4G and CDMA Reportedly Hacked At DEFCON

An anonymous reader writes "At the DEFCON 19 hacking conference it seems that a full man-in-the-middle (MITM) attack was successfully launched against all 4G and CDMA transmissions in and around the venue, the Rio Hotel in Las Vegas. This MITM attack enabled hackers to gain permanent kernel-level root access in some Android and PC devices using a rootkit, and non-persistent user space access in others. In both cases, whoever launched this attack on CDMA and 4G devices was able to steal data and monitor conversations. For now the only evidence that such an attack occurred is a Full Disclosure mailing list post, but in the next few hours and days, depending on the response from cellular carriers, we should know whether it's real or not."

And they said I was crazy

[ArhcAngel]

for sticking with my RAZR! BWAHAHAHAH...

Re:And they said I was crazy

[jon3k]

That's the same reason I don't use a computer. And those "security experts" called me a luddite! Ha! Jokes on them!

Re:And they said I was crazy

[__aazsst3756]

Me too, but not because I like the Razr. There is a stack of defective ones on my dresser. My wife's Razr looks like it has gone through a war zone (she doesn't regularly kill them like I do).

The cost of data plans and silly 2 year contracts is keeping us away. Waiting for a prepaid App-phone that I like on a prepaid plan less than $30 a month for each phone. Where getting close....

Re:And they said I was crazy

[plover]

for sticking with my RAZR! BWAHAHAHAH...

Psht. Last year a guy at DEFCON demoed a fully functional GSM MITM. That meant he is certainly capable of hijacking your puny RAZR's voice calls.

Re:And they said I was crazy

[ibpooks]

Waiting for a prepaid App-phone that I like on a prepaid plan less than $30 a month for each phone.

LG Optimus or Samsung Intercept on Virgin Mobile is $25/mo. with no contract. Not bad at all.

Re:And they said I was crazy

[antdude]

Yep, they still work for my queen ant and me. :)

Can you hear me now!?

[LinuxGeek]

This will be interesting if it is true. Maybe this will delay the rollout of smartphones to combat soldiers...

Re:Can you hear me now!?

[pnewhook]

That's why I use a blackberry. Secure encrypted communication..

Re:Can you hear me now!?

What good is encryption when they just hand it over to the government:

http://www.guardian.co.uk/uk/2011/aug/08/london-riots-blackberry-messenger-looting

http://www.bloomberg.com/news/2010-08-30/rim-averts-india-blackberry-ban-as-government-tests-security-modification.html

At least the hack above requires them to do something...

Re:Can you hear me now!?

[DrgnDancer]

It probably will have no affect what-so-ever. Why? Well you probably don't remember, but when the story about using smartphones for soldier to soldier communication came out, I said that the final version would no doubt use a portable military infrastructure for radios and towers. I got a rash of shit from people who a) thought I was right and were convinced the military would be wasting money, or b) thought I was wrong. The general argument went: "every nation on Earth has a cellular infrastructure in place, why not just use that?"

This is why.

Re:Can you hear me now!?

[b0bby]

What good is encryption when they just hand it over to the government:

Well, the fact that it's still encrypted? FTA you linked:

"RIM can be legally ordered to hand over details to police of users suspected of unlawful activity. However, the Canadian company would be likely to resist those demands and the content of users' inflammatory messages would be encrypted. The manufacturer has previously insisted that even it cannot unscramble users' messages when sent on the devices."

If you're using your phone provider's BB Server, then they have access to your messages, but that's not RIM. If you're using your own server then the messages are fully encrypted and no third party should have access. It's my understanding that in India the government has access within the country; I'm not sure if they just block your access to your server and force you to use theirs.

Re:Can you hear me now!?

[LordLimecat]

What good is encryption when they just hand it over to the government:

What, without my BES server's AES-256 key? Good luck with that.

Re:Can you hear me now!?

[DrXym]

The blackberry story looks like so much bullshit. How many people own blackberry devices compared to other kinds of phones. I imagine most rioters if they communicated at all would have done so through sms, twitter and so on.

Re:Can you hear me now!?

[plover]

With a Cell Phone Cannon, of course.

Re:Can you hear me now!?

[GooberToo]

"every nation on Earth has a cellular infrastructure in place, why not just use that?"

Because you can be traced/tracked by those outside the battlefield, basically making it an intelligence coo.

Re:Can you hear me now!?

[Spad]

A lot more than you'd expect; estimates put it at almost 40% of teenagers in the UK who have a Blackberry, mostly for the BBM functionality.

Re:Can you hear me now!?

[pnewhook]

The blackberry is the ONLY smartphone that is secure, which is why companies love them and RIM will always have a market share for corporations, ones that care about security anyway.

Re:Can you hear me now!?

[compro01]

I believe the word you're looking for is "coup".

Re:Can you hear me now!?

[bennomatic]

No, I'm pretty sure the GP poster was suggesting that enemy intelligence forces communicate with bird calls. "Coo coo!"

Re:Can you hear me now!?

[GooberToo]

You are of course correct.

The fact you've bothered to correct a post which took about three seconds to create, while still fully comprehensible, IMOHO, is the greater travesty.

Seriously, look at my posts. I long gave up on caring about typos and spelling errors on /. posts. Most people on /. are beneath contempt. As such, my posts tend to reflect this fact. Basically it boils down to, I don't give a shit for 99% of my posts.

Re:Can you hear me now!?

[wolrahnaes]

That's why I use a VPN and/or SSL encrypted connections on my Android and iPhone. Secure encrypted communication, and I'm not stuck dealing with an e-mail device that's been bodged in to trying to be a smartphone which pointlessly runs everything through RIM's servers. How many times has a server outage disabled functionality on every Blackberry again?

Re:Can you hear me now!?

[hxnwix]

That's why I use a blackberry. Secure encrypted communication..

Predictably, this snark generated a whoosh, touching off a flame war.

Re:Can you hear me now!?

[LordLimecat]

I suppose there could be. Are you sure there isnt some network command that will cause your PC to start listening on port 22 for assembly instructions to execute?

Just asking the question doesnt make it a significant concern.

Re:Can you hear me now!?

[QuantumRiff]

Why would that matter, if they can get to the other host that you are communicating with? (ie, your cell phone companies BES server) Kind of like saying SSH is secure, when the bad guy is running as root on the other end :)

Re:Can you hear me now!?

[SleazyRidr]

Here's your whoosh.

Re:Can you hear me now!?

[charlesj68]

"every nation on Earth has a cellular infrastructure in place, why not just use that?"

Because you can be traced/tracked by those outside the battlefield, basically making it an intelligence coo.

And then, God help us when the pigeon Air Force attacks ...

Relation between MITM and rootkit

[Bromskloss]

Achieving MITM status is a very different thing from installing a rootkit, in my mind. The summary left out how the two could be connected but the article mention something about it:

Coderman’s report suggests that, like Wi-Fi MITM, which regularly harasses surfers at DEF CONs and other hacker conventions, the attackers were able to inject custom packets into the 4G and CDMA data stream. These forged packets allowed the attackers to create on-screen prompts that, if clicked, installed a rootkit on the PC or Android device.

So, to install the rootkit, you also need to exploit a bug in the user. Where do I file the bug report?

Re:Relation between MITM and rootkit

[Infiniti2000]

So, to install the rootkit, you also need to exploit a bug in the user. Where do I file the bug report?

Well, the bug is that the on-screen prompt occurred at all. That's the part needs to be stopped. Surely, no one would consciously run the rootkit, but I can see the case where the prompt accidentally gets clicked if it pops up during another high-click-count application.

Re:Relation between MITM and rootkit

[ByOhTek]

I believe you have to fill out form AK-47 or M-16, and file it with the appropriate user.

Re:Relation between MITM and rootkit

[nschubach]

Or just a simple button on the screen that get's pushed by a pocket dialer.

I've accidentally put my phone in my pocket only to pull it out later and I was one click away from sending my friend a text full of gibberish.

Re:Relation between MITM and rootkit

[gbjbaanb]

depends what the on-screen prompt says. I really doubt it'll say "click here to install virus".

Re:Relation between MITM and rootkit

[Baloroth]

So, to install the rootkit, you also need to exploit a bug in the user. Where do I file the bug report?

With nature. The bug is already fixed in some new generations of humans, but unfortunately the widespread deployment of the old version and it's tenacity, combined with the fact that most people have updates turned off, prevents a rapid fix of the problem.

However, a long-term plan is currently in effect. A few more earthquakes and hurricanes should do the trick.

Re:Relation between MITM and rootkit

[shugah]

Button labelled "p0rn"

Re:Relation between MITM and rootkit

[EvilStein]

And we all know how end users love to click on stuff... this is exactly how the existing Android rootkits have been getting installed.

Re:Relation between MITM and rootkit

[jesseck]

To make it simple, how about "Network busy: error code 2343" with an "OK" button. In an urban environment, it wouldn't be hard to fathom the network was busy. My Sprint service does that occasionally when I place phone calls, and I have to click "OK" to terminate the call. The MITM attack could cause the appearance of network problems, with the "forced" installation of accepting there were problems, so try again. Who doesn't click "OK" when the network tells them it is busy and to try again later? Of course, now that I think about it, maybe I shouldn't....

Re:Relation between MITM and rootkit

[LordLimecat]

Well, the bug is that the on-screen prompt occurred at all. That's the part needs to be stopped.

This can be done in plaintext open wifi connections to laptops. You request www.google.com, i send you www.InfectMeWithARootkit.com, which requests permission to download and run executable code. If you agree, you will be rootkitted.

Or on a blackberry, you send a link to a malicious .jad file, and it asks if you want to download, and later run, the content.

Re:Relation between MITM and rootkit

The injected rootkits were specific to different android builds and phones. On some no prompt was needed, on others if a prompt was accepted we saw the phones get completely destroyed by the rootkits or have the microphones turned on. The WiMax in particular discussion is not LTE, but it is likely that LTE was compromised as well because the hardware required to MiTM WiMax would be software defined radio systems which could just as easily be programmed for 4G as 4G LTE emulation. No upgrades or installs or prompts were required for rooting, it was a progressive system of attacks whereby low-hanging fruit was plucked first, and later the horrific 0days came out to play.

Re:Relation between MITM and rootkit

[tlhIngan]

So, to install the rootkit, you also need to exploit a bug in the user. Where do I file the bug report?

The user is the biggest vulnerability. It's called the Dancing Pigs problem and it's extremely difficult to protect. In fact, popping up additional dialogs hurt security because of it (that Android permissions screen? Utterly useless - even if you make it so they have to check off every item then hit install).

Hell, the age of the Honor System Virus is actually around. Facebook viruses and spam and such often rely on such odd techniques as well (click here and here and here, paste this URL, etc...).

A simple popup like "Low battery" might be easily dismissed by anyone and no one is the wiser.

Re:Relation between MITM and rootkit

[hitmark]

Could be that what we see as a bug was originally intended as a feature, used by the carriers to prompt the handset user about something.

I would that the security-thru-obscurity mentality is still rampant in telcos and related organizations to this day, even tho AT&T and others got bitten by leaving open modems behind unlisted numbers on their switches.

Re:Relation between MITM and rootkit

[dissy]

So, to install the rootkit, you also need to exploit a bug in the user.

The user is no doubt the best thing to exploit, as it is the weakest link in the chain.

But you are assuming there are no exploits (Which there are, some Android phones installed the app with no prompt)

You also assume the Over-the-Air updates are signed somehow.

Re:Relation between MITM and rootkit

[gbjbaanb]

there's only 1 way to be safe, put the phone down and stick to stiff paper letters. sealed with wax stamped with a high-intricacy authentication symbol, delivered by armed guards.

Define "4G"

[russlar]

Which "4G" technology are we talking? WiMAX? LTE? AT&T&Tmobile's HSPA cranked up to 11?

