Cellphones Security Encryption Privacy Wireless Networking

Hacker Builds $1,500 Cell Phone Tapping Device

Posted by Soulskill
from the snoop-on-the-cheap dept.
We previously discussed security researcher Chris Paget's plans to demonstrate practical cell phone interception at DefCon. Paget completed his talk yesterday, and reader suraj.sun points out coverage from Wired. Quoting: "A security researcher created a $1,500 cell phone base station kit (including a laptop and two RF antennas) that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear. Most of the price is for the laptop he used to operate the system. The device tricks the phones into disabling encryption and records call details and content before they are routed on their proper way through voice-over-IP. The low-cost, home-brewed device ... mimics more expensive devices already used by intelligence and law enforcement agencies — called IMSI catchers — that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that's stronger than legitimate towers in the area. Encrypted calls are not protected from interception because the rogue tower can simply turn it off. Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed. Even though the GSM spec requires it, this is a deliberate choice of the cell phone makers, Paget said."
  • Disabled warning (Score:5, Interesting)

    by maxwell demon (590494) on Sunday August 01, 2010 @11:25AM (#33101236) Journal

    If the GSM spec does specify the warning should be there, does that mean the manufacturers are violating their GSM license when they disable that warning? Or could they be sued for false marketing because the phone you bought does not follow the GSM spec despite being called a GSM phone?

    In short: Could they be (successfully) sued for it?

    • Re: (Score:2, Informative)

      by Anonymous Coward
      No, the SIM card disables the warning, not the phone.
      • by commodore64_love (1445365) on Sunday August 01, 2010 @11:50AM (#33101358) Journal

        What's a SIM card? My phone doesn't appear to have one of those.

        • Re: (Score:1, Insightful)

          by Anonymous Coward

          Then your phone isn't GSM.

        • by kidgenius (704962)
          Then you shouldn't worry (yet) as your phone is CDMA not GSM
          • by sznupi (719324)

            Quite a lot of GSM phones nowadays don't sit, most of the time, on what could be strictly called a GSM network, too; they use UMTS (accidentally, also utilising a form of CDMA - why this one consortium insisted on using the name of a basic radio method as their branding?).

            So, what, the setup also jams UMTS? I don't think a 3G phone will really try to use the GSM/TDMA network, as long as UMTS is present...

            • by ncgnu08 (1307339)

              Let's not forget that GSM will be phased out for UMTS which is already being replaced by LTE...

              • by sznupi (719324)

                Well, TBH I don't expect GSM being phased out anytime soon; UMTS (which mostly turned out to be just an addition to GSM, not a replacement) much sooner, I guess, when practically everything for which it makes a difference will be on LTE. But GSM...that seems to be a case of "good enough", and handy when trying to provide pretty much total coverage.

      • by sirlark (1676276)
        So then, could the carriers who provide those SIM cards be sued? Don't they also make claims about GSM compliance, at least those networks who still use GSM?
    • by erroneus (253617) on Sunday August 01, 2010 @11:44AM (#33101334) Homepage

      They would rather violate the license as they would inevitably be protected by the government(s) that demanded things be set as they are.

      A better question would be how can we turn that feature back on?

        • by TheLink (130905)
          I use a phone to communicate with other people. Not to talk to myself and an imaginary friend that uses phonecrypt.
          • +1 insightful

            I barely use my phone at all (which is why it only costs me $5 a month), but I am concerned about the future if I ever decide to get an internet-capable phone. I don't want police spying on me without a warning that the encryption had been turned off.

            • Re: (Score:3, Insightful)

              by bill_mcgonigle (4333) *

              I am concerned about the future if I ever decide to get an internet-capable phone. I don't want police spying on me without a warning that the encryption had been turned off.

              Assume they are - do your encryption at the application layer, or at least with a VPN you control.

          • by Kozz (7764)

            I use a phone to communicate with other people. Not to talk to myself and an imaginary friend that uses phonecrypt.

            And you've also just summed up why people don't use PGP/GPG, for better or worse.

            • by TheLink (130905)
              Yeah it'll be nice if more people used crypto.

              Ubuntu is helping in some ways - they've made it easy for normal users to have their home directory encrypted (so all that talk about Ubuntu not contributing enough is bullshit).

              Even more than 10 years ago I think many email programs actually had support for S/MIME. But that design required CAs and $$$ (yes there could be free CAs or people could set one up themselves, but good luck with getting the public to do that).

              Whereas if the architecture was more like ssh
    • by Threni (635302)

      > does that mean the manufacturers are violating their GSM license when they disable that warning?

      Maybe. Most shops and pubs in the UK breach their agreements with their acquirers when they either surcharge or impose minimum transaction amounts on debit/credit card transactions. The rules are simple - you can't do it. But I'm not aware of any shops which don't. It's a funny old world, isn't it.

      • You're not aware of _any_ shops that don't impose minimum transaction amounts? You need to get out more.
        • by Drgnkght (449916)

          No, the GP meant they were not aware of any shops that do not impose such a minimum. It was a little ambiguous, but that was the intent of "The rules are simple - you can't do it. But I'm not aware of any shops which don't." In other words, every shop the GP has ever been in has had minimum transaction amounts or surcharges.

    • by Anonymous Coward on Sunday August 01, 2010 @12:19PM (#33101492)

      Sheesh! Why sue? That's not the answer to everything unless you're looking for a way to make some cash, or living in a litigation-crazy country like the USA.

      How about a user-driven pressure group to force a change - after all, if someone does manage to screw big bucks out of this:

      1) It'll make some lawyers even more rich.
      2) The phone companies will just pass the cost onto the customers somehow

      Suing the ass off companies just because they don't do things the way you like is just plain crazy.

      • Agreed 100%. I'm sick of people thinking litigation is the answer to EVERYTHING. Money does not equate to the problem being solved. If anything those that sue would probably end up settling out of court in secret anyway, and the rest of us get nothing, or if it's a class-action suit, those who participate would get $30 USD and the lawyers would make millions.
      • Sheesh! Why sue? That's not the answer to everything unless you're looking for a way to make some cash, or living in a litigation-crazy country like the USA.

        You do know that it's possible -- sometimes even necessary -- to sue for remedies other than cash, don't you? These remedies include (but are not limited to) enforcing or nullifying contract or license terms. But hey, don't let the facts get in the way of your prejudices...

      • Not every lawsuit is about money.

    • by hitmark (640295)
      Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed.

      Note the bit about the SIM card. That means it's AT&T or T-Mobile, not Apple or HTC, that is suppressing the message. I suspect it's done more to avoid tech support calls wondering why the message keeps showing up all the time, as various generations of towers have differing
    • by black3d (1648913)

      No, they don't violate any license terms by disabling a warning in the GSM spec. No, they could not be successfully sued for it. The GSM spec is not even a license, it's a set of guidelines for what a phone must be capable of to meet GSM standards. To meet this specification, the phone has to be able to detect it's connected to a tower without an encryption channel, and to display a warning to that effect. All that matters is that the phone is physically able to do this. The standards authority doesn't requi

      • Sad that folks are always looking for someone to sue.

        That's a very wrong conclusion. I do think suing should be reserved for important issues. But I also do think that silently breaking security is an important issue. Note the part about silently. It's not an issue if the phone is unencrypted and I know it. It's an issue if I can reasonably believe that it is encrypted, but in reality it isn't. If I know it's insecure, I'll not do any sensitive things on it (like phone banking).

  • Give it a month (Score:4, Insightful)

    by sv_libertarian (1317837) on Sunday August 01, 2010 @11:26AM (#33101242) Journal
    The government will mandate better encryption and stronger standards so they maintain their monopoly on being able to intercept phone calls.
    • Re:Give it a month (Score:4, Interesting)

      by bsDaemon (87307) on Sunday August 01, 2010 @11:39AM (#33101316)

      Then there will be another 3 years of court cases and lobbying to make the government pay the cell carriers to upgrade their equipment, although much of the issue is on the phones not properly realizing they're on a bogus tower and not providing the required notification. So everyone will have to upgrade phones if they're on a GSM network.

      Of course, we'll be on iPhone 7 by the time AT&T finally concedes to the upgrade, and iPhone 10 by the time it's done, and as they're the only GSM carrier of consequence in the US, user upgrades likely won't be an issue 'cause everyone will be clamoring for it while remaining blissfully ignorant of this situation.

      But the reality of the situation is probably closer to the fact that the government will just let this whole thing slide under the assumption that the easier it is to do, the cheaper they'll be able to obtain 3rd-party products to conduct intercepts for investigations.

    • Re:Give it a month (Score:5, Interesting)

      by poetmatt (793785) on Sunday August 01, 2010 @11:51AM (#33101360) Journal

      actually, what about the prospect of intercepting our own phone calls?

      As noted if you can do this on a laptop and then voip a call, couldn't people do this at home as a pseudo-femtocell?

      • Yes, but it's entirely likely you'd be violating FCC regulations running an unlicensed station, as well as running it at power levels you're not licensed for.

        • by poetmatt (793785)

          again, it's not like I care about FCC regulations. In the worst case what would they do if I could even figure out how to do this, tell me to stop? It's not like I'm going to start a bitter personal battle with the government here.

          However, it'd be nice to know if it can be done as that would give people easy options other than the not even remotely adequate ones that our cellular providers have been offering.

          I mean have computer + wireless + internet connection = you should have 90% of the capability right

          • by maxume (22995)

            It quickly becomes a question of whether the radio hardware costs more than a phone that will do VOIP over a Wifi connection.

            • by poetmatt (793785)

              Sadly, there aren't many phones that do voip over wifi. RIM products are about the only ones that do, via UMA.

              I do agree though.

      • by Stray7Xi (698337)

        As noted if you can do this on a laptop and then voip a call, couldn't people do this at home as a pseudo-femtocell?

        Yes and there's already software to do it:
        http://sourceforge.net/projects/openbootts/ [sourceforge.net]

  • by Manip (656104) on Sunday August 01, 2010 @11:27AM (#33101254)
    So wait, law enforcement use a method of interception that would be compromised if that warning was displayed, and phone manufacturers fail to enable such a warning? Call me a conspiracy nut but perhaps they were asked not to include such a warning for exactly that reason. It wouldn't be the first time the government has asked private industry to make it easier to snoop.
    • Uh, think the NSA got the telecoms to do more than make it easier to snoop.
    • by hitmark (640295) on Sunday August 01, 2010 @12:16PM (#33101482) Journal

      Has GSM encryption ever been about end to end encryption? My understanding is that the encryption only covers the radio signal, so that someone with a radio scanner can't just grab the call out of the air. The police can get a warrant and make a call to the telco and have them set up a tap at the base station or some other convenient place.

      I suspect the message is not there more out of convenience, as the message would be popping up all the time when going between stations of various generations. Also, we seem to be confusing handset makers (Nokia, HTC, Apple etc) with the telcos (AT&T, T-Mobile). From the summary, it's the SIM, not the phone, that says if the message should show or not. That means it's the telcos that suppress the message, not the handsets. Given the number of involved parties in the mobile phone business, it helps to place the blame where it belongs.

    • by Sique (173459)

      It's not just about law enforcement. India for example forbids encrypted phone calls completely. If the warning was turned on, phones in India would complain about non encrypted connections with every reconnect to an antenna.

      • by oiron (697563)
        That's end-to-end encryption. Encryption on the radio is still allowed, and probably regularly used. They tap into the signal at the operator's switchboard, not over ether.
    • by Auckerman (223266) on Sunday August 01, 2010 @12:42PM (#33101632)

      Call my a conspiracy nut

      Not a problem, I'll get his number from the CIA.

  • by Anonymous Coward

    So which manufacturers/service providers leave the encryption warning intact?

  • by UnknowingFool (672806) on Sunday August 01, 2010 @11:30AM (#33101268)
    The device works only on 2G GSM. While Chris Paget did not demonstrate it, he noted that he could also set up the device to block 3G signals and thus force all calls through 2G.
  • by Sigurd_Fafnersbane (674740) on Sunday August 01, 2010 @11:31AM (#33101274)
    Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed. Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers, Paget said."

    I am not sure I understand the above text. If it is the SIM card disabling the setting, why is this then labeled a deliberate choice by the cell phone makers?

    Also I have seen at least on numerous Nokia mobile phones that an icon in the display notifies you at least in some instances when encryption is disabled. (This happens quite frequently in e.g. China).

    • by maxwell demon (590494) on Sunday August 01, 2010 @11:36AM (#33101298) Journal

      I am not sure I understand the above text. If it is the SIM card disabling the setting, why is this then labeled a deliberate choice by the cell phone makers?

      Why can SIM cards disable the warning? Well, clearly because the cell phone allows the SIM card to disable the warning.

      • If that is the case, it must be specified how a SIM card requests this blocking from the phone. Otherwise this is not likely to work between different manufacturers of phones and SIM cards. If there is a specified way of doing this it must be within the GSM protocol to do so.

        Alternatively this is a behavior specified by certain network operators who buy phones and SIM cards in bulk and mandate an unofficial spec extension from both the SIM card and the phone manufacturer.

        In the latter case I think the pro

        • by hitmark (640295)

          Operators in some parts of the world love to mess with phone firmwares. That's one reason why Symbian phones never made it big in the USA, as Nokia didn't like them doing so.

      • It's probably part of the GSM and 3G specifications to allow for unencrypted networks.

    • I had an old Sony Ericsson K600i with a European SIM on a couple of trips to China and it would always warn about encryption being disabled.

      There's no need for the intelligence service of the US or an EU country to do this - they can just tell the telco to do a lawful interception [wikipedia.org] even on an encrypted line because lawful interceptions happen inside the network after the call has been decrypted.

      Whether they disable the warning on Chinese SIMs I've no idea. I actually think most of the Chinese system is bas

  • I find it quite astonishing that it is that easy to intercept GSM calls. And that phonemakers disable this warning is even more astonishing!

    • These guys may be able to intercept cell calls, but I can't even send an SMS message with Wammu on my Ubuntu machine.

      The built-in Sony Ericsson F3507g modem works for Mobile Broadband through Network Manager, but Wammu cannot use it to send an SMS.

      And it doesn't work with my external phone either. On the rare occasions when Wammu can find the phone, it says it sent the SMS, but in fact it didn't.

      So I sure admire these guys who can intercept calls with a laptop, while I need an XP virtual machine so that I

      • by Y-Crate (540566)

        You know what's going to happen, right? One day some setting will be changed somewhere in your provider's network, and the avalanche of SMS messages floating around in a buffer somewhere are going to finally reach their intended recipients. Very, very, very late. ;)

  • So what are the currently available options for true end-to-end encryption between cell phones anyway?

    • Nothing, to the best of my knowledge, has been standardized (the encryption used to protect the inherently-vulnerable-to-nearby-eavesdropping wireless signals may be better or worse; but the carrier is treated as trusted).

      On the plus side, now that quite powerful phones with general-purpose computer capabilities and fast data connections are available, there isn't anything stopping you from applying any of the technologies used by computers to protect data traveling over the public internet to your phone.
      • by PPH (736903)

        there isn't anything stopping you from applying any of the technologies used by computers to protect data traveling over the public internet to your phone.

        Steve Jobs saying, "That app isn't authorized."

        • I'm operating on the understanding that any iPhone you haven't jailbroken isn't actually your phone, it's just a leased device that you managed to pick up all the financial responsibility for...
          • by PPH (736903)

            And it's not really yours even if you jailbreak it. In spite of a recent court ruling allowing users to jailbreak their equipment, there's nothing stopping the vendor or service provider from pushing out updates to re-take the phones.

    • by hitmark (640295)

      sip software with 128-bit or stronger public key encryption that only uses the mobile network as a data carrier?

    • I already posted this further up, just Google Phonecrypt

    • Don't say anything you don't want recorded by the police. Don't have the phone turned on or even have the battery installed if you don't want your location noted by the police. Communicate strictly by F2F meetings held in a cone of silence.
    • by kidgenius (704962) on Sunday August 01, 2010 @12:20PM (#33101506)
      Here's the easiest way....have this guy not only publish his results, but his methods too. Put the plans up for free download so anyone can follow his plans and build such a device. When hundreds (or thousands) of these devices start popping up and people are getting spied on by their fellow citizens, there will be an outrage! (silly emphasis). After that, the manufacturers may start including the warnings. Note: using one of these devices probably already violates various cyber-laws, so that threat wouldn't deter many if it's hard to be caught.
      • by Vellmont (569020)


        When hundreds (or thousands) of these devices start popping up and people are getting spied on by their fellow citizens, there will be an outrage! (silly emphasis)

        Heh. Like say the "outrage" of 20 years ago during the analogue era of cell phones when anyone with a scanner could listen in on cell phone calls? This was widely reported at the time. The response? Ban scanner makers from selling devices capable of receiving on cell phone frequencies.

        This kind of thing has been going on since wireless phones hav

      • When hundreds (or thousands) of these devices start popping up and people are getting spied on by their fellow citizens, there will be an outrage! (silly emphasis).

        Fact is, the GSM security notification was circumvented so the government(s) could snoop in on your conversations. Re-enabling security notifications would render many operational spy-jobs and much equipment (at the lowest levels) useless. For this reason alone, I'm pretty sure that there will be no outrage and no media circus. Instead the iss

  • Root cause (Score:4, Informative)

    by cliffjumper222 (229876) on Sunday August 01, 2010 @12:06PM (#33101418)

    The root cause of this weakness is that whereas the 2G network can authenticate the handset (both the SIM and the ME), the handset cannot authenticate the network. It's assumed the 2G network is trustworthy, which in this case, it isn't. There's a stack load of problems with 2G (GSM) security including unilateral authentication, which leads to network impersonation; weak encryption (short keys and broken algorithms); lack of end-to-end or virtually end-to-end encryption; weak confidentiality; no data integrity algorithms; lack of visibility to the user that encryption is on, etc. A lot of these are fixed in 3G. See http://www.3gpp.org/ftp/tsg_sa/WG3_Security/_Specs/33120-300.pdf [3gpp.org] and http://www.arib.or.jp/IMT-2000/ARIB-spec/ARIB/21133-310.PDF [arib.or.jp]. In this second PDF, section A.4 Hijacking of services describes this attack.
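
    The unilateral authentication described in this comment, and the SIM-controlled warning mentioned in the summary, modelled as an added Python example (not the commenter's code, nor any 3GPP reference code): HMAC stands in for A3 and for the Milenage f1/f2 functions, the network classes are constructed stand-ins, and the handset's `cipher_indicator_enabled` flag is a hypothetical stand-in for whatever the SIM actually sets.

    ```python
    """Toy model: why a rogue base station can impersonate a 2G network
    but is rejected by a 3G handset, and why the cipher indicator matters.
    Assumption: HMAC-SHA256 replaces the real A3 / Milenage f1 / f2."""
    import hashlib
    import hmac
    import os

    def _prf(key: bytes, tag: bytes, data: bytes) -> bytes:
        """Keyed one-way function (assumed stand-in for the real algorithms)."""
        return hmac.new(key, tag + data, hashlib.sha256).digest()

    # ---- 2G (GSM): only the handset proves itself -------------------------

    def gsm_sres(ki: bytes, rand: bytes) -> bytes:
        """SIM side: SRES = A3(Ki, RAND). Nothing proves who sent RAND."""
        return _prf(ki, b"A3", rand)[:4]

    def gsm_attach(ki: bytes, network, cipher_indicator_enabled: bool) -> dict:
        """Handset answers any RAND, then obeys whatever cipher mode it is told.
        'A5/0' is the GSM name for 'no encryption'."""
        rand = network.challenge()
        cipher = network.cipher_mode(rand, gsm_sres(ki, rand))
        return {
            "attached": True,                       # no way to refuse
            "cipher": cipher,
            "warning_shown": cipher_indicator_enabled and cipher == "A5/0",
        }

    class RogueGsmNetwork:
        """Constructed stand-in: knows no Ki, ignores SRES, disables ciphering."""
        def challenge(self) -> bytes:
            return os.urandom(16)
        def cipher_mode(self, rand: bytes, sres: bytes) -> str:
            return "A5/0"

    # ---- 3G (UMTS AKA): network must prove knowledge of K via AUTN ----------

    def umts_mac(k: bytes, rand: bytes, sqn: int, amf: bytes) -> bytes:
        """f1-style MAC over SQN || RAND || AMF; only a holder of K can make it."""
        return _prf(k, b"f1", sqn.to_bytes(6, "big") + rand + amf)[:8]

    def umts_attach(k: bytes, network) -> dict:
        """Handset checks the MAC inside AUTN before answering."""
        rand, sqn, amf, mac = network.challenge()
        if not hmac.compare_digest(mac, umts_mac(k, rand, sqn, amf)):
            return {"attached": False, "reason": "MAC failure: network not authenticated"}
        return {"attached": True, "res": _prf(k, b"f2", rand)[:8]}

    class GenuineUmtsNetwork:
        """Constructed stand-in for a network that shares K with the USIM."""
        def __init__(self, k: bytes):
            self.k, self.sqn = k, 1
        def challenge(self):
            rand, amf = os.urandom(16), b"\x80\x00"
            return rand, self.sqn, amf, umts_mac(self.k, rand, self.sqn, amf)

    class RogueUmtsNetwork:
        """Constructed stand-in: has no K, so its MAC is a guess."""
        def challenge(self):
            return os.urandom(16), 1, b"\x80\x00", os.urandom(8)

    def demo(key: bytes = b"\x01" * 16) -> dict:
        """Run all four cases and return the handset's view of each."""
        return {
            "gsm_rogue_indicator_off": gsm_attach(key, RogueGsmNetwork(), False),
            "gsm_rogue_indicator_on": gsm_attach(key, RogueGsmNetwork(), True),
            "umts_genuine": umts_attach(key, GenuineUmtsNetwork(key)),
            "umts_rogue": umts_attach(key, RogueUmtsNetwork()),
        }

    if __name__ == "__main__":
        for name, result in demo().items():
            print(f"{name:25s} {result}")
    ```

    The 2G handset attaches to the rogue cell with ciphering off either way; only the SIM-controlled flag decides whether the user ever sees it, whereas the 3G handset rejects the same rogue outright.
    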

    • by hitmark (640295)

      Well, the GSM standard is nearly 20 years old now. That's a lot of time in the tech world.

  • this is a deliberate choice on the cell phone makers, Paget said.

    After having been told to do so by the carriers who were told to do so by the intelligence collecting agencies of various governments via their respective communications ministries no doubt.

    • by PPH (736903)

      After having been told to do so by the carriers who were told to do so by the intelligence collecting agencies of various governments via their respective communications ministries no doubt.

      But it sounds so much nicer to say 'volunteer' after we remove the electrodes from your testicles (or drag your company's tax returns through every conceivable tax audit if you are inside the USA, where we don't do the testicle thing).

  • It'd be funny if Verizon used this as an advertising slam against the iPhone and ATT (though of course they won't). I wonder if something like this could be done against CDMA?

    • by hitmark (640295)

      It would surprise me if not. Though being a lesser used system, it's a less interesting target.

  • Hak5 (Score:3, Informative)

    by doronbc (1434117) on Sunday August 01, 2010 @12:09PM (#33101444)
    He actually gave a talk [revision3.com] about this on Hak5. It seemed it could be accomplished using a USRP [ettus.com] and OpenBootTS [sourceforge.net]
    • It worries me that the USRP gets so much press. I'm sure it is good for Ettus in the short term, but eventually the FCC is going to do some shit kicking when the masses realize that not only does such a thing exist, but that anyone can purchase it for $700. Lord help HAM radio operators and other RF hobbyists if 60 Minutes does a piece on it. They already have a hard enough time being viewed as whack jobs, adding "potential domestic terrorist" won't help.

  • Haha (Score:4, Interesting)

    by X.25 (255792) on Sunday August 01, 2010 @01:09PM (#33101778)

    I can't even explain how common this thing is, and how many geeks are playing with it.

    He didn't actually *build* the hardware, he purchased it - some smart people actually build these things, and hobbyists play with it.

    Why this guy felt like he had to take a credit for it is beyond me.

    • That's like saying "Oh cell phones are old news, this guy shouldn't take credit for hacking them".

      Yes, radio transceivers are old news. No, not many other people use them in this way, and on these frequencies, and for this purpose, which is why this talk even made it to DefCon. Also, not many people understand the GSM spec well enough to circumvent (turn off) the encryption or to force use of the weaker 2G network.

      If, as you claim, geeks are constantly doing this:

      1. There would be a lot more geeks in Jail
      2.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      I can't even explain how common this thing is, and how many geeks are playing with it.

      Try using a car analogy.

      Why this guy felt like he had to take a credit for it is beyond me.

      As clearly linked, Paget is demonstrating . This is the community equivalent of science journal peer review -- it's separating the facts from the FUD. This is Investigative Reporting, the third leg that Democracy stands on.

      That is creditable, quite unlike "I can't even explain how common this thing is, and how many geeks are playing

  • ...but if I had a GSM phone (I have no cellphone at all, actually) I'd be a lot more interested in using this to set up my own cell and route my calls over the Net.
