Cell Phone Interception At Def Con

ChrisPaget writes "I'm planning a pretty significant demonstration of GSM insecurity at Defcon next week, where I'll intercept and record cellular calls made by my attendees, live on-stage, no user-input required. As you can imagine, intercepting cellphones is a Very Big Deal in the eyes of the law; this blog post is an attempt to reassure everyone that their privacy is being taken seriously despite the nature of the demo. I'm not just making it up either — the EFF have helped significantly with the details."

Verizon

[Anarki2004]

Does this mean Verizon will start advertising that they are CDMA?

Re:Verizon

[Shakrai]

AT&T and T-Mobile will both be CDMA once they complete the transition to UMTS.

Re:Verizon

[sznupi]

Generally it's all a clusterfuck of confusion stemming from one group choosing, for its marketing, a name of basic radio method they use...and not only them; also the group most commonly seen as "GSM association", just not in its oldest standard.

If anything, "CDMA" (in whatever form) is going out; LTE & FDMA is revving up. And considering that various "3G" technologies don't really have a universal uptake, with majority of people on 2G TDMA networks - I wouldn't be too surprised if they jump directly to LTE, at some point in the future, more often than not.

Re:Verizon

[Hylandr]

Those companies that have been struggling to push the technology that would prevent interception would have lots to gain by funding or sponsoring this demo.

Interesting times we live in...

- Dan.

Re:Verizon

[deverox]

I have it on good authority (I've worked at my fair share of cell phone operators globally) that all of the Major networks around the world will be going to LTE.. If they are on CDMA now (like Verizon) they will go straight to LET, if they are on GSM / wCDMA / UMTS they will go to LTE next..

Its not a question of if but when..

Re:Verizon

[x102output]

I have it on good authority (I've worked at my fair share of cell phone operators globally) that all of the Major networks around the world will be going to LTE.. If they are on CDMA now (like Verizon) they will go straight to LET, if they are on GSM / wCDMA / UMTS they will go to LTE next..

Its not a question of if but when..

Both parent and GP are confusing the terminology. LTE *is* UMTS.

Think of this way: There is GSM, the standard for wireless telephony all around the world. Then there was a bolt-on standard called GPRS, which basically was an add-on to GSM to allow it to support data packet delivery for web, MMS, voicemail alerts, email, etc etc. It was pretty slowwwww. The GPRS add-on, then was improved and they called it EDGE. EDGE was simply GPRS, but with enhancements to error correction and other minor tweaks. This was quite a speed boost. So you have GSM as your phone standard, and GPRS/EDGE as your data packet delivery standard sitting on top of GSM.

Now, the underlying standard that these data add-on enhancements are part of, GSM, needed a face-lift as well. So GSM was upgraded, and renamed to UMTS. UMTS is backwards compatible with GSM, and technically this is also due to them being so closely related. Just think of UMTS as GSM 2.0.

With UMTS, or a "new GSM version", came it's own set of add-on technologies for data packet delivery: HSDPA/HSUPA. Just like how GPRS/EDGE was an add-on to GSM, HSDPA/HSUPA are an add-on to UMTS. These add-ons, also use CDMA-based modulation schemes, and this is where the confusion comes into play. Verizon is a CDMA2000-based network. When people say AT&T/T-Mobile are not CDMA, they really mean it's not from the CDMA2000 (and beyond) family of standards. The GSM/UMTS family never used CDMA modulation before until HSDPA/HSUPA came along, so that's why there's confusion. Just to clarify: GSM/UMTS are not CDMA-based phone standards, but in some areas their nice slick fast data packet delivery add-on enhancements like HSDPA/HSUPA do in fact now make use of CDMA modulation. That's just the data add-on though, all basic telephony control data, phone audio, and SMS is all done the regular non-CDMA UMTS way.

Soon, HSDPA/HSUPA won't be enough. And now a new enhancement to UMTS is coming: LTE. LTE doesn't use CDMA modulation, but regardless of how it works or what modulation it does use, it is STILL a data packet add-on to the UMTS standard. It is NOT a replacement to UMTS. Verizon is the one finally switching to UMTS, and this most likely means Verizon phones will finally use SIM cards now (since UMTS requires it, being that it's really just a newer version of GSM). Think of it this way, Verizon finally realized the dead-end to their standards, and since the GSM/UMTS guys got a new toy to add to their system (LTE), they're jumping ship and joining the rest of the freaking world in GSM/UMTS land.

