Cell Phone Interception At Def Con

ChrisPaget writes "I'm planning a pretty significant demonstration of GSM insecurity at Defcon next week, where I'll intercept and record cellular calls made by my attendees, live on-stage, no user-input required. As you can imagine, intercepting cellphones is a Very Big Deal in the eyes of the law; this blog post is an attempt to reassure everyone that their privacy is being taken seriously despite the nature of the demo. I'm not just making it up either — the EFF have helped significantly with the details."

Verizon

[Anarki2004]

Does this mean Verizon will start advertising that they are CDMA?

Re:

[Shakrai]

AT&T and T-Mobile will both be CDMA once they complete the transition to UMTS.

Re:Verizon

[sznupi]

Generally it's all a clusterfuck of confusion stemming from one group choosing, for its marketing, a name of basic radio method they use...and not only them; also the group most commonly seen as "GSM association", just not in its oldest standard.

If anything, "CDMA" (in whatever form) is going out; LTE & FDMA is revving up. And considering that various "3G" technologies don't really have a universal uptake, with majority of people on 2G TDMA networks - I wouldn't be too surprised if they jump directly to LTE, at some point in the future, more often than not.

Re:

[Hylandr]

Those companies that have been struggling to push the technology that would prevent interception would have lots to gain by funding or sponsoring this demo.

Interesting times we live in...

- Dan.

Re:

[deverox]

I have it on good authority (I've worked at my fair share of cell phone operators globally) that all of the Major networks around the world will be going to LTE.. If they are on CDMA now (like Verizon) they will go straight to LET, if they are on GSM / wCDMA / UMTS they will go to LTE next..

Its not a question of if but when..

Re:

[x102output]

I have it on good authority (I've worked at my fair share of cell phone operators globally) that all of the Major networks around the world will be going to LTE.. If they are on CDMA now (like Verizon) they will go straight to LET, if they are on GSM / wCDMA / UMTS they will go to LTE next..

Its not a question of if but when..

Both parent and GP are confusing the terminology. LTE *is* UMTS.

Think of this way: There is GSM, the standard for wireless telephony all around the world. Then there was a bolt-on standard called GPRS, which basically was an add-on to GSM to allow it to support data packet delivery for web, MMS, voicemail alerts, email, etc etc. It was pretty slowwwww. The GPRS add-on, then was improved and they called it EDGE. EDGE was simply GPRS, but with enhancements to error correction and other minor

Re:

[bill_mcgonigle]

LTE doesn't use CDMA modulation, but regardless of how it works or what modulation it does use, it is STILL a data packet add-on to the UMTS standard. It is NOT a replacement to UMTS. Verizon is the one finally switching to UMTS

If I understand it correctly, with Verizon on LTE, they won't actually use the UMTS part, just the LTE part, and route all voice traffic over IP. And, yeah, I forget the modulation name, but it's an advance beyond CDMA or WCDMA.

Re:

[sznupi]

Talk about confusion...

GSM part of the story is fine, not exactly with UMTS and beyond - while it was meant to & can smoothly interoperate with GSM infrastructure (and is indeed standardised by basically the same association), it doesn't depend on it. There are places with, essentially, UMTS networks which never had "classic" GSM (certainly where "GSM" phones can roam...only if they are also UMTS though, only on that access method). And it is from the beginning CDMA, WCDMA to be exact; extensions giving

Re:

[sznupi]

Yup, though I wouldn't be surprised if GSM is here to stay for a long, long time - even when many of networks throughout the world, which are now purely GSM, will go to LTE (mostly skipping UMTS, because it will simply make sense regarding infrastructure / new phones will have LTE); or even when UMTS starts to get neglected and switched off at some point. GSM just seems like a "good enough" tech, to assure wide coverage.

Will there be any GSM calls with "no user-input"?

[sznupi]

Is jamming UMTS network also planned? (yes, lots of folks still don't have handsets with UMTS; but at Defcon...)

