Huawei Spying  

Page 1 / 3
TinyBrain
(@tinybrain)
Active Member

If a 'German' subscriber of Telekom is in roaming state in China, what is the highest possible international IR.21-based bandwidth?

Posted : 03/02/2019 3:58 am
xandstorm
(@xandstorm)
Member

If a 'German' subscriber of Telekom is in roaming state in China, what is the highest possible international IR.21-based bandwidth?

That could depend on several technical or administrative factors but usually there is no difference between roaming customers and "native" network customers.

If there is a difference, you could possibly find that information in the QOS agreement between Deutsche Telekom and the respective Chinese provider.

Maybe you can ask that question to DT yourself or ask a DT customer to ask it on your behalf.
You might be surprised what information you get when you "just ask".

Saludos,
Lex

Rg,
Lex

Posted : 03/02/2019 11:46 pm
TinyBrain
(@tinybrain)
Active Member

Lex, Gracias

Nation-state initiated industrial espionage is based on the best hiding and deception principles. If you are not in this business, you can still ask yourself: 'how can they spy without being revealed?' In the past chip-based backdoors were in vogue, but no more. The new kid in town's name is Software-Defined Networking, e.g. SD-WAN and NFV.

Therefore the manufacturer who MAINTAINS the Core Network by SLAs has all options. Usually the manufacturer is in the best position, but spying hiding principles can cheat the Core Network into believing e.g. that a mobile subscriber is on local breakout and non-roaming to save cost (SIM fraud, SIM boxes).

Boring stuff, you might think, right? But cryptographic challenges inside this domain, e.g. zero-knowledge proofs, are quite fun, at least for me :-)

Posted : 04/02/2019 9:20 am
xandstorm
(@xandstorm)
Member

Hello TinyBrain,

Thank you for your feedback

I was in "this business" (COMINT, TSCM and counterintelligence) for 20 years.
May I suggest we continue this conversation through other means?
I think this discussion will go off topic for this forum.

Please send me a PM with your contact details.
You can also find mine with a little googling. 8)

Saludos,
Lex

Posted : 04/02/2019 12:55 pm
jaclaz
(@jaclaz)
Community Legend

You can also find mine with a little googling. 8)

Or maybe more simply just looking at your profile on the board? roll
https://www.forensicfocus.com/Your_Account/profile=xandstorm/

jaclaz

Posted : 04/02/2019 1:56 pm
xandstorm
(@xandstorm)
Member

Or maybe more simply just looking at your profile on the board? roll
https://www.forensicfocus.com/Your_Account/profile=xandstorm/
jaclaz

Yes, for example. Multiple options here as you see 😉

Saludos,
Lex

Posted : 04/02/2019 2:00 pm
TinyBrain
(@tinybrain)
Active Member

Only the cryptographic part of these forensic issues is my profession, and that is the reason I posted: to learn from experts here. Please don't take it against you that we got an order from my boss to our team to be open but also a little cautious about social engineering. From this year on our team has to advise internally first about any collaboration and get approval from above if it is outside my main profession. If we meet e.g. at Eurocrypt this is different. Post-quantum crypto we are not allowed to discuss over digital channels in general.

What possibilities does any Mobile Broadband manufacturer like Nokia (Siemens Networks), Ericsson, ZTE and others have to misuse their release update process to bring data out without detection? If e.g. an initial authentication handshake process fails, the seemingly trusted partner is in reality MITM-redirected.

The currently ongoing passive DNS hijacking is an excellent example in this class of problems.

The forensic question remains. How can this be detected?

Posted : 04/02/2019 9:02 pm
xandstorm
(@xandstorm)
Member

The forensic question remains. How can this be detected?

No offence whatsoever taken.

I don't think this is possible in a forensically sound manner.
At least not for us outsiders.

What is agreed upon in a QOS or SLA agreement is one thing, what's on a nation state controlled telco's hidden agenda is another.
In all honesty the only way you might get some answers is to recruit someone within the technical department of the telco in question. Which is a totally different ballgame than digital forensics.

Saludos,
Lex

Posted : 05/02/2019 1:03 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Hello all,

Thoughts on forensic analysis vectors

1. On smartphones, identify which processes are running at the time smartphone evidence is being accessed and converted to an encrypted text file on the smartphone itself by "malware".

2. On smartphones, identify specific folder location and file name the encrypted stolen evidence is being stored on a smartphone.

I saw an excellent SANS video recently wherein the expert analyst was describing how she had to use multiple text decoders to "unmask" the text file data being exfiltrated and to which IP address. The malware authors had used Base64, then Base32, then some other text conversion method, so basically, what originally appears as nonsense characters in the file is unmasked as plain English text after being converted correctly.

** Has anyone tried one of these tools on a smartphone forensic extraction?

https://cuckoosandbox.org/

https://www.lastline.com/solutions/analyst-malware-code-inspection/

** Has anyone tried placing a smartphone in a "sandbox" environment? Is sandbox software even applicable to smartphones?

Posted : 05/02/2019 6:46 pm
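The layer-peeling described in the post above, as an added example that is not part of the original thread: a small Python decoder that strips nested hex, Base32 and Base64 layers until the remaining bytes read as plain text. The plaintext and the 203.0.113.x address it wraps are constructed sample values, not indicators from any real case.

```python
import base64
import binascii
import re
import string

# Constructed sample: the kind of "nonsense" string an analyst finds in a staging
# file. It is built below by wrapping this plaintext in three layers (Base32, then
# Base64, then hex), mirroring the multi-layer masking the post describes.
# 203.0.113.0/24 is a documentation range, so the address is not a real indicator.
PLAINTEXT = "send /sdcard/notes.db to 203.0.113.7:443"

# Each codec: (name, regex for the alphabet it uses, decoder). Hex is checked
# first because its alphabet is a subset of the Base32 and Base64 alphabets.
CODECS = [
    ("hex", re.compile(r"^(?:[0-9A-Fa-f]{2})+$"), binascii.unhexlify),
    ("base32", re.compile(r"^[A-Z2-7]+=*$"), base64.b32decode),
    ("base64", re.compile(r"^[A-Za-z0-9+/]+=*$"), base64.b64decode),
]

PRINTABLE = set(string.printable.encode())


def looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII (tab/newline included)."""
    return bool(data) and all(b in PRINTABLE for b in data)


def encode_layers(text: str) -> str:
    """Apply Base32, then Base64, then hex (outermost) to build the sample."""
    data = base64.b32encode(text.encode())
    data = base64.b64encode(data)
    return binascii.hexlify(data).decode()


def peel(blob: str, max_layers: int = 8):
    """Strip encoding layers one at a time. Returns (plaintext, [layer names])."""
    layers = []
    current = blob.strip()
    for _ in range(max_layers):
        for name, pattern, decoder in CODECS:
            if not pattern.match(current):
                continue
            try:
                decoded = decoder(current.encode())
            except (binascii.Error, ValueError):
                continue
            if not looks_like_text(decoded):
                continue  # alphabet matched by chance; try the next codec
            layers.append(name)
            current = decoded.decode("ascii")
            break
        else:
            break  # no codec matched: we have reached the plaintext
    return current, layers


if __name__ == "__main__":
    print(peel(encode_layers(PLAINTEXT)))
```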
TinyBrain
(@tinybrain)
Active Member

Lex, you are right somehow but we here think differently.

Spying nowadays is like finding a tiny fish in a data ocean. As long as he swims in open water it's hard to find him, but the gate we look for is where he goes home and who he is going to meet.

A large R&D institution with Paul in its name has a huge and highly protected datacenter. Normally after installation no manufacturer support is required and all keys are handed over to the IT guys for security reasons. And there we got involved. Employees are free to use BYOD and run OWA for UCC. The device in question was a Huawei P20 Pro.

For good reasons an engineer travelled to P.R.C. to join a conference. Mysteriously, while she was in P.R.C. her device did not charge properly during night times. So far so good, she thought about a broken charger, but it was not broken. This woman is blessed by sleeping well, but the third night she woke unexpectedly at 0200h local time and recognised that her device was very hot. She had a T-Mobile SIM card in roaming state with an unlimited data plan. In P.R.C. she was connected to China Mobile in roaming state.

And this SIM is in our lab.

Posted : 08/02/2019 3:24 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

On a smartphone, are there equivalents of computer Ports?

On smartphones are there the equivalents of Windows processes?

I saw one SANS video wherein the malware used a basic Windows process to send data to a specific IP address. The malware code was obscured by multiple layers of text encoding, but a well crafted PERL script was able to turn the malware to plain text, thus unmasking the Windows PowerShell command and remote unfriendly IP server address.

Question: could one use a Harris Corporation Stingray device to trick your Huawei phone and SIM card into thinking the phone was pinging a Chinese cell tower?

I have never personally done it before but I bet I could dissect a Cellebrite extraction of your Huawei phone and compare a timeline of phone activity to data being captured by the Stingray to match specific transmissions to specific time points to specific file activity on the phone. Perhaps a chip off extraction performed as well to see if there are any embedded systems on a chip located on the phone’s motherboard that might bypass Android or iOS.

Posted : 08/02/2019 4:02 am
TinyBrain
(@tinybrain)
Active Member

Good questions, really. I am just a cryptographer.

It's a plain-sight problem, and the risk of searching too far away is the biggest problem.

Posted : 08/02/2019 4:29 am
xandstorm
(@xandstorm)
Member

For good reasons an engineer travelled to P.R.C. to join a conference. Mysteriously, while she was in P.R.C. her device did not charge properly during night times. So far so good, she thought about a broken charger, but it was not broken. This woman is blessed by sleeping well, but the third night she woke unexpectedly at 0200h local time and recognised that her device was very hot. She had a T-Mobile SIM card in roaming state with an unlimited data plan. In P.R.C. she was connected to China Mobile in roaming state.

And this SIM is in our lab.

I know us techies have a tendency to exclusively assess matters from our technical fields of expertise and solve our puzzles like that. We need to however take into consideration that technology was and still is just a supportive matter when it comes to spying on an emphatically targeted single person.

There are many non-technical factors in this specific scenario that we should take into consideration as well.

From the defensive perspective, the primary question here could be: how plausible is it to specifically target this particular person for espionage purposes? The next question would be: does the country she is traveling to have both the capabilities and intentions to acquire the data we are trying to protect? There is a big difference between targeting 1 specific person and acquiring general phone usage related data for big data analysis by retail organizations following their customers based on phone usage.

On the offensive side, the alleged aggressor(s) will have asked themselves the same question. Will it pay off to specifically target this person? You can have all the technology and data acquisition means in the world, spy on everything and everyone, however the big dilemma is, you need to process and analyse all that acquired data. When it comes to targeting a specific person, determining the intrinsic value of what you actually acquired is still a manual process.

What I am trying to say here is that in the event the aggressors have determined your engineer is worth being spied upon, there are most likely more efforts pending or already executed to "bring her home" than just trying to get into her phone. The phone issue is just 1 of probably multiple efforts / actions to acquire the confidential data she has under her control.

From the technical perspective, were you able to determine if the charging related malfunctioning and heat issues could be related to anything else than an offensive attempt to acquire data from and / or access to the device in question? This could in essence be nothing more than an ordinary battery malfunction issue.

On a more general note, if your customer, by the nature of their business, could be the target of nation state initiated economic espionage, my advice would be to contact the responsible intelligence or security service. For your country that would probably be the FIS.

Saludos,
Lex

Posted : 09/02/2019 1:27 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

A better question perhaps is why your client did not travel to PRC with burner phones and computers?

I have been told to assume one's electronic devices will be compromised and copied upon entry to the PRC in an automated fashion.

A very capable Android smartphone and laptop computer can both be purchased for a total of US$300.00 (banggood dot com or gearbest dot com).

What if your client's Huawei phone has a chip built in, that once connected to the PRC domestic Internet, generates a mobile backup automatically?

To assume your client was singled out by the PRC, without any supporting evidence, is a bit weak, in my opinion.

An even better question would be what specific Intellectual Property (IP) your client took to the PRC on their laptop and Huawei phone?

IP can be defined as something which the IP owner takes reasonable steps to protect such as future prototype CAD drawing files.

"Not-IP" can be defined as the company's founder's mother's chocolate chip recipe that the company gives out for free to customers.

Personally, I would be much more concerned to find out my company's future business prototype was exfiltrated.

If you use Oxygen/Cellebrite/XRY/BlackLight to collect your client's Huawei phone, you should look at both human generated and system generated file system activities, logs, SQLite database files, data transmission logs UP 3.5 kb / DOWN 4.5 kb for the night your client was in her hotel room in the PRC.

If your client's phone held a 500 MB AutoCAD .DWG file of the company's future product, then examine that file and any interaction which may have taken place with that file on the phone during the nights in the PRC hotel.

** I know next to nothing about Cryptography - what should members here at Forensicfocus.com know about Cryptography forensics?

Posted : 09/02/2019 2:30 am
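One way to turn the "data transmission logs for the night" idea in the post above into a repeatable check, as an added example that is not the poster's own procedure: constructed per-hour usage records (invented values; the package names are hypothetical) are compared against each app's daytime median, and night-time hours whose download volume is far above it are flagged for closer timeline work.

```python
from statistics import median

NIGHT_HOURS = range(0, 6)      # 00:00-05:59 local time, owner assumed asleep
MIN_BYTES = 50_000_000         # ignore anything under 50 MB outright
BASELINE_FACTOR = 10           # flag if more than 10x the app's daytime median

# Constructed per-hour usage records: (local timestamp, package, bytes down,
# bytes up). Invented values shaped like the thread's scenario: ordinary daytime
# traffic, then one night with a large pull while the owner was asleep.
SAMPLE = [
    ("2019-01-28 09:00", "com.example.owa", 1_200_000, 250_000),
    ("2019-01-28 13:00", "com.example.owa", 2_500_000, 400_000),
    ("2019-01-28 20:00", "com.example.owa", 900_000, 120_000),
    ("2019-01-29 01:00", "com.example.owa", 3_000, 1_000),
    ("2019-01-29 10:00", "com.example.owa", 1_800_000, 300_000),
    ("2019-01-29 21:00", "com.example.owa", 1_100_000, 200_000),
    ("2019-01-30 02:00", "com.example.owa", 640_000_000, 5_000_000),
    ("2019-01-30 03:00", "com.example.owa", 410_000_000, 3_500_000),
    ("2019-01-30 02:00", "com.example.messenger", 80_000, 60_000),
]


def hour_of(ts: str) -> int:
    """Hour component of a 'YYYY-MM-DD HH:MM' local timestamp."""
    return int(ts[11:13])


def daytime_baseline(records):
    """Median bytes-down per app over hours when the owner was awake."""
    by_app = {}
    for ts, app, rx, _tx in records:
        if hour_of(ts) not in NIGHT_HOURS:
            by_app.setdefault(app, []).append(rx)
    return {app: median(values) for app, values in by_app.items()}


def flag_night_transfers(records):
    """Return (timestamp, app, bytes_down) for night-time hours whose download
    volume dwarfs the same app's daytime behaviour."""
    base = daytime_baseline(records)
    hits = []
    for ts, app, rx, _tx in records:
        if hour_of(ts) not in NIGHT_HOURS or rx < MIN_BYTES:
            continue
        if rx > BASELINE_FACTOR * base.get(app, 0):
            hits.append((ts, app, rx))
    return sorted(hits)


if __name__ == "__main__":
    for hit in flag_night_transfers(SAMPLE):
        print(hit)
```

Each flagged hour is a starting point for the file-system and SQLite timeline the post describes, not a finding on its own.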
TinyBrain
(@tinybrain)
Active Member

Lex, Larry good points and worth considering aspects.

You may see my initial post and think a long time about it. For some reasons I cannot reveal more details about the engineer and the institution she works for. As it's an ongoing investigation, it came out that on the hot-device night a large amount of data, consisting of research-enriched science, was downloaded from the home datacenter to the Huawei mobile.

The engineer did not initiate this large data download over roaming. But she was definitely, out of her team, the most legitimate looking person to request the data. For me it looks like this was professional spying in the shadow of a person; no one would detect it as espionage. It had to look as if she needed that data for the conference, but that was not the case.

The mobile was just the bridge, it was not about data ON the mobile.

Posted : 09/02/2019 5:52 am