Re:Define "4G"

[bunnyman]

From: coderman <coderman () gmail com>

Date: Wed, 10 Aug 2011 11:17:25 -0700

802.16/ClearWire/Sprint4G

did not have LTE to test with.

Re:Define "4G"

[TubeSteak]

WiMAX, LTE, and AT&T&Tmobile's HSPA do not meet the speed requirements of 4G.

4G was supposed to be ultra-highspeed* wireless, based on the next Generation of hardware
In the meantime, telcos were all rolling out stuff that could best be described as 3.5G or 3.75G, but were advertising it as 4G.

The standards committee caved and now, for all intents and purposes, 3.5/3.75G is the new 4G and,
because marketing droids can't help themselves, true 4G will be called 4.5G or 5G.
WiMAX-advanced and LTE-advanced will be considered 'real' 4G when they come out.

*100 Mbit/s mobile and 1 Gbit/s stationary or pedestrian speeds

Good to know

[Phaeilo]

that I'm not alone out there ;)

Re:

[taiwanjohn]

I was thinking the same thing. Kinda ties in with the previous /. story about Why The US Will Lose a Cyber War.

It's tempting to deploy every new gadget that looks useful, but the military (rather, the gov't in general) has a spotty record in new-tech security.

le sigh

[TheBeardIsRed]

Let me take a moment to point out that using the wifi or atms at the hotel as well as making software updates during DEF CON all are squarely in the category of "babytown frolics".

Re:le sigh

[DrgnDancer]

My technology plan for BlackHat:

1) Put phone on airplane mode
2) Once a day, drive to the middle of the desert to check e-mail/voice mail/text messages.
3) Put phone back on airplane mode.
4) Hope some enterprising asshole hasn't put up some crap in the middle of the desert.

Probably a little over paranoid, but not much. In reality I'd probably be a bit less paranoid than that, but I'd definitely move a few hotels down to do anything more serious than checking text messages.

Re:le sigh

[ewanm89]

I suggest learning where the power button is, then take out the battery and sim card ;)

Re:le sigh

[RobertLTux]

"Probably a little over paranoid, but not much. In reality I'd probably be a bit less paranoid than that, but I'd definitely move a few hotels down to do anything more serious than checking text messages."

actually given that this is DEFCON we are talking about you might be just being "safe" given the mix of TLAs and "interested parties" you might be on to something.

Don't take electronics, maybe?

[Beardydog]

Why in god's name would anyone be willing to go to that with electronics? For god's sake, just take a pad and pencil! Even if you manage not to become part of a hilarious proof-of-concept hack to startle the audience into realizing how easy it is to X and Y someone's Z by forging an A with a malformed B, and avoid being targeted by some Russian mobster who's thrown out a dragnet for data on -other- people's new techniques ( and sure, credit card numbers and personal info, as long as were in there already, the place is still probably surrounded by black vans full of studious FBI, NSA, DHS, and CIA ( east AND west ) agents, all trying to hack, monitor, and watchlist you on completely separate orders and agendas. It's got to be just... a shitstorm. Am I wrong?

Re:Don't take electronics, maybe?

Two types of people take electronics (near) there:

1. Those who don't know
2. Those who have honeypots running on their smartphones to collect all the wonderful exploits that others have developed.

Re:Don't take electronics, maybe?

[LordLimecat]

Or just disable your data ports and adapters (ethernet, bluetooth, wifi), and your usb ports. Good luck hacking that; I dont care if youre an NSA agent with Charles Babbage as a lifeline, I doubt you have a hack that can exploit an unpowered wifi adapter.

Re:Don't take electronics, maybe?

[AC-x]

Why in god's name would anyone be willing to go to that with electronics?

Or stick that device in flight mode

Re:Don't take electronics, maybe?

[ftobin]

Consider attacks involving remove screen capturing and remote keystroke-capturing technology.

I wouldn't want to be viewing or enter any privileged data at such a conference. Simply typing a passphrase could expose you.

Re:Don't take electronics, maybe?

[bill_mcgonigle]

Why in god's name would anyone be willing to go to that with electronics?

Sometimes playing the game is more fun than perfect security. Plus, people can get ahold of you still, so you might actually get invited to parties and such.

It would be bad form to permanently destroy the phone via an exploit, and I'm sure most attendees know how to wipe their phones blank when they get home.

Re:Don't take electronics, maybe?

[sempernoctis]

You need to adjust your tin foil hat. I took my droid, my tablet, and my laptop, and there really isn't that much to worry about if you follow basic security practices, like not sending any plaintext passwords, closing any ports or services you don't need, and not doing financial transactions or other very confidential things there. And I'm sure the assorted 3-letter agencies already know all about anyone they are interested in.

Re:Don't take electronics, maybe?

[sexconker]

Consider attacks involving remove screen capturing and remote keystroke-capturing technology.

I wouldn't want to be viewing or enter any privileged data at such a conference. Simply typing a passphrase could expose you.

Such attacks are academic at best. Up there with "able to read deleted data unless you overwrite it at least a dozen times". And then you posit performing such an attack during a tech convention? I'd be more worried about contracting the hantavirus from rat shit in the hotel walls.

Re:Don't take electronics, maybe?

[LordLimecat]

What, exactly, am i logging into without wireless? Why would I care about keystroke capturing if I have no connectivity? Why am I opening Top Secret documents @ DEFCON?

Seems to me I would be listening to music and taking notes.

Re:Don't take electronics, maybe?

[russotto]

and not doing financial transactions or other very confidential things there

I went to DefCon, logged into my bank, logged out, logged in from a different machine, took out the max advance on all my credit cards, transferred the money into a series of other accounts, then withdrew those as gambling chips, had a lot of fun gambling it all away, then claimed I got hacked.

Re:Don't take electronics, maybe?

[ftobin]

You might be using the same passphrase to unlock your device as your email account. Or even if it's not the exact same passphrase, it could provide knowledge on your passphrase methodology, which, combined with other data, would reduce the amount of entropy in your secret.

If the loss of your secret would not in any way assist an attack on another vector, sure, you might be fine. But people are human and can only manage so much.

Also, you wouldn't even need to be opening "top secret" documents. If your device has information on you that could grant access through a lost-passphrase "security question" on a website, you need to protect even that.

Re:Don't take electronics, maybe?

[bsDaemon]

I left my laptop in my hotel (did not stay at the Rio), only used the hardwire network while in my room, and used the VPN to do anything remotely important by way of my office. To the conference, I only brought a pen and a pad to take notes (most of the talks were total ass this year, although I did enjoy the asian apt tactics talk) and made no calls that weren't just trying to locate co-workers in the crowds between sessions, otherwise BBM only, and I would turn the thing off when I wasn't actually planning on using it.

One of my coworkers had turned off wifi on his android, but still managed to have his twitter password grabbed and his account hijacked for a while, and we all had assumed that he was connecting to a rogue cell tower, particularly after the UAV-based rogue GSM tower thing.

Re:Don't take electronics, maybe?

[bsDaemon]

You must be joking because anyone capable of coming up with such an elaborate plan would be smart enough to post a confession on a public forum. At least, I like to think so.

Re:Don't take electronics, maybe?

[LordLimecat]

Having a windows login password on a personal laptop is, unless you use EFS or truecrypt, a bad idea.

A) someone with Ophcrack (or who sneaks SamDump onto your computer and grabs the hash) can recover your plaintext password quite quickly (10 minutes for 10char passwords with ophcrack), with no trace. As you pointed out, learning this password likely reveals info about your other passwords.

B) Windows has for the longest time refused to allow remote connections to accounts with a blank password, regardless of other policies on your computer. A blank password is far more secure than a weak password. Blank password means no RDP, no telnet, no SMB connections (unless youre using a home edition), no management connections.

C) Passwords are trivial to circumvent, when you have physical access (and for remote, see #2). A 1meg boot iso can completely wipe out your password; an ophcrack disk can reveal it; any linux liveboot distro can run chntpw and kill the password.