Re:Verizon

[bill_mcgonigle]

LTE doesn't use CDMA modulation, but regardless of how it works or what modulation it does use, it is STILL a data packet add-on to the UMTS standard. It is NOT a replacement to UMTS. Verizon is the one finally switching to UMTS

If I understand it correctly, with Verizon on LTE, they won't actually use the UMTS part, just the LTE part, and route all voice traffic over IP. And, yeah, I forget the modulation name, but it's an advance beyond CDMA or WCDMA.

Re:Verizon

[sznupi]

Talk about confusion...

GSM part of the story is fine, not exactly with UMTS and beyond - while it was meant to & can smoothly interoperate with GSM infrastructure (and is indeed standardised by basically the same association), it doesn't depend on it. There are places with, essentially, UMTS networks which never had "classic" GSM (certainly where "GSM" phones can roam...only if they are also UMTS though, only on that access method). And it is from the beginning CDMA, WCDMA to be exact; extensions giving more bandwith didn't add that. LTE is more than them - while it will certainly coexist with UMTS networks in most cases, it also doesn't have to; down the line it can bring quite a lot of changes, of "everything is just data" kind.

Re:Verizon

[sznupi]

Yup, though I wouldn't be surprised if GSM is here to stay for a long, long time - even when many of networks throughout the world, which are now purely GSM, will go to LTE (mostly skipping UMTS, because it will simply make sense regarding infrastructure / new phones will have LTE); or even when UMTS starts to get neglected and switched off at some point. GSM just seems like a "good enough" tech, to assure wide coverage.

Will there be any GSM calls with "no user-input"?

[sznupi]

Is jamming UMTS network also planned? (yes, lots of folks still don't have handsets with UMTS; but at Defcon...)

Feds in audience

[AnonymousClown]

Reading the second link, I had this image of them capturing a Fed in the audience phoning in a report.

Isn't this the show that the "Spot the Fed" game?

Re:Feds in audience

[_Sprocket_]

[Nokia ringtone]

"HELLO?! WHAT?! YEAH! I'M AT DEFCON. Yeah. Some guy is giving some demo now. No, it's rubbish. What? No. Nobody know's I'm a Fed. Right. OK. Got to go."

(Imagine that in all caps 'cause the /. filter doesn't like loud literary voice)

Re:Feds in audience

Is that why defcon attendees are unable to utilize even rudimentary tools to identify the source of a poisoned W.A.P.? Or how about the fact that they flail around with iptables when goatse is replacing all the pics on *everyone's* loading pages?

Am I trolling? Yeah. But some people do consider defcon to be detrimental at this point. HoPE at least maintains a sense of humor and is balanced by the sense that creative works without utility value may still be recognized as inherently valuable by certain observers.

Defcon is more about utility and less about spirit every year if you go by the attendees.

Then again, the best outcome for CyberCommand is an increase in quality of relationships formed between the NSA and the Hacker community now that the guv can at least front that they are separating the application from the theory. Maybe is same for Defcon - doomed to be average and evil so others can be free and good.

Just be careful

[Sycraft-fu]

It is illegal to intercept cellphone communications. Doesn't matter if it is a "security demonstration" what you call it is not relevant. You probably need waivers from everyone you plan on intercepting.

Get a lawyer who know that area of law, and not from the EFF. I like their ideals and all, but their track record is as idealists and they don't seem to do so good in terms of actual law, especially in the court.

Not saying don't give your talk, GSM security is serious and the phone companies need to get with it and fix that shit. However make sure you aren't breaking the law.

Re:Just be careful

[Facegarden]

It is illegal to intercept cellphone communications. Doesn't matter if it is a "security demonstration" what you call it is not relevant. You probably need waivers from everyone you plan on intercepting.

Get a lawyer who know that area of law, and not from the EFF. I like their ideals and all, but their track record is as idealists and they don't seem to do so good in terms of actual law, especially in the court.