Re:

[deverox]

You can set your phone to GSM only.. (which lots of people do as it increases battery life and generally gives a better call quality) .. Or just put a few phones doing data connections on UMTS at the time of the demo.. It will take up most of the connection (used to be max of 7 per cell).. then everyone else will be diverted to GSM

Re:

[sznupi]

...hence not with "no user-input", requiring deviation from defaults.

Few data connections? It's primarily a telephony network, with QoS geared heavily towards that goal.

Feds in audience

[AnonymousClown]

Reading the second link, I had this image of them capturing a Fed in the audience phoning in a report.

Isn't this the show that the "Spot the Fed" game?

Re:

[Anonymous Coward]

Is that why defcon attendees are unable to utilize even rudimentary tools to identify the source of a poisoned W.A.P.? Or how about the fact that they flail around with iptables when goatse is replacing all the pics on *everyone's* loading pages?

Am I trolling? Yeah. But some people do consider defcon to be detrimental at this point. HoPE at least maintains a sense of humor and is balanced by the sense that creative works without utility value may still be recognized as inherently valuable by certain obs

Re:Feds in audience

[_Sprocket_]

[Nokia ringtone] [youtube.com]

"HELLO?! WHAT?! YEAH! I'M AT DEFCON. Yeah. Some guy is giving some demo now. No, it's rubbish. What? No. Nobody know's I'm a Fed. Right. OK. Got to go."

(Imagine that in all caps 'cause the /. filter doesn't like loud literary voice)

Navy boys ?

[johnjones]

they have been listening to you all for a while

Just be careful

[Sycraft-fu]

It is illegal to intercept cellphone communications. Doesn't matter if it is a "security demonstration" what you call it is not relevant. You probably need waivers from everyone you plan on intercepting.

Get a lawyer who know that area of law, and not from the EFF. I like their ideals and all, but their track record is as idealists and they don't seem to do so good in terms of actual law, especially in the court.

Not saying don't give your talk, GSM security is serious and the phone companies need to get with it and fix that shit. However make sure you aren't breaking the law.

Re:

[Facegarden]

It is illegal to intercept cellphone communications. Doesn't matter if it is a "security demonstration" what you call it is not relevant. You probably need waivers from everyone you plan on intercepting.

Get a lawyer who know that area of law, and not from the EFF. I like their ideals and all, but their track record is as idealists and they don't seem to do so good in terms of actual law, especially in the court.

Not saying don't give your talk, GSM security is serious and the phone companies need to get with it and fix that shit. However make sure you aren't breaking the law.

Yeah. Now that they've announced this to reassure everyone, they'll probably get shut down somehow. :-/
-Taylor

Re:

[Itninja]

Are you sure just intercepting is illegal? I have had police scanners in the past that would pick up cell phone (and nearby cordless phone) conversations all time. My understanding at the time was the law was violated only if I recorded and/or distributed the information. This was years ago, so the laws may have changed....or maybe it was illegal all along and I am a huge criminal.

Re:

[dcw3]

The Federal Communications Commission (www.fcc.gov) ruled that as of April 1994 no radio scanners may be manufactured or imported into the U.S. that can pick up frequencies used by cellular telephones, or that can be readily altered to receive such frequencies. (47 CFR Part 15.37(f)) The law rarely deters the determined eavesdropper, however.

Another federal law, the Counterfeit Access Device Law, was amended to make it illegal to use a radio scanner "knowingly and with the intent to defraud" to eavesdrop on

Re:

[Shakrai]

It's also likely to be illegal under State law as well. NYS Penal Law 250.02:

A person is guilty of eavesdropping when he unlawfully engages in wiretapping, mechanical overhearing of a conversation, or intercepting or accessing of an electronic communication.

Re:

[dcw3]

Interesting. Control of the airwaves used to be completely under the purview of the FCC, and state/local laws prohibited. That was one of the arguments used against states banning radar detectors way back. Times have changed though.

Re:

[Shakrai]

Some of the states do ban radar detectors......

Re:

[dcw3]

Yes, I live in one of them. I was just pointing out that that was one of the original legal arguments used against those bans...that the state had no right to prohibit them. This is similar to how some homeowners associations have attempted to regulate their members with regards to satellite dishes...they legally can't. Mine tried to do that, and found themselves on the wrong side of the law.