Also, if youre on a laptop, its far better (imo) to have it set to autologon, lock the bios, and have boot time services which connect to wifi and grant you remote control (if your laptop is ever stolen. If you have a password, a thief can trivially get to your data unless youve truecrypted your drive; if its set to autologon, at least you have an attempt to grab geolocation data and control the webcam.

Basically, if your data is REALLY that sensitive, you need to be running volume or full disk encryption, not relying on a windows logon. Windows logons are only useful for network (AD) authentication, or multiple users on a locked down computer.

Re:Don't take electronics, maybe?

[russotto]

You must be joking because anyone capable of coming up with such an elaborate plan would be smart enough to post a confession on a public forum. At least, I like to think so.

Hey! The hacker who maxed out my credit cards got my slashdot account too! Good thing he didn't change the password!

Re:Don't take electronics, maybe?

[treeves]

Legionnaire's disease FTW.

Really surprised... not.

[ewanm89]

This is DEFCON, it's like putting every army and mercenary group in the world in one room without disarming them first. There is a reason why the DEFCON wireless network is described as the most hostile network on earth, it's more hostile than the internet itself.

Re:Really surprised... not.

[tgd]

This is DEFCON, it's like putting every army and mercenary group in the world in one room without disarming them first.
There is a reason why the DEFCON wireless network is described as the most hostile network on earth, it's more hostile than the internet itself.

I smell next years' big summer Hollywood blockbuster!

What's Michael Bay up to?

Re:Really surprised... not.

[antdude]

That is why I avoid Sin City during that week so my old school bone conduction analog hearing aid, CASIO Data Bank 150 calculator watch, body, etc. won't get hacked/exploited. :P

Re:Really surprised... not.

[cjb658]

I went to Defcon 16 and brought my laptop. I set up Wireshark on it and connected to the unprotected Wifi (I think the SSID was Warzone). A few minutes passed. Then an hour. Nothing happened. I didn't see so much as an arp flood, port scan, or even an attempt to connect to my Samba shares. I even enabled the guest account so people could download stuff from me without a password.

I was sorely disappointed.

Re:Really surprised... not.

[bobbozzo]

Every user of the (real) DC WiFi is on their own VLAN. You shouldn't see anything.

If you give a mouse a cookie...

[Oswald+McWeany]

If you put candy in a bowl in a room full of children- they will eat it. If you put whiskey in a room full of frat-boys- they will drink it. If you put technology in a room full of hackers- they will hack it. If you put Michael Jackson in a room full of children- he will behave admirably. I don't see much surprise here.

Re:If you give a mouse a cookie...

[morgosmaci]

If you put Michael Jackson in a room full of children- he will behave admirably.

You mean sit in the corner and add a lovely decomposition smell to the room?

Re:If you give a mouse a cookie...

[Oswald+McWeany]

Decomposing plastic has no odor.

Re:If you give a mouse a cookie...

[PIBM]

I guess you could say he wouldn`t do a thing..

Re:If you give a mouse a cookie...

[jemtallon]

Michael Jackson behaving admirably... http://i.imgur.com/Okk86.jpg

G is like san Re:Define "4G"

[140Mandak262Jamuna]

Most Asian languages use a suffix to indicate respectful reference. Japanese uses -san as in Suzuki-san or Yamomoto-san or Admiral Nakudo-san. Similarly Hindi uses ji. As in Obama-ji met the Senator Liberman-ji.

Most cell phone companies use the suffix G to add respectability to what is otherwise a meaningless number.

Re:G is like san Re:Define "4G"

[orthancstone]

Long way to get to that, but I'll say it was worth it.

For once, helps to be Canadian!

[thejaded1]

... or any other country with atrocious data package rates.

I shut my Android's data option off before arrived, primarily for costs reasons, but also for security reasons. I'm sure there were plenty other foreign travelers who had there data disabled for duration of their stay.

Fucking Steve Jobs!

[bennomatic]

I'm sure he's responsible for this somehow. Probably because he can't innovate!!

Re:And that ladies is geeks...

[San-LC]

And that ladies is geeks...Is why you only gamble at Harrah's!

