36C3 ChaosWest: Emergency VPN: Analyzing mobile network traffic to detect digital threats

  • 0:17 - 0:26
    There's a long way from Argentina.
    Argentine, Argentine to Prague to Leipzig.
  • 0:27 - 0:33
    These two young researchers, security
    researchers, the lady and the gentleman,
  • 0:38 - 0:46
    Veronica and Sebastian are here to tell us
    something about Emergency VPNs, virtual
  • 0:46 - 0:54
    private networks, analyzing mobile network
    traffic to detect digital threats. And I'm
  • 0:54 - 0:59
    quite convinced you're going to have a
    good time. You're welcome to have a big
  • 0:59 - 1:09
    hand for Veronica and Sebastian. Thank
    you. Thank you. OK, thank you, everyone
  • 1:09 - 1:15
    for coming here. My name is Veronica
    Valeros. I'm a researcher with the Czech
  • 1:15 - 1:20
    Technical University in Prague. Currently,
    I'm the project leader of the Civilsphere
  • 1:20 - 1:25
    Project, and Sebastian Garcia, the
    director of the Civilsphere Project in the
  • 1:25 - 1:31
    Czech Technical University in Prague. The
    project is part of the Stratosphere
  • 1:31 - 1:37
    Laboratory in the university. The main
    purpose is to provide free services and
  • 1:37 - 1:43
    tools to help the civil society protect
    themselves and help them identify
  • 1:44 - 1:55
    targeted digital attacks. So Maati Monjib.
    He's a Moroccan historian. He's the co-
  • 1:55 - 2:03
    founder of the Moroccan Association of
    Independent Journalism. He was denouncing
  • 2:03 - 2:08
    some misbehavior of his government, and
    because of that, he was targeted with
  • 2:08 - 2:21
    spyware. Around 2015. Alberto Nisman was a
    lawyer in Argentina, he - he died. He was
  • 2:21 - 2:27
    until the moment of his death, the lead
    investigator in the terrorist attack of
  • 2:27 - 2:36
    1994 that happened in Buenos Aires. It was
    a sad incident that may have been covered
  • 2:36 - 2:43
    up by the government. And after his death,
    the researchers found traces of a spyware
  • 2:43 - 2:51
    in his mobile phone allegedly installed by
    the government to spy on him. Ahmed
  • 2:51 - 3:03
    Mansoor. He's an activist from the UAE.
    He's also a human rights defender. He
  • 3:03 - 3:08
    also denounces misbehaviors of his
    government, and because of that, his
  • 3:08 - 3:14
    government targeted him repeatedly with
    different type of spyware from different
  • 3:14 - 3:24
    places. Right now, he's in jail. He's
    been there for almost two years, and he
  • 3:24 - 3:29
    barely survived there a more than 40-day
    hunger strike. He did complain about
  • 3:29 - 3:37
    the prison conditions. Simón Barquera.
    Maybe you can check the slides. They are
  • 3:37 - 3:46
    not. Simón Barquera is a researcher, food
    scientist from Mexico. He is a weird case
  • 3:46 - 3:52
    because it's not very clear why he was
    targeted. The Mexican government targeted
  • 3:52 - 4:01
    him and his colleagues with also spyware.
