
Crypto and Privacy Village - Hacking like Paris Hilton 14 years later - and still winning!


Formal Metadata

Title
Crypto and Privacy Village - Hacking like Paris Hilton 14 years later - and still winning!
Title of Series
Number of Parts
374
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
Simswap attacks have increased in recent years, with several high-profile cases in the media showing very fast & effective ways of duping people or getting access to valuable accounts. All the way back in 2006 Paris Hilton got accused of hacking into the voicemail of Lindsay Lohan, while similar scandals have been observed since then in other countries as well. Asking around in my home country of Norway, neither simswap attacks nor voicemail hacking seemed to be known among most infosec people, or at least not part of anyone's risk analysis. So I decided to take a closer look. The results were shocking at many levels, from technical levels to political decisions & apathy. Several million customers of 3 different carriers in 3 countries were exposed to potential voicemail hacking for up to 13 years. A fake business card was enough to do a simswap & hijack the number of a famous female blogger, while credential stuffing against a mobile carrier allowed for account hijacking of women who used SMS 2FA with their accounts at various services. This talk will explain what I found, what I did, and how it changed carriers, government agencies, politics & law.
Transcript: English(auto-generated)
Hi, my name is Peter Wilson, and I am the founder of passwords.com. I'm really happy to be speaking once again at the Crypto and Privacy Village, here this time at the DEF CON Safe Mode 2020 edition. My talk is entitled Hacking like Paris Hilton 14 years later - and still winning.
And this is, you know, a talk that has been in the making for quite a few years by me now, so I'm really, really happy to sort of tell the entire story on this one. First, a very quick introduction of myself.
Here you have a tweet a couple of years ago when I said that I do have a certain interest in passwords and call my colleague at Microsoft Research. He responds back saying that confirm I have a healthy curiosity while talk some is pathologically obsessed with passwords and well digital authentication. So that's basically me in a nutshell.
Now I do say this because, uh, for this talk, it's important for me to provide a bit of background and context to the stuff that I'm going to talk about. I'm going to talk about essentially two topics, hijacking of mobile phones in different ways, and also voicemail hacking, getting access to your or somebody else's voicemail,
uh, with the provider in question that you are using. And why am I talking about this? Well, my interest is in passwords and digital authentication. And in some cases we have stuff like two-factor authentication, which is, you know, everybody
is talking about now you should be using two-factor authentication. I agree, but in a lot of cases, people are using their mobile phones to do exactly this. In fact, uh, you know, you are using two-factor authentication using text messages, maybe email, which more and more people are probably using on their phones or iPads anyway, uh, that
can be also voice-based, uh, SMS two-factor authentication. Uh, you have in-app push messages, you have TOTP authenticator apps. Google Authenticator is probably the most common one. And of course, maybe you're using WebAuthn as well, either through a hardware key,
or maybe you have it integrated in your operating system like Android has today. And, um, if I want to hack into your account somewhere and you are using two-factor authentication, well, it doesn't actually block me from hacking your account.
It makes it more difficult, but the only thing that is certain in life are death and taxes and everything else can be hacked and probably will be sooner or later. So mobile hijacking, something that came up to me many, many years ago when we saw sort
of like, um, two-factor authentication by SMS coming in as a thing that some were using. And I got curious, well, you know, how can I bypass this? How can I hack it? And so on. So seven years ago, actually the, uh, Norwegian government agency for financial supervision
and regulation. They issued their annual report about, you know, the financial market in, in Norway with lots of interesting information to some nerds, including, um, losses due to like skimming,
physical card skimming, and also online banking attacks as an example. And they said, and this is 2013, they did say that they were expecting a rapid increase in mobile hacking. And they said that they were cautious and they were concerned about the fact that people
were starting to have their entire, um, digital life, including banks, including, you know, uh, passport information, you know, your money, uh, and your digital life on your phone and you would be carrying your phone with you all the time.
And it was, you know, I, I'm sort of willing to say that, you know, they were basically ahead of the time, at least for Norway, where I live, uh, because did we see any, you know, sudden increase in mobile hacking in 2013? Not really. And it also depends on what kind of mobile hacking I was talking about.
