Wednesday, April 6, 2016

Testing the CryptoPhone 500 against OUR... DIY IMSI catcher

I got a chance to use and test the GSMK CryptoPhone 500. Rumors have it that this phone costs between 2,000 USD and 5,000 USD depending on make and model/vendor. I am not into prices so much as features and specifications; however, the phone is noted to have the following:

The GSMK CryptoPhone 500 is an Android-based secure mobile phone with 360° mobile device security for secure messaging and voice over IP communication on any network.
By combining GSMK’s renowned end-to-end voice and message encryption with a highly sophisticated approach towards mobile device protection, the CryptoPhone 500 offers a defence-grade mobile phone security solution with true 360° mobile device security:
  • Secure messaging and voice over IP calls on any network, including 2G GSM, 3G UMTS/W-CDMA, and Wireless LAN
  • Hardened Android operating system with granular security management and streamlined, security-optimized components
  • Permission enforcement module controls access to network, data and sensors, keeping you in control of your security policies
  • Baseband firewall protects against over-the-air attacks with constant monitoring of baseband processor activity, baseband attack detection, and automated initiation of countermeasures
  • Two-layer storage encryption system protects data at rest against unauthorized access

(pulled from the product's website)

I really wanted to check the security performance of the CryptoPhone 500, which claims to be able to protect one from IMSI catchers: devices that can listen in on your GSM conversations, do OTA attacks, perform DoS on your phone to kick you off the mobile network, spoof addresses, etc.

So we created a very cheap IMSI catcher (50 USD or less, i.e. without a computer).

The firewall on the phone was up:

I ran the IMSI catcher with some interesting results; here are the screenshots:

The above shows the IMSI caught by our catcher.

The CryptoPhone registering to the IMSI catcher (we only allowed it to see the messages for PoC purposes and to verify the IMSI).


With the phone 'ON' (we had also rebooted the baseband to make sure we shook off any unwanted connection, and tried again):

We managed to capture the CryptoPhone, get a connection to/from it, and received the following (on the baseband firewall prompt):

It alerted us with a medium 'suspicion data' entry saying the BTS (IMSI catcher) had no neighbouring cell available (this is pretty easy to fix... we didn't move to fix it, as we were trying it on a base-level budget [a single OsmocomBB BTS]).
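As an added illustration of the kind of check that sits behind a 'suspicion data' entry like the one above, here is a small rogue-cell indicator scorer. This is example code written for this page, not GSMK's baseband firewall; the field names, indicator weights, level thresholds and the test-PLMN sample observations are all assumptions constructed for the example. It scores a serving-cell snapshot on several indicators a rogue BTS commonly exhibits (no neighbour list, ciphering off or unknown, an unfamiliar LAC, an IMSI rather than TMSI identity request, an abrupt signal jump) and maps the sum onto a low/medium/high scale, so that a cell advertising no neighbours but otherwise looking normal lands on "medium", as in the post.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class CellObservation:
    """One snapshot of the serving cell as the phone sees it (assumed layout)."""
    mcc: str                      # mobile country code
    mnc: str                      # mobile network code
    lac: int                      # location area code
    cell_id: int
    neighbours: List[int]         # neighbour cells the BTS advertises; empty = none
    cipher: Optional[str]         # "A5/1", "A5/3", "A5/0" (no ciphering) or None = unknown
    signal_dbm: int               # received signal strength
    identity_requested: str       # "TMSI" normally; "IMSI" when the network demands the real identity


# Weights and thresholds are assumptions chosen for this example, not GSMK's.
WEIGHTS = {
    "no_neighbours": 2,
    "cipher_off": 3,
    "cipher_unknown": 1,
    "unknown_lac": 1,
    "imsi_requested": 2,
    "signal_jump": 1,
}
SIGNAL_JUMP_DB = 20


def score_cell(obs: CellObservation,
               known_lacs: Set[Tuple[str, str, int]],
               previous: Optional[CellObservation] = None) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one observation.

    Each indicator is something a rogue BTS commonly gets wrong or has to do
    to function; none is proof on its own, which is why they are summed."""
    score = 0
    reasons: List[str] = []

    if not obs.neighbours:
        score += WEIGHTS["no_neighbours"]
        reasons.append("no neighbouring cells advertised")
    if obs.cipher == "A5/0":
        score += WEIGHTS["cipher_off"]
        reasons.append("ciphering disabled (A5/0)")
    elif obs.cipher is None:
        score += WEIGHTS["cipher_unknown"]
        reasons.append("cipher mode unknown")
    if (obs.mcc, obs.mnc, obs.lac) not in known_lacs:
        score += WEIGHTS["unknown_lac"]
        reasons.append("LAC never seen before for this PLMN")
    if obs.identity_requested == "IMSI":
        score += WEIGHTS["imsi_requested"]
        reasons.append("network asked for IMSI instead of TMSI")
    if previous is not None and obs.signal_dbm - previous.signal_dbm >= SIGNAL_JUMP_DB:
        score += WEIGHTS["signal_jump"]
        reasons.append("abrupt signal increase on cell change")
    return score, reasons


def suspicion_level(score: int) -> str:
    """Map the summed score onto a three-level scale (thresholds are assumptions)."""
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


# Constructed sample data on the 001/01 test PLMN: a normal-looking home cell,
# a cell that advertises no neighbours (the post's case), and a cell that
# trips every indicator at once.
KNOWN_LACS = {("001", "01", 1001), ("001", "01", 1002)}   # constructed

HOME_CELL = CellObservation("001", "01", 1001, 40321, [40322, 40323], "A5/1", -85, "TMSI")
LONELY_CELL = CellObservation("001", "01", 1001, 40321, [], "A5/1", -85, "TMSI")
BAD_CELL = CellObservation("001", "01", 9999, 1, [], "A5/0", -55, "IMSI")


def assess(obs: CellObservation,
           previous: Optional[CellObservation] = None) -> Tuple[str, int, List[str]]:
    """Score one observation against the sample network; returns (level, score, reasons)."""
    score, reasons = score_cell(obs, KNOWN_LACS, previous)
    return suspicion_level(score), score, reasons


if __name__ == "__main__":
    for name, cell in (("home", HOME_CELL), ("lonely", LONELY_CELL), ("bad", BAD_CELL)):
        level, score, reasons = assess(cell, HOME_CELL)
        print(f"{name}: {level} (score {score}) {reasons}")
```

The design choice worth noting is that a missing neighbour list alone only reaches "medium": a legitimately isolated rural cell can look the same, so a detector that raised "high" on that indicator by itself would be noisy. Ciphering being switched off carries the largest weight because a real operator network has little reason to do it, and it is the condition under which a call can be recorded in the clear.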

We then moved to attacking the CryptoPhone with simple attacks, such as spoofing the SMS address and sending an SMS to it.

Spoofing a text message.


And more down here (which means we can spam/fuzz :) ).


We then tried to make calls to verify our call integrity, but we were greeted by a stern warning:


We turned encryption back on (we could, however, still record the call) and this is what we received:

Encrypted, huh :)

We managed to record the conversation irrespective of being allowed to make the call under 'secure' infrastructure. We will not disclose how our IMSI catcher is set up; however, we will reach out to CryptoPhone with these findings :)


6 comments:

Toby Valentine said...

Almost the same cryptography codes are used by a lot of VDR systems, and ideals is one of the easiest ways to manage your documents.

UberWaves said...

Would you be interested in testing my Secure Phone? Is there any way to contact you to arrange this? I can assure you that it is not vulnerable to OsmocomBB attacks, rogue BTSs, or even telco equipment (an operator other than the SIM's provider). More info after more personal communication.
Thanks.

nyoike thuo said...

Hi @UberWaves, I would love to test your secure phone; reach out to me at nyoikethuo<@>gmail.com

dast said...

Where can I get the GSMK CryptoPhone 500!?

kate said...

Nice post.
