4G and CDMA Reportedly Hacked At DEFCON
An anonymous reader writes "At the DEFCON 19 hacking conference it seems that a full man-in-the-middle (MITM) attack was successfully launched against all 4G and CDMA transmissions in and around the venue, the Rio Hotel in Las Vegas. This MITM attack enabled hackers to gain permanent kernel-level root access in some Android and PC devices using a rootkit, and non-persistent user space access in others. In both cases, whoever launched this attack on CDMA and 4G devices was able to steal data and monitor conversations. For now the only evidence that such an attack occurred is a Full Disclosure mailing list post, but in the next few hours and days, depending on the response from cellular carriers, we should know whether it's real or not."
And that ladies is geeks... (Score:1)
Re: (Score:1)
And that ladies is geeks... Is why you only gamble at Harrah's!
Sorry to burst your bubble, but Caesar's Entertainment owns both Harrah's and the Rio. Hope your Faraday cage fits at the Blackjack table.
Re: (Score:1)
Re:And that ladies is geeks... (Score:4, Insightful)
For what it's worth, I still can't parse what your original post said, nor do I get the joke even after explanation.
Re: (Score:2)
DEFCON is at one casino, so this guy was like, "hurr you should go to a different casino if you are joe sixpack otherwise these hackers will get you." (no disrespect, I'm sure the OP was being comical)
And they said I was crazy (Score:5, Funny)
Good to know (Score:1)
Re: (Score:3)
Re: (Score:2)
Me too, but not because I like the Razr. There is a stack of defective ones on my dresser. My wife's Razr looks like it has gone through a war zone (she doesn't regularly kill them like I do).
The cost of data plans and silly 2-year contracts is keeping us away. Waiting for a prepaid App-phone that I like on a prepaid plan less than $30 a month for each phone. We're getting close....
Re: (Score:2)
Waiting for a prepaid App-phone that I like on a prepaid plan less than $30 a month for each phone.
LG Optimus or Samsung Intercept on Virgin Mobile is $25/mo. with no contract. Not bad at all.
Re: (Score:2)
for sticking with my RAZR! BWAHAHAHAH...
Psht. Last year a guy at DEFCON demoed a fully functional GSM MITM. That meant he is certainly capable of hijacking your puny RAZR's voice calls.
Re: (Score:2)
Yep, they still work for my queen ant and me. :)
Can you hear me now!? (Score:2)
This will be interesting if it is true. Maybe this will delay the rollout of smartphones to combat soldiers...
Re: (Score:2)
Re: (Score:2, Funny)
What good is encryption when they just hand it over to the government:
http://www.guardian.co.uk/uk/2011/aug/08/london-riots-blackberry-messenger-looting
http://www.bloomberg.com/news/2010-08-30/rim-averts-india-blackberry-ban-as-government-tests-security-modification.html
At least the hack above requires them to do something...
Re: (Score:3)
What good is encryption when they just hand it over to the government:
Well, the fact that it's still encrypted? FTA you linked:
"RIM can be legally ordered to hand over details to police of users suspected of unlawful activity. However, the Canadian company would be likely to resist those demands and the content of users' inflammatory messages would be encrypted. The manufacturer has previously insisted that even it cannot unscramble users' messages when sent on the devices."
If you're using your phone provider's BB Server, then they have access to your messages, but that's not
Re: (Score:3)
What good is encryption when they just hand it over to the government:
What, without my BES server's AES-256 key? Good luck with that.
Re: (Score:2)
Why would that matter, if they can get to the other host that you are communicating with? (i.e., your cell phone company's BES server) Kind of like saying SSH is secure, when the bad guy is running as root on the other end :)
Re: (Score:2)
I suppose there could be. Are you sure there isn't some network command that will cause your PC to start listening on port 22 for assembly instructions to execute?
Just asking the question doesn't make it a significant concern.
Re: (Score:2)
Re: (Score:2)
A lot more than you'd expect; estimates put it at almost 40% of teenagers in the UK who have a Blackberry, mostly for the BBM functionality.
Re: (Score:1)
Re: (Score:2)
Here's your whoosh.