    Karla Salas, she's a lawyer from
  • 4:01 - 4:07
    Mexico as well. She's representing and
    investigating the murder of a group of
  • 4:08 - 4:15
    human rights defenders that were murdered
    in Mexico. She and her colleagues were
  • 4:15 - 4:22
    targeted by the Mexican government with
    the NSO's Pegasus spyware. Griselda Triana,
  • 4:22 - 4:27
    she's a widow. Her husband was a
    journalist from Mexico covering drug
  • 4:27 - 4:34
    cartel activities and organized crime in
    Sinaloa, Culiacán, Mexico. She was
  • 4:34 - 4:39
    targeted by the Mexican government with
    spyware. A few days after her husband's
  • 4:39 - 4:47
    death, and we don't understand exactly
    why. Her husband's computer and
  • 4:47 - 4:54
    laptop were taken away when he was
    murdered, so there was no known reason why
  • 4:54 - 5:02
    she was targeted. Emilio Aristegui, he's
    the son of a lawyer, he is a minor, and he
  • 5:02 - 5:06
    was targeted. His phone was targeted by
    the Mexican government with spyware to spy
  • 5:06 - 5:13
    on his mother and that she was a lawyer
    investigating some cases. So these are
  • 5:13 - 5:21
    only a few cases of the dozens of hundreds
    of cases where governments use surveillance
  • 5:21 - 5:26
    technology to spy on people. But not only
    civil society defenders, but also
  • 5:26 - 5:33
    civilians like this kid. And the common
    case among all this is that their mobile
  • 5:33 - 5:38
    phones were targeted. And there is a
    simple explanation for that. We take our
  • 5:38 - 5:42
    mobile phones with us everywhere we use
    them. These we don't take computers
  • 5:42 - 5:47
    anymore. When we are in the front line in
    Syria covering war, we record the videos
  • 5:47 - 5:52
    with our phones. We send messages that we
    are still alive with our phones. We
  • 5:52 - 5:57
    cannot. When we are working on this field,
    we don't know. We cannot not use the
  • 5:57 - 6:03
    mobile phones. So they have photos, they
    have documents, they have location, they
  • 6:03 - 6:13
    have everything. This is perfect for
    spying on someone. So, it is a fact that
  • 6:13 - 6:17
    governments are using the spyware as a
    surveillance technology not only to
  • 6:17 - 6:25
    surveil, but also to abuse, to imprison,
    to sometimes to kill people. And we know
  • 6:25 - 6:30
    that they are governments because the
    technology that they are using like, for
  • 6:30 - 6:36
    example, the Pegasus software by the
    Israeli company NSO. They can only be
  • 6:36 - 6:44
    purchased by governments. So we know they
    are doing this. So these tools are also
  • 6:44 - 6:50
    cheap, easy to use, cheap for them, right?
    Easy to use. They can be used multiple
  • 6:50 - 6:57
    times all the times they want. Sometimes
    they cannot be traced back to their
  • 6:57 - 7:01
    sources. It's not that easy. So you find
    an infection and it's hard to know who is
  • 7:01 - 7:10
    behind it. So for them it's a perfect
    tool. So what can we do if we
  • 7:10 - 7:15
    think our mobile is compromised? There are
    several things we can do. For instance, we
  • 7:15 - 7:21
    can do a forensic analysis. It's costly
    because it takes a lot of time. We need to
  • 7:21 - 7:26
    go on the phone to check the files, to try
    to see if there is any sign of infections.
  • 7:27 - 7:34
    And sometimes this also involves like
    sending our phone to somewhere to analyze.
  • 7:34 - 7:39
    And in the meantime, what are we going to
    use? It's not very clear. We can factory
  • 7:39 - 7:45
    reset our phone. It might work sometimes,
    sometimes not. And it's costly. Sometimes
  • 7:45 - 7:51
    we lose data. We can change phones which
    is a simple solution. We just drop it to
  • 7:51 - 7:56
    trash. We pick another one. But how many
    of us can afford to do these, like maybe
  • 7:56 - 8:01
    three or four times a year? It's very
    expensive. But we can also do traffic
  • 8:01 - 8:06
    analysis. That means work on the
    assumption that the malware that is
  • 8:06 - 8:10
    infecting our phones will try to steal
    information from our phones and send it
  • 8:10 - 8:18
    somewhere. The sending of data will happen
    over the internet because that's cheap so
  • 8:18 - 8:25
    that communication we can see and
    hopefully we can identify it. So how can
  • 8:25 - 8:30
    we know? How can we know if our phone
    right now is at risk? Imagine that you're
  • 8:30 - 8:36
    crossing a border. Someone from the police
    takes your phone, then gives it back to you.