Not saying don't give your talk, GSM security is serious and the phone companies need to get with it and fix that shit. However make sure you aren't breaking the law.

Yeah. Now that they've announced this to reassure everyone, they'll probably get shut down somehow. :-/
-Taylor

Re:Just be careful

[Itninja]

Are you sure just intercepting is illegal? I have had police scanners in the past that would pick up cell phone (and nearby cordless phone) conversations all time. My understanding at the time was the law was violated only if I recorded and/or distributed the information. This was years ago, so the laws may have changed....or maybe it was illegal all along and I am a huge criminal.

Re:Just be careful

[dcw3]

The Federal Communications Commission (www.fcc.gov) ruled that as of April 1994 no radio scanners may be manufactured or imported into the U.S. that can pick up frequencies used by cellular telephones, or that can be readily altered to receive such frequencies. (47 CFR Part 15.37(f)) The law rarely deters the determined eavesdropper, however.

Another federal law, the Counterfeit Access Device Law, was amended to make it illegal to use a radio scanner "knowingly and with the intent to defraud" to eavesdrop on wire or electronic communication. (18 USC 1029) Penalties for the intentional interception of cordless and cellular telephone calls range from fines to imprisonment depending on the circumstances. (18 USC 2511, 2701)

Re:Just be careful

[steelfood]

(IANAL)

The legality of interception depends on juristiction. Wiretapping laws may or may not apply, as wiretapping is usually with respect to landlines.

I think there's also an expectation of privacy in play. I wouldn't expect privacy at a black hat convention unless I crashed it while drunk thinking it was E3 or something.

If the EFF says it's ok, they've probably checked the local laws already. And, there's probably fine print in the contract that attendees have to sign that makes it all legal.

Re:Just be careful

[TomXP411]

You're almost right. You can intercept non-encrypted, non-cellular communications.

Actually, the FCC has specific laws in place regarding phone calls on cellular networks. You cannot, under any circumstances, listen in to a cell phone conversation without permission. That is why all radio scanners sold in the United States are required to block the AMPS cellular phone frequencies.

Aside from cell phones, it's legal to intercept any open transmission you can receive, as long as it's not encrypted. I would assume you need permission of one or both parties to decrypt encrypted communications.

From what I can tell, the OP is going to be using a femtocell modified base station that will basically act as a cellular tower. For the duration of the presentation, anyone within range of the base station will have their calls routed through his base station, rather than their regular cellular carrier. The legality of this is dubious, but it is a security seminar and presentation. It would be far safer (but less dramatic) if they staged the call, rather than actually pulling up the conversations of random people at the convention.

Re:Just be careful

[Skuld-Chan]

Only in America too - seriously - buy a scanner - there's a US version (that cannot tune 800 MHz freq's) and the everyone else version. Same with ham radio equipment - my Icom 706 is a special revision only sold in the US that cannot tune cell frequencies - never mind its incapable of decoding any of that stuff anyhow.

Re:Just be careful

More than just this, it is taken very seriously. All scanners have to be build not just to block the cell frequencies, but also to not be easily modifiable to intercept them (ie: the cell bands may be different or not blocked for interception in Europe, and often two radios will be sold in different countries and just have jumpers switched to disable/enable bands for transmission/reception...can't do this for scanners on cellphone frequencies. You have to have a separate model that cannot be modified in any easy way to intercept them).

This is taken pretty seriously actually.

Cordless phones, not as big of a deal, old ones were easy to pick up on scanners, modern ones use spread-spectrum technology. Police are also harder now, thanks to digitally trunked systems (see APCO-25). That said, you can still do both of these types of scanning, and do them legally provided there's no encryption.

However...cellphones once again are different. It's not too hard to build something to intercept the frequencies, but even building or owning such equipment is a federal offense. Then, when you use the equipment, that's another federal offense.

So...it'll be interesting to see if any charges as pressed here :)

Re:Just be careful

[phyrexianshaw.ca]

Illegal != people won't do it.

I'm sick and fucking tired of all the "it's illegal, so nobody would do it!" arguments.
if somebody want's to listen to a wireless broadcast, and has the means to do so, a "law" is not going to stop that person.

the point of the demo is NOT "hey, look what I can do legally!" it's a demo to show that it can be some.

when will people learn, security through obscurity doesn't work.