Re:

[bill_mcgonigle]

This is similar to how some homeowners associations have attempted to regulate their members with regards to satellite dishes...they legally can't

That's actually pretty crummy law, with a positive benefit. Congress shouldn't be interfering with private contracts (and HOA members shouldn't be signing crummy contracts).

Re:Just be careful

[TomXP411]

You're almost right. You can intercept non-encrypted, non-cellular communications.

Actually, the FCC has specific laws in place regarding phone calls on cellular networks. You cannot, under any circumstances, listen in to a cell phone conversation without permission. That is why all radio scanners sold in the United States are required to block the AMPS cellular phone frequencies.

Aside from cell phones, it's legal to intercept any open transmission you can receive, as long as it's not encrypted. I would assume you need permission of one or both parties to decrypt encrypted communications.

From what I can tell, the OP is going to be using a femtocell modified base station that will basically act as a cellular tower. For the duration of the presentation, anyone within range of the base station will have their calls routed through his base station, rather than their regular cellular carrier. The legality of this is dubious, but it is a security seminar and presentation. It would be far safer (but less dramatic) if they staged the call, rather than actually pulling up the conversations of random people at the convention.

Re:

[Anonymous Coward]

More than just this, it is taken very seriously. All scanners have to be build not just to block the cell frequencies, but also to not be easily modifiable to intercept them (ie: the cell bands may be different or not blocked for interception in Europe, and often two radios will be sold in different countries and just have jumpers switched to disable/enable bands for transmission/reception...can't do this for scanners on cellphone frequencies. You have to have a separate model that cannot be modified in a

Re:

[steelfood]

(IANAL)

The legality of interception depends on juristiction. Wiretapping laws may or may not apply, as wiretapping is usually with respect to landlines.

I think there's also an expectation of privacy in play. I wouldn't expect privacy at a black hat convention unless I crashed it while drunk thinking it was E3 or something.

If the EFF says it's ok, they've probably checked the local laws already. And, there's probably fine print in the contract that attendees have to sign that makes it all legal.

Re:

[Skuld-Chan]

Only in America too - seriously - buy a scanner - there's a US version (that cannot tune 800 MHz freq's) and the everyone else version. Same with ham radio equipment - my Icom 706 is a special revision only sold in the US that cannot tune cell frequencies - never mind its incapable of decoding any of that stuff anyhow.

Re:Just be careful

[SETIGuy]

It's not just potentially illegal because you're "wiretapping" but it's actually illegal to own a radio receiver capable of receiving on the frequencies used by cell phones.

Damn! I carry a radio transceiver capable of transmitting and receiving on those frequencies in my pocket every day!

Re:

[phyrexianshaw.ca]

Illegal != people won't do it.

I'm sick and fucking tired of all the "it's illegal, so nobody would do it!" arguments.
if somebody want's to listen to a wireless broadcast, and has the means to do so, a "law" is not going to stop that person.

the point of the demo is NOT "hey, look what I can do legally!" it's a demo to show that it can be some.

when will people learn, security through obscurity doesn't work.

Re:

[dgcaste]

Well, during DEFCON I will be intercepting US Postal mail to show how the chain of trust fails at the mailbox. But I'm white hat, so I should be safe from the law!

Iphone 4 is protected against this nonsense.

[Anonymous Coward]

Just press lightly against the bottom left!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Pieroxy]

And you thought Steve was out of his mind... An airplane mode so readily avilable right before Defcon. Genius! He's a Genius!

