Huawei Spying

(@tinybrain)
Posts: 354
Reputable Member
Topic starter
 

If a 'German' subscriber of Telekom is in roaming state in China what is the highest possible international IR.21-based bandwidth?

 
Posted : 03/02/2019 3:58 am
(@xandstorm)
Posts: 56
Trusted Member
 

If a 'German' subscriber of Telekom is in roaming state in China what is the highest possible international IR.21-based bandwidth?

That could depend on several technical or administrative factors but usually there is no difference between roaming customers and "native" network customers.

If there is a difference you could possibly find that information in the QOS agreement between Deutsche Telekom and the respective Chinese provider.

Maybe you can ask that question to DT yourself or ask a DT customer to ask it on your behalf.
You might be surprised what information you get when you "just ask".

Saludos,
Lex

Rg,
Lex

 
Posted : 03/02/2019 11:46 pm
(@tinybrain)
Posts: 354
Reputable Member
Topic starter
 

Lex, Gracias

Nation-state initiated industrial espionage is based on best hiding and deception principles. If you are not in this business you still can ask yourself 'how can they spy without being revealed'? In the past chip-based backdoors were in vogue, but no more. The new kid in town's name is Software-Defined Networking e.g. SD-WAN and NFV.

Therefore the manufacturer who MAINTAINS by SLAs the Core Network has all options. Usually the manufacturer is in the best position, but spying hiding principles can cheat the Core Network to believe e.g. a mobile subscriber is on local-breakout and non-roaming to save cost (SIM-Fraud, SIM-boxes).

Boring stuff you might think, right. But cryptographic challenges inside this domain e.g. zero-knowledge proof is quite funny at least for me -)

 
Posted : 04/02/2019 9:20 am
(@xandstorm)
Posts: 56
Trusted Member
 

Hello TinyBrain,

Thank you for your feedback

I was in "this business" (COMINT, TSCM and counterintelligence) for 20 years.
May I suggest we continue this conversation through other means?
I think this discussion will go off topic for this forum.

Please send me a PM with your contact details.
You can also find mine with a little googling. 8)

Saludos,
Lex

 
Posted : 04/02/2019 12:55 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You can also find mine with a little googling. 8)

Or maybe more simply just looking at your profile on the board?
https://www.forensicfocus.com/Your_Account/profile=xandstorm/

jaclaz

 
Posted : 04/02/2019 1:56 pm
(@xandstorm)
Posts: 56
Trusted Member
 

Or maybe more simply just looking at your profile on the board?
https://www.forensicfocus.com/Your_Account/profile=xandstorm/
jaclaz

Yes, for example. Multiple options here as you see 😉

Saludos,
Lex

 
Posted : 04/02/2019 2:00 pm
(@tinybrain)
Posts: 354
Reputable Member
Topic starter
 

Only the cryptographic part of these forensic issues is my profession and the reason I posted to learn from experts here. Please don't see this as against you that we got an order from my boss to our team to be open but also a little cautious about social engineering. From this year on our team has to advise any collaboration first internally and get approval from above if it's outside my main profession. If we meet e.g. at Eurocrypt this is different. Post-quantum crypto we are not allowed over digital in general.

What possibilities has any Mobile Broadband manufacturer like Nokia (Siemens Networks), Ericsson, ZTE and others to misuse their release update process to bring data out without detection? If e.g. an initial authentication handshake process fails the seemingly trusted partner is in reality MITM-redirected.

The actually ongoing passive DNS-hijacking is an excellent example in this class of problems.

The forensic question remains. How can this be detected?

 
Posted : 04/02/2019 9:02 pm
(@xandstorm)
Posts: 56
Trusted Member
 

The forensic question remains. How can this be detected?

No offence whatsoever taken.

I don't think this is possible in a forensically sound manner.
At least not for us outsiders.

What is agreed upon in a QOS or SLA agreement is one thing, what's on a nation state controlled telco's hidden agenda is another.
In all honesty the only way you might get some answers is to recruit someone within the technical department of the telco in question. Which is a totally different ballgame than digital forensics.

Saludos,
Lex

 
Posted : 05/02/2019 1:03 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Hello all,

Thoughts on forensic analysis vectors

1. On smartphones, identify which processes are running at the time smartphone evidence is being accessed and converted to an encrypted text file on the smartphone itself by "malware".

2. On smartphones, identify specific folder location and file name the encrypted stolen evidence is being stored on a smartphone.

I saw an excellent SANS video recently wherein the expert analyst was describing how she had to use multiple text decoders to "unmask" the text file data being exfiltrated and to which IP address. The malware authors had used Base64, then Base 32, then some other text conversion method, so basically, what originally appears as nonsense characters in the file are unmasked as plain English text after being converted correctly.

** Has anyone tried one of these tools on a smartphone forensic extraction?

https://cuckoosandbox.org/

https://www.lastline.com/solutions/analyst-malware-code-inspection/

** Has anyone tried placing a smartphone in a "sandbox" environment? Is sandbox software even applicable to smartphones?

 
Posted : 05/02/2019 6:46 pm
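The layered unmasking described in the post above (Base64, then Base32, then a further text encoding), as an added example that is not part of the original thread or of the SANS talk it mentions. It assumes hex as the unnamed third layer, and the sample blob, its contents and the address in it are constructed.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())

# Narrowest alphabet first: hex text and Base32 text are also made of
# Base64-alphabet characters, so Base64 must be tried last.
DECODERS = [
    ("hex", binascii.unhexlify),
    ("base32", base64.b32decode),
    ("base64", lambda d: base64.b64decode(d, validate=True)),
]

def looks_like_text(data):
    """Accept a decode only if every byte of the result is printable ASCII."""
    return bool(data) and all(b in PRINTABLE for b in data)

def peel(blob, max_layers=10):
    """Strip stacked text encodings; return (innermost bytes, layers outermost first)."""
    data, chain = blob.strip(), []
    for _ in range(max_layers):
        for name, decode in DECODERS:
            try:
                out = decode(data)
            except (binascii.Error, ValueError):
                continue  # wrong alphabet, length or padding for this encoding
            if looks_like_text(out):
                data = out.strip()
                chain.append(name)
                break
        else:
            break  # no decoder produced readable text: this is the innermost layer
    return data, chain

# Constructed sample standing in for a stashed file found on the handset:
# plaintext wrapped as Base64, then Base32, then hex (hex is an assumption).
PLAIN = b"contacts.db rows=412 dst=203.0.113.7"
SAMPLE = binascii.hexlify(base64.b32encode(base64.b64encode(PLAIN)))

if __name__ == "__main__":
    text, layers = peel(SAMPLE)
    print(" -> ".join(layers), "|", text.decode())
```

The returned layer list is worth recording in case notes, since it documents exactly which transformations were applied to get from the stored artefact to the readable text.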
(@tinybrain)
Posts: 354
Reputable Member
Topic starter
 

Lex, you are right somehow but we here think differently.

Spying nowadays is like finding a tiny fish in a data ocean. As long as he swims in open water it's hard to find but the gate we look for is where he goes home and who he is going to meet.

A large R&D institution with Paul in its name has a huge datacenter and highly protected. Normally after installation no manufacturer support is required and all keys are handed over to the IT guys for security reasons. And there we got involved. Employees are free by BYOD and running OWA for UCC. The device in question was a Huawei P20 Pro.

For good reasons an engineer travelled to P.R.C. to join a conference. Mysteriously as she was in P.R.C. during night times her device did not charge properly. So far so good, she thought about a broken charger, but it was not broken. This woman is blessed by sleeping well but the third night she woke unexpectedly at 0200h local time and recognised that her device was very hot. She had a T-Mobile SIM card in roaming state with unlimited data plan. In P.R.C. she was connected to China Mobile in roaming state.

And this SIM is in our lab.

 
Posted : 08/02/2019 3:24 am