Re:Just be careful

[SETIGuy]

It's not just potentially illegal because you're "wiretapping" but it's actually illegal to own a radio receiver capable of receiving on the frequencies used by cell phones.

Damn! I carry a radio transceiver capable of transmitting and receiving on those frequencies in my pocket every day!

Re:Just be careful

[Shakrai]

It's also likely to be illegal under State law as well. NYS Penal Law 250.02:

A person is guilty of eavesdropping when he unlawfully engages in wiretapping, mechanical overhearing of a conversation, or intercepting or accessing of an electronic communication.

Re:Just be careful

[dgcaste]

Well, during DEFCON I will be intercepting US Postal mail to show how the chain of trust fails at the mailbox. But I'm white hat, so I should be safe from the law!

Re:Just be careful

[dcw3]

Interesting. Control of the airwaves used to be completely under the purview of the FCC, and state/local laws prohibited. That was one of the arguments used against states banning radar detectors way back. Times have changed though.

Re:Just be careful

[Shakrai]

Some of the states do ban radar detectors......

Re:Just be careful

[dcw3]

Yes, I live in one of them. I was just pointing out that that was one of the original legal arguments used against those bans...that the state had no right to prohibit them. This is similar to how some homeowners associations have attempted to regulate their members with regards to satellite dishes...they legally can't. Mine tried to do that, and found themselves on the wrong side of the law.

Re:Just be careful

[bill_mcgonigle]

This is similar to how some homeowners associations have attempted to regulate their members with regards to satellite dishes...they legally can't

That's actually pretty crummy law, with a positive benefit. Congress shouldn't be interfering with private contracts (and HOA members shouldn't be signing crummy contracts).

Iphone 4 is protected against this nonsense.

Just press lightly against the bottom left!

Re:Iphone 4 is protected against this nonsense.

[DigiShaman]

Did you just pull a HeadOn advert?

Re:Iphone 4 is protected against this nonsense.

[Pieroxy]

And you thought Steve was out of his mind... An airplane mode so readily avilable right before Defcon. Genius! He's a Genius!

Encryption is the future

[carp3_noct3m]

In this age, where more and more people and institutions are trying to control, and intercept, the flow of information, encryption is the future. Anyone with some knowledge in the area knows that LE et al have the ability to intercept all kinds of comm, emails, phone calls, etc. Just as you should automatically assume that any email you send to anyone is compromised and therefore public knowledge, the same for phone conversations. The only way around this is to encrypt if at all possible, though the demand has to rise for things to be more pragmatic and easily accessed. It is still an interesting method, but much like the internet, phone systems were not designed with security as a main priority.

Re:Encryption is the future

[houghi]

Encryption on a large scale will be forbidden, I am sure. The excuse will be terrorism and children. Together with the "If you have nothing to hide, show it."-excuse. Privacy? You don't need no stinkin' privacy.

Re:Encryption is the future

[DigitAl56K]

GSM has various encryption standards that are supposed to protect calls. But some are weak, and phones using stronger algorithms can be tricked into falling back to the weaker ones. With a fake tower you can probably turn it off completely.

The problem with encrypting cell conversations is many-fold:
* Can you rely on the GSM encryption?
* Can you trust third-party implementations?
* Even if you run an encrypted VOIP app, can you trust the handset manufacturer? (e.g. not to allow the government to steal your keys from device memory via privileged access)
* If you can trust the manufacturer, is your device security from nearby wireless attacks? There have been exploits for bluetooth and wifi stacks.
* Can someone clone your phone?
* Do you know through systems like CALEA and IP monitoring what details of your conversation will be private vs which will be public and whether that suits your needs? Data mining can probably reveal a lot about who knows who and sequences of events.
* Instead of expending the effort to break your encryption isn't it easier for someone to bug places you frequently call from?
* Can you trust the guy on the other end of the line to have been as careful as you have? If not, everything you've done to protect yourself is useless.

IMO if you have something you need to say to someone in secret a cell phone is a particularly bad way to go about it.