Encryption is the future

[carp3_noct3m]

In this age, where more and more people and institutions are trying to control, and intercept, the flow of information, encryption is the future. Anyone with some knowledge in the area knows that LE et al have the ability to intercept all kinds of comm, emails, phone calls, etc. Just as you should automatically assume that any email you send to anyone is compromised and therefore public knowledge, the same for phone conversations. The only way around this is to encrypt if at all possible, though the demand has to rise for things to be more pragmatic and easily accessed. It is still an interesting method, but much like the internet, phone systems were not designed with security as a main priority.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Shakrai]

Thankfully we have a 2nd amendment right [xkcd.com] to possess encryption ;)

Doubt it

[downhole]

Somehow, I doubt that anyone will ever be able to implement encryption that is actually secure while being used by large segments of the population that really don't care that much. The only people who use high-quality encryption for pretty much any kind of communications are paranoid/curious geeks and people who have (or think they have) very good reasons for keeping their communications secret, e.g. some criminals, spies, the military, etc, and I don't expect that to change anytime soon. The best we're li

Re:Encryption is the future

[DigitAl56K]

GSM has various encryption standards that are supposed to protect calls. But some are weak, and phones using stronger algorithms can be tricked into falling back to the weaker ones. With a fake tower you can probably turn it off completely.

The problem with encrypting cell conversations is many-fold:
* Can you rely on the GSM encryption?
* Can you trust third-party implementations?
* Even if you run an encrypted VOIP app, can you trust the handset manufacturer? (e.g. not to allow the government to steal your keys from device memory via privileged access)
* If you can trust the manufacturer, is your device security from nearby wireless attacks? There have been exploits for bluetooth and wifi stacks.
* Can someone clone your phone?
* Do you know through systems like CALEA and IP monitoring what details of your conversation will be private vs which will be public and whether that suits your needs? Data mining can probably reveal a lot about who knows who and sequences of events.
* Instead of expending the effort to break your encryption isn't it easier for someone to bug places you frequently call from?
* Can you trust the guy on the other end of the line to have been as careful as you have? If not, everything you've done to protect yourself is useless.

IMO if you have something you need to say to someone in secret a cell phone is a particularly bad way to go about it.

Re:

[mcgrew]

* Can someone clone your phone?

I'd like to be able to clone my own phone. The one I have is small enough to fit into a pocket comfortably, but I'd like to have one with a full keyboard and bigger screen, too. I saw one from my carrier at the store yesterday, but it has no SIM card. It would be nice to be able to use one or the other without doubling my phone bill, especially if I could have the same number on both phones.

Re:

[guruevi]

The solution is for the end users to encrypt with their own personal keys between two trusted parties. Cell phones in most instances are already encrypted over the air (albeit weakly) as well as most WiFi connections these days. However it's the hardwired stations in between two parties that are always going to be suspect and susceptible to attack.

In this world, anyone with any type of money or any type of electronics/soldering skills and a computer can intercept any form of communication that is not encryp

Re:

[religious freak]

Evidently, you haven't been to too many attorneys because those are the same exact responses you would get from them! Though they'd use bigger words and charge you $350 for an opinion.

Re:

[Yvanhoe]

It doesn't ask for advice (apparently he got some from the EFF) he is just making advertisement for his talk on /.
Which is totally on-topic if this is really what the summary says it is about.

Smart phone hacks?

[religious freak]

I was planning on going to defcon (but everyone bailed on me and I don't know very many hard-core computer nerds - ugh!)... but I do wonder about smart cell phones there. I was hesitant to even bring my G1 there because as a computer it certainly can be hacked by some of the evil geniuses which inhabit that place. Is anyone else not going to bring the smart phone at all because of this - or am I just very paranoid?

I was planning on digging up an old crappy phone which basically just makes calls. (But

Re:

[dave562]

Just figure whatever you have will be compromised. We were snarfing ESN/MIN pairs at Defcon 1 and it hasn't slowed down since.

Re:

[RebootKid]

I leave the hard drive out of my laptop, boot off of read-only media. I write back to flash drives for data that needs saving. I leave my phone in airplane mode. Never had a problem, but have been called "paranoid" ;)

Re:

[RichiH]

My plan is to buy & bring a Nokia 1616 or similar to 27C3 for exactly that reason.

It's cheap enough that tossing it away after using it there and/or keeping it as a dedicated conference phone won't hurt me.

oooh boy

[Lord Ender]

For fear of wifi trickery, I decided to bring an iPad 3G to defcon. I was to use the 3G connection exclusively while there. Oops.

