National Security, Forensics and Mobile Communications - PowerPoint PPT Presentation

National security forensics and mobile communications l.jpg
Download
1 / 31

National Security, Forensics and Mobile Communications V Gratzer, D Naccache, D Znaty Acknowledgment: several of the techniques and tools described here were developped by Gemplus. Permission to use these images owned by Gemplus slides was obtained from Gemplus. !! Recent Case

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

National Security, Forensics and Mobile Communications

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


National security forensics and mobile communications l.jpg

National Security, Forensics and Mobile Communications

V Gratzer, D Naccache, D Znaty

Acknowledgment: several of the techniques and tools described here

were developped by Gemplus.

Permission to use these images owned by Gemplus slides was obtained

from Gemplus.


Slide3 l.jpg

!!


Recent case l.jpg

Recent Case


In this talk l.jpg

In this talk…

  • Back-end analysis techniques.

  • A few standard techniques used to extract forensic data from GSM phones.

  • Some new techniques.

    Credit: several images in this presentation are excerpts from presentations done by the author while being a Gemplus employee.


Back end techniques l.jpg

Back-end techniques

  • Correlation of SIM in a given vicinity with:

    Anonymous public-phone card use.

    Credit card payment.

    Another SIM.

    Easy to do.

    Frequently used in homeland security contexts.


What are we looking for l.jpg

What are we looking for?

User data:

Directory, incoming/outgoing/lost calls, SMS, WAP bookmarks, MMS, images, movies, agenda, Mail, documents.

Most mobile phone manufacturers (except very low cost ones) sell or provide tools allowing to manage such data.

Pre-requisite: the SIM’s PIN code.


Example l.jpg

Example


What are we looking for9 l.jpg

What are we looking for?

Operator data:

  • IMSI (International Mobile Subscriber Identity)

  • Ki (16 byte key used for voice encryption session key derivation)

  • Network priority and restrictions.

  • Geographic data (base station)

  • SMS and WAP parameters

    Pre-requisite: the SIM’s higher-level PINs.

    Same tools as previously still work.

    Some data is not accessible even with these.


What are we looking for10 l.jpg

What are we looking for?

Handset data:

  • IMEI (International Mobile Subscriber Identity)

  • Indication of active internal parameters


According to the situation l.jpg

According to the situation

  • Ability to access the target phone

    No access, temporary access, seized.

  • Type of access to the target phone

    Passive, invasive, ability to replace parts.

  • Knowledge of keys

    None, PIN, PUK, Ki etc…

  • Device’s state

    Functional, still powered-on, dysfunctional

    A collection of solutions


Situation l.jpg

Situation

  • Ability to access the target phone

    No access, temporary access,seized.

  • Type of access to the target phone

    Passive,invasive,ability to replace parts.

  • Knowledge of keys

    None, PIN, PUK, Ki etc…

  • Device’s state

    Functional, still powered-on,dysfunctional


Solution l.jpg

Solution

  • Unsolder flash and read it externally.

    Requires very specific equipment.

    (integrated vision, air flow and unsoldering, e.g Retronics, Metcal)

µBGA connector

Flash containing user and phone data


Situation14 l.jpg

Situation

  • Ability to access the target phone

    No access, temporary access,seized.

  • Type of access to the target phone

    Passive,invasive,ability to replace parts.

  • Knowledge of keys

    None, PIN, PUK, Ki etc…

  • Device’s state

    Functional, still powered-on, dysfunctional


Solution15 l.jpg

Solution

Record and exhaust.

Hardware for brute-force attacks against A5 exists, software also.

Hardware exhausts a 54-bit A5 key in < 8 hours.


Situation16 l.jpg

Situation

  • Ability to access the target phone

    No access, temporary access,seized.

  • Type of access to the target phone

    Passive,invasive,ability to replace parts.

  • Knowledge of keys

    None, PIN, PUK, Ki etc…

  • Device’s state

    Functional, still powered-on, dysfunctional


Em monitoring l.jpg

power

TIA(00) vs. TIA(FF)

EM

EM Monitoring

  • A probe is positioned near the phone’s plastic cover (right above the SIM).

  • Kc transferred on I/O causes huge variations in EM emanations (detectable 10 cm away).

  • Interpret the 7816-3 byte flow to get Kc.

  • Signal is much more readable than this


Situation18 l.jpg

Situation

  • Ability to access the target phone

    No access, temporary access,seized.

  • Type of access to the target phone

    Passive,invasive,ability to replace parts.

  • Knowledge of keys

    None, PIN, PUK, Ki etc…

  • Device’s state

    Functional, still powered-on, dysfunctional


Solution19 l.jpg

Solution

Use standard PC connection kit


Situation20 l.jpg

Situation

  • Ability to access the target phone

    No access, temporary access,seized.

  • Type of access to the target phone

    Passive,invasive,ability to replace parts.

  • Knowledge of keys

    None, PIN, PUK, Ki etc…

  • Device’s state

    Functional, still powered-on, dysfunctional


Solution21 l.jpg

Solution

  • Objective:

    • Extract PIN codes, data, secret keys…

  • Key Equipment:

    • Power analysis equipment: signal reader, oscilloscope, acquisition & analysis s/w, PC

    • Fault injection & analysis equipment: microscope, laser, dedicated analysis sw

  • 4 steps

    • 1. Identify when to inject fault

    • 2. Identify where to inject fault

    • 3. Fault injection

    • 4. Differential Fault Analysis to extract keys

to learn how this is done: conference DFTC


Situation22 l.jpg

Situation

  • Ability to access the target phone

    No access, temporary access,seized.

  • Type of access to the target phone

    Passive,invasive,ability to replace parts.

  • Knowledge of keys

    None, PIN, PUK, Ki etc…

  • Device’s state

    Functional, still powered-on, dysfunctional


Solution23 l.jpg

A malicious piece of code ...

… hidden in a harmless and attractive applet

such as a game

Solution


Trojan horse technical details l.jpg

Trojan Horse technical details

  • Written in Java Card

  • Uses the GSM 11.14 / 03.19 API

    • Subscribes to external events (e.g. SMS delivery)

    • Is triggered when events occur

    • Performs proactive commands

      • Displays text and gets input on the handset

      • Constructs and sends SMS


General panorama l.jpg

General Panorama


General panorama26 l.jpg

General Panorama

Terrorist Handset Preferences

(source Gartner Dataquest, 1238 terrorists interrogated)


General panorama27 l.jpg

General Panorama

Market share EMEA (source Gartner Dataquest)


General panorama28 l.jpg

General Panorama

Market share ASIA (source Gartner Dataquest)


General panorama29 l.jpg

General Panorama

Split by Handset Type (source Gartner Dataquest)


Conclusion l.jpg

Conclusion

  • Phone forensics is a permanent race.

  • To get real results one must remain constantly aware of technical evolutions.

  • Opportunity windows open/close quickly!


What helps what doesn t l.jpg

1500 different models

Complexity increase

Standardization

Open research

1500 different models

Complexity increase

Standardization

Open research

What helps, what doesn’t

a permanent race


  • Login