Emergency VPN: Analyzing mobile network traffic to detect digital threats
Formal Metadata
Number of Parts: 254
License: CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/53027 (DOI)
Transcript: English (auto-generated)
00:19
way from Argentina to Prague to Leipzig. These two young researchers,
00:30
security researchers, the lady and the gentleman, Veronica and Sebastian, are
00:42
here to tell us something about emergency VPNs, virtual private networks, analyzing mobile network traffic to detect digital threats. And I'm quite convinced you're going to have a ball, a good time. You're welcome. Let's have a big hand for Veronica and Sebastian. Thank you, thank you. Okay, thank you everyone
01:09
for coming here. My name is Veronica Valeros. I'm a researcher at the Czech Technical University in Prague. Currently, I'm the project leader of the Civil Sphere project. I'm Sebastian Garcia, director of the Civil Sphere project in
01:25
the Czech Technical University in Prague. The Civil Sphere project is part of the Stratosphere laboratory in the university, and the main purpose is to provide free services and tools to help civil society protect themselves
01:41
and help them identify targeted digital attacks. So, Maati Monjib, he's a Moroccan historian. He's the co-founder of the Moroccan Association of Independent Journalism. He was denouncing some misbehaviour of his
02:12
Alberto Nisman was a lawyer in Argentina. He died. He was, until the moment of his
02:22
death, the lead investigator in the terrorist attack of 1994 that happened in Buenos Aires. It was a sad incident that might have been covered up by the
02:41
traces of spyware in his mobile phone, allegedly installed by the government to spy on him. Ahmed Mansoor is an activist from the UAE. He is also a human rights defender, and he also denounced misbehaviours of his
03:05
government, and because of that, his government targeted him repeatedly with different types of spyware from different places. Right now, he is in jail. He's been there for almost two years, and he barely survived a hunger strike of more
03:25
than 40 days. He did complain about the prison conditions. Simon Barquera, maybe you can check the slides. Simon Barquera is a researcher and food scientist from Mexico. He is a weird case because it's
03:47
not very clear why he was targeted. The Mexican government targeted him and his colleagues with spyware as well. Karla Salas, she's a lawyer from
04:01
Mexico as well. She is representing and investigating the murder of a group of human rights defenders that were murdered in Mexico, and she and her colleagues were targeted by the Mexican government with spyware. Her husband was
04:24
a journalist from Mexico covering drug cartel activities and organised crime in Sinaloa, Mexico. She was targeted by the Mexican government with spyware a few days after her husband's death, and we don't understand exactly why. Her
04:46
husband's computer and laptop were taken away when he was murdered, so there was no reason why she was targeted. Emilio Aristegui is the son of a lawyer, a minor, and he was targeted, his phone was targeted by the Mexican
05:04
government with spyware to spy on his mother. She was a lawyer investigating some cases. So these are only a few cases of the dozens or hundreds of cases where governments used surveillance technology to spy on people, but not
05:23
only civil society defenders but also civilians like this kid. And the common case among all these is that their mobile phones were targeted, and there is a simple explanation for that. We take our mobile phones with us everywhere. We use them. We don't take computers anymore. When we are in the front line
05:44
in Syria covering war, we record the videos with our phones. We send messages that we are still alive with our phones. When we are working on our mobile phones, we cannot use the mobile phones. So they have photos,
06:01
they have documents, they have location, they have everything. This is perfect for spying on someone. So it is a fact that government are using spyware as a surveillance technology not only to surveil but also to abuse, to
06:20
imprison, sometimes to kill people. And we know that they are governments because the technology that they are using, like for example the Pegasus software by the Israeli company NSO, can only be purchased by governments. So we know they are doing this. So these tools are also cheap, easy
06:45
to use. Cheap for them, right? Easy to use. They can be used multiple times, all the times they want. Sometimes, they cannot be traced back to their sources. It's not that easy. So you find an infection and it's hard to know who is
07:01
behind it. So for them, it's a perfect tool. So what can we do if we think our mobile is compromised? There are several things we can do. For example, we need to go on the phone to check the files, to try to see if there is
07:24
any sign of infections. And sometimes this also involves sending our phone somewhere to be analysed, and in the meantime, what are we going to use? It's not very clear. We can factory reset our phone. It might
07:42
work sometimes, sometimes not, and it's costly. Sometimes we might lose data. We can change phones. It's a simple solution. We just drop it in the trash, we pick another one, but how many of us can afford to do this maybe three, four times a year? It's very expensive. But we can also do traffic
08:01
analysis. That means work on the assumption that the malware that is infecting our phones will try to steal information from our phones and send it somewhere. And this sending of data will happen over the internet because that's cheap. So that communication we can see and hopefully we can
08:21