Re:

[RichiH]

Use Wi-Fi, but only with OpenVPN or a SSH tunnel.

Of course, that means you will not be able to use an iPad.

Type of attack ..

[Idimmu Xul]

The article suggests he's doing a MITM style attack, is he spoofing a cell tower?!

Re:

[cheros]

is he spoofing a cell tower

Yup, but without the altitude :-). What I'm more interested in is how one defends against that. What can be done to make cellphone calls more secure.

Re:

[HumanEmulator]

It sounds like he's going to use a modified Femtocell. Since you can actually go out and buy these and they route phone calls over public networks, there any many potential points of attack. Considering if someone wants to listen to your cell phone calls and asks ATT nicely ATT will happily given them a room [arstechnica.com], or anybody with a radio scanner can listen to cordless phone calls and WiFi WPA2 has been cracked [pcmag.com] in several different ways, no one should be assuming privacy on anything wireless.

Re:

[RichiH]

I saw the talk at 26c3, though unfortunately, they could not whip up a demo system for Fosdem.

Creating their own femto-cells has been done time and time again, as is the case for decrypting saved frequency dumps.

As far as I understand things, this is the first time that they want to decrypt intercepted phone calls live and in real-time.

Faraday cage?

[maxrate]

Is there anyway to setup a faraday cage with a cell phone inside it with some passive antenna repeater? That way you could isolate the testing to a small group of phones. Just an idea.

Love that Patriot Act! So moist!

[DominatorDan]

So, for the NSA to listen in on all cell conversations with Echelon is ok under the Patriot Act, but its not ok for the average citizen....? Gotta love Amerika!

Re:

[Locke2005]

It's perfectly legal for the cops to photograph you in order to issue traffic citations, but if you photograph the cops doing their job, you are hauled in for "interfering with arrest". Likewise, they can have audio/videotape recorders in their squad cars (with tapes that are conveniently "lost" when they are accused of wrongdoing), but if you put a videocamera on your helmet, you are illegally wiretapping them.

And the point is?

[couchslug]

What's the point of mooning the Man (unless that IS the point) when you could publish the information offshore without attribution?

Analog "encryption"

[ben_kelley]

Pffft! Such interception is easily defeated with complex analog encryption strategies such as Arp Language [urbandictionary.com].

Somebody call 911!!

[Cathoderoytube]

From the blog post...

"It is unlikely that any 911 service can be provided, however a best effort will be made to connect any emergency calls to a suitable local destination."

Well let's hope your best effort doesn't result in someone's death. That generally doesn't bode well for tech demos.

Re:

[account_deleted]

Comment removed based on user account deletion

Try reading the article first

[cheros]

Wow, violence. Yeah, that will solve everything. Did you actually read any part of the articles linked?

First off, the area will be marked, secondly it's announced and thirdly you should expect stuff like this to happen at a hacker conference. If you can't handle that, stay away. This is demonstrated to provide proof of a flaw so it can be addressed.

I can remember the last Access All Areas in London where people wandered in off the street and started checking their email on the computers we had installed

Re:

[Unequivocal]

Yeah really. And what about those basement hotel conferences where there is NO cell phone reception at all. The perils!

Jeez - GP should lighten up. Thanks for setting him straight.

Re:

[RichiH]

Tough words from a tough guy. On the other hand, if you enter a talk with a big fat tagline of "we will now intercept your calls", it might make sense to either avoid that or live with it.

That's not as much fun as armchair-bullying from your mom's basement, though ;)

Re:

[mcgrew]

I would hope you had bail money in your pocket for the battery charge, and a good lawyer when they sued you for medical damages. Plus whatever the anger management classes the judge would order you to take after you paid your fine (or served your jail time).

As Isaac Asimov's Salvor Hardin said in the Foundation, "Violence is the last refuge of the incompetent."

Re:

[account_deleted]

Comment removed based on user account deletion

@Chris Paget

[radialblur]

Foon you kill me man.. shout me, been a long time! :D