DO-IT-YOURSELF CELLULAR IDS

Black Hat USA 2013

Presented by: Sherri Davidoff, Scott Fretheim, David Harrison
Date: Thursday August 01, 2013
Time: 10:15 - 12:45
Location: Florentine

For less than $500, you can build your own cellular intrusion detection system to detect malicious activity through your own local femtocell. Our team will show how we leveraged root access on a femtocell, reverse engineered the activation process, and turned it into a proof-of-concept cellular network intrusion monitoring system.

We leveraged commercial Home Node-Bs ("femtocells") to create a 3G cellular network sniffer without needing to reimplement the UMTS or CDMA2000 protocol stacks. Inside a Faraday cage, we connected smartphones to modified femtocells running Linux distributions and redirected traffic to a Snort instance. Then we captured traffic from infected phones and showed how Snort was able to detect and alert upon malicious traffic. We also wrote our own CDMA protocol dissector in order to better analyze CDMA traffic.

Sherri Davidoff

Sherri Davidoff has more than a decade of experience as an information security professional, specializing in penetration testing, forensics, social engineering testing and web application assessments. Sherri is the co-author of the Prentice Hall textbook, “Network Forensics: Tracking Hackers Through Cyberspace.” She is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from MIT.

David Harrison

David Harrison specializes in digital and mobile device forensics as well as information security research at LMG Security. He is a principal author of the DEFCON 2012 Network Forensics Contest. David holds a A.S. in Computer Science from FVCC and is pursuing a B.S. in Software Design from Western Governor's University.

Scott Fretheim

Scott Fretheim is an experienced web application penetration tester and risk assessment consultant. He advises clients regarding risk management and risk analysis, and enjoys conducting security training seminars. Scott is a primary author of several network forensics contests, including the "L33t Pill" series which was first released at DEFCON 2011. Scott is a GIAC Certified Web Application Penetration Tester (GWAPT) and holds his B.S. in Management of Information Systems.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats