LAS VEGAS (AP) – A computer security researcher has built a device for just $1,500 that can intercept some kinds of cell phone calls and record everything that’s said.
The attack Chris Paget showed Saturday illustrates weaknesses in GSM, one of the world’s most widely used cellular communications technologies.
His attack was benign; he showed how he could intercept a few dozen calls made by fellow hackers in the audience for his talk at the DefCon conference here. But it illustrates that criminals could do the same thing for malicious purposes, and that consumers have few options for protecting themselves.
Paget said he hopes his research helps spur adoption of newer communications standards that are more secure.
“GSM is broken – it’s just plain broken,” he said.
GSM is considered 2G, or “second generation,” cellular technology. Phones that run on the newer 3G and 4G standards aren’t vulnerable to his attack.
If you’re using an iPhone or other smart phone and the screen shows that your call is going over a 3G network, for example, you are protected. BlackBerry phones apply encryption to calls that foil the attack, Paget pointed out. But if you’re using a type of phone that doesn’t specify which type of network it uses, those phones are often vulnerable, Paget said.
Paget’s device tricks nearby cell phones into believing it is a legitimate cell phone tower and routing their calls through it. Paget uses Internet-based calling technology to complete the calls and log everything that’s said.
A caveat is that recipients see numbers on their Caller IDs that are different than the cell numbers of the people calling them. Paget claims it would be easy to upgrade the software to also include the callers’ real numbers.
The device he built is called an “IMSI catcher,” which refers to the unique International Mobile Subscriber Identity numbers that phones use to identify themselves to cellular networks.
Commercial versions of such devices have existed for decades and have mainly been used by law enforcement. Paget’s work shows how cheaply hobbyists can make the devices using equipment found on the Internet.
“That’s a significant change for research – it’s a major breakthrough for everyone,” said Don Bailey, a GSM expert with iSec Partners who wasn’t involved in Paget’s research.
Another security expert, Nicholas DePetrillo, said such devices haven’t been built as cheaply in the past because the hardware makers have closely controlled who they sell to. Only recently has the necessary equipment become available cheaply online.
In the U.S., AT&T Inc. and T-Mobile USA are two cellular operators whose networks include GSM.
There are more than 3 billion GSM users and the technology is used in nearly three quarters of the world’s cell phone markets, according to the GSM Association, an industry trade group.
In a statement, the group emphasized the hurdles to launching an attack like Paget’s, such as the fact an attacker’s base station would need to be physically close to the target and that only outgoing calls can be intercepted. Incoming calls are not vulnerable.
“The overall advice for GSM calls and fixed-line calls is the same: neither has ever offered a guarantee of secure communications,” the group said. “The great majority of users will make calls with no reason to fear that anyone might be listening. However, users with especially high security requirements should consider adding extra, end-to-end security features over the top of both their fixed line calls and their mobile calls.”
A representatives for AT&T had no comment. T-Mobile didn’t immediately respond to e-mails Saturday from The Associated Press.
Paget had been debating dropping the demonstration from his talk, after federal authorities told him it might violate wiretapping laws. He went ahead with it after conferring with lawyers. He said he didn’t believe he had broken any laws.
“It’s really interesting to watch a phone number turn into a person’s life,” security researcher Nick DePetrillo told the Los Angeles Times in a report published yesterday. According to Petrillo and fellow expert Don Bailey, the mere digits of your cell phone number can betray your name, your travel itinerary, and your work and home address; it can also allow others to listen in on your voice messages and personal phone calls.
Using “widely available information and existing techniques,” DePetrillo and Bailey reportedly were able to construct detailed files on a cellphone user. Find out how after the break.
As “white hat hackers,” meaning the good guys that hack you to expose security gaps and then figure ways to patch them, DePetrillo and Bailey have learned that by using special software to spoof a call from the target number, tricking the cell phone company into thinking the call is coming from the target’s cell phone: The Caller ID system then identifies the victim’s name for you. As the LA Times points out, a hacker could create their own phonebook of numbers and corresponding identities.
From there, the hacker can then query the cellphone network to discover the location of the phone. Websites such as InstaMapper are openly accessible and free to use. With this, one can hypothetically track and generate a general schedule of your movements.
Moreover, there is always the possibility of malicious applications, which appear to do one thing but in reality can collect private information. For example, security expert Tyler Shields created an application called “TXSBBSPY,” which when installed on a Blackberry, could read text messages, listen to voice mail, and even turn on the phone’s mic at will.
