Slashdot Mirror


4G and CDMA Reportedly Hacked At DEFCON

An anonymous reader writes "At the DEFCON 19 hacking conference it seems that a full man-in-the-middle (MITM) attack was successfully launched against all 4G and CDMA transmissions in and around the venue, the Rio Hotel in Las Vegas. This MITM attack enabled hackers to gain permanent kernel-level root access in some Android and PC devices using a rootkit, and non-persistent user space access in others. In both cases, whoever launched this attack on CDMA and 4G devices was able to steal data and monitor conversations. For now the only evidence that such an attack occurred is a Full Disclosure mailing list post, but in the next few hours and days, depending on the response from cellular carriers, we should know whether it's real or not."


  1. And they said I was crazy by ArhcAngel · · Score: 4, Funny

    for sticking with my RAZR! BWAHAHAHAH...

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    1. Re:And they said I was crazy by jon3k · · Score: 2

      That's the same reason I don't use a computer. And those "security experts" called me a luddite! Ha! Jokes on them!

  2. Relation between MITM and rootkit by Bromskloss · · Score: 3, Informative

    Achieving MITM status is a very different thing from installing a rootkit, in my mind. The summary left out how the two could be connected, but the article mentions something about it:

    Coderman’s report suggests that, like Wi-Fi MITM, which regularly harasses surfers at DEF CONs and other hacker conventions, the attackers were able to inject custom packets into the 4G and CDMA data stream. These forged packets allowed the attackers to create on-screen prompts that, if clicked, installed a rootkit on the PC or Android device.

    So, to install the rootkit, you also need to exploit a bug in the user. Where do I file the bug report?

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
    1. Re:Relation between MITM and rootkit by Infiniti2000 · · Score: 2

      So, to install the rootkit, you also need to exploit a bug in the user. Where do I file the bug report?

      Well, the bug is that the on-screen prompt occurred at all. That's the part that needs to be stopped. Surely, no one would consciously run the rootkit, but I can see the case where the prompt accidentally gets clicked if it pops up during another high-click-count application.

    2. Re:Relation between MITM and rootkit by jesseck · · Score: 2

      To make it simple, how about "Network busy: error code 2343" with an "OK" button. In an urban environment, it wouldn't be hard to fathom the network was busy. My Sprint service does that occasionally when I place phone calls, and I have to click "OK" to terminate the call. The MITM attack could cause the appearance of network problems, with the "forced" installation of accepting there were problems, so try again. Who doesn't click "OK" when the network tells them it is busy and to try again later? Of course, now that I think about it, maybe I shouldn't....

    3. Re:Relation between MITM and rootkit by Anonymous Coward · · Score: 3, Informative

      The injected rootkits were specific to different android builds and phones. On some no prompt was needed, on others if a prompt was accepted we saw the phones get completely destroyed by the rootkits or have the microphones turned on. The WiMax in particular discussion is not LTE, but it is likely that LTE was compromised as well because the hardware required to MiTM WiMax would be software defined radio systems which could just as easily be programmed for 4G as 4G LTE emulation. No upgrades or installs or prompts were required for rooting, it was a progressive system of attacks whereby low-hanging fruit was plucked first, and later the horrific 0days came out to play.

    4. Re:Relation between MITM and rootkit by tlhIngan · · Score: 3, Interesting

      So, to install the rootkit, you also need to exploit a bug in the user. Where do I file the bug report?

      The user is the biggest vulnerability. It's called the Dancing Pigs problem and it's extremely difficult to protect against. In fact, popping up additional dialogs hurts security because of it (that Android permissions screen? Utterly useless - even if you make it so they have to check off every item then hit install).

      Hell, the age of the Honor System Virus is actually around. Facebook viruses and spam and such often rely on such odd techniques as well (click here and here and here, paste this URL, etc...).

      A simple popup like "Low battery" might be easily dismissed by anyone and no one is the wiser.

  3. Define "4G" by russlar · · Score: 4, Insightful

    Which "4G" technology are we talking? WiMAX? LTE? AT&T&Tmobile's HSPA cranked up to 11?

    --
    Anybody want my mod points?
    1. Re:Define "4G" by TubeSteak · · Score: 2

      WiMAX, LTE, and AT&T&Tmobile's HSPA do not meet the speed requirements of 4G.

      4G was supposed to be ultra-highspeed* wireless, based on the next Generation of hardware
      In the meantime, telcos were all rolling out stuff that could best be described as 3.5G or 3.75G, but were advertising it as 4G.

      The standards committee caved and now, for all intents and purposes, 3.5/3.75G is the new 4G and,
      because marketing droids can't help themselves, true 4G will be called 4.5G or 5G.
      WiMAX-advanced and LTE-advanced will be considered 'real' 4G when they come out.

      *100 Mbit/s mobile and 1 Gbit/s stationary or pedestrian speeds

      --
      [Fuck Beta]
      o0t!
  4. Re:Can you hear me now!? by pnewhook · · Score: 2

    That's why I use a blackberry. Secure encrypted communication..

    --
    Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
  5. Re:Can you hear me now!? by Anonymous Coward · · Score: 2, Funny

    What good is encryption when they just hand it over to the government:

    http://www.guardian.co.uk/uk/2011/aug/08/london-riots-blackberry-messenger-looting

    http://www.bloomberg.com/news/2010-08-30/rim-averts-india-blackberry-ban-as-government-tests-security-modification.html

    At least the hack above requires them to do something...

  6. le sigh by TheBeardIsRed · · Score: 2

    Let me take a moment to point out that using the wifi or atms at the hotel as well as making software updates during DEF CON all are squarely in the category of "babytown frolics".

    1. Re:le sigh by DrgnDancer · · Score: 4, Insightful

      My technology plan for BlackHat:

      1) Put phone on airplane mode
      2) Once a day, drive to the middle of the desert to check e-mail/voice mail/text messages.
      3) Put phone back on airplane mode.
      4) Hope some enterprising asshole hasn't put up some crap in the middle of the desert.

      Probably a little over paranoid, but not much. In reality I'd probably be a bit less paranoid than that, but I'd definitely move a few hotels down to do anything more serious than checking text messages.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  7. Don't take electronics, maybe? by Beardydog · · Score: 4, Interesting

    Why in god's name would anyone be willing to go to that with electronics? For god's sake, just take a pad and pencil! Even if you manage not to become part of a hilarious proof-of-concept hack to startle the audience into realizing how easy it is to X and Y someone's Z by forging an A with a malformed B, and avoid being targeted by some Russian mobster who's thrown out a dragnet for data on -other- people's new techniques ( and sure, credit card numbers and personal info, as long as were in there already, the place is still probably surrounded by black vans full of studious FBI, NSA, DHS, and CIA ( east AND west ) agents, all trying to hack, monitor, and watchlist you on completely separate orders and agendas. It's got to be just... a shitstorm. Am I wrong?

    1. Re:Don't take electronics, maybe? by sexconker · · Score: 2

      Consider attacks involving remote screen-capturing and remote keystroke-capturing technology.

      I wouldn't want to be viewing or entering any privileged data at such a conference. Simply typing a passphrase could expose you.

      Such attacks are academic at best. Up there with "able to read deleted data unless you overwrite it at least a dozen times". And then you posit performing such an attack during a tech convention? I'd be more worried about contracting the hantavirus from rat shit in the hotel walls.

  8. Really surprised... not. by ewanm89 · · Score: 4, Informative

    This is DEFCON, it's like putting every army and mercenary group in the world in one room without disarming them first. There is a reason why the DEFCON wireless network is described as the most hostile network on earth, it's more hostile than the internet itself.

  9. Re:Can you hear me now!? by b0bby · · Score: 2

    What good is encryption when they just hand it over to the government:

    Well, the fact that it's still encrypted? FTA you linked:

    "RIM can be legally ordered to hand over details to police of users suspected of unlawful activity. However, the Canadian company would be likely to resist those demands and the content of users' inflammatory messages would be encrypted. The manufacturer has previously insisted that even it cannot unscramble users' messages when sent on the devices."

    If you're using your phone provider's BB Server, then they have access to your messages, but that's not RIM. If you're using your own server then the messages are fully encrypted and no third party should have access. It's my understanding that in India the government has access within the country; I'm not sure if they just block your access to your server and force you to use theirs.

  10. G is like san Re:Define "4G" by 140Mandak262Jamuna · · Score: 3, Insightful
    Most Asian languages use a suffix to indicate respectful reference. Japanese uses -san as in Suzuki-san or Yamomoto-san or Admiral Nakudo-san. Similarly Hindi uses ji. As in Obama-ji met the Senator Liberman-ji.

    Most cell phone companies use the suffix G to add respectability to what is otherwise a meaningless number.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  11. Re:Can you hear me now!? by LordLimecat · · Score: 2

    What good is encryption when they just hand it over to the government:

    What, without my BES server's AES-256 key? Good luck with that.

  12. Re:If you give a mouse a cookie... by Oswald+McWeany · · Score: 3, Funny

    Decomposing plastic has no odor.

    --
    "That's the way to do it" - Punch
  13. Re:And that ladies is geeks... by Sancho · · Score: 3, Insightful

    For what it's worth, I still can't parse what your original post said, nor do I get the joke even after explanation.

  14. FYI by DDLKermit007 · · Score: 2

    It's WiMax that's fallen. It was already cracked open as of the last Defcon. Some other cool stuff is being done with it too. The WiMax authentication system is a joke.

    1. Re:FYI by YoopDaDum · · Score: 2

      It's WiMax that's fallen.

      Could you point to a reference for this? The disclosure email doesn't mention WiMAX at all. I'd be surprised if they'd get a MITM attack on WiMAX (see below for more discussion). If it's WiMAX, more likely they owned a specific device. But breaking a specific device is a very different thing than breaking a protocol.

      It was already cracked open as of the last Defcon. Some other cool stuff is being done with it too. The WiMax authentication system is a joke.

      Following your comment I tried to find more info on that "crack" and found this WiMAX hacking Defcon presentation at last year's Defcon 18. There's no cracking of WiMAX there, just sniffing into some devices and a Clear-specific location based services security issue (which is not WiMAX but Clear stuff). No cracking of WiMAX to see there, so if I missed the right announcement I'd appreciate a pointer. Because the coolest thing in the presentation was the guys' berets. Ok I'm a bit harsh, the LBS info was interesting too.

      Regarding WiMAX authentication, we must be talking about different things if you believe it's a joke.
      The way WiMAX operates is that network and devices have X.509 certificates. When a device is not provisioned, the device and network mutually authenticate using EAP-TLS, which is considered safe. Based on this, encryption is set up using AES-CTR (from memory), at 128 bits. This is also considered safe.
      The unprovisioned device can normally only access a subscription portal, where you give your credit card info and get a subscription. Then the device is provisioned, and reboots in normal mode with Internet access enabled.
      The guys doing the WiMAX session at Defcon 18 found a hole in the subscription portal. Using OpenVPN you could bypass it and connect outside and get service for free. This is indeed a security breach, but this has nothing to do with WiMAX itself. This part is operator specific and not standardized. But we're not talking about the WiMAX authentication (EAP-TLS) here, just how an operator handles its subscription portal.

      Now once the device is provisioned (with a login and password among other things), it will use EAP-TTLS for authentication. This normally does both device- and network-level authentication using the same X.509 certificates as with the first EAP-TLS step, and on top of it verifies the login and password for service access. Again, EAP-TTLS is considered secure.

      So I don't see any "WiMAX authentication" weakness. To do a MITM attack at the WiMAX level, you would need an owned WiMAX BS with either a real certificate signed by the WiMAX Forum, or a working BS with no proper BS certificate and pwn badly implemented MS that do not authenticate the network (there were some...). Both seem unlikely to me. If there were WiMAX femto BS available it may be more practical, but for WiMAX only macro BS are deployed as far as I know. Somehow, I don't see these guys owning a cell site...

      Still, if anyone has some pointers please share. But for now, from what I know of WiMAX and what I saw in last year's presentation I think it's very misleading to say that WiMAX has been cracked.
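The distinction YoopDaDum draws above (a rogue BS can only get into the middle of a WiMAX link if it holds a properly signed certificate, or if the MS skips network authentication) can be demonstrated with plain TLS. The Go program below is an added example, not code from this thread or from any WiMAX stack: it uses TLS over a loopback TCP socket as a stand-in for the EAP-TLS server-authentication step, mints in-memory self-signed certificates for a legitimate and a rogue base station (the name bs.operator.example and the functions selfSigned, startBS, attach and RunScenario are all assumptions of this example), and compares a conforming MS that checks the BS chain against its provisioned anchor with a lax MS that does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// bsName is the base-station name the MS expects (assumed for this example).
const bsName = "bs.operator.example"

// selfSigned mints an in-memory self-signed certificate for name. The legitimate
// BS's cert doubles as the trust anchor provisioned into the MS; the rogue BS's
// cert carries the same name, but nobody the MS trusts signed it.
func selfSigned(name string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced one line up, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// startBS is a toy base station: a TLS listener on loopback that greets each
// connection (forcing the handshake) and hangs up. Returns the address and a stop func.
func startBS(cert tls.Certificate) (string, func()) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { c.Write([]byte("BS hello\n")); c.Close() }(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// attach is the MS side of network entry. authenticateNetwork=true is the
// conforming MS: the BS certificate must chain to roots. false is the badly
// implemented MS the thread mentions: it accepts whatever certificate it is shown.
func attach(addr string, roots *x509.CertPool, authenticateNetwork bool) error {
	cfg := &tls.Config{ServerName: bsName, RootCAs: roots, InsecureSkipVerify: !authenticateNetwork, MinVersion: tls.VersionTLS12}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 2 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err // handshake failed: the MS refused to attach
	}
	return conn.Close()
}

// RunScenario stands up a legitimate and a rogue BS and tries three attachments:
// conforming MS to real BS (nil), conforming MS to rogue BS (unknown-authority
// error: no MITM position), lax MS to rogue BS (nil: the rogue is now in the middle).
func RunScenario() (strictToLegit, strictToRogue, laxToRogue error) {
	legit, legitLeaf := selfSigned(bsName)
	rogue, _ := selfSigned(bsName) // same name, attacker's own key
	roots := x509.NewCertPool()
	roots.AddCert(legitLeaf) // the only anchor a provisioned MS trusts
	legitAddr, stopLegit := startBS(legit)
	defer stopLegit()
	rogueAddr, stopRogue := startBS(rogue)
	defer stopRogue()
	strictToLegit = attach(legitAddr, roots, true)
	strictToRogue = attach(rogueAddr, roots, true)
	laxToRogue = attach(rogueAddr, roots, false)
	return
}

func main() {
	a, b, c := RunScenario()
	fmt.Printf("conforming MS -> real BS:  %v\nconforming MS -> rogue BS: %v\nlax MS -> rogue BS:        %v\n", a, b, c)
}
```

Run it with `go run .` and the conforming MS reports a certificate-signed-by-unknown-authority error against the rogue BS while attaching cleanly to the real one; only the lax MS hands the rogue a session. Presenting the right name is not enough for the rogue, which is the point: an attacker without a certificate the MS trusts needs an MS that never checks, and that is a device bug rather than a protocol break.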

  15. Re:Can you hear me now!? by GooberToo · · Score: 2

    You are of course correct.

    The fact you've bothered to correct a post which took about three seconds to create, while still fully comprehensible, IMOHO, is the greater travesty.

    Seriously, look at my posts. I long gave up on caring about typos and spelling errors on /. posts. Most people on /. are beneath contempt. As such, my posts tend to reflect this fact. Basically it boils down to, I don't give a shit for 99% of my posts.

  16. Re:Can you hear me now!? by wolrahnaes · · Score: 2

    That's why I use a VPN and/or SSL encrypted connections on my Android and iPhone. Secure encrypted communication, and I'm not stuck dealing with an e-mail device that's been bodged in to trying to be a smartphone which pointlessly runs everything through RIM's servers. How many times has a server outage disabled functionality on every Blackberry again?

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.