Re:Encryption is the future

[Shakrai]

Thankfully we have a 2nd amendment right to possess encryption ;)

Re:Encryption is the future

[guruevi]

The solution is for the end users to encrypt with their own personal keys between two trusted parties. Cell phones in most instances are already encrypted over the air (albeit weakly) as well as most WiFi connections these days. However it's the hardwired stations in between two parties that are always going to be suspect and susceptible to attack.

In this world, anyone with any type of money or any type of electronics/soldering skills and a computer can intercept any form of communication that is not encrypted end-to-end, not just law enforcement.

The sad thing is that a generic, easy-to-use public key exchange is not at all available or widely used.

Re:Encryption is the future

[mcgrew]

* Can someone clone your phone?

I'd like to be able to clone my own phone. The one I have is small enough to fit into a pocket comfortably, but I'd like to have one with a full keyboard and bigger screen, too. I saw one from my carrier at the store yesterday, but it has no SIM card. It would be nice to be able to use one or the other without doubling my phone bill, especially if I could have the same number on both phones.

Smart phone hacks?

[religious+freak]

I was planning on going to defcon (but everyone bailed on me and I don't know very many hard-core computer nerds - ugh!)... but I do wonder about smart cell phones there. I was hesitant to even bring my G1 there because as a computer it certainly can be hacked by some of the evil geniuses which inhabit that place. Is anyone else not going to bring the smart phone at all because of this - or am I just very paranoid?

I was planning on digging up an old crappy phone which basically just makes calls. (But given this article, it sounds like no matter what happens, I'd be screwed!)

Re:Smart phone hacks?

[dave562]

Just figure whatever you have will be compromised. We were snarfing ESN/MIN pairs at Defcon 1 and it hasn't slowed down since.

Re:Smart phone hacks?

[RebootKid]

I leave the hard drive out of my laptop, boot off of read-only media. I write back to flash drives for data that needs saving. I leave my phone in airplane mode. Never had a problem, but have been called "paranoid" ;)

Re:Smart phone hacks?

[RichiH]

My plan is to buy & bring a Nokia 1616 or similar to 27C3 for exactly that reason.

It's cheap enough that tossing it away after using it there and/or keeping it as a dedicated conference phone won't hurt me.

Re:Why ask slashdot on legal advice.

[religious+freak]

Evidently, you haven't been to too many attorneys because those are the same exact responses you would get from them! Though they'd use bigger words and charge you $350 for an opinion.

oooh boy

[Lord+Ender]

For fear of wifi trickery, I decided to bring an iPad 3G to defcon. I was to use the 3G connection exclusively while there. Oops.

Re:oooh boy

[RichiH]

Use Wi-Fi, but only with OpenVPN or a SSH tunnel.

Of course, that means you will not be able to use an iPad.

Re:Why ask slashdot on legal advice.

[Yvanhoe]

It doesn't ask for advice (apparently he got some from the EFF) he is just making advertisement for his talk on /.
Which is totally on-topic if this is really what the summary says it is about.

Type of attack ..

[Idimmu+Xul]

The article suggests he's doing a MITM style attack, is he spoofing a cell tower?!

Re:Type of attack ..

[cheros]

is he spoofing a cell tower

Yup, but without the altitude :-). What I'm more interested in is how one defends against that. What can be done to make cellphone calls more secure.

Re:Type of attack ..

[HumanEmulator]

It sounds like he's going to use a modified Femtocell. Since you can actually go out and buy these and they route phone calls over public networks, there any many potential points of attack. Considering if someone wants to listen to your cell phone calls and asks ATT nicely ATT will happily given them a room, or anybody with a radio scanner can listen to cordless phone calls and WiFi WPA2 has been cracked in several different ways, no one should be assuming privacy on anything wireless.

Re:Type of attack ..

[RichiH]

I saw the talk at 26c3, though unfortunately, they could not whip up a demo system for Fosdem.

Creating their own femto-cells has been done time and time again, as is the case for decrypting saved frequency dumps.

As far as I understand things, this is the first time that they want to decrypt intercepted phone calls live and in real-time.

Faraday cage?

[maxrate]

Is there anyway to setup a faraday cage with a cell phone inside it with some passive antenna repeater? That way you could isolate the testing to a small group of phones. Just an idea.

Love that Patriot Act! So moist!

