networkworld.com — Despite concerns he might be arrested, a hacker went ahead with a demonstration of mobile phone interception at Defcon yesterday. Using several thousand dollars worth of equipment, he was able to intercept phone data on networks used by AT&T and T-Mobile. "As far as your cell phones are concerned I am now indistinguishable from AT&T," he said.
Aug 1, 2010
rogor, Aug 1, 2010
There goes any pretence SMS banking authorization is secure.
mydigglogin, Aug 1, 2010
I don't know how exactly that works, but it is possible to implement a secure connection/protocol using non-secure transport.
tsk05, Aug 2, 2010
That's logically impossible, hence no, it isn't possible - at least without a major but.
peaceninja, Aug 2, 2010
Do you have an example? Not antagonizing you, just thinking critically here.
Qxzkjp, Aug 2, 2010
@peaceninja: How about SSL? The internet is, after all, a thoroughly insecure transport.
jigorokano, Aug 2, 2010
It depends on how early the intercept occurs. If it occurs from the beginning, then no, you have zero security.
onestone, Aug 2, 2010
Examples: SSH/TLS, Diffie-Hellman key exchange, ...
Qxzkjp, Aug 2, 2010
Well, technically it requires some form of pre-shared information. The root CA certificate in the case of SSL. But a certified delivery letter would take care of that. Or hell, the private key in your credit/debit card. My bank sent me a card reader that I have to use to authorize certain transactions. Why I don't need it to log in, I don't know.
tsk05, Aug 2, 2010
The major but in the case of SSL is the CA, the only way to actually prevent man in the middle attacks.
SSH is vulnerable to man in the middle attacks.
tsk05, Aug 2, 2010
Even with CAs, by the way, I've never figured out what prevents a MITM attack where a computer intercepts the public key, decrypts the data, but still forwards the data using the valid public key it intercepted. Without a secure transport, it seems logically impossible to prevent another computer from intercepting data. And if you can intercept the data, you can take the public key and decrypt all the data as well as send your own commands.
If it is somehow possible, perhaps someone can explain it.
litheon, Aug 2, 2010
The public key is a key that's meant to be shared. The private key is what is needed to decrypt something encrypted with the public key. See this: http://en.wikipedia.org/wiki/RSA#Operation
tsk05, Aug 2, 2010
Ok, reading that link, I see how it's possible. But it's still vulnerable to man in the middle attacks without a CA since the MITM could send a fake public key. In practice that's almost useless since nobody actually uses self signed certificates for anything truly secure but it's still a pretty big but that it's necessary. SSH is also vulnerable.
xino, Aug 2, 2010
For those of you that want to know more about SSL or cryptography in general, I highly recommend listening to Security Now episode 31-37. These explain the basics of crypto with the exceptions of 32 and 36 which are Q&A episodes. I still recommend you listen to them because questions get answered from other listeners and I remember some of the answers clarified a couple things about crypto. Also, there is a fun brain teaser question in 32 which they answer in 33. Then listen to episode 185 which is about HMACs which you need to understand SSL and then 195 is about the SSL protocol. Then listen to episode 243 about one way to subvert SSL, but doesn't mean SSL is totally useless. www.grc.com/sn. The great thing about learning it from Security Now is that they don't assume you know anything about crypto.
joosebuck, Aug 2, 2010
posting to research later
craftyguy, Aug 2, 2010
@Qxzkjp
I was in Sweden recently, and learned that type of setup is basically mandatory over there for banking. You use this passcode generator (like a small keyfob) to generate a login to your banking account.
Very cool system and it seems to be very secure. Too bad there's nothing like it in the US.
xixphz, Aug 4, 2010
Nice
myztry, Aug 2, 2010
"People connected to Paget's system would get a warning message, but they could dial out as normal, but anyone trying to call them would go straight to voicemail."
Even though the phones are connecting unencrypted to the fake Cell, what is the fake Cell connected to? Wouldn't it need to authenticate with the network proper? Do the incoming calls go to messagebank by choice or because the full network doesn't consider them connected? I'm a bit confused as to how the phones can make outgoing calls via the fake Cell. Surely there are infrastructure level protections to stop unauthorised devices joining at that level.
morph, Aug 2, 2010
He was connecting calls via VoIP via an internet connection on his Verizon phone
myztry, Aug 2, 2010
Okay. So it isn't joining the network he is imitating.