Re: (Score:3)
That's why I use a VPN and/or SSL encrypted connections on my Android and iPhone. Secure encrypted communication, and I'm not stuck dealing with an e-mail device that's been bodged in to trying to be a smartphone which pointlessly runs everything through RIM's servers. How many times has a server outage disabled functionality on every Blackberry again?
Re: (Score:2)
That's why I use a blackberry. Secure encrypted communication..
Predictably, this snark generated a whoosh, touching off a flame war.
Re: (Score:2)
I was thinking the same thing. Kinda ties in with the previous /. story about Why The US Will Lose a Cyber War [slashdot.org].
It's tempting to deploy every new gadget that looks useful, but the military (rather, the gov't in general) has a spotty record in new-tech security.
Re: (Score:2)
It probably will have no effect whatsoever. Why? Well, you probably don't remember, but when the story about using smartphones for soldier-to-soldier communication came out, I said that the final version would no doubt use a portable military infrastructure for radios and towers. I got a rash of shit from people who a) thought I was right and were convinced the military would be wasting money, or b) thought I was wrong. The general argument went: "every nation on Earth has a cellular infrastructure in
Re: (Score:2)
"every nation on Earth has a cellular infrastructure in place, why not just use that?"
Because you can be traced/tracked by those outside the battlefield, basically making it an intelligence coo.
Re: (Score:2)
I believe the word you're looking for is "coup".
Re: (Score:2)
Re: (Score:3)
You are of course correct.
The fact that you've bothered to correct a post which took about three seconds to create, while still fully comprehensible, IMOHO, is the greater travesty.
Seriously, look at my posts. I long gave up on caring about typos and spelling errors on /. posts. Most people on /. are beneath contempt. As such, my posts tend to reflect this fact. Basically it boils down to, I don't give a shit for 99% of my posts.
Re: (Score:1)
"every nation on Earth has a cellular infrastructure in place, why not just use that?"
Because you can be traced/tracked by those outside the battlefield, basically making it an intelligence coo.
And then, God help us when the pigeon Air Force attacks ...
Re: (Score:2)
With a Cell Phone Cannon [youtube.com], of course.
Relation between MITM and rootkit (Score:4, Informative)
Achieving MITM status is a very different thing from installing a rootkit, in my mind. The summary left out how the two could be connected, but the article mentions something about it:
Coderman’s report suggests that, like Wi-Fi MITM, which regularly harasses surfers at DEF CONs and other hacker conventions, the attackers were able to inject custom packets into the 4G and CDMA data stream. These forged packets allowed the attackers to create on-screen prompts that, if clicked, installed a rootkit on the PC or Android device.
So, to install the rootkit, you also need to exploit a bug in the user. Where do I file the bug report?
Re: (Score:3)
So, to install the rootkit, you also need to exploit a bug in the user. Where do I file the bug report?
Well, the bug is that the on-screen prompt occurred at all. That's the part that needs to be stopped. Surely, no one would consciously run the rootkit, but I can see the case where the prompt accidentally gets clicked if it pops up during another high-click-count application.
Re: (Score:2)
Or just a simple button on the screen that gets pushed by a pocket dialer.
I've accidentally put my phone in my pocket only to pull it out later and I was one click away from sending my friend a text full of gibberish.
Re: (Score:2)
Depends what the on-screen prompt says. I really doubt it'll say "click here to install virus".
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
There's only one way to be safe: put the phone down and stick to stiff paper letters, sealed with wax stamped with a high-intricacy authentication symbol, delivered by armed guards.
Re: (Score:2)
And we all know how end users love to click on stuff... this is exactly how the existing Android rootkits have been getting installed.
Re: (Score:2)
Well, the bug is that the on-screen prompt occurred at all. That's the part that needs to be stopped.
This can be done in plaintext open wifi connections to laptops. You request www.google.com, I send you www.InfectMeWithARootkit.com, which requests permission to download and run executable code. If you agree, you will be rootkitted.
Or on a blackberry, you send a link to a malicious .jad file, and it asks if you want to download, and later run, the content.
Re: (Score:2)
Could be that what we see as a bug was originally intended as a feature, used by the carriers to prompt the handset user about something.
