Mobile networks should protect users on several fronts: Calls need to be encrypted, customer data protected, and SIM cards shielded from malware. Many networks are still reluctant to implement appropriate protection measures in legacy systems. But even those who add mitigations often fail to fully capture attacks: They target symptoms instead of solving the core issue.
This talk discusses mobile network and SIM card attacks that circumvent common protection techniques to illustrate the ongoing mobile attack evolution. The evolution is exemplified by new advanced attack vectors against mobile communication and SIM cards: Mobile calls and identities are known to be weakly protected, but networks progressively rolled out patches to defeat hacking tools. We will discuss — and release — tools to measure whether these changes are effective.
SIM cards were identified as a remote exploitation risk this year: Unnoticed by the victim, an attacker can take control over a card by sending a few binary SMS. Network operators started filtering binary SMS and patched some of their weak SIM card configurations in response to vulnerability research. The talk looks at filtering evasion techniques and discloses new configuration vulnerabilities present in many cards world-wide.
Mobile network attack evolution | 30c3 (Talk, Hamburg, 27.12.2013)