  • 8:36 - 8:41
    Everything is fine. How can you know if
    it's not compromised? So this is where in
  • 8:41 - 8:50
    Civilsphere we start thinking, which is
    the simplest way we can go there and help
  • 8:50 - 8:56
    these people, which is the simplest way we
    can go and check those phones in the field
  • 8:56 - 9:01
    while this is happening and we came up
    with an Emergency VPN. So the Emergency
  • 9:01 - 9:06
    VPN is the service that we are providing
    using OpenVPN, this free tool that you
  • 9:06 - 9:11
    know that you install in your phone. And
    from these, we are sending the traffic
  • 9:11 - 9:16
    from their phones to their university
    servers or the servers are in our office
  • 9:16 - 9:21
    and then to the internet and back. So we
    have normal internet. And we are capturing
  • 9:21 - 9:25
    all your traffic. We store it there. What
    are we doing with this? Well, we have our
  • 9:25 - 9:30
    security analysts looking at this traffic,
    finding infection, finding that out, using
  • 9:30 - 9:34
    our tools, using our expertise, threat
    intelligence, threat hunting, handling
  • 9:34 - 9:39
    whatever we can and see everything in
    there and then reporting back to you say,
  • 9:39 - 9:43
    Hey, you're safe, it's OK. Or, Hey, there
    is something going on with your phone,
  • 9:43 - 9:47
    uninstall these applications or actually
    change phones. We are from time to time
  • 9:47 - 9:52
    suggesting stop using that phone right
    now. I don't know what you are doing, but
  • 9:52 - 9:56
    this is something you should stop. So we
    are having experts looking at this
  • 9:56 - 10:00
    traffic. Also, we have the tools and
    everything we do in there is free software
  • 10:00 - 10:05
    because we need these to be open for the
    community. So how does it work? This is a
  • 10:05 - 10:09
    schema of the Emergency VPN. You have your
    phone on in the situation. Like Veronica
  • 10:09 - 10:13
    was saying, you are at risk and you say
    right now I'm crossing the border, I'm
  • 10:13 - 10:18
    going to a country that I don't know. I
    suspect I might be targeted. In that
  • 10:18 - 10:23
    moment, you send an email to a special
    email address that - the address is not
  • 10:23 - 10:27
    here because we cannot afford right now
    everyone using the Emergency VPN, because
  • 10:27 - 10:32
    we have humans checking the traffic. So we
    will give you later the address if you
  • 10:32 - 10:37
    need it, but you send an email to say,
    Hey, help automatically. We check these
  • 10:37 - 10:44
    email, we create an OpenVPN profile for
    you. We open this for you and we send by
  • 10:44 - 10:49
    email the profile. So you click on the
    profile. You have OpenVPN installed
  • 10:49 - 10:54
    or you can install the additional one. And
    from that moment, your phone is sending
  • 10:54 - 10:58
    all your traffic to the university to the
    internet maximum three days. We stop it
  • 10:58 - 11:03
    there automatically and then we create the
    PCAP file where the analysts are going
  • 11:03 - 11:08
    there and checking what's going on with
    your traffic. After this, we create a
  • 11:08 - 11:14
    report that is being sent to you back by
    email. OK, so this is the core operation
  • 11:14 - 11:19
    like 90 percent of the magic of the
    Emergency VPN. So advantages of this
  • 11:19 - 11:25
    approach? Well, the first one is that this
    is giving you an immediate analysis of the
  • 11:25 - 11:30
    traffic of your phone, wherever you are.
    This is in the moment you need it and then
  • 11:30 - 11:35
    you can see what your phone is doing or
    not doing right. Secondly, here is that we
  • 11:35 - 11:39
    have the technology. We have the
    expertise. Our threat hunter, threat
  • 11:39 - 11:43
    intelligence people. We have tools. We are
    doing machine learning also in the
  • 11:43 - 11:47
    university. So we have methods for
    analyzing the behavior of encrypted
  • 11:47 - 11:52
    traffic. We do not open the traffic, but
    we can analyze this also. So we took all
  • 11:52 - 11:57
    the tools we can to help the civil
    society. Then we have the anonymity. We
  • 11:57 - 12:01
    want this to be as anonymous as possible,
    which means we only know one email
  • 12:01 - 12:06
    address, the one used to send us an email.
    And that's it. It doesn't even need to be
  • 12:06 - 12:11
    your real email. We don't care, right?
    Moreover, this email address is only known
  • 12:11 - 12:16
    to the manager of the project. The people
    analyzing the traffic do not have this
  • 12:16 - 12:21
    information. After that, they send the
    report back to the email address and that
  • 12:21 - 12:26
    say we did a pcap, and that's all we know.
