Understanding IMSI Privacy

Presented at Black Hat USA 2014, Aug. 7, 2014, 3:30 p.m. (60 minutes)

It is said that 80% of the world's population now has a mobile phone. They use mobile devices to make calls, send SMS messages, and access the Internet via the cellular network infrastructure. End users who carry mobile phones 24 hours a day trust cellular network operators and believe that the provided mobile communication link is secure. However, mobile operators, device manufacturers, OS providers, and baseband suppliers do little to provide the best security and privacy features to them. In particular, the security capabilities of mobile communications are not shown to end users. Hence, it is easy for malicious attackers to mount subsequent attacks using IMSI catcher equipment. Further, some hidden features, for example 'silent SMS', are supported in currently used mobile telephony systems, but end users are not notified when they are in use. Attackers or illegitimate agencies exploit this weakness to track user movements regularly without the user's consent. In this talk, we address these long-standing issues by developing a low-cost, easy-to-use privacy framework based on Android OS. We demonstrate our effort to build an ideal way to protect user privacy. A live demo of the framework detecting hidden (in)security features of the mobile communication system will be provided.

Presenters:

  • Swapnil Udar - Aalto University
    Swapnil is a master's student at Aalto University in Helsinki, Finland. After working for five years at a US-based IT company and with a Swiss bank, he is enjoying research in mobile security.
  • Ravishankar Borgaonkar - TU Berlin
    Ravishankar works as a Senior Researcher in Security in the Telecommunications Department at Technical University Berlin. His research themes are related to mobile telecommunication and the security threats involved. This ranges from GSM/UMTS/LTE network security to end-user device security. Previously, he was involved in the investigation of weaknesses in the femtocell security architecture at TU Berlin. Further, he discovered USSD code vulnerabilities in Android devices. Ravishankar's research has previously been presented at Black Hat, Hack In The Box, Ruxcon, Troopers, T2, and HES.