Sorry to burst your bubble, but Caesar's Entertainment owns both Harrah's and the Rio. Hope your Faraday cage fits ar the Blackjack table.

We need Authentication/Encryption NOW

[Gyorg_Lavode]

This points that the last bastion of security (secure transport layers provided by the transporter) is no longer viable. MITM is apperently practical on most wireless networks, even the adnvaced cellular ones. In that case, you MUST authenticate every location every app goes to. This means EVERYONE needs certs. I wish there was more info on Moxie's new tool because it may be an absolute necessity in the very near future. (Unless the CAs are going to start giving out free certs.)

Re:We need Authentication/Encryption NOW

[DDLKermit007]

You make it out to be way worse than it is. If you go over cellular, should just SSH back to your home connection. The wireless insecurity isn't much to worry about at that point. WiMax is a huge joke security-wise anyways. WiMax was cracked last year already in this regard. Seems he spent the year building better tools.

Re:We need Authentication/Encryption NOW

[citizenr]

Its worse than that. Last year GSM presentation revolved around taking over GSM codec part of the phone, and ALL android phones run codec in same memory space as main CPU.

You do know what DEFCON is, right?

[gosand]

I can't even come up with a sufficient analogy to describe how wrong your comment is.

Like entering a bicycle in a Formula 1 race because you don't like going fast?

Re:And that ladies is geeks...

[Sancho]

For what it's worth, I still can't parse what your original post said, nor do I get the joke even after explanation.

FYI

[DDLKermit007]

It's WiMax that's fallen. It was already cracked open as of the last Defcon. Some other cool stuff is being done with it too. The WiMax authentication system is a joke.

Re:FYI

[YoopDaDum]

It's WiMax that's fallen.

Could you point to a reference for this? The disclosure email doesn't mention WiMAX at all. I'd be surprised if they'd get a MITM attack on WiMAX (see below from more discussion). If it's WiMAX, more likely they owned a specific device. But breaking a specific device is a very different thing than breaking a protocol.

It was already cracked open as of the last Defcon. Some other cool stuff is being done with it too. The WiMax authentication system is a joke.

Following you comment I tried to find more info on that "crack" and found this WiMAX hacking Defcon presentation at last year Defcon 18. There's no cracking of WiMAX there, just sniffing into some devices and a Clear specific location based services security issue (which is not WiMAX but Clear stuff). No cracking of WiMAX to see there, so if I missed the right announce I'd appreciate a pointer. Because the coolest thing in the presentation was the guys bérets. Ok I'm a bit harsh, the LBS info was interesting too.

Regarding WiMAX authentication, we must be talking about different things if you believe it's a joke.
The way WiMAX operates is that network and devices have X.509 certificates. When a device is not provisioned the device and network mutually authenticate using EAP-TLS, which is considered safe. Based on this encryption is set-up using AES-CTR (from memory), at 128 bits. This is also considered safe.
The unprovisioned device can normally only access a subscription portal, where you give your credit card info and get a subscription. Then the device is provisioned, and reboot in normal mode with Internet access enabled.
The guys doing the WiMAX session at Defcon 18 found a hole in the subscription portal. Using OpenVPN you could bypass it and connect outside and get service for free. This is indeed a security breach, but this has nothing to do with WiMAX itself. This part is operator specific and not standardized. But we're not talking about the WiMAX authentication (EAP-TLS) here, just how an operator handles its subscription portal.

Now once the device is provisioned (with a login and password among other things), it will use EAP-TTLS for authentication. This normally both do device and network level authentication using the same X.509 certificates as with the first EAP-TLS step, and on top of it verifies the login and password for service access. Again, EAP-TTLS is considered secure.

So I don't see any "WiMAX authentication" weakness. To do a MITM attack at the WiMAX level, you would need an owned WiMAX BS with either a real certificate signed by the WiMAX Forum, or a working BS with no proper BS certificate and pawn badly implemented MS that do not authenticate the network (there were some...). Both seem unlikely to me. If there were WiMAX femto BS available it may be more practical, but for WiMAX only macro BS are deployed as far as I know. Somewhat, I don't see these guys owning a cell site...