SMS authorization shouldn't be an issue then since the method is incapable of receiving incoming authorization codes.
morph, Aug 2, 2010
Correct. Though he did throw out some ideas for doing just that. It would involve spoofing the handset to a real tower by either cracking A5/1 (would require some large SSDs with rainbow tables) or negotiating A5/2 (which is fairly trivial to break) with the tower on behalf of the handset. Then it's just a MitM but the handset is always using A5/0 with the rogue base station.
zzzblaz, Aug 1, 2010
Well here I thought buying only Quadband phones was an investment. It makes it easy to swap out the SIM card overseas and switch to another carrier.
lordben, Aug 1, 2010
He snooped on the bands the international phones use because it made it somewhat more legal because it corresponded to legal ham radio wavelengths in the USA.
By my understanding it would be no harder for him to intercept the standard USA frequencies that all cell phones in the USA use except it would be illegal as opposed to the quasi questionable legality it was with him doing the European frequencies.
zzzblaz, Aug 2, 2010
Good point. However, do we know that someone who would have one of these would have all 4 frequencies?
It just seems to me quadband = 4 times the chance you get spoofed.
nspriggs, Aug 1, 2010
Now I just need several thousand dollars...
chasebadkids, Aug 2, 2010
Except you don't need several thousand dollars, the whole thing cost just shy of 1,500.00 and most of that cost was for the laptop.
helljumper777, Aug 1, 2010
Yes... "As far as your cell pones are concerned I am a European radio transmitter."
Notice the use of "pones"
philbert, Aug 2, 2010
I guess you could say the people in that room got...
Cell pwned.
(sorry I forgot my sunglasses today)
patman21, Aug 2, 2010
here, you can borrow mine
ki77erb, Aug 2, 2010
YEAAAAAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHH!
srs2000, Aug 1, 2010
All you need is $1500
Here is a link with video: http://www.pcmag.com/article2/0,2817,2367247,00.asp
tech42er, Aug 2, 2010
And most of that is the cost of the laptop. So assuming you have a laptop, it's even cheaper.
unic0rn, Aug 1, 2010
http://www.youtube.com/watch?v=q8JuYh7Km34
geoken, Aug 2, 2010
Was he wearing heels?
lonewolf01, Aug 2, 2010
Yes. http://twitter.com/ChrisPaget/status/6097528589
davidtc, Aug 1, 2010
$1,500 is not "several thousand dollars"
Wish sites would just report stuff that happen and not make up s**t to make it sound more interesting.
isunktheship, Aug 1, 2010
define: sensational news
darkshroud, Aug 1, 2010
Defcon, scaring the hell out of people since 1992.
wreckage, Aug 1, 2010
"As far as your cell phones are concerned I am now indistinguishable from AT&T,"
So all he did was drop their calls?
diggwithafork, Aug 1, 2010
ohh f**k.
wspnut, Aug 1, 2010
ZING!
davidtc, Aug 2, 2010
As far as the phone user is concerned, if the call doesn't drop, they know they aren't connecting to AT&T and are being snooped on.
darkshroud, Aug 2, 2010
If you're holding the phone wrong Apple will beat him to the punch.
patman21, Aug 2, 2010
no.
p8ntballnxj, Aug 2, 2010
http://instantrimshot.com/
cerebron, Aug 1, 2010
I hope it helps dispel the horrible state of radio regulation/security in the US.
It's also embarrassing if your 'encrypted' telephone can just be told to turn off encryption. Is there a warning displayed for the user? Probably not. When the main security tactic you depend on is just passing a law preventing strangers from using your frequency, you are an idiot.
creamycenter200, Aug 2, 2010
You do realize this applies to all GSM phones in the world, right? This is not limited to AT&T, or the USA.
cerebron, Aug 2, 2010
I guess, I just don't really know anything about radio outside of US.
