Tuesday, April 12, 2016

HCK the BRCK (i)

Hailed as the revolution of Africa's connection to the internet the BRCK has been one of the most talked about modem/router , with rugged features to allow secure usage through any kind of physical elements, I moved the advert up a ladder to test its security.

Details about the BRCK
  • Modem
  • Router 
  • Power back up
This are the main/surface details about the BRCK, beyond this it contains an operating system (BusyBox) closed source however.

I managed to get my hands on one of the 1st generation BRCKs from the founder a very jovial, smart lady Juliana Rotich, she gave me a task of 'checking it for bugs' I went a little further, and as off by the end of this four part series on how we dive into working the BRCKs security and development wise.

Wednesday, April 6, 2016

Testing the CryptoPhone 500 against OUR... DIY IMSI catcher

I got a chance to use and test the GSMK Cryptophone 500 , with this phone , rumors have it to cost in between 2000USD to 5000USD depending on make and model/vendor , I am not into prices so much as features and specifications, however the phone is noted to have the following:

The GSMK CryptoPhone 500 is an Android-based secure mobile phone with 360° mobile device security for secure messaging and voice over IP communication on any network.
Cp500 72dpi
By combining GSMK’s renowned end-to-end voice and message encryption with a highly sophisticated approach towards mobile device protection, the CryptoPhone 500 offers a defence-grade mobile phone security solution with true 360° mobile device security:
  • Secure messaging and voice over IP calls on any network, including 2G GSM, 3G UMTS/W-CDMA, and Wireless LAN
  • Hardened Android operating system with granular security management and streamlined, security-optimized components
  • Permission enforcement module controls access to network, data and sensors, keeping you in control of your security policies
  • Baseband firewall protects against over-the-air attacks with constant monitoring of baseband processor activity, baseband attack detection, and automated initiation of countermeasures
  • Two-layer storage encryption system protects data at rest against unauthorized access

(pulled from the products website)

I really wanted to check the performance of security offered by the cryptophone 500 that claims to be able to protect one from IMSI catchers which can listen into your GSM conversations/do OTA attacks / perform DOS on your phone to kick you off the mobile network / spoof address e.t.c

So we created a very cheap IMSI catcher (50 USD or less i.e without a computer)

The firewall on the phone was up:

I ran the IMSI catcher with some interesting results, here are the screenshots:

the above shows the IMSI caught by our catcher

the cryptophone registering to the IMSI catcher (we only allowed it to see the messages for POC purposes+verify IMSI)

With the phone 'ON' (we also had rebooted the baseband to check we shake of any unwanted connection and try again)

We managed to capture the CryptoPhone and get a connection to/from it and received the following (on the baseband firewall prompt):

Where it alerted us of a medium 'suspicion data' entry saying the BTS (IMSI catcher) had no neighbouring cell available (this is pretty easy to fix... we dint move to fix it as we were trying it on a base level budget [single osmocombb BTS])

We then moved to attacking the CryptoPhone by simple attacks such as spoofing the SMS address and sending an SMS to it

spoofing a text message

and more down here (means we can spam/fuzz :)   )

We then tried to make calls to verify our call integrity , but however we were greeted by a stern warning:

We turned on back encryption (we could still however record the call) and this is what we received:

encrypted huh :)

We managed to record the conversation irrespective of been allowed to make the call under 'secure' infrastructure, we will not disclose how our IMSI catcher is setup, however we will reach out to CryptoPhone for this findings, :)

Using Typhon OS and an OsmocomBB phone to create a RogueBTS (Rogue GSM Base Station) IMSI catcher


OsmocomBB compatible phone (Motorola c113/115/118/123)
CP2102 cable (can be found here)
TyphonOS (read this is you havent, or directly head to downloading)


Boot up the OS(live or install)

All the softwares referenced here are already installed.

To run an OsmocomBB application on the phone, you must first find out what interface your CP2102 cable is connected to. Run this command:
dmesg | grep tty

If you want to run it on ttyUSB0 (and I propose that you do) remove all USB devices and plug the CP2102 cable in first. The CP2102 cable will automatically move to /dev/ttyUSB0. To run it on other interfaces, modify the firmware upload string appropriately.

You can now upload firmware on the phone and observe output.
 From the /rf/osmocom-bb/src/host/osmocon/ directory, run:

sudo ./osmocon -d tr -p /dev/ttyUSB0 -m c123xor –c ../../target/firmware/board/compal_e88/rssi.highram.bin

Then, with the phone powered off, press the power button once briefly and wait for the firmware to load onto the phone.
As it loads, the screen output should look like this:

RSSI stands for Received Strength Signal Indicator and is can be used to identify the strongest ARFCN in the area. This is important as the BTS needs to sync with the strongest legitimate BTS in order to receive configuration information.

Once done exploring the RSSI app, there are plenty more applications that you can run which are beyond the scope of this document. However, feel free to explore them to further your understanding on the OsmocomBB platform.


After installing everything, we can now run the full system.
Plug in the calypso phone with the CP2102 cable, and ensure that it is on ttyUSB0 before proceeding. Note: Charge the phone to its fullest as the power cable interferes with transmission.
From the /rf/osmocom-bb/src/host/osmocon/ directory run the trx application with the following code (on one line):

sudo ./osmocon -p /dev/ttyUSB0 -m c123xor -c ../../target/firmware/board/compal_e88/trx.highram.bin ../../target/firmware/board/compal_e88/chainload.compalram.bin

Then press the power button on the phone briefly to load the application.

From the /rf/public/smqueue/trunk/smqueue directory run the smqueue application with the following code:

sudo ./smqueue

From the /rf/public/subscriberRegistry/trunk directory, run the sipauthserve application with the following code:

sudo ./sipauthserve

Finally, from the /rf/public/openbts/trunk/apps directory, run the OpenBTS application with the following code:

sudo ./OpenBTS

After a few seconds, the OpenBTS terminal (top right) will look like this indicating that syncing has taken place and it is transmitting:

Figure 15 - Running TRX, smqueue, sipauthserve and OpenBTS

If you had set your MCC and MNC to that of a legitimate network operator, the 2G phones in the area will begin connecting to your fake base station. If you left it as the default then you will see a name either “Test” or “Range” or "Safaricom [this is not legal by the way assuming you spoofed the name too]" when perform a manual search on your phone.

The above setup creates a fakeBTS (IMSI catcher) and works as a spoofed Mobile Network.
On the next setup we will work on how to send SMSs and even spoof some messages alphanumeric address and all.


:) No longer posting, all articles should be treated as archived and outdated