Now here's a typical example that you have probably seen. Now the message here is a text message received in Norwegian. Uh, and, and the, the, the simple translation is, you know, we could not invoice your membership for this month, try again, or update your payment details in order to continue watching
Netflix. And there's a totally legit link down below that you're supposed to click. Now I was actually sitting on my couch in my living room and watching Netflix with a woman next to me, uh, on a Saturday evening. And, you know, we had turned down the light, but I had turned down the lights and we had
some, we had some tips and we had some food and we, you know, enjoying a good movie. And then suddenly it says ping in her phone and politely, of course I stopped Netflix and I look away and she's typing and she's typing and she's typing even more on her phone. And I'm, well, I'm sort of getting curious about, you know, what happened now. And then she suddenly asks me, is it common that Netflix asks for your social
security number? And that's the moment when I turn on the lights and turn off the TV and said, Hey, love's got to wait. We do have a security problem at hand. Give me your phone. And I got it. And this is, this is the text message that I saw on screen.
And I said, well, you have probably already given away your username and your password. So now we have to change that for Netflix. Simple scam. A lot of people, lots of people fall victim to this one, but is it the big thing? Well, monetary wise, I don't know.
Uh, is it a threat to society? No, not really, but we have also had other and more, should I say interesting cases in here in Norway, as an example, we had a minister in the government who actually went on a holiday trip to Iran with his new Iranian girlfriend.
And when you are a minister, you know, you should be sort of careful of that, at least in the current political climate. And he did travel and he did not tell the secret police. He didn't tell any intelligence services or lifeguards. He didn't tell the prime minister, anyone else.
He just went for it. And that's a big no-no. And when they came back, one of the statements that he issued was pretty amazing. He said that, you know, he had been, you know, traveling before he knew his stuff when it comes to security. So he said that his phone was secure because most of the time it was turned off and was
just left in the hotel room in Iran. Now this, and a lot more about, you know, this person and in this case led to the simple fact he was forced to resign from his position.
Now for mobile hijacking, I will be talking about port out attacks, which I have chosen to call them and to differentiate that a little bit from SIM swap attacks. And I will also talk about spoofing the sort of the thing of, you know, what can you do when you are trying to pretend to be somebody else, or if you actually succeed
in becoming somebody else, uh, there are sorts of traditional fraud involved in, in mobile hijacking as something as simple as having an insider issuing a SIM card for you in the wrong name and so on. I will not be talking about that. Port-out attacks are the simple process of transferring a phone number to another operator.
That is one of the things you can do in Norway. You don't have to change your number. You can transfer freely to any operator you want to. And when I started, started working for my current employer three years ago, I came to the, to, you know, for the, for my first workday on, on August 1st.
And I have been a customer of one telecom provider Telenor since basically the dawn of time more or less. And my employer said, you know, just give, give us your name and your phone number. And, you know, we'll take care of porting it to the new provider that we are using
where we will be paying for your phone subscription period. And I was like, you just need my name and your, my phone number. Yeah, that's it. So I said, well, if it's, and my phone number is dah, dah, dah, dah, dah. And by the way, phone numbers are by default publicly available to anyone in Norway, unless
you specifically say, I do not want my number listed or eventually also I want a secret phone number. There's a difference there. And they, my employer just sent an email to their telco saying that we want to transfer
the subscription for Peir's phone, current phone. This is the name. This is the phone number. And we want to port that out and over to your service. And we want it done as soon as possible by email. And I got handed a new SIM card in an envelope at work.
And then I was told that, and this was on a Tuesday and I was told that the port out will happen on a Friday at midday, noon. Uh, the porting actually happened on Thursday, 24 hours before it was supposed to happen. It happened at 12 o'clock.
So suddenly my phone stopped working and I had to take out the current SIM card and insert a new card from the new provider I had been given at work. And this means that there was a time window of approximately 48 hours, maybe even less where I would have to sort of detect that something is wrong, understand what is actually happening
right now, and then act before it would be too late. And not only that, but I've also been told without being told the exact, um, timeframes. I have been told that you can ask these telecom operators as well to do a very quick
port of your number. And then it will probably happen in a few hours. And not only, you know, was this process going faster than expected, it happened in 48 hours or less, but for me to be able to understand, you know, if, if somebody
initiated that without asking or telling me at all, these are the two text messages that I would have to understand and react upon before it was too late. The first text message came from my current provider, which was Telenor in Norwegian says,
you know, thank you for being a customer with us. It's sorry to see you go. And here's a questionnaire with an HTTP link unencrypted link, where they just want to ask me a single question about, you know, why did I leave or would I like to come back again? And from my new phone provider selected by my employer, I also got a text message.