identify it. So how can we know if our phone right now is at risk? Imagine that you're crossing a border, someone from the police takes your phone, then gives it back to you, everything is fine. How can you know it's not compromised? So this is where in Civil Sphere we start thinking which
08:47
is the simplest way we can go there and help these people? Which is the simplest way we can go and check those phones in the field while this is happening? And we came up with Emergency VPN. So the Emergency VPN is the
09:02
service that we are providing using OpenVPN, this free tool that you know, that you install on your phone. And from this we are sending the traffic from your phones to the university servers. So the servers are in our office, and then to the internet and back. So you have normal internet and we are capturing all your traffic and storing it there. What are we doing with
09:24
this? Well we have our security analyst looking at this traffic, finding infections, finding the attacks, using our tools, using our expertise, threat intelligence, threat hunting, whatever we can, and seeing everything in there and then reporting back to you saying hey, you're safe, it's okay, or hey, there
09:41
is something going on with your phone, and install these applications or actually change phones. We are from time to time suggesting stop using that phone right now. I don't know what you're doing but this is something you should stop. So we are having experts looking at this traffic, also we have the tools and everything we do in there is free software because we need
10:01
this to be open for the community. So how does it work? This is a schema of the Emergency VPN. You have your phone and, in a situation like Veronica was saying, you're at risk, and you say right now I'm crossing the border, I'm going to a country that I don't know, I suspect I might be a target. In that moment you send an email to a special email address. That address is
10:22
not here because we cannot afford right now everyone using the Emergency VPN, because we have humans checking the traffic. So we will give you the address later if you need it, but you send an email saying, hey, help. Automatically we check this email, we create an OpenVPN profile for you, we
10:41
open this for you, and we send the profile by email. So you click on the profile, you have OpenVPN installed, or you can install the original one, and from that moment your phone is sending all your traffic to the university, to the internet. Maximum three days, we stop it there automatically, and then we create the pcap file where the analysts are
11:03
going there and checking what's going on with your traffic. After this, we create a report that is sent back to you by email, okay? So this is the core operation, like 90% automatic, of the Emergency VPN. So, advantages of this approach. Well, the first one is that this is giving you an immediate
11:24
analysis of the traffic of your phone wherever you are. This is in the moment you need it, and then you can see what your phone is doing or not doing, right? Secondly here is that we have the technology, we have the expertise, our threat hunter, threat intelligence people, we have tools, we are doing machine
11:42
learning also in the university, so we have methods for analyzing the behavior of encrypted traffic. We do not open the traffic, but we can analyze this also, so we took all the tools we can to help the civil society. Then we have the anonymity. We want this to be as anonymous as possible, which means we only know one email address, the one you use to send us an email, and
12:04
that's it. It doesn't have to be even your real email address, we don't care, right? Moreover, this email address is only known to the manager of the project. The people analyzing the traffic do not have this information. After that, they send a report back to the email address, and that's it. We delete
12:20
the pcap, and that's all we know. Of course, if your phone is leaking data, which it probably is, we see this information, because this is the whole purpose of the system, right? Then we have our continuous research. We are a university project, like almost 30 people here, so we are doing new research, new methods, new tools, open source, we are applying, checking,
12:42
researching, publishing, so it's continually moving. And last, this is the best way to have a report back to you in your phone saying if you're infected or not, okay? So, some insights from the emergency VPN. The first one is this is active since mid-2018. We analyzed 111 cases roughly, maybe a
13:03
little bit more. 60% are Android devices in here. We can talk about that, but it's well known that a lot of people at risk cannot afford very expensive phones, which is also impacting their security. 82 gigabytes of traffic, 3,200 hours of humans analyzing this, which is huge, and most importantly, 95% of
13:27
whatever we found there, it's because of normal applications, like the applications you have right now in your phone in this moment, and this is a huge issue. The most common issues, right, that we found, and we cannot say
13:44
this enough, geolocation, it's an issue. Like, only three phones ever were not leaking geolocations out. The rest of the phones are leaking, like weather applications, like dating applications, to buy stuff, transport
14:00
applications, like a lot of applications are leaking this. Most are leaking this in encrypted form. A lot of them are leaking this unencrypted, which means that not only we can see that, but the people in your Wi-Fi, your government, the police, whoever has access to this traffic can see your position almost in real time, which means that if the government
14:24
wants to know where you are, they do not need to infect you. It's much easier. They go to the telco provider, they look at your traffic, and that's it. You are leaking your location all over the place. We know that this is because of advertising and marketing. The people selling this information