    Of course, if your phone is leaking data,
  • 12:26 - 12:31
    which probably is, we see this information
    because this is for the whole purpose of
  • 12:31 - 12:36
    the system, right? Then we have our
    continuous research. We had a university
  • 12:36 - 12:40
    project like almost 30 people here. So we
    are doing new research, new methods, new
  • 12:40 - 12:44
    tools, open source. We are applying,
    checking, researching and publishing
  • 12:44 - 12:49
    research, continually moving. At last, this
    is the best way to have a report back to
  • 12:49 - 12:55
    you in your phone saying if you are
    infected or not. OK, so some insights from
  • 12:55 - 13:01
    the Emergency VPN. The first one is this
    is active since mid-2018. We analyzed 111
  • 13:01 - 13:07
    cases, roughly maybe a little bit more than 60
    percent are Android devices here. We
  • 13:07 - 13:12
    can talk about that, but it's well known
    that a lot of people at risk cannot afford
  • 13:12 - 13:17
    very expensive phones, which is also
    impacting their security. Eighty-two
  • 13:17 - 13:24
    gigabytes of traffic. 3200 hours of humans
    analyzing this, which is huge and most
  • 13:24 - 13:31
    importantly, 95% of whatever we found
    there. It's because of normal applications
  • 13:31 - 13:37
    like the applications you have right now
    in your phone in this moment. And this is
  • 13:37 - 13:44
    a huge issue. The most common issues,
    right, that we found, and we cannot say
  • 13:44 - 13:51
    this enough. Geolocation is an issue. Like
    only three phones ever were not leaking
  • 13:51 - 13:57
    geolocation. So the rest of the phones are
    leaking like weather applications, like
  • 13:57 - 14:02
    dating applications, to buy stuff,
    transport applications like a lot of
  • 14:02 - 14:08
    applications, are leaking these. Most are
    leaking these in encrypted form. A lot of
  • 14:08 - 14:13
    them are leaking these unencrypted, which
    means that not only we can see that, but
  • 14:13 - 14:18
    the people in your WiFi, your government,
    the police, whoever has access to this
  • 14:18 - 14:23
    traffic can see your position almost in
    real time. Which means that if the
  • 14:23 - 14:29
    government wants to know where you are,
    they do not need to infect you. It's much
  • 14:29 - 14:34
    easier to go to a telco provider. They
    look at your traffic and see that you are
  • 14:34 - 14:38
    leaking your location of all over the
    place. We know that this is because of
  • 14:38 - 14:42
    advertising and marketing. The people are
    selling this information a lot. Be very
  • 14:42 - 14:46
    careful with which application you have,
    and this is the third point is secured
  • 14:46 - 14:51
    applications are a real hazard for you.
    Maybe you need two phones like your
  • 14:51 - 14:56
    professional phones and your everyday life
    phone. We don't know what the problem
  • 14:56 - 15:01
    usually comes for the applications that
    you're installing, just because, right,
  • 15:01 - 15:06
    these applications are leaking so much
    data like your email, your name, your
  • 15:06 - 15:11
    phone number, credit cards, user behavior,
    your preferences if you are dating or not.
  • 15:11 - 15:17
    If you are buying and where you're buying,
    which transports you are taking which seat
  • 15:17 - 15:23
    you're taking on the bus. So a lot of
    information, really, really, believe
  • 15:23 - 15:28
    us here. Also, the IMEI and the
    IMSI, these two identifiers of the
  • 15:28 - 15:32
    phone are usually leaked by the
    applications. We don't know why. And this
  • 15:32 - 15:37
    is very dangerous because it identifies your
    phone uniquely, OK. From the point of view
  • 15:37 - 15:43
    of the important cases, there are two
    things that we want to say. The first one
  • 15:43 - 15:48
    is that we found trojans here that are
    infecting your phones, but none of these
  • 15:48 - 15:54
    trojans were actually targeted. Trojans
    like trojans for you. They were like,
  • 15:54 - 15:59
    Let's call normal trojans. So this is a
    thing. And the second one is malicious
  • 15:59 - 16:03
    files. A lot of phones are doing this
    peer-to-peer file sharing thing. Even if
  • 16:03 - 16:07
    you don't know some applications. I'm not
    going to give you names, but they're doing
  • 16:07 - 16:11
    this peer-to-peer file sharing, even if
    you don't know and they were malicious
  • 16:11 - 16:18
    files going over the wire there. However,
    why is it that after a year or something
  • 16:18 - 16:25
    of analysis, after 111 cases analyzed, we
    did not find any targeted attack? Why?
  • 16:25 - 16:35
    Why this is the case? I mean, the answer?
    The answer is simple. No. Yes. The answer
  • 16:35 - 16:44
    is simple. The Emergency VPN works for
    three days maximum, so it's not about
  • 16:44 - 16:50
    reaching the right people, but reaching
    the right people at the right time. Like,
  • 16:50 - 16:56
    if we take three days before the incident,
    we might not see it. If we check three
  • 16:56 - 17:02
    days later, we might not see it. So right
    now, we need your help. Reaching the
  • 17:02 - 17:09
    right population is very important because
    we need people to know that these services
  • 17:09 - 17:15
    exist and it's always tricky. If we tell
    you, Hey, connect, here we are going to
  • 17:15 - 17:20
    see all your traffic is like, Are you
    insane? Why? Why would I do that? However,
  • 17:20 - 17:26
    remember that the other options are not
    very cheap or easy or even feasible if you
  • 17:26 - 17:32
    are traveling, for example. And again, as
    Sebastian said. Like, everything that goes
  • 17:32 - 17:38
    encrypted, we don't see it. We
    are not doing man in the middle. If we see
  • 17:38 - 17:45
    anything, we see it because it's not
    encrypted. So if you believe that you are
  • 17:45 - 17:51
    a person that is at risk because
    of the work you do or because of the type
  • 17:51 - 17:55
    of information or people that you help,
    please contact us. We are willing to
  • 17:55 - 18:00
    answer all the questions that you might
    have about data retention, how we handle
  • 18:00 - 18:06
    the data, how we store it, how we delete
    it after how long, etc. And if you know
  • 18:06 - 18:13
    people that might be at risk because of
    the work they do, because the people they
  • 18:13 - 18:18
    protect, the people, they represent the
    type of investigation they do, please tell
  • 18:18 - 18:24
    them about the service. We can.