Interesting fact, number one, the sender number is an invalid phone number. It's not possible to respond back to the number four seven zero five zero five zero. As you can see on the slide. And it says, welcome to Telia, which is the name of the operator. Uh, and your phone number is now transferred to us.
Have a nice day. Best regards Telia. That's it. And I'm just imagining my own mother receiving these two text messages. And I am very certain that she would not really understand what's happening here. And I'm not sure if she would actually call either of these two operators in time
to understand what just happened. And one of the things that I did as part of this, because I've been working for several years, looking into, you know, the, this issue of sort of like being able to hijack somebody's phone number in, in, through social engineering and so on,
do it to do it online in the store and, and so forth. And I talked to the largest financial newspaper in Norway, Dagens Næringsliv, about this when I was sort of ready and said, I have some theories, I have some facts, but I need to be careful not to step over, you know,
the red line on what is legal and what is illegal to do, but you are a newspaper. So you can sort of defend doing things that might be considered shady because you are sort of working for the public and you should look into this. So they did. And they actually made an agreement with one of the most famous bloggers
that we have in, in Norway, Sophie Elise. And they asked her, would it be okay for us to try to sort of hijack your phone number? And she agreed to that. And the newspaper actually has a video online that you can watch for free. It's like three minutes long, where a female reporter from the newspaper that looks nothing like this
blogger. She goes out on the street to a couple of sales people from a phone company and she hands over a business card that is fake. Obviously she printed it on her own printer and she says, I'm Sophie Elise and I would like to port my number over to you.
And with the fake business card only, they accept that as a valid ID and it initiates the process and the newspaper and of course, Sophie Elise, they were shocked that, is it that easy? You know, you can a fake business card really.
This was scary and was scary to me, was scary to newspaper. It was scary, scaring to, to very scary to, to everyone to be precise. Now for SIM swap, I know that SIM swap is the standard term to use, especially in the US on these things. And I wanted to make a difference between what I call mobile hijacking and,
and SIM swap attacks or port-out and SIM swap attacks here. SIM swap to me is the same as in the US: you, uh, will get new SIM cards for a specific subscription for a specific phone number. Uh, I don't know if you can do this in the US, I don't know if you can do this in Sweden or Denmark for that matter, but at least in Norway,
as part of your current service with your phone company, you can get the new SIM card and you don't need any sort of valid reason. You can just say, I want a new SIM card and you will get one. You can also get the twin SIM card so you can have two phones that are essentially the same. So if somebody calls you,
it will ring in both phones and you can also get a data SIM card that of, you know, given the name, you can not use it for making or accepting phone calls in or out, but you can use it for data traffic only. And you can get a specific data SIM card for your existing, uh,
service subscription with all the operators to the best of my knowledge. And the same thing applies here. Fake ID, um, will probably get you one of the SIM cards that will also, um, given the circumstances, you will also be able to do sort of full or at least limited sort of
surveillance of whatever victim you are targeting. So it became very obvious to us that we have a problem with identifying people. And we also have a problem in a business to business relationship and in general, uh, with authorization,
if you are not ordering or changing a phone subscription, uh, for yourself, but for somebody else, how do we identify and how do we find out whether you're authorized to make those changes on behalf of another person? Obviously there was a problem with this.
One of the revelations made by the newspaper, Dagens Næringsliv, was that the telecom operator Telia, which is, uh, working out of many different countries. It's, uh, its home base is in Sweden. Um, they found out that in Sweden, the government requires Telia to ask for
proper ID when you are setting up, terminating or changing or moving a phone subscription, uh, like passport or something, uh, digital ID, which is government approved. Now Telia also operates in Norway, and we also have digital identities in Norway called BankID.
And in Sweden they are using BankID to identify their customers. So it was a pretty easy question. Are you using BankID or something similar in Norway as well? And Telia, they responded, no, we don't do that. And when the question came up, why don't you do that?