14:40
a lot. Be very careful with which application you have, and this is the other point. Insecure applications are a real hazard for you. Maybe you need two phones, like your professional phones and your everyday life phone. We don't know, but the problem usually comes for the application that you're installing just because, right? These applications
15:02
are leaking so much data, like your mail, your name, your phone number, credit cards, user behavior, your preferences, if you are dating or not, if you are buying and where you are buying, which transports you are taking, which seat you are taking in the bus. So a lot of information, right? Really, really believe us here. And last, the
15:25
IMEI and the IMSI, these two identifiers of the phone, are usually leaked by the applications. We don't know why, and this is very dangerous because it identifies your phone uniquely, okay? From the point of view of the important cases, there are two things that we want to say. The first one is that we found
15:43
Trojans in here that are infecting your phones, but none of these Trojans were actually targeted Trojans, like Trojans for you. They were like, let's call normal Trojans. So this is a dangerous thing. And the second one is malicious files. A lot of phones are doing this peer-to-peer file sharing thing, even if
16:03
you don't know. Some applications, I'm not going to give names, but they're doing this peer-to-peer file sharing, even if you don't know. And there were malicious files going over the wire there. However, why is it that after a year or something of analysis, after hundred and eleven cases analyzed, we did not
16:22
find any targeted attack? Why this is the case? The answer is simple. The emergency VPN works for three
16:41
days, right? Maximum. So it's not about reaching the right people, but reaching the right people at the right time. If we check three days before the incident, we might not see it. If we check three days later, we might not see it. So right now, we need your help. Reaching the right population
17:04
is very important, because we need people to know that this service exists. We know it's tricky if we tell you, hey, connect here, we are going to see all your traffic. It's like, are you insane? Why would I do that? However, remember
17:21
that the other options are not very cheap, or easy, or even feasible if you are travelling, for example. Again, as Sebastian said, everything that goes encrypted is cool. We don't see it. We are not doing man-in-the-middle. If we see anything, it's because it's not encrypted.
17:42
So, if you believe that you are a person that is at risk because of the work you do, or because of the type of information, or people that you help, please contact us. We are willing to answer all the questions that you might have about data retention, how we handle
18:00
the data, how we store it, how we delete it, after how long, et cetera. And if you know people that might be at risk because of the work they do, because of the people they protect, the people they represent, the type of investigation they do, please tell them about this service. You can contact us via email. As we say, the
18:24
information how specifically to use this is not publicly available, because we cannot handle hundreds of cases at the same time. However, if you think you are a person at risk, we will send it to you right away. This is the contact phone number. We are in Telegram,
18:43
Wire, Signal, WhatsApp, anything that you need to reach out, and we will answer any questions. So, we need to reach these people, okay? Yes. So, thank you very much, and we will be around for the rest of the Congress if you want to talk to us. Stop us, ask questions, tell us something if you need.
19:00
Tell other people in the field about this, if they need it. Trust is very important here. Let us know, okay? Yes. Thank you. Thank you. Okay. And as usual, we will take questions from the
19:21
public. There are two lit microphones. Yes, go ahead, talk into the mic. One sentence, please. Just a question. Thanks for your excellent service. My question is, how can you be sure that all the traffic of a compromised phone is run through your VPN? So, of course, we cannot. We can say that in our experience, we never found or
19:44
saw any malware that is trying to avoid the VPN in the phone. So, we relate that no malware or APT ever that we saw or known about is actually trying to avoid the VPN service. In some phones, I am not sure if you can avoid it. Maybe yes, I do not know. In our experiments
20:02
and trials with different phones and tablets and everything, all the traffic is going through the VPN service, right? Because it is like a proxy in your phone. Yes. So, if you know of any case, we would love to know. We try, we run a malware laboratory and
20:20
we run malware on phones and computers to try to understand them and we have not encountered such a case. SMS, for example, we are not seeing, right? Yes. One more question, please. So, you are running the data through your network at the university. Do you have like a lot of exit IP numbers? Because a malware app could maybe identify
20:44
it is routing through you and then decide not to act? Yeah. So, that is a good question. Actually, in the university, we have a complete big class public network. We have, of course, agreements with the university to use part of these IPs. So, this is part of the equation in there, right? Like, anyway,
21:02
we are taking precautions, but so far we did not find anyone blocking or checking our IPs. So, we will see. But it is true, right? Yeah. We would say that if that happens, we would consider our project very successful. We haven't heard of such
21:20
a case yet. Thank you. Okay. Let's have a big hand final for Veronica and Sebastian. Thank you very much.