I would guess that the security-thru-obscurity mentality is still rampant in telcos and related organizations to this day, even though AT&T and others got bitten by leaving open modems behind unlisted numbers on their switches.
Re: (Score:2)
I believe you have to fill out form AK-47 or M-16, and file it with the appropriate user.
Re: (Score:2)
So, to install the rootkit, you also need to exploit a bug in the user. Where do I file the bug report?
With nature. The bug is already fixed in some new generations of humans, but unfortunately the widespread deployment of the old version and its tenacity, combined with the fact that most people have updates turned off, prevents a rapid fix of the problem.
However, a long-term plan is currently in effect. A few more earthquakes and hurricanes should do the trick.
Re: (Score:3, Informative)
The injected rootkits were specific to different Android builds and phones. On some no prompt was needed; on others, if a prompt was accepted, we saw the phones get completely destroyed by the rootkits or have the microphones turned on. The WiMax in particular discussion is not LTE, but it is likely that LTE was compromised as well, because the hardware required to MITM WiMax would be software defined radio systems, which could just as easily be programmed for 4G as 4G LTE emulation. No upgrades or installs or
Re:Relation between MITM and rootkit (Score:4, Interesting)
The user is the biggest vulnerability. It's called the Dancing Pigs [wikipedia.org] problem and it's extremely difficult to protect against. In fact, popping up additional dialogs hurts security because of it (that Android permissions screen? Utterly useless, even if you make it so they have to check off every item then hit install).
Hell, the age of the Honor System Virus [wikipedia.org] is actually around. Facebook viruses and spam and such [msdn.com] often rely on such odd techniques as well (click here and here and here, paste this URL, etc...).
A simple popup like "Low battery" might be easily dismissed by anyone and no one is the wiser.
Re: (Score:2)
So, to install the rootkit, you also need to exploit a bug in the user.
The user is no doubt the best thing to exploit, as it is the weakest link in the chain.
But you are assuming there are no exploits (Which there are, some Android phones installed the app with no prompt)
You also assume the Over-the-Air updates are signed somehow.
Define "4G" (Score:5, Insightful)
G is like san
Re:Define "4G" (Score:4, Insightful)
Most cell phone companies use the suffix G to add respectability to what is otherwise a meaningless number.
Re: (Score:2)
Re: (Score:3)
WiMAX, LTE, and AT&T and T-Mobile's HSPA do not meet the speed requirements of 4G.
4G was supposed to be ultra-high-speed* wireless, based on the next generation of hardware.
In the meantime, telcos were all rolling out stuff that could best be described as 3.5G or 3.75G, but were advertising it as 4G.
The standards committee caved and now, for all intents and purposes, 3.5/3.75G is the new 4G and, because marketing droids can't help themselves, true 4G will be called 4.5G or 5G.
* WiMAX-Advanced and LTE-Advanced
le sigh (Score:2)
Re:le sigh (Score:5, Insightful)
My technology plan for BlackHat:
1) Put phone on airplane mode
2) Once a day, drive to the middle of the desert to check e-mail/voice mail/text messages.
3) Put phone back on airplane mode.
4) Hope some enterprising asshole hasn't put up some crap in the middle of the desert.
Probably a little over-paranoid, but not much. In reality I'd probably be a bit less paranoid than that, but I'd definitely move a few hotels down to do anything more serious than checking text messages.
Re: (Score:2)
Re: (Score:2)
"Probably a little over-paranoid, but not much. In reality I'd probably be a bit less paranoid than that, but I'd definitely move a few hotels down to do anything more serious than checking text messages."
Actually, given that this is DEFCON we are talking about, you might just be being "safe"; given the mix of TLAs and "interested parties", you might be on to something.
Don't take electronics, maybe? (Score:5, Interesting)
Re: (Score:1)
Two types of people take electronics (near) there:
1. Those who don't know
2. Those who have honeypots running on their smartphones to collect all the wonderful exploits that others have developed.
Re: (Score:2)
Or just disable your data ports and adapters (ethernet, bluetooth, wifi), and your USB ports. Good luck hacking that; I don't care if you're an NSA agent with Charles Babbage as a lifeline, I doubt you have a hack that can exploit an unpowered wifi adapter.
