An Ominous Weaponization of Mobile Exploits
Another day, another mobile exploit. Last week we realized the dangers of public WiFi abuse are magnified by inexpensive hacker kits for snooping on our supposedly HTTPS-protected logins. This week, we learn of inexpensive IMSI catchers bringing cell phone eavesdropping from the realm of APTs to script kiddies.
“What the heck is an IMSI catcher anyway?” I thought, as I read “Mike” from KeyTalk’s comment on my public WiFi post. It didn’t take long to find out.
How it Works
Wikipedia: “An IMSI catcher (International Mobile Subscriber Identity) is an…eavesdropping device used for intercepting mobile phone traffic…it is considered a man-in-the-middle (MITM) attack, and can be detected using tools like SnoopSnitch. IMSI catchers are used in some countries by law enforcement and intelligence agencies, but based upon civil liberty and privacy concerns, their use is illegal in others.
The GSM specification requires the handset to authenticate to the network, but does not require the network to authenticate to the handset. This well-known security hole is exploited by an IMSI catcher. The IMSI catcher masquerades as a base station and logs the IMSI numbers of all the mobile stations in the area, as they attempt to attach to the IMSI-catcher. It allows forcing the mobile phone connected to it to use no call encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode)…”
Commercially Available IMSI Catchers?
“Mike” from KeyTalk commented on my previous post “A malicious party can use a sub $200 kit to create an IMSI catcher and thus create a MITM on your cell phone connection.” I basically verified this through a more detailed SBA Research Group paper: “The first IMSI Catchers date back as early as 1993 and were big, heavy, and expensive. Only a few manufacturers existed and the economic barrier limited the device’s use mostly to governmental agencies. However, in recent years, a number of smaller and cheaper as well as self-built projects appeared making cellular network snooping attacks feasible o much larger audiences. Chris Paget built an IMSI Catcher for about $1,500 and presented it at DEFCON 2010.”
In the folksonomy of Google one finds well-trodden paths suggesting weaponization of this exploit. Example search terms: “IMSI Catcher for Sale” and “IMSI Catch DIY” and “IMSI Catcher Detector.” Per Arstechnica a body-worn “IMSI catcher” for all your covert phone snooping needs was being sold to law enforcement in the U.S. circa September 2013. The arms race is on.
Hard to Detect
The SBA Research Group paper notes that “Simple, cheap, and easily deployable IMSI Catcher Catchers (ICC) either need to run directly on a user’s mobile phone or on affordable hardware (e.g. stationary device)” and goes into some detail on both implementations and the many challenges. What would be practical for more users is an “IMSI Catcher Catcher” app, but they’re hard to come by. According to an open source detector project site: “There are almost no phones on the market which offer an option to check what kind of encryption is used to “secure” GSM traffic…The ones you may find are very expensive and not open source.”
The Erosion of Assurance
The only way you keep up with this ever-changing security landscape is to know your threat landscape and exercise a healthy bit of paranoia. Security professionals have long assumed that advanced attackers such as intelligence agencies could, with few exceptions, breach most logical defenses. For most of us that doesn’t mean that nothing’s safe since we follow the rules, don’t make enemies and seek to avoid notice from advanced threats. Occasionally, a phenomena I call “mental laziness” trips us up, and this happens to laymen and pros alike. In my case I assumed well-implemented HTTPS was safe against basic threats but not advanced threats. But last week it dawned on me that MITM attacks on HTTPS were technically much easier than I thought. All you need’s a proxy.
In our mental risk assessment arithmetic we’re constantly multiplying risk = impact times likelihood, where likelihood = threat times vulnerability. When you get the vulnerability variable wrong, you over- or under-rate the risk, like I’ve done with public WiFi all these years.
Even if you understand the vulnerability correctly, its easy to slip up on the threat. The time from discovery of an exploit by advanced threats to its weaponization by basic threats seems to be getting shorter. And with the state sponsored cybersecurity arms race in full throttle, the number of exploits-in-discovery will grow. We have a pretty wicked problem I call the “erosion of assurance.” Its too easy to under-rate the likelihood variable in our risk calculus.
Stay tuned for the next exploit…