Today, smartphones including the iPhone, Blackberry, and Android devices comprise about 21% of the cell phone market, and often contain sensitive information like other phone numbers, e-mails, and banking information. Nielsen Co. estimates the smartphone to become the new standard by 2011. However, as the smartphone is a recent development, Shields says that we are only living in the “late ’90s” when it comes to mobile security.
The obvious solutions, of course, are to 1) keep your cell phone number private; 2) shield your number with services like Google Voice; 3) use common sense – don’t access suspicious software and links.
cnet – A security researcher has discovered that any wireless network can pretend to be an AT&T Wi-Fi hot spot and thus lure unsuspecting iPhone users to an untrusted network connection.
Samy Kamkar, who created a worm that garnered him a million friends on MySpace overnight in 2005, said in an interview this week that he can hijack any iPhone within Wi-Fi range in what is often dubbed a “man-in-the-middle” attack because of the way the devices are configured to recognize AT&T Wi-Fi connections merely by the name “attwifi.”
Typically, an iPhone will look for a specific MAC address–the unique identifier for the router–to verify that the wireless network is a device a user agreed to join previously. However, if the iPhone has previously connected to any one of the numerous free AT&T Wi-Fi hot spots (offered at virtually every Starbucks in the U.S., for example) the device will ignore what the MAC address says and simply connect to the network if it has “AT&T Wifi” attached, Kamkar said.
“The iPhone joins the network by name with no other form of authentication,” he said.
Kamkar said he made this discovery recently when he was at a Starbucks and disconnected from the AT&T Wi-Fi network.
“I went into the settings to disconnect and the prompt was different from normal,” he said. “I went home and had my computer pretend to be an AT&T hot spot just by the name and my iPhone continued to connect to it. I saw one or two other iPhones hop onto the network, too, going through my laptop computer. I could redirect them, steal credentials as they go to Web sites,” among other stealth moves, if he had wanted to.
To prove that a hijack is possible, Kamkar wrote a program that displays messages and can make other modifications when someone is attempting to use the Google Maps program on an iPhone that has been intercepted. He will be releasing his hijacking program via his Twitter account: http://twitter.com/samykamkar.
Kamkar hasn’t attempted the hijack on an iPod Touch, but plans to determine whether it has the same vulnerability.
iPhone users can protect themselves by disabling their Wi-Fi, or they can turn off the automatic joining of the AT&T Wi-Fi network, but only if the device is within range of an existing AT&T hot spot, Kamkar said.
Asked for comment an Apple spokeswoman said: “iPhone performs properly as a Wi-Fi device to automatically join known networks. Customers can also choose to select to ‘Forget This Network’ after using a hot spot so the iPhone doesn’t join another network of the same name automatically.”
Kamkar, an independent researcher based in Los Angeles, first made a name for himself by launching what was called the “Samy” worm on MySpace in order to see how quickly he could get friends on the social-networking site. The cross-site scripting (XSS) worm displayed the words “Samy is my hero” on a victim’s profile and when others viewed the page they were infected.
He served three years of probation under a plea agreement reached in early 2007 for releasing the worm.
Proof-of-concept demonstrates ease at which mobile spyware can be created to pilfer text messages and email, eavesdrop, and track victim’s physical location via smartphone’s GPS.
Tyler Shields, senior researcher for Veracode’s Research Lab, also released proof-of-concept source code for a spyware app he created and demonstrated at the hacker confab in Washington, D.C., that forces the victim’s BlackBerry to hand over its contacts and messages. The app also can grab text messages, listen in on the victim, as well as track his physical location via the phone’s GPS. The spyware sits on the victim’s smartphone, and an attacker can remotely use the app to dump the user’s contact list, email inbox, and SMS message. It even keeps the attacker updated on new contacts the victim adds to his contact list. “This is a proof-of-concept to demonstrate how mobile spyware and applications for malicious behavior are trivial to write just by using the APIs of the mobile OS itself,” Shields says.{hwdvideoshare}id=23|width=|height={/hwdvideoshare}Smartphones are expected to become the next big target as they get more functionality and applications, yet remain notoriously unprotected, with only 23 percent of its users deploying security on these devices. And smartphone vendors for the most part have been lax in how they vet applications written for their products, security experts say.
“Personal information is traveling from the PC to the smartphone. The same data they are attacking on the PC is now on a lower-security form factor where security is less mature,” Shields says. “It makes sense that [attackers] will follow the money to that new device.”
His spyware app, TXSBBSpy, could be plugged into an innocuous-looking video game or other application that a user would download. Then the bad guys could harvest contacts they could sell for spamming purposes, for instance, he says. Although Shields’ spyware app is only a blueprint for writing a spyware app, writing one of these apps is simple, he says.