    Contact us via email. As we say, the
  • 18:24 - 18:29
    information, how specifically you can get
    it, is not publicly available
  • 18:29 - 18:34
    because we cannot handle hundreds of cases
    at the same time. However, if you think
  • 18:34 - 18:41
    you are a person at risk, we will send
    it to you right away. This is the contact
  • 18:41 - 18:47
    phone number; we are on Telegram, Wire,
    Signal, WhatsApp, anything that you need
  • 18:47 - 18:52
    to reach out and we will answer any
    questions. So we need to reach these
  • 18:52 - 18:57
    people. OK, so thank you very much and we
    will be around for the rest of the
  • 18:57 - 19:01
    congress. If you want to stop us, ask
    questions. Tell us something. If you need,
  • 19:01 - 19:05
    tell us about these two other people in
    the field that they needed. Trust is very
  • 19:05 - 19:15
    important here. And let us know. OK? Yes,
    thank you. Thank you. OK. And as usual, we
  • 19:15 - 19:24
    will take questions from the public. There
    are two microphones. Yes, go ahead. Talk
  • 19:24 - 19:29
    into the mic, one sentence, please. Just a
    quick one. Thanks for your excellent service.
  • 19:29 - 19:35
    My question is how can you be sure that
    all the traffic of a compromised phone is
  • 19:35 - 19:42
    run through your VPN? Mm-Hmm. So of course
    we cannot. We can't say that in our
  • 19:42 - 19:48
    experience, we never found or saw any
    malware that is trying to avoid the VPN in
  • 19:48 - 19:53
    the phone. So we rely on that. No
    malware or APT ever that we saw or know
  • 19:53 - 19:58
    about is actually trying to avoid the VPN
    service in some phones. I'm not sure if
  • 19:58 - 20:03
    you can avoid it. Maybe, yes, I don't
    know. In our experiments on trials with
  • 20:03 - 20:06
    different phones and tablets and
    everything, all the traffic is going
  • 20:06 - 20:12
    through the VPN service, right? Because
    like a proxy in your phone? Yes. So if you
  • 20:12 - 20:19
    if you know of any case, yeah, we would
    love to know. We try. We run a malware
  • 20:19 - 20:24
    laboratory and we run malware on phones
    and computers to try to understand them.
  • 20:24 - 20:29
    And we have not encountered such a case.
    SMS, for example, we are not seeing.
  • 20:29 - 20:33
    Right? Yes. One more question, please.
    Yeah. So you're
  • 20:33 - 20:39
    running the data through your network at
    the university. Do you have a like a lot
  • 20:39 - 20:45
    of exit IP numbers? Because, yes, a
    malware app could maybe identify it is
  • 20:45 - 20:49
    routing through you and decide not to act?
    Yeah. So that's a good question actually.
  • 20:49 - 20:54
    In the university. We have a complete
    class public network. We have, of course,
  • 20:54 - 20:58
    agreements with the university to use part
    of the IPs. So this is part of the
  • 20:58 - 21:06
    equation in the right, like any way we are
    taking precautions. But so far we did not
  • 21:06 - 21:11
    found anyone blocking or checking our IPs.
    So we would say that it's true, right?
  • 21:11 - 21:17
    Yeah, we would say that if that happens,
    we would consider our project very
  • 21:17 - 21:25
    successful. We haven't heard
    of such a case yet. Thank you. OK. Let's
  • 21:25 - 21:30
    have a final big hand for Veronica and
    Sebastian. Thank you very much.
  • 21:30 - 22:01
    Subtitles created by many many volunteers and
    the c3subtitles.de team. Join us, and help us!
Video Language:
English
Duration:
22:01