One of the most tragic things in the world is that your girlfriend is a hacker. Because you never know what she has to monitor you.
Just today, a beautiful female hacker from China proved to the world that she has the means to listen to all the communication data of the designated mobile phone.
360 Unicorn Team Zhang Yiqiao
This beautiful hacker named Zhang Weiqiao, from the 360 ​​Unicorn team. She shared this “sad†study at DEF CON, the world's top hacker conference. The hacker who announced the results with him is a single curiosity from the 360 ​​Unicorn team. (Single Curious had installed a Trojan to monitor her on her computer for her loyalty to her girlfriend. Perhaps this is why Zhang Jianqiao pulled him to study this technology together...囧)
Single Curious (left) and Zhang Weiqiao give a speech at DEF CON
Lies, deception, 4G pseudo base station
In order to intercept the information on the mobile phone, all that is done is to use a "set of lies" to deceive the target mobile phone. This set of lies comes from a wolf in sheep's clothing: a pseudo base station.
You may have heard of the evil stuff of the pseudo base station, which is mainly used by black producers to send and receive spam messages and phishing messages. However, most of the pseudo base stations you are familiar with use the following technical means:
1. Use high-intensity interference signals to shield all 3G and 4G mobile phone signals in an area.
2. Most mobile phones choose to automatically find 2G signals when they cannot connect 3G and 4G signals. At this point, the mobile phone is naturally directed to the 2G signal of the pseudo base station, and then unknowingly receives the fraud information.
The reason why Black Products suppresses signals within 2G without directly attacking 3G and 4G signals is because these communication methods use a more rigorous security mode. However, this pattern of violent shielding signals often causes a large area of ​​the cell phone signal being communicated to be interrupted, and people will perceive the signal abnormality and attempt to leave the pseudo base station area.
4G pseudo base station
And our beauty hackers choose to start directly with 4G LTE signals. she says:
Since the 4G LTE signal uses two-way authentication, it means that the base station needs to verify the identity of the mobile phone, and the mobile phone also needs to verify the identity of the base station. Once mutual authentication is successful, both parties enter the encrypted communication mode, and it is very difficult to attack at this time. So my attack must be implemented before the authentication is completed.
The process of two-way authentication has become a good opportunity for Zhang Weiqiao to black out the mobile phone network. In the speech, she and single curious explained in detail the three steps of the attack:
1. "ID card" that scams the mobile number
IMSI, a word that doesn't sound sexy, is very important for mobile phones, it is the unique identifier for the mobile number on the carrier's server. In other words, what you see is your mobile phone number, and in the carrier's database, your mobile phone number corresponds to an IMSI code. This is like the “ID card†of a mobile phone, and all communication operations are based on the authentication of this ID card.
Capture method of mobile phone number "ID card" IMSI
For an attacker who sets up a pseudo base station, the next step can be attacked by getting the ID card of the mobile phone. However, IMSI is like a pair of underwear for mobile phones: "Everyone has it, but can't just show it."
Generally speaking, for the sake of security, when a mobile phone switches from one base station to another, it will give the other party a TMSI code. This code is temporary and has a short validity period. Generally, the permanent IMSI code will be presented to the base station only when the mobile phone first searches for a signal, such as a shutdown and restart.
This creates a thorny problem: when black people's mobile phones, they generally can't rush to help others restart their mobile phones.
In order to get the IMSI code collected by the attack, she needs to create a 4G pseudo base station. The 4G pseudo base station has no way to directly communicate with the mobile phone because its identity cannot be verified by the mobile phone. However, before the mobile phone verifies the base station, the base station can give the mobile phone a first step:
After the mobile phone presents the "TMSI" code to the pseudo base station, the pseudo base station can send a message to the mobile phone, indicating that I still have no way of judging your identity. According to the communication protocol, the mobile phone must present its IMSI code at this time.
In general, a fake security guard stands at the gate, and in no case will the visitor be allowed to enter unless he shows his identity card. In this way, the pseudo base station finally "scams" the "ID card" of the mobile number.
2. Acting fake security guards
After getting the ID number of the mobile phone number, this "fake security" (pseudo base station) is still not good enough. He will tell the phone: the building is full and can no longer allow you to enter.
At this time, the mobile phone still has no chance to see the identity of the other party's "fake security guard", so he mistakenly thought that the network is full.
Because the signal strength of the pseudo base station is very large, it masks the real signal. So at this time, there is no other available network for mobile phones. In order to save power, the phone will enter a shutdown signal until the next time you restart your phone.
At this time, the aggressive mobile phone tends to be in a no-signal state for a long time until the owner notices and restarts manually. This creates a "denial of service attack" (DoS).
