GSM Phone Hack FAQ: What You Should Know
By Tony Bradley, PC World
A researcher at the Def Con security conference in Las Vegas demonstrated that he couldimpersonate a GSM cell tower and intercept mobile phone calls using only $1500 worth of equipment. The cost-effective solution brings mobile phone snooping to the masses, and raises some concerns for mobile phone security.
How does the GSM snooping work?
Chris Paget was able to patch together an IMSI (International Mobile Identity Subscriber) catcher device for about $1500. The IMSI catcher can be configured to impersonate a tower from a specific carrier. To GSM-based cell phones in the immediate area–the spoofed cell tower appears to be the strongest signal, so the devices connect to it, enabling the fake tower to intercept outbound calls from the cell phone.
What happens to the calls?
Calls are intercepted, but can be routed to the intended recipient so the attacker can listen in on, and/or record the conversation. To the real carrier, the cell phone appears to no longer be connected to the network, so inbound calls go directly to voicemail. Paget did clarify, though, that it’s possible for an attacker to impersonate the intercepted device to the wireless network, enabling inbound calls to be intercepted as well.
But, aren’t my calls encrypted?
Generally speaking, yes. However, the hacked IMSI catcher can simply turn the encryption off. According to Paget, the GSM standard specifies that users should be warned when encryption is disabled, but that is not the case for most cell phones. Paget explained “Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers.”
What wireless provider networks are affected?
Good news for Sprint and Verizon customers–those networks use CDMA technology rather than GSM, so cell phones on the Sprint or Verizon networks would not connect to a spoofed GSM tower. However, AT&T and T-Mobile–as well as most major carriers outside of the United States–rely on GSM.
Does 3G protect me from this hack?
This IMSI catcher hack will not work on 3G, but Paget explained that the 3G network could be knocked offline with a noise generator and an amplifier–equipment that Paget acquired for less than $1000. With the 3G network out of the way, most cell phones will revert to 2G to find a viable signal to connect to.
Should I be worried that my mobile phone calls are being tapped?
Yes and no. The hack demonstration at Def Con proves it can be done, but it doesn’t mean that it’s in widespread use. $1500 is a relatively low investment, but it’s still enough to be out of range of most casual hackers that just want to experiment.
Now that the information is out there, though, hackers with the financial resources to put the IMSI catcher together could start intercepting calls. But, as noted earlier–if you are a Sprint or Verizon customer you don’t need to worry.
If you are on a GSM network like AT&T and T-Mobile, though, it is possible that an attacker could intercept and record your calls. The range of the IMSI catcher is relatively small, so the odds of your phone connecting to a random IMSI catcher are almost negligible, and it would only be an issue as long as you stayed in close proximity to the IMSI catcher.
However, if a user is specifically targeted, the rogue GSM tower could be an effective means of intercepting calls. The IMSI catcher could be used by corporate spies to target specific high profile individuals in a company to gain corporate secrets or other sensitive information.
Radio Interview about Gold Lock Hacker Challenge
Gold Lock is proud to announce that Douglas Haskins, Channel Manager-North America, is scheduled to be interviewed by Federal News Radio AM1500 in Washington, DC, Monday 12/14/09 at 8:30am (eastern time). Federal News Radio contacted Gold Lock to schedule the radio interview to discuss the Gold Lock Hacker Challenge: a $250,00o prize to anyone who can hack a 10 minute encrypted conversation.
Would be hackers are free to use any tools or technology at their disposal. This contest is open to anyone, anywhere, unless your participation is specifically prohibited by law.
Hackers have until 12:00 AM (GMT/UTC + 02:00 hours) on February 1st 2010 to provide us with the transcript. Read the contest rules for complete details and restrictions. Be sure to complete the entry form on that page before you start trying to grab the gold.
Socialite Charged with Hacking Voice Mail
(CBS) Most of us carry a cell phone to stay in touch. But, as CBS News Science and Technology correspondent Daniel Siebergreports, you might be surprised to learn just how easy it is to violate your privacy or even trick you.
A high-profile publicist is accused of hacking into the voice mail of some other women, including one who dated her ex-boyfriend.
Former Dolce & Gabbana publicist Ali Wise is accused of hacking into the voice mail of a romantic rival after the woman started dating Wise’s ex-boyfriend.
Wise used free software called “SpoofCard” to gain access to the voice mails. The program also lets you disguise your voice and make it appear as though you’re calling from a different number.
Wise’s lawyer, Ed Kratt, told CBS: “SpoofCard is readily available on the Internet to anybody who wants to use it. One of the issues is whether Ali realized what she was doing was unlawful and the answer to that is clearly she did not.”
Celebrities have also been tempted by SpoofCard; one case involved Lindsay Lohan.
“A few years back, Paris Hilton was using our technology to access a whole bunch of Hollywood celebrity’s voicemail, including Lindsay Lohan, and we had to terminate her account for misusing it,” said Meir Cohen, who makes SpoofCards.
Cohen said users must sign an agreement not to use the service illegally.
“Is this encouraging people to break the law?” Sieberg asked.
“I would not say so,” Cohen responded. “I think anything can be used maliciously, but it’s all in the hands of the user.”
Wise faces up to four years in prison for felony computer trespassing and eavesdropping.
Sieberg explained that this technology allows you to trick people into thinking you are calling from another number.
To protect your voice mail from being hacked, Sieberg suggested setting up a password on your voice mail – even if you are calling from your own phone.
http://www.cbsnews.com/stories/2009/10/21/earlyshow/main5405296.shtml
Adrian Lamo knows your number
How safe is the Internet today? Do you think your own personal data is safeguarded? If you have a website, do you think it can’t be hacked? Well, if you’re Adrian Lamo, you know the answer is simple: absolutely nothing is safe.
Lamo knows this from deep personal experience. He gained his own measure of fame back in 2001 and 2002 as a computer hacker. He allegedly accessed the databases of the largest companies in the world (Bank of America, Yahoo!, McDonalds, Citigroup) and quickly racked up an impressive track record as someone who would break into a corporate system and then let the “hackee” know about it. All of this came to a screeching halt in September, 2003 when he surrendered to the FBI and was sentenced to 2 years probation for computer crimes involving Microsoft and The New York Times.
Located now in the Bay Area, Lamo is a working journalist who is frequently called upon to give speeches at security conventions and various “cybecrime” gatherings. He likes to open each appearance by giving out to everyone in attendance his own Social Security number. The message here is clear: if we think that one of the “sacred cows” of our personal data is protected on the Web, then we are all just fooling ourselves.
Credit card security? There are underground websites where stolen credit card numbers can be bought and used. Two years ago, the going price for a number was $5 per card. Today, an enterprising hacker can pick up a number for a mere 50 cents. It’s the classic case of supply and demand, and in the rapidly expanding world of Internet crime, there’s a whole lot of supply.
Lamo may soon become an ever bigger celebrity if a movie – Hackers Wanted – is ever released. The film was backed by some big names in Hollywood – Kevin Spacey’s company produced it and Spacey himself is the narrator. There’s a trailer for viewing online courtesy of the Eye Crave Network (scroll down to find the clip) but that’s all you can see. The documentary is tied up in internal squabbles that are common in the movie industry and there is no timeframe for when it will be released for viewing by a mass audience.
The film company missed a huge opportunity. Chances are good that if they released the picture over Halloween, it would be one of the most frightening films available in theaters today.
http://www.examiner.com/x-27653-SF-Technology-Examiner~y2009m11d2-Adrian-Lamo-knows-your-number
Gold Lock protects your communications
Gold Lock keeps your communications safe |
|||||||
|
|||||||
|