“If we try to tell ourselves that the bad guys don’t already know how to do this, we’re lying. This is trivial to create,” he says. Shields has posted a video demo of his BlackBerry spyware tool.
Indeed, smartphone apps were a hot topic last week: A researcher at Black Hat DC demonstrated his own spyware app for iPhones, SpyPhone, which can harvest email addresses as well as information from the user’s Safari searches and his or her keyboard cache. Nicolas Seriot, a software engineer and scientific collaborator at the Swiss University of Applied Sciences, says Apple iPhone’s review process for apps doesn’t stop these types of malicious apps from being downloaded to iPhone users.
Veracode’s Shields says app stores such as BlackBerry’s, where users download free or fee-based applications for their phones, can be misleading to users. “The app store makes the problem worse by giving customers a sense of security, so they don’t necessarily screen for this ‘trust’ button,” Shields says.
The problem is that mobile spyware is “trivial” to create, and the security model of most mobile platforms is inadequate because no one uses the security features and sandboxing methods that protect user data, he says.
Shields recommends that enterprises using BlackBerry Enterprise Server set policies that restrict users from downloading third-party applications or whitelist the ones that are vetted and acceptable.
Users can also configure their default app permissions so that when an app tries to access a user’s email or contact list, the OS prompts the user for permission. Shields says to avoid setting an app to “trusted application status.”
As for app store owners like BlackBerry AppWorld, Apple iTunes, and Google Android Marketplace, Shields recommends the vendors check the security of all applications in these stores. That way, apps would undergo a rigorous vetting process before they hit the stores. “Some are [doing this], but I’m not sure to what degree,” he says. “Regardless of what they are catching or not, they are not telling us what they are looking for.”
Shields’ TXSBBSpy spyware, meanwhile, isn’t the first such tool for the BlackBerry. There’s the controversial tool FlexiSPY, aimed at tracking employees, children, or cheating spouses, but considered by anti-malware companies as malicious code. And there has been at least one documented case of a major spyware infiltration on the BlackBerry: Users in the United Erab Emirates last year were sent a spyware-laden update to their BlackBerrys on the Etisalat network.
With traditional identity theft channels now closing, fraudsters are increasingly targeting unprotected voice conversations to obtain confidential insider information, passwords and PIN codes without detection. Voice correspondence is almost always uncharted territory for business security armour under the false assumption that phone hacking is a highly sophisticated and expensive means of attack.
The days of phone fraud involving thousands of pounds of equipment and an extensive army of technology experts are long gone. Only in December it was revealed that a computer engineer had broken the algorithm used to encrypt the majority of the world’s digital mobile phone calls online, and published his method…
Two researchers say they have found a way to exploit weaknesses in the mobile telecom system to legally spy on people by figuring out the private cell phone number of anyone they want, tracking their whereabouts, and listening to their voice mail.
Independent security researcher Nick DePetrillo and Don Bailey, a security consultant with iSec Partners, planned to provide details in a talk entitled “We Found Carmen San Diego” at the Source Boston security conference on Wednesday.
“There are a lot of fragile eggs in the telecom industry and they can be broken,” Bailey said in an interview with CNET. “We assume the telecom industry protects our privacy. But we’ve been able to crack the eggs and piece them together.”
The first part of the operation involves getting a target’s cell phone number from a public database that links names to numbers for caller ID purposes. DePetrillo used open-source PBX software to spoof the outgoing caller ID and then automated phone calls to himself, triggering the system to force a name lookup.
“We log that information and associate it with a phone number in a (caller ID) database,” DePetrillo said. “We created software that iterates through these numbers and can crawl the entire phone database in the U.S. within a couple of weeks… We have done whole cities and pulled thousands of records.”
“It’s not illegal, nor is it a breach of terms of service,” Bailey said.
Next up is matching the phone number with a geographic location. The SS7 (Signaling System) public switched network routes calls around the world and uses what’s called the Home Location Register to log the whereabouts of numbers so networks can hand calls off to one another, DePetrillo said. Individual phones are registered to mobile switching centers within specific geographic regions and they are logged in to that main register, he said.
Only telecom providers are supposed to have access to the location register, but small telcos in the EU are offering online access to it for a fee, mostly to companies using it for marketing data and cost projections, according to DePetrillo.
“Using previous research on the subject as a starting point, we’ve developed a way to map these mobile switching center numbers to caller ID information to determine what city and even what part of a city a phone number is in” at any given moment, he said. “I can watch a phone number travel to different mobile switching centers. If I know your phone number, I can track your whereabouts globally.”
