Infosec In the City (IIC)
Attacks On GSM — Alarms, Smart Homes & Smartwatches For Kids — by Aleksandr Kolchanov
#IICSG2019 Conference Workshop Track
Day 2 (20 Jun 2019)
@ Breakout Room 3
This workshop will cover different attacks on popular GSM devices: alarms, smart home systems, access control systems and smartwatches for kids. GSM devices are popular and easy to use: for example, you only need to insert a SIM card into a GSM alarm and the system is ready. But the security of these devices is questionable.
Common alarm devices have been tested thoroughly, and researchers have found various vulnerabilities and attacks. This training will concentrate on attacks on the GSM part of the devices, because this part is not covered properly and there are some easy and effective attacks against it.
Students Should Have
Notebook with a modern browser
Favorite editor and a scripting language (optional)
I Will Provide
Different GSM devices: alarms, smart home systems, access control systems and smartwatches for kids
SIP accounts for calls
Special accounts at a service for calls with a spoofed Caller ID
Plan For Training
1. Introduction and basic information about GSM devices, typical use cases, and a discussion of requirements.
2. Types of attacks and a short overview of the training plan.
3. Calls with a spoofed phone number, one of the most effective types of attack. For a large number of devices, an attacker can call with a spoofed Caller ID (phone number) and perform different actions. GSM devices usually have a menu for calls (an IVR menu with DTMF commands), and attackers can try to use it to perform actions.
For GSM alarms (depending on the model), attackers can change settings, switch security mode on and off, add new control phones, and listen in on rooms.
For smart homes, attackers can switch devices on and off, get information, and listen in on rooms.
For access control systems, attackers can open doors and raise barriers.
For a smartwatch for kids, attackers can send fake messages, call with the parents' phone numbers, listen to the environment, and get information.
We will also discuss devices whose only authorization is a Caller ID check and devices with default passwords. Students can use SIP accounts to make calls to the test devices (I hope that every student will be able to call 2-3 different devices to learn about the attacks).
4. Bruteforce and "locking bruteforce". In this part, two interesting attacks will be discussed:
Bruteforce of the authorization code in a call to the IVR menu. Most devices have a short authorization code (usually a 4-digit code) and no protection against bruteforce. An attacker can bruteforce the correct code and then perform commands. Students are invited to try to find the authorization code of some devices by bruteforce (manually or with a simple script) to learn the basics of this attack.
"Locking bruteforce" is a side effect of protection against bruteforce (only rare devices have this protection). If a bruteforce attack is detected, the device can lock authorization for some time. Attackers can use this to prevent the owner from doing something, which can be dangerous in the case of alarms and smart homes. Students will be invited to test this attack if I manage to buy devices with protection against bruteforce.
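How a device should handle its call-in menu, covering both the spoofed Caller ID and the bruteforce / locking bruteforce parts above, as an added illustration: this is example code written for this page, not code from the workshop or from any real device. A small Python model of a GSM alarm's IVR authorization compares two policies. The weak policy authorizes on Caller ID alone, which a spoofed call defeats outright. The hardened policy always requires the code, uses an 8-digit code, drops the call after three wrong codes, and after repeated failures applies a growing but capped delay and records an alert for the owner, so a flood of wrong codes slows guessing without locking the owner out indefinitely. The phone numbers, codes, thresholds, timings and the Device class are all constructed for the example.

```python
"""Model of a GSM alarm's call-in (IVR/DTMF) authorization handler.

Example code written for this page, not code from the workshop or from any
real device. Phone numbers, codes, thresholds and timings are constructed.
"""
import hmac
from dataclasses import dataclass, field

OWNER_NUMBER = "+6580000001"   # constructed: the registered control phone
PER_CALL_MAX_FAILS = 3         # drop the call after this many wrong codes
FAIL_WINDOW = 5                # total failures before the delay starts
BACKOFF_BASE_S = 30.0          # first delay, doubles with each further failure
BACKOFF_CAP_S = 900.0          # bound on the delay, so the owner is never locked out for good


@dataclass
class Device:
    pin: str                   # authorization code; hardened config uses 8 digits
    trust_caller_id: bool      # weak devices authorize on Caller ID alone
    alerts: list = field(default_factory=list)
    recent_fails: int = 0
    locked_until: float = 0.0

    def _check_pin(self, entered: str) -> bool:
        # constant-time comparison; a real device would also store only a hash
        return hmac.compare_digest(entered, self.pin)

    def handle_call(self, caller_id: str, dtmf_codes: list, now: float) -> str:
        """Process one call: returns 'AUTHORIZED', 'REJECTED' or 'THROTTLED'."""
        if self.trust_caller_id and caller_id == OWNER_NUMBER:
            # Weak policy: Caller ID is chosen by the caller, so this is no
            # authentication at all; a spoofed call gets the whole menu.
            return "AUTHORIZED"
        if now < self.locked_until:
            return "THROTTLED"
        fails_this_call = 0
        for code in dtmf_codes:
            if self._check_pin(code):
                self.recent_fails = 0
                return "AUTHORIZED"
            fails_this_call += 1
            self.recent_fails += 1
            if self.recent_fails >= FAIL_WINDOW:
                # Growing but capped delay instead of an indefinite lock: it
                # makes guessing a 4- or 8-digit code impractically slow while
                # bounding how long a flood of wrong codes can keep the owner out.
                exponent = self.recent_fails - FAIL_WINDOW
                delay = min(BACKOFF_BASE_S * (2 ** exponent), BACKOFF_CAP_S)
                self.locked_until = now + delay
                self.alerts.append(
                    f"{self.recent_fails} failed codes, last from {caller_id}, "
                    f"menu paused {delay:.0f}s")
                return "THROTTLED"
            if fails_this_call >= PER_CALL_MAX_FAILS:
                return "REJECTED"  # hang up; the caller has to redial
        return "REJECTED"


def compare_policies() -> dict:
    """Run the same spoofed call against both policies (constructed scenario)."""
    weak = Device(pin="1234", trust_caller_id=True)
    hardened = Device(pin="48213957", trust_caller_id=False)
    return {
        "weak_spoofed_caller_no_code": weak.handle_call(OWNER_NUMBER, [], now=0.0),
        "hardened_spoofed_caller_no_code": hardened.handle_call(OWNER_NUMBER, [], now=0.0),
    }


if __name__ == "__main__":
    print(compare_policies())
```

The cap on the delay is the design choice that matters for the "locking bruteforce" case: an indefinite lock turns the bruteforce protection into a denial of service against the owner, while a bounded delay plus an alert tells the owner something is going on and still leaves them a way back in.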
5. Attacks on mobile operators. GSM devices use the mobile network for communication (SMS, calls, mobile internet), so attacks on mobile operators can affect the security of the devices. In this part, different attacks will be discussed: problems that allow an attacker to remotely change the tariff, spend money from the account, lock the SIM card, forward calls, and more. These attacks mostly use spoofed calls to the operator's support line (IVR menu) and bruteforce attacks on the sites of content providers. For example, such attacks allow an attacker to spend the money on the account and cut off communication with the device. Students are invited to perform some of these attacks in a test environment (the test environment will simulate vulnerabilities of some real mobile operators).
6. Advanced attacks. In this part, some special attacks will be covered.
Attacks on DIY alarms and smart homes. We will discuss some popular "models" and typical issues.
Physical attacks on devices. We will discuss why a hammer can be all too effective against alarms in some cases.
Attacks with spoofed SMS. We will discuss situations in which attackers can send spoofed SMS (usually by using vulnerabilities at mobile operators) and how they can use this to attack alarms and smart homes.
"Incoming call attack". This attack looks a bit stupid but is effective. Some devices cannot send an SMS or make a call while another call is in progress. Attackers can use this to disable the alarm for some time.
Students are invited to perform the "incoming call attack" on some devices.
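The "incoming call attack" seen from the firmware side, as an added example that is not part of the workshop description or of any product: a Python model of an alarm's event reporting. The naive dispatcher tries the SMS once and loses the event if the modem is on a call. The resilient dispatcher queues the event, pushes it over an independent data channel right away, flushes the queue when the line is free again, and raises an alert when the line has been held open for longer than expected. The Modem class, its channels, the failure mode and the tick timings are constructed for the example.

```python
"""Model of how a GSM alarm reports an event while its voice channel is busy.

Example code written for this page, not code from the workshop or from any
product. The Modem class, its channels and the tick timings are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Modem:
    in_call: bool = False      # True while an incoming call holds the line
    sms_sent: list = field(default_factory=list)
    data_sent: list = field(default_factory=list)

    def send_sms(self, text: str) -> bool:
        # Constructed failure mode from the workshop text: no SMS while a
        # call is in progress.
        if self.in_call:
            return False
        self.sms_sent.append(text)
        return True

    def push_over_data(self, text: str) -> bool:
        # Constructed: a packet-data (GPRS/IP) channel that does not depend
        # on the voice call.
        self.data_sent.append(text)
        return True


def naive_dispatch(modem: Modem, event: str) -> bool:
    """One attempt, no memory: the event is simply lost while the line is busy."""
    return modem.send_sms(event)


@dataclass
class ResilientDispatcher:
    modem: Modem
    queue: list = field(default_factory=list)
    log: list = field(default_factory=list)
    busy_ticks: int = 0
    busy_alert_after: int = 3   # ticks a held-open line is tolerated before alerting

    def dispatch(self, event: str) -> str:
        if self.modem.send_sms(event):
            return "sms"
        # Line busy: keep the event, and use the independent channel at once
        # rather than waiting for a line the caller controls.
        self.queue.append(event)
        self.modem.push_over_data(event)
        self.log.append(f"SMS deferred, line busy: {event}")
        return "data+queued"

    def tick(self) -> int:
        """Periodic housekeeping: flush the queue when the line is free and
        notice a line that stays busy. Returns the number of SMS flushed."""
        if self.modem.in_call:
            self.busy_ticks += 1
            if self.busy_ticks == self.busy_alert_after:
                self.modem.push_over_data(
                    f"voice line held open for {self.busy_ticks} ticks")
                self.log.append("possible line blocking: alert pushed over data")
            return 0
        self.busy_ticks = 0
        flushed = 0
        while self.queue and self.modem.send_sms(self.queue[0]):
            self.queue.pop(0)
            flushed += 1
        return flushed
```

Which fallback channel exists depends on the device; the point is that an alarm report should never have a single path that an incoming call can block, and that a line held open for longer than a normal call is itself worth reporting to the owner.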
7. Attacks on mobile applications and personal accounts. These services are another method of controlling devices and smartwatches for kids. This part will cover different classical attacks on web and mobile applications as they apply to GSM devices.
Students are invited to perform some attacks in the test environment.
8. Defence part. In this part, the basics of protection for GSM devices will be covered. We will create a list of minimal security requirements for GSM alarms and smart homes.
Students will learn about different GSM devices and their typical targets and victims.
Students will know basic and some advanced attack techniques against GSM devices (GSM alarms, smart homes with a GSM connection, GSM access control systems, smartwatches for kids).
They will try most of the attacks in practice.
After this training, they will be able to write their own security requirements for GSM devices.