hardware Tokens and Beyond 11 September Oberthur Technologies – Identity.
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

Similar presentations

Ads by Google