Hacker builds $1,500 cell-phone tapping device
LAS VEGAS (AP) – A computer security researcher has built a device for just $1,500 that can intercept some kinds of cell phone calls and record everything that’s said.
The attack Chris Paget showed Saturday illustrates weaknesses in GSM, one of the world’s most widely used cellular communications technologies.
His attack was benign; he showed how he could intercept a few dozen calls made by fellow hackers in the audience for his talk at the DefCon conference here. But it illustrates that criminals could do the same thing for malicious purposes, and that consumers have few options for protecting themselves.
Paget said he hopes his research helps spur adoption of newer communications standards that are more secure.
“GSM is broken – it’s just plain broken,” he said.
GSM is considered 2G, or “second generation,” cellular technology. Phones that run on the newer 3G and 4G standards aren’t vulnerable to his attack.
If you’re using an iPhone or other smart phone and the screen shows that your call is going over a 3G network, for example, you are protected. BlackBerry phones apply encryption to calls that foil the attack, Paget pointed out. But if you’re using a type of phone that doesn’t specify which type of network it uses, those phones are often vulnerable, Paget said.
Paget’s device tricks nearby cell phones into believing it is a legitimate cell phone tower and routing their calls through it. Paget uses Internet-based calling technology to complete the calls and log everything that’s said.
A caveat is that recipients see numbers on their Caller IDs that are different than the cell numbers of the people calling them. Paget claims it would be easy to upgrade the software to also include the callers’ real numbers.
The device he built is called an “IMSI catcher,” which refers to the unique International Mobile Subscriber Identity numbers that phones use to identify themselves to cellular networks.
Commercial versions of such devices have existed for decades and have mainly been used by law enforcement. Paget’s work shows how cheaply hobbyists can make the devices using equipment found on the Internet.
“That’s a significant change for research – it’s a major breakthrough for everyone,” said Don Bailey, a GSM expert with iSec Partners who wasn’t involved in Paget’s research.
Another security expert, Nicholas DePetrillo, said such devices haven’t been built as cheaply in the past because the hardware makers have closely controlled who they sell to. Only recently has the necessary equipment become available cheaply online.
In the U.S., AT&T Inc. and T-Mobile USA are two cellular operators whose networks include GSM.
There are more than 3 billion GSM users and the technology is used in nearly three quarters of the world’s cell phone markets, according to the GSM Association, an industry trade group.
In a statement, the group emphasized the hurdles to launching an attack like Paget’s, such as the fact that an attacker’s base station would need to be physically close to the target and that only outgoing calls can be intercepted. Incoming calls are not vulnerable.
“The overall advice for GSM calls and fixed-line calls is the same: neither has ever offered a guarantee of secure communications,” the group said. “The great majority of users will make calls with no reason to fear that anyone might be listening. However, users with especially high security requirements should consider adding extra, end-to-end security features over the top of both their fixed line calls and their mobile calls.”
A representative for AT&T had no comment. T-Mobile didn’t immediately respond to e-mails Saturday from The Associated Press.
Paget had been debating dropping the demonstration from his talk, after federal authorities told him it might violate wiretapping laws. He went ahead with it after conferring with lawyers. He said he didn’t believe he had broken any laws.
Hacker Spoofs Cell Phone Tower to Intercept Calls
LAS VEGAS — A security researcher created a cell phone base station that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear.
The device tricks the phones into disabling encryption and records call details and content before they’re routed on their proper way through voice-over-IP.
The low-cost, home-brewed device, developed by researcher Chris Paget, mimics more expensive devices already used by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that’s stronger than legitimate towers in the area.
“If you have the ability to deliver a reasonably strong signal, then those around are owned,” Paget said.
Paget’s system costs only about $1,500, as opposed to several hundreds of thousands for professional products. Most of the price is for the laptop he used to operate the system.
Doing this kind of interception “used to be a million dollars, now you can do it with a thousand times less cost,” Paget said during a press conference after his attack. “If it’s $1,500, it’s just beyond the range that people can start buying them for themselves and listening in on their neighbors.”
Paget’s device captures only 2G GSM calls, making AT&T and T-Mobile calls, which use GSM, vulnerable to interception. Paget’s aim was to highlight vulnerabilities in the GSM standard that allow a rogue station to capture calls. GSM is a second-generation technology that is not as secure as 3G technology.
Encrypted calls are not protected from interception because the rogue tower can simply turn the encryption off. Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed.
“Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers,” Paget said.
The system captures only outbound calls. Inbound calls would go directly to voicemail during the period that someone’s phone is connected to Paget’s tower.
The device could be used by corporate spies, criminals, or private investigators to intercept private calls of targets.
“Any information that goes across a cell phone you can now intercept,” he said, except data. Professional grade IMSI catchers do capture data transfers, but Paget’s system doesn’t currently do this.
