Hacker Builds $1,500 Cell Phone Tapping Device
We previously discussed security researcher Chris Paget's plans to demonstrate practical cell phone interception at DefCon. Paget completed his talk yesterday, and reader suraj.sun points out coverage from Wired. Quoting:
"A security researcher created a $1,500 cell phone base station kit (including a laptop and two RF antennas) that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear. Most of the price is for the laptop he used to operate the system. The device tricks the phones into disabling encryption and records call details and content before they are routed on their proper way through voice-over-IP. The low-cost, home-brewed device ... mimics more expensive devices already used by intelligence and law enforcement agencies — called IMSI catchers — that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that's stronger than legitimate towers in the area. Encrypted calls are not protected from interception because the rogue tower can simply turn it off. Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed. Even though the GSM spec requires it, this is a deliberate choice of the cell phone makers, Paget said."
Disabled warning (Score:5, Interesting)
If the GSM spec does specify the warning should be there, does that mean the manufacturers are violating their GSM license when they disable that warning? Or could they be sued for false marketing because the phone you bought does not follow the GSM spec despite being called a GSM phone?
In short: Could they be (successfully) sued for it?
Re:Disabled warning (Score:4, Funny)
What's a SIM card? My phone doesn't appear to have one of those.
Re: (Score:1, Insightful)
Then your phone isn't GSM.
Re: (Score:2)
Quite a lot of GSM phones nowadays don't sit, most of the time, on what could be strictly called a GSM network, too; they use UMTS (incidentally, also utilising a form of CDMA; why did this one consortium insist on using the name of a basic radio method as their branding?).
So, what, the setup also jams UMTS? I don't think a 3G phone will really try to use the GSM/TDMA network, as long as UMTS is present...
Re: (Score:1)
Let's not forget that GSM will be phased out for UMTS, which is already being replaced by LTE...
Re: (Score:2)
Well, TBH I don't expect GSM being phased out anytime soon; UMTS (which mostly turned out to be just an addition to GSM, not a replacement) much sooner, I guess, when practically everything for which it makes a difference will be on LTE. But GSM...that seems to be a case of "good enough", and handy when trying to provide pretty much total coverage.
Re:Disabled warning (Score:5, Insightful)
They would rather violate the license as they would inevitably be protected by the government(s) that demanded things be set as they are.
A better question would be how can we turn that feature back on?
Re: (Score:2)
Police scanners have always seemed unlawful to me; our police force knows how they are being heard, and they tell each other to ring a cellphone ("ring me on oh two one...."). Now I suppose those cellphones will ALSO be
A work-around! (Score:2)
http://www.phonecrypt.com/ [phonecrypt.com]
Re: (Score:2)
+1 insightful
I barely use my phone at all (which is why it only costs me $5 a month), but I am concerned about the future if I ever decide to get an internet-capable phone. I don't want police spying on me without a warning that the encryption had been turned off.
Re: (Score:3, Insightful)
I am concerned about the future if I ever decide to get an internet-capable phone. I don't want police spying on me without a warning that the encryption had been turned off.
Assume they are: do your encryption at the application layer, or at least with a VPN you control.
Re: (Score:2)
I use a phone to communicate with other people. Not to talk to myself and an imaginary friend that uses phonecrypt.
And you've also just summed up why people don't use PGP/GPG, for better or worse.
Re: (Score:2)
Ubuntu is helping in some ways- they've made it easy for normal users to have their home directory encrypted (so all that talk about Ubuntu not contributing enough is bullshit).
Even more than 10 years ago I think many email programs actually had support for S/MIME. But that design required CAs and $$$ (yes there could be free CAs or people could set one up themselves, but good luck with getting the public to do that).
Whereas if the architecture was more like ssh
Re: (Score:1)
> does that mean the manufacturers are violating their GSM license when they disable that warning?
Maybe. Most shops and pubs in the UK breach their agreements with their acquirers when they either surcharge or impose minimum transaction amounts on debit/credit card transactions. The rules are simple - you can't do it. But I'm not aware of any shops which don't. It's a funny old world, isn't it.
Re: (Score:2)
No, the GP meant they were not aware of any shops that do not impose such a minimum. It was a little ambiguous, but that was the intent of "The rules are simple - you can't do it. But I'm not aware of any shops which don't." In other words, every shop the GP has ever been in has had minimum transaction amounts or surcharges.
Re:Disabled warning (Score:4, Insightful)
Sheesh! Why sue? That's not the answer to everything unless you're looking for a way to make some cash, or living in a litigation-crazy country like the USA.
How about a user-driven pressure group to force a change - after all, if someone does manage to screw big bucks out of this:
1) It'll make some lawyers even more rich.
2) The phone companies will just pass the cost onto the customers somehow
Suing the ass off companies just because they don't do things the way you like is just plain crazy.
Re: (Score:2)
Relatively small settlements, as most of them are, don't exactly have a guarantee of impacting bottom lines; especially if the costs are passed on.
Now, if people stopped buying products or services of particular company due to user-driven pressure group...
Re: (Score:2)
Sheesh! Why sue? That's not the answer to everything unless you're looking for a way to make some cash, or living in a litigation-crazy country like the USA.
You do know that it's possible -- sometimes even necessary -- to sue for remedies other than cash, don't you? These remedies include (but are not limited to) enforcing or nullifying contract or license terms. But hey, don't let the facts get in the way of your prejudices...
Re: (Score:1)
I do not care about the typical consumer. I care about the criminal who might get my phone banking credentials.
Re: (Score:2)
Not every lawsuit is about money.
Re: (Score:2)
Note the bit about the SIM card. That means it's AT&T or T-Mobile, not Apple or HTC, that is suppressing the message. I suspect it's done more to avoid tech support calls wondering why the message keeps showing up all the time, as various generations of towers have differing
Re: (Score:2)
No, they don't violate any license terms by disabling a warning in the GSM spec. No, they could not be successfully sued for it. The GSM spec is not even a license, it's a set of guidelines for what a phone must be capable of to meet GSM standards. To meet this specification, the phone has to be able to detect it's connected to a tower without an encryption channel, and to display a warning to that effect. All that matters is that the phone is physically able to do this. The standards authority doesn't requi
Re: (Score:1)
That's a very wrong conclusion. I do think suing should be reserved for important issues. But I also do think that silently breaking security is an important issue. Note the part about silently. It's not an issue if the phone is unencrypted and I know it. It's an issue if I can reasonably believe that it is encrypted, but in reality it isn't. If I know it's insecure, I'll not do any sensitive things on it (like phone banking).
Give it a month (Score:4, Insightful)
Re:Give it a month (Score:4, Interesting)
Then there will be another 3 years of court cases and lobbying to make the government pay the cell carriers to upgrade their equipment, although much of the issue is on the phones not properly realizing they're on a bogus tower and not providing the required notification. So everyone will have to upgrade phones if they're on a GSM network.
Of course, we'll be on iPhone 7 by the time AT&T finally concedes to the upgrade, and iPhone 10 by the time it's done, and as they're the only GSM carrier of consequence in the US, user upgrades likely won't be an issue 'cause everyone will be clamoring for it while remaining blissfully ignorant of this situation.
But the reality of the situation is probably closer to the fact that the government will just let this whole thing slide under the assumption that the easier it is to do, the cheaper they'll be able to obtain 3rd-party products to conduct intercepts for investigations.
Re:Give it a month (Score:5, Interesting)
Actually, what about the prospect of intercepting our own phone calls?
As noted if you can do this on a laptop and then voip a call, couldn't people do this at home as a pseudo-femtocell?
Re: (Score:2)
Yes, but it's entirely likely you'd be violating FCC regulations running an unlicensed station, as well as running it at power levels you're not licensed for.
Re: (Score:2)
Again, it's not like I care about FCC regulations. In the worst case what would they do if I could even figure out how to do this, tell me to stop? It's not like I'm going to start a bitter personal battle with the government here.
However, it'd be nice to know if it can be done as that would give people easy options other than the not even remotely adequate ones that our cellular providers have been offering.
I mean have computer + wireless + internet connection = you should have 90% of the capability right
Re: (Score:1)
It quickly becomes a question of whether the radio hardware costs more than a phone that will do VOIP over a Wifi connection.
Re: (Score:2)
Sadly, there aren't many phones that do voip over wifi. RIM products are about the only ones that do, via UMA.
I do agree though.
Re: (Score:2)
My apologies. My post left out the part that the FCC actually aggressively goes after folks who do this on an ongoing basis.
Re: (Score:2)
Citation needed. I fully believe that they would like to do so. I doubt that they have the resources and manpower to do it though. Do you have any evidence to the contrary, any articles or other documentation that proves they "aggressively" go after folks "on an ongoing basis"?
Re: (Score:2)
http://www.fcc.gov/eb/broadcast/bcenf.html [fcc.gov]
Re:Give it a month (Score:4, Informative)
Your post seems to convey that people attempting to essentially illegally "wiretap" a cellphone for presumably malicious purposes are going to give half a care about FCC regulations...
I'd say something about "fail" but I think it goes without saying at this point.
Presumably, if you're interested in a "pseudo-femtocell" as poetmat mentions in the post to which the GP is replying, you're not doing it for malicious purposes so much as providing cell service somewhere that doesn't get proper coverage from the outside network. In certain buildings, certain terrain, neighborhoods with insufficient towers, that sort of thing. The sort of thing that "legitimate" femtocells are used for.
I think you have "failed" to consider that this is the application that TooMuchToDo was referring to, not wiretapping or even necessarily doing anything malicious.
Re: (Score:2)
As noted if you can do this on a laptop and then voip a call, couldn't people do this at home as a pseudo-femtocell?
Yes and there's already software to do it:
http://sourceforge.net/projects/openbootts/ [sourceforge.net]
"deliberate choice" (Score:5, Insightful)
Re:"deliberate choice" (Score:5, Interesting)
Has GSM encryption ever been about end-to-end encryption? My understanding is that the encryption only covers the radio signal, so that someone with a radio scanner can't just grab the call out of the air. The police can get a warrant and make a call to the telco and have them set up a tap at the base station or some other convenient place.
I suspect the message is not there more out of convenience, as the message would be popping up all the time when going between stations of various generations. Also, we seem to be confusing handset makers (Nokia, HTC, Apple etc.) with the telcos (AT&T, T-Mobile). From the summary, it's the SIM, not the phone, that says if the message should show or not. That means it's the telcos that suppress the message, not the handsets. Given the number of involved parties in the mobile phone business, it helps to place the blame where it belongs.
It's not just about law enforcement. India, for example, forbids encrypted phone calls completely. If the warning was turned on, phones in India would complain about non-encrypted connections with every reconnect to an antenna.
Re:"deliberate choice" (Score:4, Funny)
Call my a conspiracy nut
Not a problem, I'll get his number from the CIA.
Which SIM card to buy (Score:1, Insightful)
So which manufacturers/service providers leave the encryption warning intact?
Some interesting and troubling points (Score:5, Informative)
Re:Some interesting and troubling points (Score:4, Informative)
GSM blocker is only $30 on dealextreme
http://www.dealextreme.com/details.dx/sku.28714 [dealextreme.com]
If you only screw in the 3G antenna it will block 2110~2170 MHz, leaving 930~960 MHz alone.
If it is the SIM card disabling the warning?? (Score:4, Insightful)
I am not sure I understand the above text. If it is the SIM card disabling the setting, why is this then labeled a deliberate choice by the cell phone makers?
Also, I have seen on numerous Nokia mobile phones that an icon in the display notifies you, at least in some instances, when encryption is disabled. (This happens quite frequently in e.g. China.)
Re:If it is the SIM card disabling the warning?? (Score:5, Insightful)
Why can SIM cards disable the warning? Well, clearly because the cell phone allows the SIM card to disable the warning.
Re: (Score:2)
If that is the case, it must be specified how a SIM card requests this blocking from the phone. Otherwise this is not likely to work between different manufacturers of phones and SIM cards. If there is a specified way of doing this it must be within the GSM protocol to do so.
Alternatively, this is a behavior specified by certain network operators who buy phones and SIM cards in bulk and mandate an unofficial spec extension from both the SIM card and the phone manufacturer.
In the latter case I think the pro
Re: (Score:2)
Operators in some parts of the world love to mess with phone firmwares. That's one reason why Symbian phones never made it big in the USA, as Nokia didn't like them doing so.
Re: (Score:1)
It's probably part of the GSM and 3G specifications to allow for unencrypted networks.
Re: (Score:1)
I had an old Sony Ericsson K600i with a European SIM on a couple of trips to China and it would always warn about encryption being disabled.
There's no need for the intelligence service of the US or an EU country to do this; they can just tell the telco to do a lawful interception [wikipedia.org] even on an encrypted line, because lawful interceptions happen inside the network after the call has been decrypted.
Whether they disable the warning on Chinese SIMs I've no idea. I actually think most of the Chinese system is bas
That easy? (Score:1)
I find it quite astonishing that it is that easy to intercept GSM calls. And that phonemakers disable this warning is even more astonishing!
GSM doesn't look so easy here (Score:2)
These guys may be able to intercept cell calls, but I can't even send an SMS message with Wammu on my Ubuntu machine.
The built-in Sony Ericsson F3507g modem works for Mobile Broadband through Network Manager, but Wammu cannot use it to send an SMS.
And it doesn't work with my external phone either. On the rare occasions when Wammu can find the phone, it says it sent the SMS, but in fact it didn't.
So I sure admire these guys who can intercept calls with a laptop, while I need an XP virtual machine so that I
Re: (Score:2)
You know what's going to happen, right? One day some setting will be changed somewhere in your provider's network, and the avalanche of SMS messages floating around in a buffer somewhere are going to finally reach their intended recipients. Very, very, very late. ;)
Out of interest... (Score:2)
So what are the currently available options for true end-to-end encryption between cell phones anyway?
Re: (Score:2)
On the plus side, now that quite powerful phones with general-purpose computer capabilities and fast data connections are available, there isn't anything stopping you from applying any of the technologies used by computers to protect data traveling over the public internet to your phone.
Re: (Score:2)
there isn't anything stopping you from applying any of the technologies used by computers to protect data traveling over the public internet to your phone.
Steve Jobs saying, "That app isn't authorized."
Re: (Score:2)
And it's not really yours even if you jailbreak it. In spite of a recent court ruling allowing users to jailbreak their equipment, there's nothing stopping the vendor or service provider from pushing out updates to re-take the phones.
Re: (Score:2)
SIP software with 128-bit or stronger public key encryption that only uses the mobile network as a data carrier?
Re: (Score:2)
I already posted this further up, just Google Phonecrypt
how would one reenable this warning setting (Score:2)
Re:how would one reenable this warning setting (Score:4, Insightful)
Re: (Score:2)
When hundreds (or thousands) of these devices start popping up and people are getting spied on by their fellow citizens, there will be an outrage! (silly emphasis)
Heh. Like, say, the "outrage" of 20 years ago during the analogue era of cell phones, when anyone with a scanner could listen in on cell phone calls? This was widely reported at the time. The response? Ban scanner makers from selling devices capable of receiving on cell phone frequencies.
This kind of thing has been going on since wireless phones hav
No outrage will happen (Score:1, Troll)
Fact is, the GSM security notification was circumvented so the government(s) could snoop in on your conversations. Re-enabling security notifications would render many operational spy-jobs and much equipment (at the lowest levels) useless. For this reason alone, I'm pretty sure that there will be no outrage and no media circus. Instead the iss
Re: (Score:2)
The government could already snoop in on your GSM conversations.
1) If there's encryption enabled, it ends at the tower. After that they can listen in.
2) GSM encryption was intentionally designed to be weak enough to crack:
http://en.wikipedia.org/wiki/A5/1 [wikipedia.org]
http://groups.google.com/group/uk.telecom/msg/ba76615fef32ba32 [google.com]
The lack of these security notifications just makes snooping even easier than it already is.
Root cause (Score:4, Informative)
The root cause of this weakness is that whereas the 2G network can authenticate the handset (both the SIM and the ME), the handset cannot authenticate the network. It's assumed the 2G network is trustworthy, which in this case, it isn't. There's a stack load of problems with 2G (GSM) security including unilateral authentication, which leads to network impersonation; weak encryption (short keys and broken algorithms); lack of end-to-end or virtually end-to-end encryption; weak confidentiality; no data integrity algorithms; lack of visibility to the user that encryption is on, etc. A lot of these are fixed in 3G. See http://www.3gpp.org/ftp/tsg_sa/WG3_Security/_Specs/33120-300.pdf [3gpp.org] and http://www.arib.or.jp/IMT-2000/ARIB-spec/ARIB/21133-310.PDF [arib.or.jp]. In this second PDF, section A.4 Hijacking of services describes this attack.
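The unilateral-versus-mutual authentication point above, as an added illustration that is not from the thread or from the 3GPP documents it cites: a toy Python model in which the 2G handset answers any RAND it is given, while the 3G handset first checks the MAC in AUTN and so rejects a station that does not hold K. The `kdf` helper stands in for A3/f1/f2 with truncated HMAC-SHA256; the field widths, SQN handling and class names are simplifications of my own, not the real Milenage or GSM algorithms.

```python
import hashlib
import hmac
import os


def kdf(key, label, *parts):
    """Stand-in for the SIM/AuC functions (A3, f1, f2): truncated HMAC, not the real algorithms."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:8]


class Sim:
    """Subscriber side: holds the long-term key K shared only with the home AuC."""

    def __init__(self, k):
        self.k = k
        self.sqn_seen = 0

    def gsm_respond(self, rand):
        # 2G: answer any challenge from anyone. Nothing in RAND proves the
        # sender knows K, so the handset has no way to authenticate the network.
        return kdf(self.k, b"A3", rand)

    def umts_respond(self, rand, autn):
        # 3G AKA: AUTN carries a MAC over (RAND, SQN, AMF) keyed with K.
        sqn, amf, mac = autn
        expected = kdf(self.k, b"f1", rand, sqn.to_bytes(6, "big"), amf)
        if not hmac.compare_digest(mac, expected):
            return None, "MAC failure"     # station could not prove it knows K
        if sqn <= self.sqn_seen:
            return None, "SQN replay"      # genuine but previously used vector
        self.sqn_seen = sqn
        return kdf(self.k, b"f2", rand), "ok"


class HomeNetwork:
    """Genuine network whose AuC holds K and issues authentication vectors."""

    def __init__(self, k):
        self.k = k
        self.sqn = 0

    def gsm_vector(self):
        rand = os.urandom(16)
        return rand, kdf(self.k, b"A3", rand)            # (RAND, expected SRES)

    def umts_vector(self):
        rand = os.urandom(16)
        self.sqn += 1
        amf = b"\x80\x00"
        mac = kdf(self.k, b"f1", rand, self.sqn.to_bytes(6, "big"), amf)
        return rand, (self.sqn, amf, mac), kdf(self.k, b"f2", rand)  # (RAND, AUTN, XRES)


class RogueStation:
    """Hypothetical impersonating base station: stronger signal, no subscriber keys."""

    def gsm_vector(self):
        return os.urandom(16), None       # any RAND will do; it has no XRES to check

    def umts_vector(self):
        return os.urandom(16), (1, b"\x80\x00", os.urandom(8)), None   # forged MAC


def attach_2g(sim, station):
    rand, xres = station.gsm_vector()
    sres = sim.gsm_respond(rand)
    if xres is not None and sres != xres:
        return "rejected by network"
    return "attached"   # a rogue station reaches here too: the SIM never objected


def attach_3g(sim, station, vector=None):
    rand, autn, xres = vector or station.umts_vector()
    res, status = sim.umts_respond(rand, autn)
    if res is None:
        return "rejected by handset: " + status
    if xres is not None and res != xres:
        return "rejected by network"
    return "attached"
```

Running `attach_2g` against both stations returns "attached" for each, which is the whole problem: the 2G handset cannot tell them apart, whereas `attach_3g` refuses the forged AUTN.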
Re: (Score:2)
Well, the GSM standard is nearly 20 years old now. That's a lot of time in the tech world.
More likely the government? (Score:2)
this is a deliberate choice on the cell phone makers, Paget said.
After having been told to do so by the carriers who were told to do so by the intelligence collecting agencies of various governments via their respective communications ministries no doubt.
Re: (Score:2)
After having been told to do so by the carriers who were told to do so by the intelligence collecting agencies of various governments via their respective communications ministries no doubt.
But it sounds so much nicer to say 'volunteer' after we remove the electrodes from your testicles (or drag your company's tax returns through every conceivable tax audit if you are inside the USA, where we don't do the testicle thing).
Verizon (Score:2)
It'd be funny if Verizon used this as an advertising slam against the iPhone and ATT (though of course they won't). I wonder if something like this could be done against CDMA?
Re: (Score:2)
It would surprise me if not. Though being a lesser-used system, it's a less interesting target.
Hak5 (Score:3, Informative)
Re: (Score:2)
It worries me that the USRP gets so much press. I'm sure it is good for Ettus in the short term, but eventually the FCC is going to do some shit kicking when the masses realize that not only does such a thing exist, but that anyone can purchase it for $700. Lord help HAM radio operators and other RF hobbyists if 60 Minutes does a piece on it. They already have a hard enough time being viewed as whack jobs; adding "potential domestic terrorist" won't help.
Haha (Score:4, Interesting)
I can't even explain how common this thing is, and how many geeks are playing with it.
He didn't actually *build* the hardware, he purchased it - some smart people actually build these things, and hobbyists play with it.
Why this guy felt like he had to take a credit for it is beyond me.
Re: (Score:1)
That's like saying "Oh cell phones are old news, this guy shouldn't take credit for hacking them".
Yes, radio transceivers are old news. No, not many other people use them in this way, and on these frequencies, and for this purpose, which is why this talk even made it to DefCon. Also, not many people understand the GSM spec well enough to circumvent (turn off) the encryption or to force use of the weaker 2G network.
If, as you claim, geeks are constantly doing this:
1. There would be a lot more geeks in jail
2.
Re: (Score:3, Insightful)
Try using a car analogy.
As clearly linked, Paget is demonstrating . This is the community equivalent of science journal peer review -- it's separating the facts from the FUD. This is Investigative Reporting, the third leg that Democracy stands on.
That is creditable, quite unlike "I can't even explain how common this thing is, and how many geeks are playing
Slashdotters are fixated on "privacy"... (Score:2)
...but if I had a GSM phone (I have no cellphone at all, actually) I'd be a lot more interested in using this to set up my own cell and route my calls over the Net.