Last day of #enigma2021 and we're kicking off with @cooperq from @EFF talking about "DETECTING FAKE 4G LTE BASE STATIONS IN REAL TIME"

usenix.org/conference/eni…
Focus on tech which targets at-risk people (e.g. activists, rights defenders, sex workers)
What is a cell site simulator?

* transmitter or receiver which intercepts metadata from cell phones, often by pretending to be a legit cell tower
First started looking at these because of reports from the Standing Rock protests (people were seeing weird things with their cell phones, tried apps to detect e.g. Stingray)
Packed a bag, headed out there, and tried to detect something.

Figured out he had no idea what he was doing. The apps had a lot of false positives and he didn't know what to do with the spectra.
But weird -- there was no 2G anywhere in the area. Why is this important?

Stingray pretends to be a base station, but pretends to be 2G, so it wasn't that. Also the apps (probably) don't work because they're trying to detect Stingray.
How do the 4G versions work (e.g. Hailstorm)?
* it has to have vulns to work -- but we didn't know about any
* so @rival_elf went and dove in and found a bunch of them
Want to see @rival_elf's work on this? It was at @enigmaconf last year:

usenix.org/conference/eni…
How often are these fake cell sites being used? To the FOIA!
* federal law enforcement: ICE/DHS 100s of times/year
* local law enforcement:
- Oakland 1-3 times/year
- Santa Barbara PD 231 times in 2017

Why the difference? Oakland has strong privacy laws
Not everyone responds to FOIA...
* foreign spies
* cyber mercenaries e.g. NSO group
* criminals
Previous efforts to detect:
* app based -- cheap and easy to use, but limited amount of data (only for towers the phone is connected to, what is visible through API)
* radio based -- expensive, harder to use, have to have programming/DB knowledge
Can we detect 4G cell-site simulators?
* how can we do better than previous efforts?
* how can we detect 4G rather than previous 2G?
* how can we verify the results?
So made Crocodile Hunter to detect 4G cell-site simulators
* relatively cheap and small (fits in backpack)
* open-source
Each of these red dots is a cell site
... the skulls look suspicious (they're not all IMSI catchers)
Mapping out where base stations are located in real time, so can track them down to figure out
* does it have a history or is it new?
* is it missing parameters?
* is it moving?
* etc
Found some suspicious things on first test in DC
* why the heck did this suddenly stop claiming it's a US cell phone and then start claiming it's not part of any country's network in the world?
* why is this other one claiming to be off the coast of Nova Scotia?
Didn't track that one down, but then looked in Oakland during a march and found more suspicious signals (don't correspond to US country codes and network codes which don't match the country codes)

What the heck is this?
More research needed.

The name is after Steve Irwin (crocodile hunter), who was killed by a stingray.
How can we stop these cell site simulators?
* better security
* taking this seriously
Key takeaways
* we have a pretty good understanding of the vulns used
* none of the previous IMSI catcher detector apps really do their job any more, but the same principles should work on the next gen
* the problems of CSS abuse can be solved but it's going to be a lot of work
[end of talk]
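As an added example (not from the talk or the Crocodile Hunter project), a small Python heuristic that applies the detection questions listed above to constructed base-station observations: MCC outside the home country or a test code, an (MCC, MNC) pair not in a known-operator allowlist, missing parameters, a cell with no prior history, and a cell whose estimated position moves between sightings. The allowlist, threshold and records are constructed; a real deployment would load the full operator table and position estimates from the survey.

```python
import math
from collections import defaultdict

# Constructed allowlist of (MCC, MNC) pairs; a real deployment would load the
# full ITU/operator table. MCC 001 is reserved for test networks and 310-316
# are assigned to the United States.
KNOWN_PLMNS = {("310", "410"), ("310", "260"), ("311", "480")}
HOME_MCCS = {"310", "311", "312", "313", "314", "315", "316"}
REQUIRED = ("mcc", "mnc", "cell_id", "tac", "lat", "lon", "ts")

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    la1, lo1, la2, lo2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def score_observations(obs, move_km=1.0):
    """Return {cell_id: sorted reasons} for cells that look suspicious."""
    history = defaultdict(list)   # cell_id -> prior sightings in this survey
    flags = defaultdict(list)
    for rec in sorted(obs, key=lambda r: r.get("ts", 0)):
        cid = rec.get("cell_id") or "?"
        missing = [k for k in REQUIRED if rec.get(k) is None]
        if missing:                # broadcast is incomplete: record and skip
            flags[cid].append("missing " + ",".join(missing))
            continue
        if rec["mcc"] not in HOME_MCCS:
            flags[cid].append(f"foreign or test MCC {rec['mcc']}")
        if (rec["mcc"], rec["mnc"]) not in KNOWN_PLMNS:
            flags[cid].append(f"unknown PLMN {rec['mcc']}-{rec['mnc']}")
        prev = history[cid]
        if prev and haversine_km((prev[-1]["lat"], prev[-1]["lon"]),
                                 (rec["lat"], rec["lon"])) > move_km:
            flags[cid].append("moved")   # a fixed tower should not relocate
        prev.append(rec)
    for cid, recs in history.items():
        if len(recs) == 1:         # seen once, no history to compare against
            flags[cid].append("no history")
    return {c: sorted(set(r)) for c, r in flags.items()}

# Constructed sample sightings: A1 is a stable known tower, B2 claims a test
# network, C3 has an unknown network code and moves ~5.5 km, D4 omits its TAC.
OBS = [
    {"mcc": "310", "mnc": "410", "cell_id": "A1", "tac": "1001", "lat": 38.900, "lon": -77.030, "ts": 1},
    {"mcc": "310", "mnc": "410", "cell_id": "A1", "tac": "1001", "lat": 38.901, "lon": -77.031, "ts": 2},
    {"mcc": "001", "mnc": "01", "cell_id": "B2", "tac": "1", "lat": 38.900, "lon": -77.030, "ts": 3},
    {"mcc": "310", "mnc": "999", "cell_id": "C3", "tac": "7", "lat": 38.900, "lon": -77.030, "ts": 4},
    {"mcc": "310", "mnc": "999", "cell_id": "C3", "tac": "7", "lat": 38.950, "lon": -77.030, "ts": 5},
    {"mcc": "310", "mnc": "410", "cell_id": "D4", "tac": None, "lat": 38.900, "lon": -77.030, "ts": 6},
]

if __name__ == "__main__":
    for cell, reasons in score_observations(OBS).items():
        print(cell, reasons)
```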