For instance, the researchers were able to track a German journalist talking to a confidential informant in Serbia and follow his travels back to Germany, as well as obtain the informant’s phone number, Bailey said.
Bailey said he had contacted telecom providers with the information on how industry outsiders were able to get to information believed to be privileged to the providers, but said the hands of GSM providers in the U.S. are tied.
“The attack is based on the assumption of how the networks work worldwide,” he said. “For interoperability and peer sake, the larger providers in the U.S. have to hand out the information to other providers.”
Asked what cell phone users can do to protect themselves, Bailey said, “people are just going to have to be made aware of the threat.”
It’s also relatively easy to access other people’s voice mail, a service that’s been around for years from providers like SlyDial. They operate by making two nearly simultaneous calls to a target number, one of which disconnects before it is picked up and another that goes straight into voice mail because of the earlier call. This enables the caller to go directly to voice mail without the phone ringing. DePetrillo and Bailey re-created that functionality for purposes of their legal spying scenario.
“If I want to find Brad Pitt, I find his number using the caller ID database, use Home Location Register access to figure out what provider he has. T-Mobile is vulnerable to voice mail spoofing so I get into his voice mail and listen to his messages,” said DePetrillo. “But I can also have the system tell me the numbers of the callers and I can take those numbers and look them up in the caller ID database and use the Home Location Register system to find their providers and break into their voice mail, and so on.”
This can allow someone to make a social web of people, their cell numbers, the context of their voice mail, and their relationships to others, he said.
“These attack scenarios are applicable to corporations and individual users alike,” DePetrillo said. “Corporations specifically should start to take a look at their security policies for executives as this can impact a business very hard, with insider trading, tracking of executives, etc.”
Gold Lock is proud to announce that Douglas Haskins, Channel Manager-North America, is scheduled to be interviewed by Federal News Radio AM1500 in Washington, DC, Monday 12/14/09 at 8:30am (eastern time). Federal News Radio contacted Gold Lock to schedule the radio interview to discuss the Gold Lock Hacker Challenge: a $250,00o prize to anyone who can hack a 10 minute encrypted conversation.
Would be hackers are free to use any tools or technology at their disposal. This contest is open to anyone, anywhere, unless your participation is specifically prohibited by law.
Hackers have until 12:00 AM (GMT/UTC + 02:00 hours) on February 1st 2010 to provide us with the transcript. Read the contest rules for complete details and restrictions. Be sure to complete the entry form on that page before you start trying to grab the gold.
If the bad guys in your jurisdiction use pagers to conduct their business, you need The Beeper BusterTM. With The Beeper BusterTM, you can sit in the privacy of your own office and monitor every message sent to any pager. You do not need the cooperation of the paging system operator, nor will the user of the pager know you are monitoring all his messages. The Beeper BusterTM can capture all messages sent to a target pager, capture all messages containing a particular “search string” (such as the phone number of a suspect location, pay phone), or any combination of the above. Special techniques are used to determine the unique address (the “capcode”) of the pager, meaning you do not need access to the target pager to capture its messages. It’s very simple. And, the The Beeper BusterTM is affordable. Unlike rival units, The Beeper BusterTMactually operates faster than the paging system. This means no missed pages, for any format at any speed. Persons using other less capable pager intercept systems are well aware of the problems of missed pages. The high speed and perfect accuracy of The Beeper BusterTM is due to our extensive use of custom designed high speed hardware. If you need to use captured messages as evidence in court, the specially designed features of The Beeper BusterTMguarantee the integrity of the data.
With traditional identity theft channels now closing, fraudsters are increasingly targeting unprotected voice conversations to obtain confidential insider information, passwords and PIN codes without detection. Voice correspondence is almost always uncharted territory for business security armour under the false assumption that phone hacking is a highly sophisticated and expensive means of attack.
of the pager know you are monitoring all his messages. The Beeper BusterTM can capture all messages sent to a target pager, capture all messages containing a particular “search string” (such as the phone number of a suspect location, pay phone), or any combination of the above. Special techniques are used to determine the unique address (the “capcode”) of the pager, meaning you do not need access to the target pager to capture its messages. It’s very simple. And, the The Beeper BusterTM is affordable. Unlike rival units, The Beeper BusterTMactually operates faster than the paging system. This means no missed pages, for any format at any speed. Persons using other less capable pager intercept systems are well aware of the problems of missed pages. The high speed and perfect accuracy of The Beeper BusterTM is due to our extensive use of custom designed high speed hardware. If you need to use captured messages as evidence in court, the specially designed features of The Beeper BusterTMguarantee the integrity of the data.
Sigillu 