Saudi Arabia’s government announced it reached a deal with Research In Motion (RIMM) that will allow the Canadian maker of BlackBerry smartphones to continue operating its service there. Under the agreement, RIM will put a server in the nation that will allow the government to monitor messages to and from BlackBerries. All of RIM’s servers have been in Canada until now, so the company could guarantee confidentiality for its customers through the encryption process on those servers.
According to several news sources, similar deals will probably be sought by other countries that have voiced concerns about the Blackberry encryption procedures. First among these is the United Arab Emirates, which threatened to shut down RIM’s services there on Oct. 11. India and Indonesia have also said they’re concerned about the RIM confidentiality system and their inability to track information that they claim may not be in the best interests of their governments.
July 29, 2010 | Dean Takahashi
Be prepared to be scared about your cell phone privacy. Two security researchers showed today how they can track down cell phone numbers, identify the person who owns the phone, and then track the whereabouts of that person. And they can do it with technology available to ordinary civilians.
That last part is the shocking part. Government investigators and police can do this. But Don Bailey and Nick DePetrillo (pictured) showed they were able to do it by collecting bits of information and then amassing them into a powerful tool that can invade your privacy. They showed off working code and other proof from Project Carmen Sandiego (named after a computer game where you tracked somebody down as part of a geography lesson) at the Black Hat security conference today in Las Vegas.
“This is intelligence gathering for civilians,” said Bailey, speaking to a roomful of security researchers and hackers. “We can find out where you are, who you talk to, where you are most vulnerable.”
Bailey and DePetrillo joked that they could get actress Megan Fox’s cell phone number and sell it to the highest bidder. But they said the point of doing this isn’t to get the cell phone numbers of celebrities or executives like Apple’s Steve Jobs. They wanted to show how security should be stepped up for cell phones and how shockingly easy it is to do. If they could do it, they reasoned, then the bad guys with evil intent have probably already figured out how to do it. In effect, Bailey and DePetrillo said that they have enough information to put together a White Pages for cell phones, with home numbers for everybody’s cell phone.
Governments can pretty much afford the technology to do this now. But ordinary civilians can’t. One of the tools they exploit is a central database called a Home Location Register (HLR), which records the phone number of every SIM (subscriber identity module) authorized to use a cell phone network based on the GSM (Global System for Mobile communications) standard, which is the standard used in about 80 percent of the world’s phones. You can access HLR data through various third-party resources, Bailey said. You can cross-reference that with Mobile Switching Center (MSC) information, which determines, roughly, where you are.
That data tells the researchers what city the user is in. They reverse engineered this data to get more information. In other countries, the MSC data has zip code data embedded in it, making it much easier to find someone’s location. U.S. data isn’t that easy to figure out. But the researchers say they can take a given MSC number and find out its location and its cell phone provider.
“That information should be privileged, but it isn’t,” Bailey said. “I shouldn’t know that you switched from AT&T to T-Mobile.”
You can buy CallerID information from companies such as Targus, which gets data from Verizon and other carriers. They add your name to the CallerID database with phone number data. If you buy a cell phone in the U.S., your name will wind up in a CallerID database. With this data, the researchers were able to reverse engineer the data to create a White Pages for mobile phones, which means they can put a name to a cell phone number. With the name and phone number together, the researchers can assemble other information.
“It’s extremely easy to build your own database,” DePetrillo said.
The databases are more expensive if you want to get the most current data, but older data is cheaper, costing only 0.0024 cents per name looked up. One of the things they can do with names is piece together who your co-workers are, because they will be using company-purchased phones with similar phone numbers.
Some of the techniques they use to glean information include backspoofing. But if you don’t want to do that, you can buy databases from Bulkcname.com for around $100 per 1,000 name lookups. The researchers say they can get 10,000 names identified for just $30. You can verify the data by cross referencing it with HLR data, which tells which carrier is associated with certain phone numbers.
During the talk, the researchers showed slides of text that showed phone numbers, names, locations and company affiliations. They can even make educated guesses about which banks of phone numbers are assigned to prepaid phones, which are phones bought at stores and can generally disguise their owners. The researchers say they can pinpoint people 99 percent of the time. With Google, Facebook and other tools, you can often then put a face to the name. You can find out if there are multiple phone numbers associated with one person.
“Our intent is to get people thinking about their actions and their vulnerabilities,” Bailey said. “You can target people. You can locate private individuals. You can locate groups of individuals. You can track where people are traveling. That’s a lot of information. It can be scary.”
Added DePetrillo, “This is simple stuff to understand. I have information I shouldn’t have. I didn’t do any crazy, insane hacker tricks. It requires very little intelligence.”
July 29, 2010
ispyPhone … Is your smartphone watching you? Graphic: Liam Phillips
Australian security experts, consumer advocates and privacy campaigners have sounded the alarm over the hundreds of thousands of free smartphone applications that spy on their users.
Lookout, a smartphone security firm based in San Francisco, scanned nearly 300,000 free applications for Apple’s iPhone and phones built around Google’s Android software. It found that many of them secretly pull sensitive data off users’ phones and ship them off to third parties without notification.
That’s a major concern that has been bubbling up in privacy and security circles.
The information is used by companies to target ads and learn more about their users. The danger, though, is that the data can become vulnerable to hacking and used in identity theft if the third party isn’t careful about securing the information.
Lookout found that nearly a quarter of the iPhone apps and almost half the Android apps contained software code that contained those capabilities.
The code had been written by the third parties and inserted into the applications by the developers, usually for a specific purpose, such as allowing the applications to run ads. But the code winds up forcing the application to collect more data on users than even the developers may realise, Lookout executives said.
“We found that, not only users, but developers as well, don’t know what’s happening in their apps, even in their own apps, which is fascinating,” said John Hering, chief executive of Lookout.
Part of the problem is that smartphones don’t alert users to all the different types of data the applications running on them are collecting. iPhones only alert users when applications want to use their locations.
And, while Android phones offer robust warnings when applications are first installed, many people breeze through the warnings for the gratification of using the apps quickly.
Australian online users’ lobby group Electronic Frontiers Australia spokesman Colin Jacobs said the issue of applications spying on their users “was something that everybody needs to be aware of”.
Jacobs said that many did not think of their phone as a computer.
“Mobiles contain as much personal information as people’s everyday computers do,” he said.
“Ironically, Apple’s model of a very locked down app store which has caused a lot of controversy may provide more protection to users because each application is so carefully reviewed, but it has its downsides as well.”
Intelligent Business Research Services analyst Joe Sweeney said that many users had installed firewalls on their PCs, but weren’t doing so on their mobiles.
In many cases this is because they can’t. Apple, for example, doesn’t offer a firewall product on its iPhone.
“If the numbers in this report are correct, then obviously this is an issue,” Sweeney said.
“We may need to see firewall-type software on phones.”
However, he said that education of users had to come first.
“There are other ways of addressing this issue that doesn’t require a firewall.”
Sweeney said network providers, such as Telstra and Optus, could help out. Apple could as well, he said.
Choice spokesman Christopher Zinn questioned whether some of the apps using the code broke Australian privacy laws.
“One would ask whether it is a possible breach of some of our privacy laws,” Zinn said.
He said that, although Apple and some of the apps might stipulate in their contracts that they collect data and send it to third parties, “How many of us actually read the contracts and the small print that come with them?
“We know that people don’t read them. You just press OK,” he said.
“We know that, especially with Apple contracts – they’re so long – nobody reads them; you probably need a law degree to understand them.”
Zinn said that if something as significant as some of the data that was revealed in the report was being sent to a third party, it “shouldn’t be in small print”.
It should be something that a user has to consent to and be in “big print”, Zinn said.
Apple and Google did not respond to requests from the Associated Press for comment on Lookout’s research.
– with AP
On July 26th, the US copyright office modified its rules to make it legal to unlock your devices from a carrier. So what?! This does not change anything when it concerns your agreement with Apple, AT&T or anyone else. They are not obligated to honor the device warranty, continue service, or update your phone’s software if you do jailbreak your device.
So the question remains, “should I do it?” The answer is “depends.” If you NEED to have the function of a jailbroken phone for your personal or business use and you gain a greater value (money or satisfaction) from it, then “yes”. If you want to be the “cool” kid that has a jailbroken phone, then “don’t be an idiot.”
Many of my Sigillu clients NEED and gain a greater value from jailbreaking an iPhone, or any other device for that matter. They will use the multi-tasking feature available to keep Gold Lock running in the background. Additionally, 3G Unrestrictor tricks their iPhone into thinking that it is on a wifi network so they can use 3G or EDGE without restrictions. This lets them use Skype over 3G and also download files larger than 10MB on the AppStore. Finally, they can use their iPhone on different networks if necessary. For more discussion on pros and cons see http://limitededitioniphone.com/why-you-should-jailbreak-your-iphone-3gs-3g-and-2g/
They use these features for convenience but additionally for doing business that makes it worth the effort to jailbreak their iPhone. Of course the phones can be reverted when they need to be taken in for repairs and what not, so what is the difference? That is up to you to decide.
Douglas Haskins, 8/2/2010
By Tony Bradley, PC World
A researcher at the Def Con security conference in Las Vegas demonstrated that he could impersonate a GSM cell tower and intercept mobile phone calls using only $1500 worth of equipment. The cost-effective solution brings mobile phone snooping to the masses, and raises some concerns for mobile phone security.
How does the GSM snooping work?
Chris Paget was able to patch together an IMSI (International Mobile Subscriber Identity) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area, the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.
What happens to the calls?
Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it’s possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.
But, aren’t my calls encrypted?
Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained, “Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers.”
What wireless provider networks are affected?
Good news for Sprint and Verizon customers–those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile–as well as most major carriers outside of the United States–rely on GSM.
Does 3G protect me from this hack?
This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier–equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.
Should I be worried that my mobile phone calls are being tapped?
Yes and no. The hack demonstration at Def Con proves it can be done, but it doesn’t mean that it’s in widespread use. $1500 is a relatively low investment, but it’s still enough to be out of range of most casual hackers that just want to experiment.
Now that the information is out there, though, hackers with the financial resources to put the IMSI catcher together could start intercepting calls. But, as noted earlier–if you are a Sprint or Verizon customer you don’t need to worry.
If you are on a GSM network like AT&T and T-Mobile, though, it is possible that an attacker could intercept and record your calls. The range of the IMSI catcher is relatively small, so the odds of your phone connecting to a random IMSI catcher are almost negligible, and it would only be an issue as long as you stayed in close proximity to the IMSI catcher.
However, if a user is specifically targeted, the rogue GSM tower could be an effective means of intercepting calls. The IMSI catcher could be used by corporate spies to target specific high profile individuals in a company to gain corporate secrets or other sensitive information.
LAS VEGAS (AP) – A computer security researcher has built a device for just $1,500 that can intercept some kinds of cell phone calls and record everything that’s said.
The attack Chris Paget showed Saturday illustrates weaknesses in GSM, one of the world’s most widely used cellular communications technologies.
His attack was benign; he showed how he could intercept a few dozen calls made by fellow hackers in the audience for his talk at the DefCon conference here. But it illustrates that criminals could do the same thing for malicious purposes, and that consumers have few options for protecting themselves.
Paget said he hopes his research helps spur adoption of newer communications standards that are more secure.
“GSM is broken – it’s just plain broken,” he said.
GSM is considered 2G, or “second generation,” cellular technology. Phones that run on the newer 3G and 4G standards aren’t vulnerable to his attack.
If you’re using an iPhone or other smart phone and the screen shows that your call is going over a 3G network, for example, you are protected. BlackBerry phones apply encryption to calls that foils the attack, Paget pointed out. But if you’re using a type of phone that doesn’t specify which type of network it uses, those phones are often vulnerable, Paget said.
Paget’s device tricks nearby cell phones into believing it is a legitimate cell phone tower and routing their calls through it. Paget uses Internet-based calling technology to complete the calls and log everything that’s said.
A caveat is that recipients see numbers on their Caller IDs that are different than the cell numbers of the people calling them. Paget claims it would be easy to upgrade the software to also include the callers’ real numbers.
The device he built is called an “IMSI catcher,” which refers to the unique International Mobile Subscriber Identity numbers that phones use to identify themselves to cellular networks.
Commercial versions of such devices have existed for decades and have mainly been used by law enforcement. Paget’s work shows how cheaply hobbyists can make the devices using equipment found on the Internet.
“That’s a significant change for research – it’s a major breakthrough for everyone,” said Don Bailey, a GSM expert with iSec Partners who wasn’t involved in Paget’s research.
Another security expert, Nicholas DePetrillo, said such devices haven’t been built as cheaply in the past because the hardware makers have closely controlled who they sell to. Only recently has the necessary equipment become available cheaply online.
In the U.S., AT&T Inc. and T-Mobile USA are two cellular operators whose networks include GSM.
There are more than 3 billion GSM users and the technology is used in nearly three quarters of the world’s cell phone markets, according to the GSM Association, an industry trade group.
In a statement, the group emphasized the hurdles to launching an attack like Paget’s, such as the fact an attacker’s base station would need to be physically close to the target and that only outgoing calls can be intercepted. Incoming calls are not vulnerable.
“The overall advice for GSM calls and fixed-line calls is the same: neither has ever offered a guarantee of secure communications,” the group said. “The great majority of users will make calls with no reason to fear that anyone might be listening. However, users with especially high security requirements should consider adding extra, end-to-end security features over the top of both their fixed line calls and their mobile calls.”
A representative for AT&T had no comment. T-Mobile didn’t immediately respond to e-mails Saturday from The Associated Press.
Paget had been debating dropping the demonstration from his talk, after federal authorities told him it might violate wiretapping laws. He went ahead with it after conferring with lawyers. He said he didn’t believe he had broken any laws.
LAS VEGAS — A security researcher created a cell phone base station that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear.
The device tricks the phones into disabling encryption and records call details and content before they’re routed on their proper way through voice-over-IP.
The low-cost, home-brewed device, developed by researcher Chris Paget, mimics more expensive devices already used by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that’s stronger than legitimate towers in the area.
“If you have the ability to deliver a reasonably strong signal, then those around are owned,” Paget said.
Paget’s system costs only about $1,500, as opposed to several hundreds of thousands for professional products. Most of the price is for the laptop he used to operate the system.
Doing this kind of interception “used to be a million dollars, now you can do it with a thousand times less cost,” Paget said during a press conference after his attack. “If it’s $1,500, it’s just beyond the range that people can start buying them for themselves and listening in on their neighbors.”
Paget’s device captures only 2G GSM calls, making AT&T and T-Mobile calls, which use GSM, vulnerable to interception. Paget’s aim was to highlight vulnerabilities in the GSM standard that allows a rogue station to capture calls. GSM is a second-generation technology that is not as secure as 3G technology.
Encrypted calls are not protected from interception because the rogue tower can simply turn encryption off. Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed.
“Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers,” Paget said.
The system captures only outbound calls. Inbound calls would go directly to voicemail during the period that someone’s phone is connected to Paget’s tower.
The device could be used by corporate spies, criminals, or private investigators to intercept private calls of targets.
“Any information that goes across a cell phone you can now intercept,” he said, except data. Professional grade IMSI catchers do capture data transfers, but Paget’s system doesn’t currently do this.
His setup included two RF directional antennas about three feet long to amplify his signal in the large conference room, a laptop and open source software. The system emitted only 25 milliwatts, “a hundred times less than your average cell phone,” he said.
Paget received a call from FCC officials on Friday who raised a list of possible regulations his demonstration might violate. To get around legal concerns, he broadcast on a GSM band that falls within the ham radio allocation, 900 MHz, which is the same frequency used by GSM phones and towers in Europe, thus avoiding possible violations of U.S. regulations.
Just turning on the antennas caused two dozen phones in the room to connect to Paget’s tower. He then set it to spoof an AT&T tower to capture calls from customers of that carrier.
“As far as your cell phones are concerned, I am now indistinguishable from AT&T,” he said. “Every AT&T cell phone in the room will gradually start handing over to my network.”
During the demonstration, only about 30 phones were actually connecting to his tower. Paget says it can take time for phones to find the signal and hand off to the tower, but there are methods for speeding up that process.
To address privacy concerns, he set up the system to deliver a recorded message to anyone who tried to make a call from the room while connected to his tower. The message disclosed that their calls were being recorded. All of the data Paget recorded was saved to a USB stick, which he destroyed after the talk.
Customers of carriers that use GSM could try to protect their calls from being intercepted in this manner by switching their phones to 3G mode if it’s an option.
But Paget said he could also capture phones using 3G by sending out jamming noise to block 3G. Phones would then switch to 2G and hook up with his rogue tower. Paget had his jammer and an amplifier on stage but declined to turn them on saying they would “probably knock out all Las Vegas cell phone systems.”
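The two weaknesses the articles above single out (a rogue tower switching ciphering off while the handset suppresses the spec-required indicator, and 3G being jammed so phones fall back to 2G) are both detectable on the handset side. The following is an added example, not code from any of the articles or from Chris Paget: a small event replay that applies the checks a defender would want a baseband monitor to make. The event format, field names, and sample event lists are constructed for this example and are not a real modem’s log format.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Cipher algorithms named in the articles: A5/0 is no encryption, A5/1 is the
# broken algorithm Kraken targets, A5/3 is the stronger replacement.
CIPHER_RISK: Dict[str, str] = {"A5/0": "none", "A5/1": "weak", "A5/3": "ok"}


@dataclass
class Finding:
    kind: str      # "downgrade", "lac_change", "no_cipher" or "weak_cipher"
    detail: str


@dataclass
class RadioState:
    rat: Optional[str] = None                          # "UMTS" (3G) or "GSM" (2G)
    cell: Optional[Tuple[str, str, int, int]] = None   # (mcc, mnc, lac, cid)
    cipher: Optional[str] = None                       # last ciphering mode seen
    just_downgraded: bool = False
    findings: List[Finding] = field(default_factory=list)


def assess_events(events: List[dict]) -> List[Finding]:
    """Replay baseband-style events in order and collect findings.

    The event dicts are an assumed, constructed format for this example:
      {"event": "rat_change", "rat": "GSM"}
      {"event": "cell_change", "mcc": "310", "mnc": "410", "lac": 1, "cid": 2}
      {"event": "cipher_mode", "algorithm": "A5/0"}
      {"event": "call_start"}
    """
    st = RadioState()
    for ev in events:
        kind = ev["event"]
        if kind == "rat_change":
            if st.rat == "UMTS" and ev["rat"] == "GSM":
                # The articles describe jamming 3G so phones fall back to 2G.
                st.findings.append(Finding("downgrade", "fell back from UMTS to GSM"))
                st.just_downgraded = True
            st.rat = ev["rat"]
        elif kind == "cell_change":
            new = (ev["mcc"], ev["mnc"], ev["lac"], ev["cid"])
            same_operator = st.cell is not None and st.cell[:2] == new[:2]
            if same_operator and st.cell[2] != new[2] and st.just_downgraded:
                st.findings.append(Finding(
                    "lac_change", f"same operator, new LAC {new[2]} right after downgrade"))
            st.cell = new
            st.cipher = None  # ciphering is negotiated again on the new cell
        elif kind == "cipher_mode":
            st.cipher = ev["algorithm"]
        elif kind == "call_start":
            # No ciphering mode seen at all is treated like A5/0 (no encryption).
            risk = CIPHER_RISK.get(st.cipher or "A5/0", "unknown")
            if risk == "none":
                st.findings.append(Finding(
                    "no_cipher", "call is unencrypted; the spec-required indicator should be shown"))
            elif risk == "weak":
                st.findings.append(Finding(
                    "weak_cipher", f"call uses {st.cipher}, which is known to be breakable"))
            st.just_downgraded = False
    return st.findings


def indicator_required(findings: List[Finding]) -> bool:
    """True when the handset should display the ciphering indicator for the call."""
    return any(f.kind == "no_cipher" for f in findings)


# Constructed sample sequences (not captured data).
SAMPLE_BENIGN = [
    {"event": "rat_change", "rat": "GSM"},
    {"event": "cell_change", "mcc": "310", "mnc": "410", "lac": 100, "cid": 5},
    {"event": "cipher_mode", "algorithm": "A5/3"},
    {"event": "call_start"},
]

SAMPLE_ROGUE_TOWER = [
    {"event": "rat_change", "rat": "UMTS"},
    {"event": "cell_change", "mcc": "310", "mnc": "410", "lac": 100, "cid": 5},
    {"event": "rat_change", "rat": "GSM"},                                   # 3G jammed
    {"event": "cell_change", "mcc": "310", "mnc": "410", "lac": 200, "cid": 9},  # new LAC
    {"event": "cipher_mode", "algorithm": "A5/0"},                           # cipher off
    {"event": "call_start"},
]

if __name__ == "__main__":
    for name, events in (("benign", SAMPLE_BENIGN), ("rogue", SAMPLE_ROGUE_TOWER)):
        found = assess_events(events)
        print(name, [(f.kind, f.detail) for f in found], "indicator:", indicator_required(found))
```

The checks are deliberately conservative: a 3G-to-2G fallback or a new location area on its own is routine, so the example only reports the combination the articles describe (downgrade, then a new LAC, then a call with no or weak ciphering), and it treats a missing ciphering mode the same as A5/0.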
Photo: Dave Bullock
Black Hat Independent researchers have made good on a promise to release a comprehensive set of tools needed to eavesdrop on cell phone calls that use the world’s most widely deployed mobile technology.
“The whole topic of GSM hacking now enters the script-kiddie stage, similar to Wi-Fi hacking a couple years ago, where people started cracking the neighbor’s Wi-Fi,” said Karsten Nohl, a cryptographer with the Security Research Labs in Berlin who helped spearhead the project. “Just as with Wi-Fi, where they changed the encryption to WPA, hopefully that will happen with GSM, too.”
The suite of applications now includes Kraken, software being released at the Black Hat security conference on Thursday that can deduce the secret key encrypting SMS messages and voice conversations in as little as 30 seconds. It was developed by Frank A. Stevenson, the same Norwegian programmer who almost a decade ago developed software that cracked the CSS encryption scheme protecting DVDs.
GSM insecurity is largely the result of widely known weaknesses in A5/1, the algorithm used to decrypt calls in most of the developed world. Years ago, mobile operators devised A5/3, which requires some quintillion more mathematical operations to be cracked. It has yet to be adopted as mobile operators fret that the change will be expensive and won’t work on older handsets. Many countries continue to use A5/0, which uses no meaningful encryption at all.
CHRIS PAGET ETHICAL HACKER
It’s widely accepted that the cryptoscheme in GSM can be broken, but did you know that if you’re within radio range of your target you can intercept all of their cellphone calls by bypassing the cryptoscheme entirely? This talk discusses the practical aspects of operating an “IMSI catcher”, a fake GSM base station designed to trick the target handset into sending you its voice traffic. Band jamming, rolling LACs, Neighbour advertisements and a wide range of radio trickery will be covered, as well as all the RF gear you’ll need to start listening in on your neighbours.
Chris Paget has over a decade of experience as an information security consultant and technical trainer for a wide range of financial, online, and software companies. Chris’ work is increasingly hardware-focused, recently covering technologies such as GSM and RFID at venues such as Defcon and Shmoocon. With a wide range of experience encompassing software, networks, radio, cryptography and electronics, Chris enjoys looking at complex systems in unusual ways to find creative attacks and solutions.
From Chris Paget’s Blog:
I’m planning to give a pretty spectacular demonstration of cellphone insecurity at Defcon, where I will intercept the cellular phone calls of the audience without any action required on their part. As you can imagine, intercepting cellphone calls is a Very Big Deal so I wanted to announce at least some of the plan to reassure everyone of their privacy.
First and foremost – I’m not just making this stuff up. I know when to get advice from a good lawyer, and in this case I’m taking the advice of the very best there is: the EFF. They’ve been kind enough to offer their help and I’m taking it – this is what we’ve worked out.
1. If you’re in an area where your cellphone calls might be intercepted, there will be prominent warning signs about the demo including the time and date as well as a URL for more info. This will be the only time when unknown handsets will be allowed to connect; at all other times only pre-registered handsets will be granted access. You will be clearly warned that by using your cellphone during the demo you are consenting to the interception, and that you should turn your cellphone off during that time if you do not consent. A recorded message with essentially the same info will also be played whenever a call is made from the demo network.