[DominatorDan]

So, for the NSA to listen in on all cell conversations with Echelon is ok under the Patriot Act, but its not ok for the average citizen....? Gotta love Amerika!

Re:Love that Patriot Act! So moist!

[Locke2005]

It's perfectly legal for the cops to photograph you in order to issue traffic citations, but if you photograph the cops doing their job, you are hauled in for "interfering with arrest". Likewise, they can have audio/videotape recorders in their squad cars (with tapes that are conveniently "lost" when they are accused of wrongdoing), but if you put a videocamera on your helmet, you are illegally wiretapping them.

Doubt it

[downhole]

Somehow, I doubt that anyone will ever be able to implement encryption that is actually secure while being used by large segments of the population that really don't care that much. The only people who use high-quality encryption for pretty much any kind of communications are paranoid/curious geeks and people who have (or think they have) very good reasons for keeping their communications secret, e.g. some criminals, spies, the military, etc, and I don't expect that to change anytime soon. The best we're likely to get is a system where the messages are encrypted over the air with a key that the carrier or some other central authority has, which will readily give the Government whatever it asks for, and probably won't be too hard to hack for anyone really motivated anyways. AFAIK, that's pretty much what we have now.

And the point is?

[couchslug]

What's the point of mooning the Man (unless that IS the point) when you could publish the information offshore without attribution?

Analog "encryption"

[ben_kelley]

Pffft! Such interception is easily defeated with complex analog encryption strategies such as Arp Language.

Navy boys ?

[johnjones]

they have been listening to you all for a while

Somebody call 911!!

[Cathoderoytube]

From the blog post...

"It is unlikely that any 911 service can be provided, however a best effort will be made to connect any emergency calls to a suitable local destination."

Well let's hope your best effort doesn't result in someone's death. That generally doesn't bode well for tech demos.

Try reading the article first

[cheros]

Wow, violence. Yeah, that will solve everything. Did you actually read any part of the articles linked?

First off, the area will be marked, secondly it's announced and thirdly you should expect stuff like this to happen at a hacker conference. If you can't handle that, stay away. This is demonstrated to provide proof of a flaw so it can be addressed.

I can remember the last Access All Areas in London where people wandered in off the street and started checking their email on the computers we had installed there. I mean, how dumb can you get?

Re:Try reading the article first

[Unequivocal]

Yeah really. And what about those basement hotel conferences where there is NO cell phone reception at all. The perils!

Jeez - GP should lighten up. Thanks for setting him straight.

Re:You should be pleased I'm not there...

[RichiH]

Tough words from a tough guy. On the other hand, if you enter a talk with a big fat tagline of "we will now intercept your calls", it might make sense to either avoid that or live with it.

That's not as much fun as armchair-bullying from your mom's basement, though ;)

Re:Will there be any GSM calls with "no user-input

[deverox]

You can set your phone to GSM only.. (which lots of people do as it increases battery life and generally gives a better call quality) .. Or just put a few phones doing data connections on UMTS at the time of the demo.. It will take up most of the connection (used to be max of 7 per cell).. then everyone else will be diverted to GSM

Re:Will there be any GSM calls with "no user-input

[sznupi]

...hence not with "no user-input", requiring deviation from defaults.

Few data connections? It's primarily a telephony network, with QoS geared heavily towards that goal.

Re:You should be pleased I'm not there...

[mcgrew]

I would hope you had bail money in your pocket for the battery charge, and a good lawyer when they sued you for medical damages. Plus whatever the anger management classes the judge would order you to take after you paid your fine (or served your jail time).

As Isaac Asimov's Salvor Hardin said in the Foundation, "Violence is the last refuge of the incompetent."

Re:You should be pleased I'm not there...

[pandrijeczko]

Actually, I am not a violent person but my strong comments were meant to illustrate my disdain at no-hopers searching for a bit of fame by using Slashdot as an advertising platform for some boring little talk they're doing at a computer show somewhere.

People like me, who just get on and do their security work without bragging to the rest of the world about it, are the ones with skills - anyone can stand in front of a bunch of salivating muppets and perform magic tricks.

@Chris Paget

[radialblur]

Foon you kill me man.. shout me, been a long time! :D