The answer to the question was saying that we do as we are required to do by the government in Norway. And the answer to that again is the government in Norway didn't require the telephone operators to ask for, you know,
any kind of solid ID being it on paper, like passport or driver's license or a digital version of a digital ID. Again, a big surprise. So I looked to the Federal Trade Commission in the US, uh, more specifically to Lorrie Cranor, who is, uh, um,
normally a professor at Carnegie Mellon University. And she wrote several articles on the Federal Trade Commission website, one where she talks about how she got her phone hijacked through a SIM swap attack. It's an interesting article. It's definitely worth reading. And one of the things she did was to ask all the major mobile carriers in
the U S what consumers could do to protect themselves from a mobile account takeover. One of the most important steps you can take is to establish a password, a pin that is required before making changes to your mobile account. Each of the carriers offers this feature to the customers in a slightly
different way. And this was sort of good. I mean, social engineering, uh, pin guessing and so on, can probably still get past this, but at least it's one more speed bump for the bad actors to try to hijack your number and do a SIM swap attack. But interestingly,
none of the providers in Norway had any feature like this at all in place. And to the best of my knowledge, they are still working on figuring out how to do this in Norway. So as a result of this, or one of the many results out of this process, which, you know, culminated in the, in the spring of 2019,
that means last year, is our minister of digitalization at the time, Nikolai Astrup, he instructed the Norwegian Communications Authority, Nkom, to implement security functions in order to prevent mobile hijacking in cooperation with the telecom sector.
That is a pretty serious move to do when you instruct them to work on this immediately. And not only that, but also on September 20th, 2019, the government also released a hearing named
actions to prevent mobile hijacking as a direct consequence of the stories made by Dagens Næringsliv and by me earlier in the spring, this came out and there was a hearing process until December, 2019, where, you know, everybody,
government organizations and private people could then give their input on the proposal for changes to the existing law. Now this hasn't passed into law yet, but we are sort of waiting for the results from the hearings to see what's going to happen next.
And also while working with this on my own and together with Dagens Næringsliv, I was not aware that a news website for the IT and security industry in Denmark were also looking into the same thing more or less in, in, in, in Denmark with different providers, simply social engineering into stores,
selling SIM cards, making replacement SIM cards and so on. And they succeeded many, many times. And, you know, they posted this article among many others saying that after multiple failures, telcos are actually considering to completely stop handing
out SIM cards in physical stores. Now Norway is next to Sweden, next to Denmark and next to Finland. They are neighbors. And we are very much alike in society and law and language and so on. But one of the things that has been fascinating to me is to see the
different reactions from the telcos, from newspapers, from, you know, normal people like you and me on the streets and from politicians on how they have reacted to these stories in the media, because stopping completely to hand out SIM cards in
physical stores hasn't even been mentioned by anyone in Norway or in Sweden at all, but it is pretty much the same operators working in these three countries. So it's kind of like, are you people not even talking to each other internally in the same company or
what is happening here? So to sort of more better and better exemplify the problem of spoofing, I say, what if I could be you as a bad actor? Now this is crypto privacy village. You know,
we have had lots of talks on this. You are most probably watching at EFF closely. You are watching what is happening in your country right now in terms of privacy. It doesn't look good quite a few places all over the world. Now in Norway, we do consider ourselves, you know,
a very safe solid democratic country with a government that, you know, well, we trust our government believe it or not, but still there are cases where things are happening. Now, this one is an article or series of articles that were released in the
fall of 2019 chasing max. And, uh, this is about a guy that has been caught by the police and he is charged for hacking the accounts of approximately 50 different random women around the country,
extracting pictures, videos, contact details, harvesting usernames and passwords, gaining access to Instagram, Facebook, and so on 50 women randomly all over Norway. And the newspaper told us a story about Nina.
Nina was smart. Nina was using two factor authentication, SMS based two factor authentication for her phone accounts for Facebook, for Google, for Apple, and so on. And she woke up one morning with a picture like this,
where she had received authorization codes from different services like Microsoft, like Google, like Apple in order to do a password reset. And she had lost access to a lot of her accounts and she really couldn't understand how did this happen because I was using two factor
authentication. And lots of people say that, well, if you have two factor authentication, you're secure, right? Wrong. What they actually found out in this particular case is that Nina was using, uh, um, Telia,
one of the telecom providers in Norway, and they had a service called SMS copy. You could log on to their webpage, like, you know, my page and you could configure the SMS copy service, which is essentially a message service. So that if you receive a text message to your phone,
Telia will also silently forward that text message either to another phone number or send it to an email address. And what could possibly go wrong with this? And in order to get access to the,
my page at Telia, you needed a username and a password, and they did not offer any kind of two factor authentication at all. So what this bad guy did, who is now being prosecuted by the police, he went to that page and tried to log in, uh,
with a lot of different usernames and passwords. And as we know, people are reusing passwords. And I suspect that he got in through credential stuffing or online password spraying. And by getting in there, he could configure the SMS copy service. He could order a password reset from different services.
