Hacker Builds $1,500 Cell Phone Tapping Device

We previously discussed security researcher Chris Paget's plans to demonstrate practical cell phone interception at DefCon. Paget completed his talk yesterday, and reader suraj.sun points out coverage from Wired. Quoting: "A security researcher created a $1,500 cell phone base station kit (including a laptop and two RF antennas) that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear. Most of the price is for the laptop he used to operate the system. The device tricks the phones into disabling encryption and records call details and content before they are routed on their proper way through voice-over-IP. The low-cost, home-brewed device ... mimics more expensive devices already used by intelligence and law enforcement agencies — called IMSI catchers — that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that's stronger than legitimate towers in the area. Encrypted calls are not protected from interception because the rogue tower can simply turn it off. Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed. Even though the GSM spec requires it, this is a deliberate choice of the cell phone makers, Paget said."

Some interesting and troubling points

[UnknowingFool]

The device works only on 2G GSM. While Chris Paget did not demonstrate it, he noted that he could also set up the device to block 3G signals and thus force all calls through 2G.

Re:Some interesting and troubling points

[citizenr]

GSM blocker is only $30 on dealextreme
http://www.dealextreme.com/details.dx/sku.28714

if you only screw 3G antenna it will block 2110~2170MHz leaving 930~960MHZ alone

Re:Disabled warning

No, the SIM Card disables the warning not the phone

Root cause

[cliffjumper222]

The root cause of this weakness is that whereas the 2G network can authenticate the handset (both the SIM and the ME), the handset cannot authenticate the network. It's assumed the 2G network is trustworthy, which in this case, it isn't. There's a stack load of problems with 2G (GSM) security including unilateral authentication, which leads to network impersonation; weak encryption (short keys and broken algorithms); lack of end-to-end or virtually end-to-end encryption; weak confidentiality; no data integrity algorithms; lack of visibility to the user that encryption is on, etc. A lot of these are fixed in 3G. See http://www.3gpp.org/ftp/tsg_sa/WG3_Security/_Specs/33120-300.pdf and http://www.arib.or.jp/IMT-2000/ARIB-spec/ARIB/21133-310.PDF. In this second PDF, section A.4 Hijacking of services describes this attack.

Hak5

[doronbc]

He actually gave a talk about this on Hak5. It seemed it could be accomplished using an USRP and OpenBootTS

Re:Give it a month

[Rob+the+Bold]

Your post seems to convey that people attempting to essentially illegally "wiretap" a cellphone for presumably malicious purposes are going to give half a care about FCC regulations...

I'd say something about "fail" but I think it goes without saying at this point.

Presumably, if you're interested in a "pseudo-femtocell" as poetmat mentions in the post to which the GP is replying, you're not doing it for malicious purposes so much as providing cell service somewhere that doesn't get proper coverage from the outside network. In certain buildings, certain terrain, neighborhoods with insufficient towers, that sort of thing. The sort of thing that "legitimate" femtocells are used for.

I think you have "failed" to consider that this is the application that TooMuchToDo was referring to, not wiretapping or even necessarily doing anything malicious.