Hacker Spoofs Cell Phone Tower to Intercept Calls
LAS VEGAS — A security researcher created a cell phone base station that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear.
The device tricks the phones into disabling encryption and records call details and content before they’re routed on their proper way through voice-over-IP.
The low-cost, home-brewed device, developed by researcher Chris Paget, mimics more expensive devices already used by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that’s stronger than legitimate towers in the area.
“If you have the ability to deliver a reasonably strong signal, then those around are owned,” Paget said.
Paget’s system costs only about $1,500, as opposed to several hundreds of thousands for professional products. Most of the price is for the laptop he used to operate the system.
Doing this kind of interception “used to be a million dollars, now you can do it with a thousand times less cost,” Paget said during a press conference after his attack. “If it’s $1,500, it’s just beyond the range that people can start buying them for themselves and listening in on their neighbors.”
Paget’s device captures only 2G GSM calls, making AT&T and T-Mobile calls, which use GSM, vulnerable to interception. Paget’s aim was to highlight vulnerabilities in the GSM standard that allows a rogue station to capture calls. GSM is a second-generation technology that is not as secure as 3G technology.
Encrypted calls are not protected from interception because the rogue tower can simply turn it off. Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed.
“Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers,” Paget said.
The system captures only outbound calls. Inbound calls would go directly to voicemail during the period that someone’s phone is connected to Paget’s tower.
The device could be used by corporate spies, criminals, or private investigators to intercept private calls of targets.
“Any information that goes across a cell phone you can now intercept,” he said, except data. Professional grade IMSI catchers do capture data transfers, but Paget’s system doesn’t currently do this.
His setup included two RF directional antennas about three feet long to amplify his signal in the large conference room, a laptop and open source software. The system emitted only 25 milliwatts, “a hundred times less than your average cell phone,” he said.
Paget received a call from FCC officials on Friday who raised a list of possible regulations his demonstration might violate. To get around legal concerns, he broadcast on a GSM spectrum for HAM radios, 900Mhz, which is the same frequency used by GSM phones and towers in Europe, thus avoiding possible violations of U.S. regulations.
Just turning on the antennas caused two dozen phones in the room to connect to Paget’s tower. He then set it to spoof an AT&T tower to capture calls from customers of that carrier.
“As far as your cell phones are concerned, I am now indistinguishable from AT&T,” he said. “Every AT&T cell phone in the room will gradually start handing over to my network.”
During the demonstration, only about 30 phones were actually connecting to his tower. Paget says it can take time for phones to find the signal and hand off to the tower, but there are methods for speeding up that process.
To address privacy concerns, he set up the system to deliver a recorded message to anyone who tried to make a call from the room while connected to his tower. The message disclosed that their calls were being recorded. All of the data Paget recorded was saved to a USB stick, which he destroyed after the talk.
Customers of carriers that use GSM could try to protect their calls from being intercepted in this manner by switching their phones to 3G mode if it’s an option.
But Paget said he could also capture phones using 3G by sending out jamming noise to block 3G. Phones would then switch to 2G and hook up with his rogue tower. Paget had his jammer and an amplifier on stage but declined to turn them on saying they would “probably knock out all Las Vegas cell phone systems.”
Photo: Dave Bullock
Municipal officials detained for wiretapping
…
Officials from Ankara’s Yenimahalle Municipality, governed by the Republican People’s Party (CHP), are suspected of being members of a wiretapping gang, which wiretaps phone conversations to use as blackmail. The Ankara Police Department’s public order unit detained 20 people on Saturday as part of the operation. Police also seized jammer devices, bugging devices and programs, hand grenades and two guns as well as fake police identity cards in the raids they carried out at the houses and workplaces of the suspects. The guns were sent to the criminal laboratory of the Ankara Police Department.
…
Wiretapping scandals prompt suspicions about gov’t pressure in Turkey
…
Wiretaps target judiciary
As wiretapping scandals have become almost routine in Turkey, the public perception of these incidents has created a growing climate of fear in substantial segments of the population, prompting thoughts that “everyone wiretaps each other, everyone plots against each other.”
Although most of the eavesdropping incidents are linked to the ongoing Ergenekon investigation, the frequency of leaks of private phone conservations, including secret tapings – generally to pro-government media sources – has created tension in Turkey’s already polarized political climate.
The victims of wiretapping and secret video taping include a broad range of prominent figures, from former CHP chief Deniz Baykal to Chief of General Staff Gen. İlker Başbuğ to Istanbul Chief Prosecutor Aykut Cengiz Engin, under whom the Ergenekon probe is being carried out.
The Supreme Court of Appeals and Council of State have recently claimed that their facilities had been tapped and demanded an examination of their switchboards, claims that came amid the conflict between the government and the judiciary over judicial independence and the controversial constitutional amendments.
For Emine Ülker Tarhan, the chairwoman of the Judges and Prosecutors Association, or YARSAV, such incidents are kinds of “dirty social engineering projects” carried out by dark powers trying to manipulate the public.
“Such illegal wiretaps against members of the judiciary aim to put pressure on the judiciary, which is deemed an obstacle to the government’s ambitions to change the regime,” Tarhan said. “These illegal wiretaps are constantly reported in certain pro-government media outlets with ruling government-affiliated statements.”
…
Surveillance Self Defense (From EFF’s site)
…
Easy interception. Cell phone communications are sent through the air like communications from a walkie-talkie, and encryption is usually inadequate or absent. Although there are substantial legal protections for the privacy of cell phone calls, it’s technologically straightforward to intercept cell phone calls on many cell networks without the cooperation of the carrier, and the technology to do this is only getting cheaper. Such interception without legal process could be a serious violation of privacy laws, but would be immensely difficult to detect. U.S. and foreign intelligence agencies have the technical capacity to intercept unencrypted and weakly encrypted cell phone calls on a routine basis.
…
Italy: Wiretapping Bill Advances
Prime Minister Silvio Berlusconi’s conservative government won a vote in the Senate on Thursday on a bill that restricts wiretaps and fines media organizations that report information derived from wiretaps used in criminal investigations before the case goes to trial. The bill, which now goes to the lower house for final approval, would require a three-judge panel, instead of a single judge, to approve a wiretap; limit the number of days for a wiretap; and require special authorization to listen in on priests.
Phone Eavesdropping in Vogue Again
With traditional identity theft channels now closing, fraudsters are increasingly targeting unprotected voice conversations to obtain confidential insider information, passwords and PIN codes without detection. Voice correspondence is almost always uncharted territory for business security armour under the false assumption that phone hacking is a highly sophisticated and expensive means of attack.
The days of phone fraud involving thousands of pounds of equipment and an extensive army of technology experts are long gone. Only in December it was revealed that a computer engineer had broken the algorithm used to encrypt the majority of the world’s digital mobile phone calls online, and published his method…
…
Silvio Berlusconi wiretap victory in confidence vote
…
Wiretapping is a widespread practice in Italy. Just this week it emerged that both Pope Benedict XVI and Hillary Clinton, the US secretary of state, had been inadvertently taped by Italian investigators.
They were recorded during telephone conversations with the head of Italy’s civil protection agency, Guido Bertolaso, who was being wire-tapped as part of an investigation into allegations of corruption over the awarding of contracts for the building of a venue for last year’s G8 conference.
The prime minister has insisted that police have been allowed to carry out far too many wiretaps. He has claimed that the leaking of transcripts to the media could destroy the reputation of public figures before a case had even come to trial.
…