And although Nina received the messages, she received them in the middle of the night when she was sleeping and he was up and he received the same messages. And by that, he gained access to all the accounts of these women. And that I think serves as a really
hard and scary example of what the possible consequences can be. If you don't have secured your entire chain with two-factor authentication or something else, two-factor authentication can be bypassed in so
many different settings and scenarios. Now this was about hijacking your phone number and receiving your text messages and so on. But I've also been looking into voicemail hacking and this goes back again to the title of, of Paris Hilton,
because all the way back in 20, uh, 2006, sorry. Um, there was a lot of articles around the world saying that, you know, um, um, uh, uh, Paris Hilton and Lindsay Lohan had got into a sort of a disagreement and they were trying to hack each other's, uh, phone numbers, uh,
spread them online and also gain access to each other's voicemail boxes. And the story is to the best of my knowledge is that Paris Hilton gained access to the voicemail box of Lindsay Lohan. And in even mainstream Norwegian media, this was mentioned on August 27, 2006.
And not only did they mention this happening, they also actually mentioned the specific service that Paris Hilton had been using to do this. Now, you know, if you Google voicemail hacking, you will find interesting results. One of them is a talk that has been presented at Def Con before that also
includes a tool that you can use for some services with voicemail, where you can try to basically brute force the pin code to get into the voicemail boxes. Some voicemail boxes will have a four digit pin, three digits, five, six digits that are randomly selected and provided by the telco to the
user. Other users, uh, sorry. Other telecom providers may allow you to select your own pin. One of the things we know from pin code research is that as soon as you allow users to select their own pin code, those pin codes are not going to be any good at all in pretty much all
cases. And there was also, uh, back in, um, 10 years ago, there was also a large scandal with News of the World, uh, in the UK where the British Royal family got their phones and their voicemail hacked by reporters that were able to extract messages that were,
you know, most definitely not meant for the public to listen into. This was a big scandal. And also in this case, and the suspicion was targeted against the same service as Paris Hilton had been using several years earlier.
Now this is probably a picture that you have seen before. In order to do a password reset at Microsoft, you have several different options. You can have an email sent to you with a link that you need to click to gain access, or you can also ask to use an authentication app, if you have a TOTP app installed,
and you can also have an SMS sent to you. So there, you know, with SMS, you already see one problem with the SMS copy service, but there are also services where, you know, to do a password reset and so on, you can also ask the service provider to give you a robot call and
to read the PIN code for you out loud. So one of the things I was curious about is, hmm, can I initiate a password reset for someone online and ask that service to make a phone call and just, well, go directly to voicemail and enter that
PIN code into the voicemail box, so I can get access afterwards, listen to the code and use it to get access to an account? Interesting experiment. So, you know, let's hack. And what I did, I used the same service as Paris Hilton from 2006, which is called SpoofCard.
They are still operational today and they are still doing their fancy little tricks today. But of course they do say that this service is to protect your privacy and you should of course not use this for any kind of illegal purposes. So I did, and the case number one was Telenor, the biggest telco in Norway.
I managed to get access to people's voicemail. Of course, I did this under responsible disclosure. And I also talked to my potential victims, friends, family, coworkers and others, and asked them, can I try this? And if you want to listen in, you can do that.
I showed them how I could very easily use SpoofCard to get access to their voicemail, listen to the messages, delete them and also change the welcoming message for the voicemail. I told Telenor about this on a Tuesday and on the first day they had fixed it. So in less than 48 hours, which is really, really good.
They also, of course, after, you know, fixing this, there was a media article and they said that they were sorry for this. And they acknowledged that this vulnerability had probably been available for use and abuse for 13 years or
more, you know, dating all the way back to the Paris Hilton incident, 13 years. An interesting thing is this specific service, SpoofCard, was mentioned all the way back in 2006 in Norwegian mainstream media.
But when Telenor was informed about this in November 2019, they said, never heard of it, which is, well, I mean, you don't have to read mainstream media, do you? But in this case, I was a bit, well, surprised.
