Sigillu

Secure Communications

Cell phone eavesdropping enters script-kiddie phase

Black Hat – Independent researchers have made good on a promise to release a comprehensive set of tools needed to eavesdrop on cell phone calls that use the world’s most widely deployed mobile technology.

“The whole topic of GSM hacking now enters the script-kiddie stage, similar to Wi-Fi hacking a couple years ago, where people started cracking the neighbor’s Wi-Fi,” said Karsten Nohl, a cryptographer with the Security Research Labs in Berlin who helped spearhead the project. “Just as with Wi-Fi, where they changed the encryption to WPA, hopefully that will happen with GSM, too.”

The suite of applications now includes Kraken, software being released at the Black Hat security conference on Thursday that can deduce the secret key encrypting SMS messages and voice conversations in as little as 30 seconds. It was developed by Frank A. Stevenson, the same Norwegian programmer who almost a decade ago developed software that cracked the CSS encryption scheme protecting DVDs.

GSM insecurity is largely the result of widely known weaknesses in A5/1, the algorithm used to decrypt calls in most of the developed world. Years ago, mobile operators devised A5/3, which requires some quintillion more mathematical operations to be cracked. It has yet to be adopted as mobile operators fret that the change will be expensive and won’t work on older handsets. Many countries continue to use A5/0, which uses no meaningful encryption at all.

July 30, 2010 | eavesdrop, encryption, phone tap, privacy, security, tap, technology, wireless

Privacy concerns at Defcon

From Chris Paget’s Blog:

I’m planning to give a pretty spectacular demonstration of cellphone insecurity at Defcon, where I will intercept the cellular phone calls of the audience without any action required on their part. As you can imagine, intercepting cellphone calls is a Very Big Deal so I wanted to announce at least some of the plan to reassure everyone of their privacy.

First and foremost – I’m not just making this stuff up. I know when to get advice from a good lawyer, and in this case I’m taking the advice of the very best there is: the EFF. They’ve been kind enough to offer their help and I’m taking it – this is what we’ve worked out.

1. If you’re in an area where your cellphone calls might be intercepted, there will be prominent warning signs about the demo including the time and date as well as a URL for more info. This will be the only time when unknown handsets will be allowed to connect; at all other times only pre-registered handsets will be granted access. You will be clearly warned that by using your cellphone during the demo you are consenting to the interception, and that you should turn your cellphone off during that time if you do not consent. A recorded message with essentially the same info will also be played whenever a call is made from the demo network.

July 27, 2010 | cellular phone, encryption, illegal, mobile, phone tap, privacy, security, tap, technology, wireless

Sigillu Contact Us Page

July 23, 2010 | Android, BlackBerry, bugging devices, Canada, cellular phone, contraespionaje, correo electronico, countersurveillance, criptografia, dispositivos de escucha, eavesdrop, email, encryption, escuchas telefonicas, espionage, espionaje, ilegal, illegal, inalambrico, intercepcion, Iphone, mensajes de texto, mobile, Nextel, Nokia, PBX, phone tap, privacidad, privacy, security, seguridad, Skype, SMS, spy, surveillance, tap, technology, tecnologia, telefonia celular, text message, USA, Windows, Windows Mobile, wireless, wiretap

On iPhone, beware of that AT&T Wi-Fi hot spot

cnet – A security researcher has discovered that any wireless network can pretend to be an AT&T Wi-Fi hot spot and thus lure unsuspecting iPhone users to an untrusted network connection.

Samy Kamkar, who created a worm that garnered him a million friends on MySpace overnight in 2005, said in an interview this week that he can hijack any iPhone within Wi-Fi range in what is often dubbed a “man-in-the-middle” attack because of the way the devices are configured to recognize AT&T Wi-Fi connections merely by the name “attwifi.”

Typically, an iPhone will look for a specific MAC address–the unique identifier for the router–to verify that the wireless network is a device a user agreed to join previously. However, if the iPhone has previously connected to any one of the numerous free AT&T Wi-Fi hot spots (offered at virtually every Starbucks in the U.S., for example) the device will ignore what the MAC address says and simply connect to the network if it has “AT&T Wifi” attached, Kamkar said.

“The iPhone joins the network by name with no other form of authentication,” he said.

Kamkar said he made this discovery recently when he was at a Starbucks and disconnected from the AT&T Wi-Fi network.

“I went into the settings to disconnect and the prompt was different from normal,” he said. “I went home and had my computer pretend to be an AT&T hot spot just by the name and my iPhone continued to connect to it. I saw one or two other iPhones hop onto the network, too, going through my laptop computer. I could redirect them, steal credentials as they go to Web sites,” among other stealth moves, if he had wanted to.

To prove that a hijack is possible, Kamkar wrote a program that displays messages and can make other modifications when someone is attempting to use the Google Maps program on an iPhone that has been intercepted. He will be releasing his hijacking program via his Twitter account: http://twitter.com/samykamkar.

Kamkar hasn’t attempted the hijack on an iPod Touch, but plans to determine whether it has the same vulnerability.

iPhone users can protect themselves by disabling their Wi-Fi, or they can turn off the automatic joining of the AT&T Wi-Fi network, but only if the device is within range of an existing AT&T hot spot, Kamkar said.

Asked for comment, an Apple spokeswoman said: “iPhone performs properly as a Wi-Fi device to automatically join known networks. Customers can also choose to select to ‘Forget This Network’ after using a hot spot so the iPhone doesn’t join another network of the same name automatically.”

Kamkar, an independent researcher based in Los Angeles, first made a name for himself by launching what was called the “Samy” worm on MySpace in order to see how quickly he could get friends on the social-networking site. The cross-site scripting (XSS) worm displayed the words “Samy is my hero” on a victim’s profile and when others viewed the page they were infected.

He served three years of probation under a plea agreement reached in early 2007 for releasing the worm.

Source: cnet
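
The join behaviour described in this article, modelled as an added example (not code from the article, from Kamkar, or from Apple): a name-only auto-join rule beside one that also checks the access point's MAC address (BSSID) and security type, run over constructed scan records. The profile fields, function names and sample BSSIDs are assumptions made for the illustration.

```python
"""Model of Wi-Fi auto-join decisions: SSID-only matching vs. a pinned BSSID.

Added illustration; the saved profiles and scan records are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # MAC address advertised by the access point
    security: str    # "open", "wpa2-psk", ...


@dataclass
class SavedNetwork:
    ssid: str
    security: str
    auto_join: bool = True
    known_bssids: set = field(default_factory=set)  # APs the user really joined


def normalize_bssid(bssid):
    """Lower-case, colon-separated form so comparisons are not format-sensitive."""
    return bssid.strip().lower().replace("-", ":")


def joins_by_name_only(profile, beacon):
    """Behaviour the article describes for "attwifi": the SSID alone decides."""
    return profile.auto_join and beacon.ssid == profile.ssid


def joins_with_pinning(profile, beacon):
    """Stricter rule: SSID, security type and a previously seen BSSID must match."""
    known = {normalize_bssid(b) for b in profile.known_bssids}
    return (
        profile.auto_join
        and beacon.ssid == profile.ssid
        and beacon.security == profile.security
        and normalize_bssid(beacon.bssid) in known
    )


def audit_scan(profiles, beacons):
    """List beacons a name-only client would join but a pinned client would not."""
    by_ssid = {p.ssid: p for p in profiles}
    findings = []
    for b in beacons:
        profile = by_ssid.get(b.ssid)
        if profile is None:
            continue  # no saved profile, so nothing joins automatically
        if joins_by_name_only(profile, b) and not joins_with_pinning(profile, b):
            reason = ("security downgrade" if b.security != profile.security
                      else "unknown BSSID")
            findings.append((b.ssid, normalize_bssid(b.bssid), reason))
    return findings


def risky_profiles(profiles):
    """Saved open networks left on auto-join: candidates for 'Forget This Network'."""
    return [p.ssid for p in profiles if p.security == "open" and p.auto_join]


# Constructed sample data (locally administered MAC addresses).
SAMPLE_PROFILES = [
    SavedNetwork("attwifi", "open", True, {"02:00:00:aa:bb:01"}),
    SavedNetwork("home-lan", "wpa2-psk", True, {"02:00:00:cc:dd:01"}),
]
SAMPLE_SCAN = [
    Beacon("attwifi", "02:00:00:AA:BB:01", "open"),     # hotspot joined before
    Beacon("attwifi", "02:00:00:11:22:33", "open"),     # same name, different AP
    Beacon("home-lan", "02:00:00:cc:dd:01", "open"),    # known AP, weaker security
    Beacon("cafe-guest", "02:00:00:44:55:66", "open"),  # never saved
]

if __name__ == "__main__":
    for ssid, bssid, reason in audit_scan(SAMPLE_PROFILES, SAMPLE_SCAN):
        print(f"{ssid} via {bssid}: {reason}")
    print("open auto-join profiles:", risky_profiles(SAMPLE_PROFILES))
```

A BSSID is not a secret and can be copied, so pinning narrows exposure rather than authenticating the hot spot; on an open network the traffic itself still needs TLS or a VPN.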

June 22, 2010 | bugging devices, cellular phone, countersurveillance, eavesdrop, email, encryption, English, espionage, illegal, mobile, phone tap, privacy, security, spy, surveillance, tap, technology, text message, USA, wireless, wiretap

Hacker Unleashes BlackBerry Spyware

Proof-of-concept demonstrates ease with which mobile spyware can be created to pilfer text messages and email, eavesdrop, and track victim’s physical location via smartphone’s GPS.

Tyler Shields, senior researcher for Veracode’s Research Lab, also released proof-of-concept source code for a spyware app he created and demonstrated at the hacker confab in Washington, D.C., that forces the victim’s BlackBerry to hand over its contacts and messages. The app also can grab text messages, listen in on the victim, as well as track his physical location via the phone’s GPS. The spyware sits on the victim’s smartphone, and an attacker can remotely use the app to dump the user’s contact list, email inbox, and SMS message. It even keeps the attacker updated on new contacts the victim adds to his contact list. “This is a proof-of-concept to demonstrate how mobile spyware and applications for malicious behavior are trivial to write just by using the APIs of the mobile OS itself,” Shields says.

Smartphones are expected to become the next big target as they get more functionality and applications, yet remain notoriously unprotected, with only 23 percent of its users deploying security on these devices. And smartphone vendors for the most part have been lax in how they vet applications written for their products, security experts say.

“Personal information is traveling from the PC to the smartphone. The same data they are attacking on the PC is now on a lower-security form factor where security is less mature,” Shields says. “It makes sense that [attackers] will follow the money to that new device.”

His spyware app, TXSBBSpy, could be plugged into an innocuous-looking video game or other application that a user would download. Then the bad guys could harvest contacts they could sell for spamming purposes, for instance, he says. Although Shields’ spyware app is only a blueprint for writing a spyware app, writing one of these apps is simple, he says.

“If we try to tell ourselves that the bad guys don’t already know how to do this, we’re lying. This is trivial to create,” he says. Shields has posted a video demo of his BlackBerry spyware tool.

Indeed, smartphone apps were a hot topic last week: A researcher at Black Hat DC demonstrated his own spyware app for iPhones, SpyPhone, which can harvest email addresses as well as information from the user’s Safari searches and his or her keyboard cache. Nicolas Seriot, a software engineer and scientific collaborator at the Swiss University of Applied Sciences, says Apple iPhone’s review process for apps doesn’t stop these types of malicious apps from being downloaded to iPhone users.

Veracode’s Shields says app stores such as BlackBerry’s, where users download free or fee-based applications for their phones, can be misleading to users. “The app store makes the problem worse by giving customers a sense of security, so they don’t necessarily screen for this ‘trust’ button,” Shields says.

The problem is that mobile spyware is “trivial” to create, and the security model of most mobile platforms is inadequate because no one uses the security features and sandboxing methods that protect user data, he says.

Shields recommends that enterprises using BlackBerry Enterprise Server set policies that restrict users from downloading third-party applications or whitelist the ones that are vetted and acceptable.

Users can also configure their default app permissions so that when an app tries to access a user’s email or contact list, the OS prompts the user for permission. Shields says to avoid setting an app to “trusted application status.”

As for app store owners like BlackBerry AppWorld, Apple iTunes, and Google Android Marketplace, Shields recommends the vendors check the security of all applications in these stores. That way, apps would undergo a rigorous vetting process before they hit the stores. “Some are [doing this], but I’m not sure to what degree,” he says. “Regardless of what they are catching or not, they are not telling us what they are looking for.”

Shields’ TXSBBSpy spyware, meanwhile, isn’t the first such tool for the BlackBerry. There’s the controversial tool FlexiSPY, aimed at tracking employees, children, or cheating spouses, but considered by anti-malware companies as malicious code. And there has been at least one documented case of a major spyware infiltration on the BlackBerry: Users in the United Arab Emirates last year were sent a spyware-laden update to their BlackBerrys on the Etisalat network.

June 22, 2010 | bugging devices, cellular phone, countersurveillance, eavesdrop, email, encryption, English, espionage, illegal, mobile, phone tap, privacy, security, spy, surveillance, tap, technology, text message, Uncategorized, USA, wireless, wiretap

Legal spying via the cell phone system

Two researchers say they have found a way to exploit weaknesses in the mobile telecom system to legally spy on people by figuring out the private cell phone number of anyone they want, tracking their whereabouts, and listening to their voice mail.
Independent security researcher Nick DePetrillo and Don Bailey, a security consultant with iSec Partners, planned to provide details in a talk entitled “We Found Carmen San Diego” at the Source Boston security conference on Wednesday.
“There are a lot of fragile eggs in the telecom industry and they can be broken,” Bailey said in an interview with CNET. “We assume the telecom industry protects our privacy. But we’ve been able to crack the eggs and piece them together.”
The first part of the operation involves getting a target’s cell phone number from a public database that links names to numbers for caller ID purposes. DePetrillo used open-source PBX software to spoof the outgoing caller ID and then automated phone calls to himself, triggering the system to force a name lookup.
“We log that information and associate it with a phone number in a (caller ID) database,” DePetrillo said. “We created software that iterates through these numbers and can crawl the entire phone database in the U.S. within a couple of weeks… We have done whole cities and pulled thousands of records.”
“It’s not illegal, nor is it a breach of terms of service,” Bailey said.
Next up is matching the phone number with a geographic location. The SS7 (Signaling System) public switched network routes calls around the world and uses what’s called the Home Location Register to log the whereabouts of numbers so networks can hand calls off to one another, DePetrillo said. Individual phones are registered to mobile switching centers within specific geographic regions and they are logged in to that main register, he said.
Only telecom providers are supposed to have access to the location register, but small telcos in the EU are offering online access to it for a fee, mostly to companies using it for marketing data and cost projections, according to DePetrillo.
“Using previous research on the subject as a starting point, we’ve developed a way to map these mobile switching center numbers to caller ID information to determine what city and even what part of a city a phone number is in” at any given moment, he said. “I can watch a phone number travel to different mobile switching centers. If I know your phone number, I can track your whereabouts globally.”
For instance, the researchers were able to track a German journalist talking to a confidential informant in Serbia and follow his travels back to Germany, as well as obtain the informant’s phone number, Bailey said.
Bailey said he had contacted telecom providers with the information on how industry outsiders were able to get to information believed to be privileged to the providers, but said the hands of GSM providers in the U.S. are tied.
“The attack is based on the assumption of how the networks work worldwide,” he said. “For interoperability and peer sake, the larger providers in the U.S. have to hand out the information to other providers.”
Asked what cell phone users can do to protect themselves, Bailey said, “people are just going to have to be made aware of the threat.”
It’s also relatively easy to access other people’s voice mail, a service that’s been around for years from providers like SlyDial. They operate by making two nearly simultaneous calls to a target number, one of which disconnects before it is picked up and another that goes straight into voice mail because of the earlier call. This enables the caller to go directly to voice mail without the phone ringing. DePetrillo and Bailey re-created that functionality for purposes of their legal spying scenario.
“If I want to find Brad Pitt, I find his number using the caller ID database, use Home Location Register access to figure out what provider he has. T-Mobile is vulnerable to voice mail spoofing so I get into his voice mail and listen to his messages,” said DePetrillo. “But I can also have the system tell me the numbers of the callers and I can take those numbers and look them up in the caller ID database and use the Home Location Register system to find their providers and break into their voice mail, and so on.”
This can allow someone to make a social web of people, their cell numbers, the context of their voice mail, and their relationships to others, he said.
“These attack scenarios are applicable to corporations and individual users alike,” DePetrillo said. “Corporations specifically should start to take a look at their security policies for executives as this can impact a business very hard, with insider trading, tracking of executives, etc.”

May 13, 2010 | bugging devices, cellular phone, countersurveillance, eavesdrop, encryption, English, illegal, mobile, phone tap, privacy, security, spy, surveillance, tap, technology, text message, Uncategorized, wireless, wiretap

Sigillu Banner

March 19, 2010 | APAC, Argentina, BlackBerry, Bolivia, Brazil, bugging devices, Canada, Caribbean, cellular phone, Central America, Chile, Colombia, contraespionaje, correo electronico, countersurveillance, criptografia, dispositivos de escucha, eavesdrop, Ecuador, email, EMEA, encryption, escuchas telefonicas, espionage, espionaje, ilegal, illegal, inalambrico, intercepcion, Iphone, Israel, mensajes de texto, Mexico, mobile, Nextel, Nokia, Paraguay, Peru, phone tap, privacidad, privacy, security, seguridad, Skype, spy, surveillance, tap, technology, tecnologia, telefonia celular, text message, Uruguay, USA, Venezuela, Windows, Windows Mobile, wireless, wiretap

Carrier specific APN/TCP settings

BlackBerry TCP/IP Configuration Success Reports

credit – Mark Rejhon and bfrye
Nextel/Telus – iDEN – Has TCP/IP

No APN/TCP settings required on iDEN units including 65XX, 75XX and 7100i. They are special because they are iDEN and more native TCP/IP. After a new BlackBerry activation, you may need to wait 2 business days before third party Internet software such as VeriChat works. In the past, it was necessary to call Nextel to order the static IP address option (about $4/month), but now a static IP address appears to be included with BlackBerries by default.
Rogers – Has TCP/IP

Go to Options->TCP

APN: internet.com

Username/password is blank

Note: If this does not work, call Rogers and get the “internet.com Access Point Name” added to your account. If they say it already exists, tell them to load up the records anyway, just to doublecheck.
T-Mobile – Has TCP/IP

Go to Options->TCP (or Tools->TCP)

APN: wap.voicestream.com

Username: (blank)

Password: (blank)

Note: T-Mobile has fixed the port-blocking issue – see this post for more info. In rare cases, it is reported you may need to enter your T-Mobile username and password, the same information used for logging into http://www.t-mobile.com/bwc … If it still does not work properly, just call T-Mobile (call after February 11th, 2005), and ask them to get the “wap.voicestream.com Internet Access Point Name” added to your BlackBerry account at no extra charge.
Cingular Orange – Has TCP/IP

Go to Options->TCP

APN: wap.cingular

Username: wap@cingulargprs.com

Password: CINGULAR1

Formerly, it used to be difficult to get this to work on Cingular but in December 2005, a new Internet Browser Icon suddenly appeared on Cingular BlackBerry units. When this happened, it also suddenly became easier to use Cingular BlackBerry with TCP/IP. If you are still having problems, please click here.

Reports from contact with Cingular (now AT&T) Blackberry support are that due to an October 2007 change in the system settings, many users will no longer need to use the wap.cingular settings. Blackberry users can now purportedly bypass the AT&T proxy that the wap.cingular setup required and can now have direct access using isp.cingular settings. Try the following settings:

Go to Settings->Advanced Options->TCP

APN: isp.cingular

Username: (leave blank)

Password: (leave blank)
Cingular Blue – Has TCP/IP

Go to Options->TCP

APN: proxy

Username: (blank)

Password: (blank)

Try using these settings if you are on the former AT&T network, instead of the Cingular settings.
Verizon – Has TCP/IP

Newer models including 7250 and 7130 now have a TCP/IP stack; no configuration is needed. Many third party Internet applications work out of the box on them! However, the older 6750 and 7750 models will NOT work with TCP/IP.
Telus – CDMA – Has Partial TCP/IP

Recently, in late 2005, this feature got activated on newer Telus units. Newer models including 7250 now have a TCP/IP stack; no configuration is needed. However, there seems to be blocking for certain applications such as IM. Several third party Internet applications work out of the box on them! However, the older 6750 and 7750 models will NOT work with TCP/IP.
Bell Mobility – Does NOT Work; Need MDS hosting

Unfortunately, none of the Bell Mobility BlackBerries have a TCP/IP stack enabled. Not even the 7250. A future BlackBerryOS may fix this, or Bell Mobility might enable the feature in the future. No timeline known. For now, get BES/MDS Hosting in order to make 3rd party Internet applications work. (Note: Some applications such as IM+ will work on Bell Mobility if configured using the WAP/gateway/APN settings listed below. See this post)
Sprint – Unknown; Might Work

Unknown. There is enough TCP/IP functionality in BlackBerryOS 4.0.0.204 or later, for software such as Verichat and Berry411 to work. This BlackBerryOS is preinstalled on the model 7250. Some software such as Reqwireless Emailviewer will require you to input gateway IP address information (See below). For the best TCP/IP support, you must use BES/MDS. You will need to pay $10 to $25 extra per month for BES/MDS Hosting in order to gain access to the Internet and TCP/IP software.
Other Carriers – Might Work

This is a list posted by a wonderful forum member bfrye on BlackBerryForums.com … In addition to this list, there is also another list of alternate APNs on the Internet. You may have to telephone your carrier to tell them to get the Access Point Name (APN) added to your BlackBerry mobile phone account. Here are the most common APNs, although they can change over time:

AT&T

Gateway IP: 10.250.250.250

Port: 9201

APN: proxy

Bell Mobility

Gateway IP: 207.236.197.199

Port: 9203

APN: internet.com

Cincinnati Bell

Gateway IP: 216.68.79.199

Port: 9201

APN: wap.gocbw.com

username: cbw

Cingular (modem compatible)

Gateway IP: ?

Port: ?

APN: isp.cingular

Username:

Password: CINGULAR1

Cingular

Gateway IP: ?

Port: ?

APN: wap.cingular

Username: wap@cingulargprs.com

Password: CINGULAR1

Cingular

Gateway IP: 66.209.11.61

Port: 9203

APN: blackberry.net
Dobson

APN: cellular1wap

O2 (Germany)

Gateway IP: 195.182.114.52

Port: 9201

APN: wap.viaginterkorn.de

O2 (Holland)

Gateway IP: 193.113.200.195

Port: 9201

APN: internet

O2 (Ireland)

Gateway IP: 192.168.90.74

Port: 9201

APN: wap.dol.ie

username: gprs

password: gprs

O2 (UK)

Gateway IP: 192.113.200.195

Port: 9201

APN: wap.o2.co.uk

username: o2wap

password: password

Rogers

Gateway IP: 208.200.67.150

Port: 9201

APN: blackberry.net
T-Mobile (Czech)

Gateway: ?

Port: ?

APN: internet.t-mobile.cz
T-Mobile (UK) 1

Gateway IP: 149.254.1.10

Port: 9201

APN: general.t-mobile.uk
T-Mobile (UK) 2

Gateway IP: 140.254.1.0

Port: 9201

APN: blackberry.net
T-Mobile (Germany)

Gateway IP: 193.254.160.2

Port: 9201

APN: wap.t-dl.de
T-Mobile (US)

Gateway IP: 216.155.165.50

Port: 9201

APN: wap.voicestream.com
T-Mobile (US)

Gateway IP: ?

Port: ?

APN: internet2.voicestream.com
Telcel

APN: internet.itelcel.com

Username: webgprs

Password: webgrps2002

NOTE: If you have a Blackberry Pearl with Telcel and you add this APN, you _will_ get charged for GPRS data transfer (at $0.12/kb). Even if you are paying for BlackBerry Internet Service ($299+IVA). I am currently trying to get this resolved with Telcel, but I suggest you leave this blank for now if you don’t want to pay more.
Telefonica Movil

Gateway IP: 192.168.80.21

Port: 9201

APN: wap.movistar.es
Telstra

Gateway IP: 10.1.1.150

Port: 9201

APN: telstra.internet
TIM (Italy)

Gateway IP: 213.26.205.1

Port: 9201

APN: wap.tim.it
Unicel (US)

Gateway: ?

Port: ?

APN: apn.unicel.com
Verizon Alternate

Gateway IP: 12.168.70.74

Port: 9201
Verizon

Gateway IP: 153.114.115.100

Port: 9203
Vodafone (NL)

Gateway IP: 192.168.251.150

Port: 9201

APN: blackberry.vodafone.nl

username: vodafone

Password: vodafone
Vodafone (Spain)

Gateway IP: 212.73.32.10

Port: 9201

APN: airtelwap.es

username: wap@wap

password: wap125
Vodafone (UK)

Gateway IP: 212.183.137.12

Port: 9201

APN: wap.vodafone.uk

username: user@vodafone.net

password: user

February 26, 2010 | BlackBerry, technology, wireless

Carrier APN Settings

This page contains carrier APN settings, for setting up your iPhone with other carriers data services.

February 26, 2010 | BlackBerry, Iphone, technology, wireless

German hacker cracks cell phone encryption

A German engineer has broken the 64-bit encryption still used by a large number of GSM cellular networks around the globe and released his findings online in hopes of spurring tighter security. What does this really mean for most wireless phone users?

Karsten Nohl presented his work at the Chaos Communication Congress in Berlin, a 4-day conference for computer hackers. He also released his findings via BitTorrent, where they can be downloaded by anyone.

The GSM standard was originally created in 1988 using 64-bit encryption called the A5/1 privacy algorithm, though a stronger 128-bit algorithm is currently available. Nohl says that his work is intended to push carriers who haven’t upgraded into tightening their security.

Consumers increasingly rely on their mobile phones as a primary means of communication and insecure mobile networks could become a huge threat for transactions like mobile banking and commerce. Without the proper security measures, consumer information could be vulnerable to well-funded cyber criminals.

Claire Cranton of the GSM Association said, “this is theoretically possible but practically unlikely.” She continued that, “what he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.”

Cracking into a mobile operator’s network would require specialized equipment to intercept the signal and to analyze the transmissions that aren’t available to the general public. Nohl counters that open source software is available to do the signal processing if the hackers get their hands on the right equipment.

Overall this isn’t an immediate threat to anyone’s mobile privacy, though it could become one if carriers don’t upgrade their security. Cell phone users on GSM networks account for over 80 percent of the world’s 4.3 billion wireless subscribers.

In the U.S., both AT&T and T-Mobile use the GSM standard, while Verizon and Sprint use a different protocol. That accounts for about 299 million cell phone users in the United States alone.

December 29, 2009 | Canada, cellular phone, eavesdrop, encryption, English, espionage, mobile, phone tap, privacy, security, surveillance, tap, technology, USA, wireless, wiretap