I believe that you also think that the security guards who have not lost their identity can do further bad things.
3, falling into the trap
In the 4G LTE communication protocol, there is a wonderful regulation:
When a base station considers that its load is too large, it can direct the incoming mobile phone to the designated base station. So we can use the 4G pseudo base station to direct the phone to a 2G pseudo base station.
Go back to the security example. This is equivalent to the fake security telling the visitor that there is a small building next to the building, where you can also handle your business.
That's right, that small building is simply a fake environment built by hackers - 2G pseudo base stations.
So, after such a large circle, the poor mobile phone finally fell to the claws of the 2G pseudo base station. Since the mobile phone does not have the right to judge the authenticity of the base station in the 2G network, the information is handed over to the pseudo base station without reservation. The pseudo base station can even hand over the communication information to the real base station as a "middleman". In the user's opinion, there is no problem with his communication, but the actual situation is that all his communication content has been eavesdropped by this "middleman".
3GPP calendar year specified communication protocol
Where does the strange rule come from?
Maybe you will ask, why does the mobile phone have to follow the instructions of the base station to jump to the designated new base station?
Zhang Yiqiao said that this defect is not a loophole to some extent. As early as 2005, experts within the 3GPP protocol development agency 3GPP have realized that this rule may theoretically lead to attacks. But the agreement did not block this rule.
Because in the event of an emergency such as an earthquake or fire, it is likely that all mobile phones will be connected to the same base station at the same time. This will cause the base station to overload and crash. Mobile phones are very "stupid" and often only search for the base station with the strongest signal nearby. At this time, the mobile phone is required to obey the command, and the base station is connected to the designated other base station.
And without the communication protocol changing, all mobile phones are in the possibility of being attacked like this.
Kind hacker
For Zhang Weiqiao, she has no interest in monitoring her boyfriend's communication record. Rather, as a white hat hacker, she has a strict bottom line and values.
Her research on cracking 4G LTE technology is to find a way to protect the mobile phone network and prevent such attacks from being exploited by real bad guys.
At present, it seems that it is difficult to completely avoid such an attack without modifying the international 4G LTE protocol. The only thing that can be improved in this area is the mobile phone manufacturer. E.g:
1. Since the attack will eventually go to the 2G pseudo base station, and the 2G pseudo base station has some characteristics of its own. If some identification conditions are added to the mobile phone, most of the pseudo base stations can be identified, and the user can be alerted. Or simply refuse to connect.
2. For the 4G pseudo base station's denial of service attack, the mobile phone can automatically reconnect the network every half an hour or even less in this state, and will not cause a long time disconnection.
Zhang Weiqiao said that many of the underlying logic constructions of the 4G LTE crack research are mainly due to the wireless communication expert Huang Lin of the Unicorn team. These two suggestions have been submitted by the team to their own Qikuo phone, and the corresponding resolution rules should be being written.
Although in real life, there is no evidence that such attacks have taken place. But Zhang Weiqiao and a single curious study tell people that the security of 4G networks is not a child's play. This kind of attack is hard to detect and has a huge lethality. When such attacks really start to happen on a large scale, the price people pay will be hard to estimate.
PS Zhang Qiqiao special thanks: teammates single curious, Unicorn team communication big Niu Huanglin, unicorn team chief hacker Yang Qing. The research results were completed by the team.
Attached, the scene of Zhang Siqiao’s "siege" after the end of the speech
1) YC, YCL, YL series heavy-duty 1 phase motors are totally enclosed fan cooling type. It is cast iron housing high starting torque motors.
2) JY series single phase capacitor start induction motor is suitable for any placeds where a larger starting torque and the starting current to be limited. This series motors have three frame sizes, 09, 1 and 2 of totally enclosed fan cooled type. The frame is cast iron.
3) ML, MY, MC series single phase aluminum housing induction motor conforms to the IEC standard. The motor is with removable feet. User can fit according to their needs.
4) Y & Y2 series motor is totally enclosed and fan cooled 3 phase squirrel cage induction motor. It is newly designed in conformity with the relevant rules of IEC&DIN42673 standards.
5) MS series motor which adopting the latest design and high quality meterial is conformed to the IEC Standard. The efficiency of motor meets Eff2 standard in Europe and Eff1 standard if request. The motor with removable feet is made of aluminum alloy die casting. User could mount it with various mounting type. The housing is aluminum.
Ac Motors,Electric Motor,Small Electric Motor,1 Hp Electric Motor
FUZHOU LANDTOP CO., LTD , https://www.landtopco.com