And as a consequence of my findings in this, the Norwegian government agency that is overseeing the telecom industry in Norway, they chose to issue a fine of 1.5 million Norwegian kroner.
That is the equivalent of 165,000 US dollars today, as a fine because they didn't have sufficient security for the voicemail system. And depending on the country you're in, if you're in the US, I would guess a fine of 165,000 US dollars doesn't sound like much. In Norway, you know, to the company it's,
it's pocket change, not even that, but it is very, very rare that any company is being given any fine at all by this government agency. So that sort of underlines the seriousness of this security breach.
And also our Norwegian data protection agency, they also issued a reprimand to Telenor saying that this is really not good. And you have basically violated two different GDPR articles on this, but since you have already been fined once, we are not going to slap another fine on top of that.
That's usually not how it's being done here in Norway. And there's case number two, because I asked friends in other countries as well, can I try to hack your voicemail box? So with Telia in Denmark, you know, the Version2 news website in Denmark,
they tried this out on my behalf and they found that this works. I approved it for them. I talked directly to Telia, they fixed it. And they also ended up in the news saying that, you know, this is a big scandal and it's not just in Denmark. It also applies to another provider, you know,
other providers in Norway and in Sweden. And kind of fascinating that, you know, Version2 even has an article saying that Telia is now considering better voicemail security. So I was sort of waiting to see what's going to happen there,
but hopefully it has already improved. Case number three is Tele2, which is the third provider that I found vulnerable in this, based in Sweden. They operate in eight different countries. I tested against voicemail boxes of people in Sweden. I found them to be vulnerable. I got access to their voicemail.
I do not know about, you know, hackability of Tele2 voicemail boxes in other countries where they operate because I didn't test, but Tele2 says, nope, they are not vulnerable. So hopefully that's true.
At least again, this also led to media attention in Sweden. Again, back to, you know, my fascination of the different ways of how this was handled or wasn't handled at all in different countries. In Norway, there was a lot of media attention on this. Mainstream media picked it up.
There has been issued a fine, there has been issued a reprimand by the data protection agency of Norway. In Denmark, there has been a little bit of media attention, but politicians have said, well, the problem is fixed. So there's nothing left for us to do. And we'll just leave it to the telecom providers to, you know, they have to talk to each other and figure out what to do. And that's it.
And in Sweden, pretty much nothing has happened at all so far. In fact, there were one, or I think it was two or three articles in total about this, and then it went completely quiet. But all in all,
I found that several million people across Norway, Sweden and Denmark were affected by this and have most probably been affected for 13 years or more. At the same time, the telecom providers, they have logs that maybe go back two, three or four weeks in time.
So proving or disproving that this hasn't been hacked and abused by anyone for the past 13 years is completely impossible. So they have concluded that, well, since we haven't heard anyone complain about it, nobody has probably been hacked and there's nothing we can do
about that. So I just want to say that, you know, this is sort of still a work in progress, but I would really, really, you know, recommend you to listen in on the talk from Kelly Robinson on Sunday here at the Crypto and Privacy Village,
where she will be talking about STIR/SHAKEN. Not saying anything more than that, just listen to that talk. And by that we have reached the end and I say, thank you. And I am ready for your questions now, or you can contact me later. You have my cryptic contact details here on screen.
Thank you.
That was the talk Hacking like Paris Hilton, 14 years later and still winning, by Per.
We have him here for our live Q&A, so please put your questions in the Discord, the CPV Q&A channel. So Per, one of the first questions we have is: in the USA, many carriers use the phone number as a default PIN. So if you spoof the number and call voicemail,
you can access it using the phone number as the default PIN if the user didn't change it, and a lot of people don't. Is that the same outside the US, at other carriers?
Well, I can say for sure that at least that's not what we have here in Norway. I haven't seen this in Sweden or Denmark,
but I really can't answer for all telecom providers in all the countries outside the US, that's impossible to do. But I do have my suspicions that you will find a lot of bad security connected to both voicemail accounts and also in general
the accounts where you can log in on your telco homepage for in any way administrating your subscription with that.
Awesome. Thank you so much for that. And in your ideal world, what would you like to see exist in place of the current available options that we do have?