Re: (Score:2)
Consider attacks involving remote screen capturing and remote keystroke-capturing technology.
I wouldn't want to be viewing or entering any privileged data at such a conference. Simply typing a passphrase could expose you.
Re: (Score:2)
Consider attacks involving remote screen capturing and remote keystroke-capturing technology.
I wouldn't want to be viewing or entering any privileged data at such a conference. Simply typing a passphrase could expose you.
Such attacks are academic at best. Up there with "able to read deleted data unless you overwrite it at least a dozen times". And then you posit performing such an attack during a tech convention? I'd be more worried about contracting the hantavirus from rat shit in the hotel walls.
Re: (Score:2)
Legionnaire's disease FTW.
Re: (Score:2)
What, exactly, am I logging into without wireless? Why would I care about keystroke capturing if I have no connectivity? Why am I opening Top Secret documents @ DEFCON?
Seems to me I would be listening to music and taking notes.
Re: (Score:2)
You might be using the same passphrase to unlock your device as your email account. Or even if it's not the exact same passphrase, it could provide knowledge on your passphrase methodology, which, combined with other data, would reduce the amount of entropy in your secret.
If the loss of your secret would not in any way assist an attack on another vector, sure, you might be fine. But people are human and can only manage so much.
Also, you wouldn't even need to be opening "top secret" documents. If your dev
Re: (Score:2)
Having a Windows login password on a personal laptop is, unless you use EFS or TrueCrypt, a bad idea.
A) someone with Ophcrack (or who sneaks SamDump onto your computer and grabs the hash) can recover your plaintext password quite quickly (10 minutes for 10-char passwords with Ophcrack), with no trace. As you pointed out, learning this password likely reveals info about your other passwords.
B) Windows has for the longest time refused to allow remote connections to accounts with a blank password, regardless o
Re: (Score:2)
Why in god's name would anyone be willing to go to that with electronics?
Or stick that device in flight mode
You do know what DEFCON is, right? (Score:2)
I can't even come up with a sufficient analogy to describe how wrong your comment is.
Like entering a bicycle in a Formula 1 race because you don't like going fast?
Re: (Score:2)
Why in god's name would anyone be willing to go to that with electronics?
Sometimes playing the game is more fun than perfect security. Plus, people can get ahold of you still, so you might actually get invited to parties and such.
It would be bad form to permanently destroy the phone via an exploit, and I'm sure most attendees know how to wipe their phones blank when they get home.
Re: (Score:1)
Re: (Score:2)
I went to DefCon, logged into my bank, logged out, logged in from a different machine, took out the max advance on all my credit cards, transferred the money into a series of other accounts, then withdrew those as gambling chips, had a lot of fun gambling it all away, then claimed I got hacked.
Re: (Score:2)
You must be joking because anyone capable of coming up with such an elaborate plan would be smart enough to post a confession on a public forum. At least, I like to think so.
Re: (Score:2)
Hey! The hacker who maxed out my credit cards got my slashdot account too! Good thing he didn't change the password!
Re: (Score:2)
I left my laptop in my hotel (did not stay at the Rio), only used the hardwire network while in my room, and used the VPN to do anything remotely important by way of my office. To the conference, I only brought a pen and a pad to take notes (most of the talks were total ass this year, although I did enjoy the Asian APT tactics talk) and made no calls that weren't just trying to locate co-workers in the crowds between sessions, otherwise BBM only, and I would turn the thing off when I wasn't actually planni
Really surprised... not. (Score:5, Informative)
Re: (Score:2)
This is DEFCON, it's like putting every army and mercenary group in the world in one room without disarming them first.
There is a reason why the DEFCON wireless network is described as the most hostile network on earth, it's more hostile than the internet itself.
I smell next years' big summer Hollywood blockbuster!
What's Michael Bay up to?