Closed Account, Aug 2, 2010
When you receive warnings that the Fed may come after you for a presentation given at BH, it's a good idea to heed that warning. I'm sure Michael Lynn, formerly of ISS, has some thoughts on that subject.
http://www.informationweek.com/news/security/showArticle.jhtml?articleID=166403842
generalobvious, Aug 2, 2010
That's what publishing findings anonymously/via P2P is for.
xsubmerged, Aug 2, 2010
This is identical to a method I've tried called a "Man in the middle attack". You can essentially trick computers on your network into thinking you're the router. You can then modify or sniff their packets and either drop them (most effective, since they want to have an internet connection) or drop them. It's scary how well it works. You can even decrypt SSL packets and look for username / password packets.
As for myself, I won't be telling anything private over my cell phone or giving out my CC number...
therealrico, Aug 2, 2010
So does this mean if they start converting cell phones to be able to basically use them like Debit cards like the Japanese do means someone could easily steal that?
alienmushroom, Aug 2, 2010
WTF are you talking about?
therealrico, Aug 2, 2010
OK, it wasn't the best structured sentence in the world, but it is a legitimate question, douche
alienmushroom, Aug 2, 2010
It's certainly not the best structure sentence, as it's one of the worst.
shinzen, Aug 2, 2010
Kind of like missing the tense on your main subject, isn't it?
socokoolaid, Aug 2, 2010
Oh, you mean like the Internet. Well, of course, they can and do!
morph, Aug 2, 2010
During the talk he said that the GSM spec requires that carriers warn you if the phone is connecting using A5/0 (no encryption) but the spec also allows for turning that off via a bit on the SIM card, which all carriers set so that you don't get a warning.
cerberus047, Aug 2, 2010
So is it possible that he can do the same with CDMA phones? Is it easier to do with GSM? Sorry I'm not a phone spectrum expert, so if someone could put it in layman's terms...
lonewolf01, Aug 2, 2010
There was much more theory and how-to at CCC last year, should you want to try it yourself.
www.youtube.com/watch?v=rl5uq7EzVYQ (Part 1 of 7)
joosebuck, Aug 2, 2010
bookmarking
salimmk, Aug 2, 2010
I would switch my phone to 3G only mode but it would eat up all my battery and I would be out of signal most of the day. I guess all my phone conversations are now insecure.
nicoladimaria, Aug 2, 2010
This is pretty interesting. I'm a hacker too and I coded this cool Flash chat that records user's IPs and stuff. Check it out at http://www.flashchatdeluxe.com
/fake hacker
yunus, Aug 2, 2010
"His IMSI catcher can get around cell phone encryption by simply telling the connecting phones to drop encryption. "
Wouldn't a software patch to cell phones giving the user the option to only connect if encryption is enabled solve this issue?
cyclonusrip, Aug 2, 2010
He would still be able to act as a tower and intercept the data I think, but likely wouldn't be able to decrypt it.
socokoolaid, Aug 2, 2010
Why wouldn't he be able to decrypt it? Seems like that is just another layer of effort.
cyclonusrip, Aug 2, 2010
Because the encryption is done end-to-end not by the network. I'm not an expert on cellular protocols, but I'm sure they use the asymmetric encryption scheme to establish a symmetric encryption strategy between the two end devices. Without knowledge of the keys used, decrypting the data would rely on a flaw in the encryption scheme (probably not gonna happen) or a brute force approach. Depending on the type of information you were trying to obtain, the time it takes to decrypt using the brute force approach could possibly render the data useless.
lucyimhome, Aug 2, 2010
In one of Chris Paget's videos, a reporter asked if the RFID protection sleeves helped. He said they usually don't.
Are the RFID blocking wallets (such as the ones sold by ThinkGeek) good enough to protect your RFID'd cards from being sniffed?
MicealOcorra, Aug 2, 2010
$1500 to spy on 13 year olds yapping all day?!!?! NO THANX ;) 123 - = Y = - la!
theplop, Aug 2, 2010
I was at the demo when they did this, there were warnings all over the place along with a heavy disclaimer before the talk that the phones would be intercepted. He mentioned that he had some long talks with the FBI and FCC before this all began.
my fave quote: "If your on AT&T, your f**ked"
and the warning posters: http://twitpic.com/2aivj4
Good times :)
mikes1, Aug 2, 2010
Except that hams are not authorized to communicate with non-hams (simply put), so still illegal. I won't be surprised if the FCC yanks his license.
nastri83, Aug 2, 2010
What a hambone
bipolarruledout, Aug 2, 2010
The only reason they found him was that AT&T customers were reporting vastly improved service.