Slashdot Mirror


Hacker Builds $1,500 Cell Phone Tapping Device

We previously discussed security researcher Chris Paget's plans to demonstrate practical cell phone interception at DefCon. Paget completed his talk yesterday, and reader suraj.sun points out coverage from Wired. Quoting: "A security researcher created a $1,500 cell phone base station kit (including a laptop and two RF antennas) that tricks cell phones into routing their outbound calls through his device, allowing someone to intercept even encrypted calls in the clear. Most of the price is for the laptop he used to operate the system. The device tricks the phones into disabling encryption and records call details and content before they are routed on their proper way through voice-over-IP. The low-cost, home-brewed device ... mimics more expensive devices already used by intelligence and law enforcement agencies — called IMSI catchers — that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that's stronger than legitimate towers in the area. Encrypted calls are not protected from interception because the rogue tower can simply turn it off. Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed. Even though the GSM spec requires it, this is a deliberate choice of the cell phone makers, Paget said."

22 of 109 comments

  1. Disabled warning by maxwell demon · · Score: 5, Interesting

    If the GSM spec does specify the warning should be there, does that mean the manufacturers are violating their GSM license when they disable that warning? Or could they be sued for false marketing because the phone you bought does not follow the GSM spec despite being called a GSM phone?

    In short: Could they be (successfully) sued for it?

    --
    The Tao of math: The numbers you can count are not the real numbers.

    1. Re:Disabled warning by Anonymous Coward · · Score: 2, Informative

      No, the SIM card disables the warning, not the phone.

    2. Re:Disabled warning by erroneus · · Score: 4, Insightful

      They would rather violate the license as they would inevitably be protected by the government(s) that demanded things be set as they are.

      A better question would be how can we turn that feature back on?

    3. Re:Disabled warning by commodore64_love · · Score: 3, Funny

      What's a SIM card? My phone doesn't appear to have one of those.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall

    4. Re:Disabled warning by Anonymous Coward · · Score: 4, Insightful

      Sheesh! Why sue? That's not the answer to everything unless you're looking for a way to make some cash, or living in a litigation-crazy country like the USA.

      How about a user-driven pressure group to force a change - after all, if someone does manage to screw big bucks out of this:

      1) It'll make some lawyers even richer.
      2) The phone companies will just pass the cost on to the customers somehow.

      Suing the ass off companies just because they don't do things the way you like is just plain crazy.

  2. Give it a month by sv_libertarian · · Score: 3, Insightful

    The government will mandate better encryption and stronger standards so they maintain their monopoly on being able to intercept phone calls.

    1. Re:Give it a month by bsDaemon · · Score: 3, Interesting

      Then there will be another 3 years of court cases and lobbying to make the government pay the cell carriers to upgrade their equipment, although much of the issue is on the phones not properly realizing they're on a bogus tower and not providing the required notification. So everyone will have to upgrade phones if they're on a GSM network.

      Of course, we'll be on iPhone 7 by the time AT&T finally concedes to the upgrade, and iPhone 10 by the time it's done, and as they're the only GSM carrier of consequence in the US, user upgrades likely won't be an issue 'cause everyone will be clamoring for it while remaining blissfully ignorant of this situation.

      But the reality of the situation is probably closer to the fact that the government will just let this whole thing slide under the assumption that the easier it is to do, the cheaper they'll be able to obtain 3rd-party products to conduct intercepts for investigations.

    2. Re:Give it a month by poetmatt · · Score: 4, Interesting

      Actually, what about the prospect of intercepting our own phone calls?

      As noted, if you can do this on a laptop and then VoIP a call, couldn't people do this at home as a pseudo-femtocell?

    3. Re:Give it a month by Rob the Bold · · Score: 3, Informative

      Your post seems to convey that people attempting to essentially illegally "wiretap" a cellphone for presumably malicious purposes are going to give half a care about FCC regulations...

      I'd say something about "fail" but I think it goes without saying at this point.

      Presumably, if you're interested in a "pseudo-femtocell" as poetmatt mentions in the post to which the GP is replying, you're not doing it for malicious purposes so much as providing cell service somewhere that doesn't get proper coverage from the outside network. In certain buildings, certain terrain, neighborhoods with insufficient towers, that sort of thing. The sort of thing that "legitimate" femtocells are used for.

      I think you have "failed" to consider that this is the application that TooMuchToDo was referring to, not wiretapping or even necessarily doing anything malicious.

      --
      I am not a crackpot.

  3. "deliberate choice" by Manip · · Score: 5, Insightful

    So wait, law enforcement uses a method of interception that would be compromised if that warning was displayed, and phone manufacturers fail to enable such a warning? Call my a conspiracy nut, but perhaps they were asked not to include such a warning for exactly that reason. It wouldn't be the first time the government has asked private industry to make it easier to snoop.

    1. Re:"deliberate choice" by hitmark · · Score: 4, Interesting

      Has GSM encryption ever been about end-to-end encryption? My understanding is that the encryption only covers the radio signal, so that someone with a radio scanner can't just grab the call out of the air. The police can get a warrant and make a call to the telco and have them set up a tap at the base station or some other convenient place.

      I suspect the message is not there more out of convenience, as the message would be popping up all the time when going between stations of various generations. Also, we seem to be confusing handset makers (Nokia, HTC, Apple etc.) with the telcos (AT&T, T-Mobile). From the summary, it's the SIM, not the phone, that says if the message should show or not. That means it's the telcos that suppress the message, not the handsets. Given the number of involved parties in the mobile phone business, it helps to place the blame where it belongs.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm

    2. Re:"deliberate choice" by Auckerman · · Score: 3, Funny

      Call my a conspiracy nut

      Not a problem, I'll get his number from the CIA.

      --
      Burn Hollywood Burn

  4. Some interesting and troubling points by UnknowingFool · · Score: 4, Informative

    The device works only on 2G GSM. While Chris Paget did not demonstrate it, he noted that he could also set up the device to block 3G signals and thus force all calls through 2G.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.

    1. Re:Some interesting and troubling points by citizenr · · Score: 3, Informative

      A GSM blocker is only $30 on dealextreme:
      http://www.dealextreme.com/details.dx/sku.28714

      If you only screw on the 3G antenna it will block 2110~2170 MHz, leaving 930~960 MHz alone.

      --
      Who logs in to gdm? Not I, said the duck.

  5. If it is the SIM card disabling the warning?? by Sigurd_Fafnersbane · · Score: 3, Insightful

    Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed. Even though the GSM spec requires it, this is a deliberate choice on the cell phone makers, Paget said."

    I am not sure I understand the above text. If it is the SIM card disabling the setting, why is this then labeled a deliberate choice by the cell phone makers?

    Also, I have seen at least on numerous Nokia mobile phones that an icon in the display notifies you, at least in some instances, when encryption is disabled. (This happens quite frequently in e.g. China.)

    1. Re:If it is the SIM card disabling the warning?? by maxwell demon · · Score: 5, Insightful

      I am not sure I understand the above text. If it is the SIM card disabling the setting, why is this then labeled a deliberate choice by the cell phone makers?

      Why can SIM cards disable the warning? Well, clearly because the cell phone allows the SIM card to disable the warning.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  6. Root cause by cliffjumper222 · · Score: 3, Informative

    The root cause of this weakness is that whereas the 2G network can authenticate the handset (both the SIM and the ME), the handset cannot authenticate the network. It's assumed the 2G network is trustworthy, which in this case, it isn't. There's a stack load of problems with 2G (GSM) security including unilateral authentication, which leads to network impersonation; weak encryption (short keys and broken algorithms); lack of end-to-end or virtually end-to-end encryption; weak confidentiality; no data integrity algorithms; lack of visibility to the user that encryption is on, etc. A lot of these are fixed in 3G. See http://www.3gpp.org/ftp/tsg_sa/WG3_Security/_Specs/33120-300.pdf and http://www.arib.or.jp/IMT-2000/ARIB-spec/ARIB/21133-310.PDF. In this second PDF, section A.4 Hijacking of services describes this attack.
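The unilateral-authentication point above, as an added toy model (not from the thread, the cited specs or Paget's work): in the 2G exchange the handset receives only RAND and has nothing to verify, so any base station passes, whereas in 3G AKA the network must send an AUTN whose MAC is computed under the shared key K, so a station without K is rejected and a replayed AUTN fails the sequence check. The SIM-controlled ciphering indicator from the summary is modelled as a simple flag. All key-derivation functions are HMAC-SHA256 stand-ins (assumption; real cards use COMP128 or Milenage), and AUTN is simplified to SQN || MAC.

```python
import hmac
import hashlib
import secrets

# Toy stand-in for the SIM/USIM functions (A3 in GSM, f1 in UMTS AKA).
# Assumption: HMAC-SHA256; real cards use COMP128 or Milenage.
def kdf(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()

# ---- 2G (GSM): unilateral authentication ----
def gsm_sres(ki: bytes, rand: bytes) -> bytes:
    """SIM answers the network's challenge; only the network verifies SRES."""
    return kdf(ki, b"A3", rand)[:4]

def gsm_handset_verifies_network(rand: bytes) -> bool:
    """The handset gets only RAND. Nothing in it is bound to a key the
    network must hold, so there is nothing to check: any base station passes."""
    return len(rand) == 16

def ciphering_indicator_shown(cipher: str, sim_allows_indicator: bool) -> bool:
    """The spec's 'no encryption' warning; the SIM can switch it off."""
    return cipher == "A5/0" and sim_allows_indicator

# ---- 3G (UMTS AKA): mutual authentication ----
def umts_network_challenge(k: bytes, sqn: int, rand: bytes) -> bytes:
    """Network sends AUTN alongside RAND; the MAC proves it knows K.
    Simplified: the real AUTN is (SQN xor AK) || AMF || MAC."""
    sqn_b = sqn.to_bytes(6, "big")
    return sqn_b + kdf(k, b"f1", sqn_b, rand)[:8]

def umts_usim_verifies_network(k: bytes, last_sqn: int, rand: bytes, autn: bytes) -> bool:
    sqn_b, mac = autn[:6], autn[6:14]
    if not hmac.compare_digest(mac, kdf(k, b"f1", sqn_b, rand)[:8]):
        return False  # MAC failure: the sender does not hold K, so it is rejected
    return int.from_bytes(sqn_b, "big") > last_sqn  # freshness: reject replayed AUTN

def demo() -> dict:
    k = secrets.token_bytes(16)        # shared secret held by USIM and home network
    rogue_k = secrets.token_bytes(16)  # an impersonating station does not have K
    rand = secrets.token_bytes(16)
    return {
        "gsm_rogue_accepted": gsm_handset_verifies_network(rand),
        "gsm_warning_sim_flag_off": ciphering_indicator_shown("A5/0", False),
        "gsm_warning_sim_flag_on": ciphering_indicator_shown("A5/0", True),
        "umts_home_accepted": umts_usim_verifies_network(k, 0, rand, umts_network_challenge(k, 1, rand)),
        "umts_rogue_accepted": umts_usim_verifies_network(k, 0, rand, umts_network_challenge(rogue_k, 1, rand)),
        "umts_replay_accepted": umts_usim_verifies_network(k, 5, rand, umts_network_challenge(k, 1, rand)),
    }
```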

  7. Hak5 by doronbc · · Score: 3, Informative

    He actually gave a talk about this on Hak5. It seemed it could be accomplished using a USRP and OpenBTS.

  8. Re:how would one reenable this warning setting by kidgenius · · Score: 3, Insightful

    Here's the easiest way....have this guy not only publish his results, but his methods too. Put the plans up for free download so anyone can follow his plans and build such a device. When hundreds (or thousands) of these devices start popping up and people are getting spied on by their fellow citizens, there will be an outrage! (silly emphasis). After that, the manufacturers may start including the warnings. Note: using one of these devices probably already violates various cyber-laws, so that threat wouldn't deter many if it's hard to be caught.

  9. Haha by X.25 · · Score: 3, Interesting

    I can't even explain how common this thing is, and how many geeks are playing with it.

    He didn't actually *build* the hardware, he purchased it - some smart people actually build these things, and hobbyists play with it.

    Why this guy felt like he had to take credit for it is beyond me.

    1. Re:Haha by Anonymous Coward · · Score: 3, Insightful

      I can't even explain how common this thing is, and how many geeks are playing with it.

      Try using a car analogy.

      Why this guy felt like he had to take credit for it is beyond me.

      As clearly linked, Paget is demonstrating . This is the community equivalent of science journal peer review -- it's separating the facts from the FUD. This is Investigative Reporting, the third leg that Democracy stands on.

      That is creditable, quite unlike "I can't even explain how common this thing is, and how many geeks are playing with it", which is as credible as any other sniggering teenager remark that's designed to say "I'm so cool and in the know, and you're so not."

  10. Re:A work-around! by bill_mcgonigle · · Score: 2, Insightful

    I am concerned about the future if I ever decide to get an internet-capable phone. I don't want police spying on me without a warning that the encryption had been turned off.

    Assume they are - do your encryption at the application layer, or at least with a VPN you control.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)