His setup included two RF directional antennas about three feet long to amplify his signal in the large conference room, a laptop and open source software. The system emitted only 25 milliwatts, “a hundred times less than your average cell phone,” he said.
Paget received a call from FCC officials on Friday who raised a list of possible regulations his demonstration might violate. To get around legal concerns, he broadcast on a GSM spectrum for HAM radios, 900 MHz, which is the same frequency used by GSM phones and towers in Europe, thus avoiding possible violations of U.S. regulations.
Just turning on the antennas caused two dozen phones in the room to connect to Paget’s tower. He then set it to spoof an AT&T tower to capture calls from customers of that carrier.
“As far as your cell phones are concerned, I am now indistinguishable from AT&T,” he said. “Every AT&T cell phone in the room will gradually start handing over to my network.”
During the demonstration, only about 30 phones were actually connecting to his tower. Paget says it can take time for phones to find the signal and hand off to the tower, but there are methods for speeding up that process.
To address privacy concerns, he set up the system to deliver a recorded message to anyone who tried to make a call from the room while connected to his tower. The message disclosed that their calls were being recorded. All of the data Paget recorded was saved to a USB stick, which he destroyed after the talk.
Customers of carriers that use GSM could try to protect their calls from being intercepted in this manner by switching their phones to 3G mode if it’s an option.
But Paget said he could also capture phones using 3G by sending out jamming noise to block 3G. Phones would then switch to 2G and hook up with his rogue tower. Paget had his jammer and an amplifier on stage but declined to turn them on, saying they would “probably knock out all Las Vegas cell phone systems.”
Photo: Dave Bullock
PRACTICAL CELLPHONE SPYING
CHRIS PAGET ETHICAL HACKER
It’s widely accepted that the cryptoscheme in GSM can be broken, but did you know that if you’re within radio range of your target you can intercept all of their cellphone calls by bypassing the cryptoscheme entirely? This talk discusses the practical aspects of operating an “IMSI catcher”, a fake GSM base station designed to trick the target handset into sending you its voice traffic. Band jamming, rolling LACs, Neighbour advertisements and a wide range of radio trickery will be covered, as well as all the RF gear you’ll need to start listening in on your neighbours.
Chris Paget has over a decade of experience as an information security consultant and technical trainer for a wide range of financial, online, and software companies. Chris’ work is increasingly hardware-focused, recently covering technologies such as GSM and RFID at venues such as Defcon and Shmoocon. With a wide range of experience encompassing software, networks, radio, cryptography and electronics, Chris enjoys looking at complex systems in unusual ways to find creative attacks and solutions.
…
Privacy concerns at Defcon
From Chris Paget’s Blog:
I’m planning to give a pretty spectacular demonstration of cellphone insecurity at Defcon, where I will intercept the cellular phone calls of the audience without any action required on their part. As you can imagine, intercepting cellphone calls is a Very Big Deal so I wanted to announce at least some of the plan to reassure everyone of their privacy.
First and foremost – I’m not just making this stuff up. I know when to get advice from a good lawyer, and in this case I’m taking the advice of the very best there is: the EFF. They’ve been kind enough to offer their help and I’m taking it – this is what we’ve worked out.
1. If you’re in an area where your cellphone calls might be intercepted, there will be prominent warning signs about the demo including the time and date as well as a URL for more info. This will be the only time when unknown handsets will be allowed to connect; at all other times only pre-registered handsets will be granted access. You will be clearly warned that by using your cellphone during the demo you are consenting to the interception, and that you should turn your cellphone off during that time if you do not consent. A recorded message with essentially the same info will also be played whenever a call is made from the demo network.
…
Citi Discloses Security Flaw in Its iPhone App
Citigroup Inc. said its free U.S. mobile-banking application for Apple Inc.’s iPhone contained a security flaw and advised its customers to upgrade to a newer version that corrects the problem.
In an incident that highlights the growing security challenges around wireless apps, Citi said its iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users’ iPhones. The information may also have been saved to a user’s computer if it had been synched with an iPhone.
The issue affected the approximately 117,600 customers who had registered the iPhone app with Citi since its launch in March 2009, a person familiar with the matter said. The bank doesn’t believe any personal data was exposed by the flaw.
“We have no reason to believe that our customers’ personal information has been accessed or used inappropriately by anyone,” Citi said. Apple acknowledged the issue and encouraged users to download the updated app.
…
Surveillance Self Defense (From EFF’s site)
…
Easy interception. Cell phone communications are sent through the air like communications from a walkie-talkie, and encryption is usually inadequate or absent. Although there are substantial legal protections for the privacy of cell phone calls, it’s technologically straightforward to intercept cell phone calls on many cell networks without the cooperation of the carrier, and the technology to do this is only getting cheaper. Such interception without legal process could be a serious violation of privacy laws, but would be immensely difficult to detect. U.S. and foreign intelligence agencies have the technical capacity to intercept unencrypted and weakly encrypted cell phone calls on a routine basis.
…