Well, there are many facets to this. And one of the things that I pointed out early in my presentation is starting with whenever you go into a shop and say that you want a new SIM card, or if you want a data SIM card or a twin SIM card, if you want a new subscription, if you want to change it,
if you want to end it, to move it to another telco. And then you have the issues of logging onto your telco provider to administer your subscription there, like, you know, this SMS copy service, which is now, of course,
turned off, and options like that. And then you also have the stuff like doing the voicemail hacking using spoofed numbers. Now, some of the issues are sort of, you know, they are specific to each telecom provider, like, you know, the absence of two-factor authentication for
administrating your account. And then you have the security awareness training for staff on help desk, online chats and in stores, but there are also problems with the basic telco networks worldwide for mobile communication using the SS7 protocol and stuff like that. And that is,
I'm not going to say it's an unsolvable problem, but it's not up to a single telecom provider to fix it. It's not up to a single country to fix it. And basically you need, you know, if you are to fix the fundamental security issues that we have in the
GSM networks today, all providers and makers of phones, of networking equipment, all the telcos, they have to come up with solutions and you have to replace all the handsets in the world. And we can't do that. That's just impossible to expect that to basically ever happen. So one of the things that are coming now, which is very interesting,
of course, as I said, Kelly Robinson will be talking about STIR/SHAKEN. So, you know, I'm not going to spoil that anymore, but you know, that's a talk that I really hope people will listen in to. And one of the things that I'm doing as well is trying to, you know, to the extent I can, I'm trying to pressure the Norwegian government and also the governments in
Sweden and Denmark as well, together with other people, to ask the telcos to at least look into STIR/SHAKEN and eventually also consider, can it be implemented? And how can we make the rest of the world implement it as well? So long answer to a short question.
Wow. That was a really great, thorough answer. Thank you so much. So another question we have is, should we just disable our voicemails then at that point?
Yeah. Oh yeah. Disable voicemail now. I mean, there's absolutely no point. I can't really understand why people are using voicemail at all.
And I was in the Czech Republic last year, I think. And I was surprised to hear from friends in the Czech Republic that voicemail, nah, no, they don't have that with their phone subscriptions. And I asked around and they couldn't think of any friends or family who
have voicemail. In Norway, we have three companies that are providing a physical infrastructure for mobile communications. And then we have lots of virtual operators as well. And all of them, absolutely all of them, by default
provide voicemail as a part of the service. And there actually is no option to say, I don't want voicemail. They do have options to turn it off. So one of the things that I would like to see is that, you know, well, I just don't need voicemail at all. And I actually,
well, I just don't pay for it either because I can turn it off, but I'm sort of still paying for it.
Yeah. That's actually really, huh. I did not realize that was an option in other places like that. Thank you.
You kind of answered some of this question already, but someone asked: as a regular user, what can I do to protect myself, if anything, or is it completely out of my hands?
Well, to protect yourself, you know, I'm working as a chief security officer for a large hotel chain. And of course I've been asking my colleagues and friends about this
as well. You know, what do you think about this? And of course, I can say, I have truly scared a lot of people by being able to sort of hack into their voicemail using a spoofed phone call and also making phone calls that appear to be coming from your mom or your dad or your brother or whoever,
and they are really surprised to see that I can do that. So there are some things you can do. And the very simple thing that you can do is that, whatever text message you are receiving, or the phone number or the name that you see in the display on your phone when somebody's calling you, do not trust it, because it is exceptionally
easy to spoof. And I don't know, you know, you're in the US, so I don't know how much people in the US in general know about phone spoofing, you know, number spoofing and text message spoofing,
but to people here in Norway, the vast majority of people in the IT security industry were absolutely clueless about this existing at all when I started working with this. And when I did my initial presentations last year, people were shocked that this was possible. So as an end user, first and foremost,
do not trust that the number you see or the name you see in your display is correct. No matter who calls or texts you, do not trust it.
As a millennial who does not pick up any phone calls at all, that's really fascinating to know about.
Oh yeah. You youngsters. Yeah. Well, yeah. I mean, you,
you have a completely different sort of way to protect yourself in this area, but I know, again, robocalls, as far as I know, are a very big problem in the US. It almost doesn't exist over here yet, except for the operation where Microsoft is calling you to say
you have a computer virus on your system. That's the only robocalls we get. And when I got one last year, I was like, yes, finally. So there you go.
That is a very different reaction than I have, I think, along with other people. Oh gosh. With that said, thank you so much again,
Per, for all of your answers to this Q&A and for your talk today. Please take care and enjoy the rest of your DEF CON. I hope you have fun. Thank you so much again.