Still, if anyone has some pointers please share. But for now, from what I know of WiMAX and what I saw in last year presentation I think it's very misleading to say that WiMAX has been cracked.

Re:FYI

[YoopDaDum]

Thanks for the pointer!

I checked the sources listed in the email for more info. Many still doubt the claim (one guy pointing out the lack of WiMAX femto as I did), others defend it... One of the defenders claiming knowing the guy who did it said this: "The WiMAX MitM is possible because of Clear/Sprint's absolutely retarded network configuration, not any problems with the spec it's self.". More credible than seeing EAP-TLS/TTLS and AES broken ;)

Later on someone mention using a femto, but it's not clear if it's for the Verizon CDMA attack (easy to find a CDMA femto) or WiMAX. Attacking a femto makes the most sense (physical access to the box allows more attacks). But even if there's no commercial femto, maybe they could get their hands on some second hand reference board? (some people made femto prototypes for WiMAX). That shouldn't work as a WiMAX device MUST check the BS certificate too, and a second hand WiMAX femto should not have a proper one. But as said, some devices are sloppy in authenticating the network.

Re:FYI

[YoopDaDum]

If certificates are managed properly no MITM attack is possible at the WiMAX radio level. Then because WiMAX is pure IP you can't have ARP redirection or other L2 attacks. That leaves IP level redirections?...

Re:And that ladies is geeks...

[hxnwix]

DEFCON is at one casino, so this guy was like, "hurr you should go to a different casino if you are joe sixpack otherwise these hackers will get you." (no disrespect, I'm sure the OP was being comical)

Re:I want to call bullshit...

[synthesizerpatel]

No, it is bullshit.

If this were true someone would have posted captured conversations or some sort of proof. Why just make the claim without any evidence to back it up?

This is just a sad attempt at instilling fear.

No proof, no hack.

Don't worry

[ThatsNotPudding]

the carriers will fix this by rolling out... 5G!!!

Re:Don't worry

[TeknoHog]

the carriers will fix this by rolling out... 5G!!!

That will probably just be a research project, and the real action will be with 6G. Then, 20 years after the invention of 6G, we will still be suffering from 4G's address space limit.

I heard about this

[dave562]

People were talking about this at the pool on Saturday night. FWIW someone mentioned that the Verizon network had the same IPSEC key for all of their towers. The attack vector was probably along those lines.

As a Verizon user with a Blackberry I wasn't particularly concerned. If someone is interested in my SMS messages, more power to them. The only other app running on my phone besides email is Gmail, and that uses SSL. I suppose they could capture the login session and crack it at their leisure, but I went ahead and changed my password after the con.

Re:I want to call bullshit...

[Khyber]

Spoken like someone that truly has zero clue.

Man can make it, man can break it, it's just that simple.

Re:I want to call bullshit...

[bleh-of-the-huns]

And this is what is wrong with people.. no proof no hack.. talk about a false sense of security..

There are various kinds of hackers.. those who do it for fun and bragging rights, and those who do it for nefarious purposes..

Those who do it for nefarious purposes.. generally do not brag, and go all out trying to hide what they did, otherwise the methods they use tend to get closed rather quickly.

It should be noted that this particular attack (base station impersonation) was actually demo'd and performed last year during blackhat and defcon.

Re:I want to call bullshit...

[synthesizerpatel]

My first defcon was defcon 3.

No proof, no hack.

Re:I want to call bullshit...

[synthesizerpatel]

http://www.defcon.org/html/defcon-18/dc-18-speakers.html#Paget

GSM != ( CDMA || 4G )

I'm underwhelmed.

Re:I want to call bullshit...

[Khyber]

Keep it secret, pwn everyone quietly.

First rule of hacking - you don't say shit.

DEFCON is for poseurs.

Re:I want to call bullshit...

[_Sprocket_]

It should be noted that this particular attack (base station impersonation) was actually demo'd and performed last year during blackhat and defcon.

I highlighted the important part that you should have been paying attention to.