Re: (Score:2)
That is why I avoid Sin City during that week so my old school bone conduction analog hearing aid, CASIO Data Bank 150 calculator watch, body, etc. won't get hacked/exploited. :P
Re: (Score:2)
I went to Defcon 16 and brought my laptop. I set up Wireshark on it and connected to the unprotected Wifi (I think the SSID was Warzone). A few minutes passed. Then an hour. Nothing happened. I didn't see so much as an arp flood, port scan, or even an attempt to connect to my Samba shares. I even enabled the guest account so people could download stuff from me without a password.
I was sorely disappointed.
Re: (Score:2)
Every user of the (real) DC WiFi is on their own VLAN. You shouldn't see anything.
If you give a mouse a cookie... (Score:1)
Re: (Score:1)
If you put Michael Jackson in a room full of children- he will behave admirably.
You mean sit in the corner and add a lovely decomposition smell to the room?
Re: (Score:3, Funny)
Re: (Score:2)
I guess you could say he wouldn't do a thing..
Re: (Score:2)
For once, helps to be Canadian! (Score:1)
... or any other country with atrocious data package rates.
I shut my Android's data option off before I arrived, primarily for cost reasons, but also for security reasons. I'm sure there were plenty of other foreign travelers who had their data disabled for the duration of their stay.
Fucking Steve Jobs! (Score:2)
We need Authentication/Encryption NOW (Score:2)
Re: (Score:2)
Re: (Score:2)
It's worse than that. Last year's GSM presentation revolved around taking over the GSM codec part of the phone, and ALL Android phones run the codec in the same memory space as the main CPU.
FYI (Score:3)
Re: (Score:2)
It's WiMax that's fallen.
Could you point to a reference for this? The disclosure email doesn't mention WiMAX at all. I'd be surprised if they'd get a MITM attack on WiMAX (see below from more discussion). If it's WiMAX, more likely they owned a specific device. But breaking a specific device is a very different thing than breaking a protocol.
It was already cracked open as of the last Defcon. Some other cool stuff is being done with it too. The WiMax authentication system is a joke.
Following your comment I tried to find more info on that "crack" and found this [securitytube.net] WiMAX hacking Defcon presentation at last year's Defcon 18. There's no cracking of WiMAX there, just sniffing into s
Don't worry (Score:2)
Re: (Score:2)
the carriers will fix this by rolling out... 5G!!!
That will probably just be a research project, and the real action will be with 6G. Then, 20 years after the invention of 6G, we will still be suffering from 4G's address space limit.
I heard about this (Score:2)
People were talking about this at the pool on Saturday night. FWIW someone mentioned that the Verizon network had the same IPSEC key for all of their towers. The attack vector was probably along those lines.
As a Verizon user with a Blackberry I wasn't particularly concerned. If someone is interested in my SMS messages, more power to them. The only other app running on my phone besides email is Gmail, and that uses SSL. I suppose they could capture the login session and crack it at their leisure, but I
Re: (Score:2)
No, it is bullshit.
If this were true someone would have posted captured conversations or some sort of proof. Why just make the claim without any evidence to back it up?
This is just a sad attempt at instilling fear.
No proof, no hack.
Re: (Score:2)
Spoken like someone that truly has zero clue.
Man can make it, man can break it, it's just that simple.
Re: (Score:2)
My first defcon was defcon 3.
No proof, no hack.
Re: (Score:2)
Keep it secret, pwn everyone quietly.
First rule of hacking - you don't say shit.
DEFCON is for poseurs.
Re: (Score:2)
And this is what is wrong with people.. no proof no hack.. talk about a false sense of security..
There are various kinds of hackers.. those who do it for fun and bragging rights, and those who do it for nefarious purposes..
Those who do it for nefarious purposes.. generally do not brag, and go all out trying to hide what they did, otherwise the methods they use tend to get closed rather quickly.
It should be noted that this particular attack (base station impersonation) was actually demo'd and performed last
Re: (Score:2)
http://www.defcon.org/html/defcon-18/dc-18-speakers.html#Paget [defcon.org]
GSM != ( CDMA || 4G )
I'm underwhelmed.
Re: (Score:2)
It should be noted that this particular attack (base station impersonation) was actually demo'd and performed last year during blackhat and defcon.
I highlighted the important part that you should have been paying attention to.