Alexander Kolchanov: How to find and hack various GSM devices, from children's watches to industrial controllers


How to find and hack various GSM-devices: from children's watches to industrial controllers
Aleksandr Kolchanov
About me
● Independent researcher
● GSM-devices fanboy
● Telecom fanboy
● I will mix it today


Plan for this talk
● Types of devices
● Reasons to hack
● Hacking methods
● Easy to hack, hard to find
● Several examples


Types of devices

GSM-alarms
● Uses detectors
● Makes the call when someone opens a door or window
● Uses a small microphone
● Can be configured remotely

GSM-electric sockets
● Uses SMS or calls to switch on/off
● Can be configured remotely

GSM-smarthome controllers
● Can control different devices
● Uses SMS, calls or apps to be managed
● Can be configured remotely

Kaspersky Industrial Cybersecurity Conference 2019


Types of devices

Industrial controllers
● Are close to a home controller, but have more features
● Different control methods

Access control systems
● Uses SMS or calls to open or close a door or gate
● Can be configured remotely

GSM-trackers
● Collects information about location, etc.
● Some models can be configured remotely

Smartwatches for kids
● Like a mobile phone, but with additional control
● Can use a microphone
● Can be configured remotely


Reasons to hack
● Direct attack (silently open door)
● Using microphones to overhear someone
● Destroy property (explosions)
● Terrorism
● Political events
● Financial attacks
● Botnets for spam
● Reverse attack on accounts
● Penetration in a system
● Some funny ideas
Big problem: thousands of devices have dozens of points of failure


[Diagram: physical environment (building): detectors, controller, modem, connected devices, keys, keypads, magnets; the scary outside world]
They can die (or be hacked) somewhere here...
… or there...
[Diagram: modem of alarm, base station, mobile network, dozens of services of the mobile operator, mobile operator's employees, online configuration tools, security companies, user's device; "magic" in between]
Attack on environment
● Break the wall
● Break the window or door without opening
● Smash the main unit quickly
● Bypass detectors (magnets, Faraday cage)
● Jamming


Attack on connection
● Jamming the connection between modem and base station
● Attacks on mobile networks
● Spend all money in the account or change tariff
● Block SIM-card
● Flood with calls


Attacks on device
● Caller ID check
● SMS sender check
● Bruteforce
● Default passwords, stolen passwords
● Lack of authorization
● Online configurators
● Hidden commands and passwords
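The first five bullets above (caller-ID check, SMS sender check, bruteforce, default passwords, lack of authorization) describe one root cause: the device treats an unauthenticated field or a guessable PIN as proof of authority. The following Python model, an added illustration that is not code from the talk or from any real device, shows the weak pattern next to a hardened SMS command handler: a per-device secret, an HMAC over a counter and the command (so a spoofed sender field or a guessed PIN is not enough), a monotonically increasing counter against replay, and a lockout against brute force. Phone numbers, the secret and the command set are constructed for the example.

```python
"""Constructed example: SMS command authorization on a GSM device.

Two handlers for the same command set:
  * WeakDevice     - the pattern criticised on the slide: trusts the SMS
                     sender field and falls back to a default PIN.
  * HardenedDevice - per-device secret, HMAC over (counter, command),
                     strictly increasing counter, failed-attempt lockout.
Every number, secret and command name below is constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass

COMMANDS = {"open", "close", "status"}


@dataclass
class Sms:
    sender: str  # caller-ID / sender field: attacker-controlled, not authenticated
    body: str


class WeakDevice:
    """Authorizes by sender number only, or by a PIN that ships as 1234."""
    DEFAULT_PIN = "1234"

    def __init__(self, owner_number: str, pin: str = DEFAULT_PIN):
        self.owner_number = owner_number
        self.pin = pin

    def handle(self, sms: Sms) -> str:
        parts = sms.body.split()
        # Form 1: a bare command from the "owner" number (sender field is trusted)
        if sms.sender == self.owner_number and parts and parts[0] in COMMANDS:
            return f"OK {parts[0]}"
        # Form 2: "<PIN> <command>" from any number (PIN is often never changed)
        if len(parts) == 2 and parts[0] == self.pin and parts[1] in COMMANDS:
            return f"OK {parts[1]}"
        return "DENIED"


def compose(secret: bytes, counter: int, command: str) -> str:
    """What the owner's phone/app sends: '<counter> <command> <tag>'."""
    return f"{counter} {command} {HardenedDevice.tag(secret, counter, command)}"


class HardenedDevice:
    """Ignores the sender field; authenticates each command with a keyed MAC."""
    MAX_FAILURES = 5

    def __init__(self, secret: bytes):
        self.secret = secret          # provisioned per device, never a default
        self.last_counter = 0         # highest counter accepted so far
        self.failures = 0             # consecutive failed attempts

    @staticmethod
    def tag(secret: bytes, counter: int, command: str) -> str:
        msg = f"{counter}:{command}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]

    def _fail(self) -> str:
        self.failures += 1
        return "LOCKED" if self.failures >= self.MAX_FAILURES else "DENIED"

    def handle(self, sms: Sms) -> str:
        if self.failures >= self.MAX_FAILURES:
            return "LOCKED"           # brute force: stop answering at all
        parts = sms.body.split()
        if len(parts) != 3 or not parts[0].isdigit() or parts[1] not in COMMANDS:
            return self._fail()
        counter, command, tag = int(parts[0]), parts[1], parts[2]
        expected = self.tag(self.secret, counter, command)
        if not hmac.compare_digest(expected, tag):
            return self._fail()       # spoofed sender or guessed PIN gets here
        if counter <= self.last_counter:
            return self._fail()       # replay of an earlier valid SMS
        self.last_counter = counter
        self.failures = 0
        return f"OK {command}"


if __name__ == "__main__":
    weak = WeakDevice("+70000000001")
    print(weak.handle(Sms("+70000000001", "open")))      # sender field alone is enough
    print(weak.handle(Sms("+79990000000", "1234 open")))  # default PIN from any number
    hard = HardenedDevice(b"constructed-secret")
    msg = compose(b"constructed-secret", 1, "open")
    print(hard.handle(Sms("+79990000000", msg)))          # OK open
    print(hard.handle(Sms("+79990000000", msg)))          # DENIED (replay)
```

The sender number is deliberately not consulted in `HardenedDevice`: it can still be logged for alerting, but the decision rests on the MAC, the counter and the lockout, which are the three properties the weak pattern lacks.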


Attack on other systems
● Insecure security agency
● Old protocols
● Attacks on family/employees
● Phishing
● Spoofed reverse call from device
● Reverse-attacks on mobile operator


Home devices
● Thousands (or millions) of devices
● Easy to research
● Easy to hack
● A bit hard to find
● Can be used to steal private information

Industrial devices
● Are not so widespread as home devices
● Not so easy, not so hard to hack
● Harder to hack
● Hard to find
● Can be more profitable

Targets

Individual person
● Target is an individual person
● Several facts are usually available
● Devices are common
● Several people can manage the device

Individual company
● Target is a company or a part of a company
● Can be very hard to find device phones and control phones
● May use uncommon and expensive devices

Unspecified (massive attack)
● Find as many as possible
● Hack all devices
● Expenses/profit balance
● Automatization and “big data”


Big problem for hackers: it is easy* to hack devices, but how to find targets?


IP-addresses
● We can have 4 294 967 296 IPv4 addresses at all
● We can scan fast
● We can do it cheap
● We have actual databases

VS

Phone numbers
● We can have more than 999 999 999 numbers only in Russia
● No public database
● Scanning is expensive
● Scanning is slow
Mass “Scanning”
1) Making calls to all phone numbers (yes, it sounds terrible)
2) Record answers
3) Try to get some information from answers
4) …
5) Hack and get profit (or go broke)

Results:
● More than a million roubles spent
● Collected information about thousands of active* devices
● Maybe some organisations will try to understand what is happening
● Money burned in small regions
Idea: use different methods to get information about phone numbers of devices and reduce the time for an attack


Groups of phone numbers

Confirmed
● Used for the required type of device
● Ready to be hacked, yeah

Unconfirmed
● Can be used for a device
● Can be used for anything
● ...

Removed
● Used in mobile phones
● Used in IVR systems
● Abandoned
● Are not sold


Numbers recycling problem
● Mobile operators deactivate numbers abandoned for 2-3-6 months
● We can’t blindly believe old information: the owner can have changed


Select new number service
● Get information about definitely unused numbers
● Remove previous information


Mobile operators API answers
● Mobile operators' systems can have a special API, which can be used to check if a number is in use or not
● Errors, different answers
● Unused numbers can be removed from the list


Companies databases and anti-spam databases
● Several apps (like 2GIS on the right) allow getting information about phone numbers
● Attackers can download these databases and remove companies' phone numbers from the list
● Also, an anti-spam database can contain information about numbers that may be released soon


Spam databases
● Spam databases contain information about thousands of active phone numbers
● Attackers can buy/steal/get these databases and remove all active numbers from the list


Leaked databases
● Sometimes it is possible to get a database with information about millions of users
● Attackers can try to select active numbers and remove these numbers from the list


Unauthorized access to mobile operators databases
According to information from several public sources, it is possible to pay a small bribe and get access to info from a mobile operator's database:
● It is possible to get info about subscribers' phone numbers
● Information about regular calls can be used to find the device and the phone numbers of the family


GetContact and similar apps
● Several applications can show a phone number with the related name from a contact list
● Attackers can try to select active numbers and remove these numbers from their database
● Also, it can be interesting to find phones with names like “Alarm”, “Home”, “Car”, “Datcha”, etc.


[Slide: screenshot of a useful app to control devices, showing phone numbers and passwords]

Direct search
Usually, we know something: address, names, phone numbers
● Bribes are still useful (it is not a suggestion)
● Antennas
● Fake base stations
● Social engineering
● Phishing
● Insecure security agency


Security companies
● Promotion is important
● Vendors can show information about clients
● Security agencies can show examples of projects
● Some companies show a full list of clients


Conclusion
● It is not so hard to find devices
● Several models are totally insecure
● Industrial devices are not widespread, but you can find some
● The security level of mobile operators is questionable

Thank you,
Aleksandr Kolchanov, [email protected]