from defcon – cellular interception on the cheap, long range RFID, and Android rootkit

I just got a new radiola phone installed in my flivver!

Although I did not make it to Las Vegas for Defcon, I have been keeping an eye out for interesting information coming out of the conference.  This the first in a series of posts which will summarize the good stuff…

Intercepting GSM cellular phone calls (such as those on ATT and T-Mobile in the US and most cellular carriers worldwide) used to be a difficult and expensive proposition.  Solutions were available, but they required expensive customized hardware which was for sale only to law enforcement entities.  Not any more… Researcher Chris Paget demonstrated a system which uses widely available hardware and custom written software to impersonate a GSM cellphone tower, entices handsets to connect to this fake “tower” and relays calls to their destinations, allowing the the attacker to listen in on or record conversations.  The price tag for the system? US$1500 – at this price point, intercepting cell phone calls becomes feasible for criminals, corporate spies, and other nosey folks.

So, what does this mean for you, oh paranoid reader?     Well, Paget has not released the code he used to mount this attack (good news) but I would be very surprised if a number of enterprising hackers are not working to replicate his work.

One way to avoid this attack entirely is to disable your phone’s ability to switch from the normal 3G mode to the 2G mode which the attack requires to be successful.  Unfortunately, this does not seem to be easy to do.  Paget’s blog entry said that he had heard of an option to disable 2G on the BlackBerry, but looking at a BB, I saw options only for “3G and 2G” and “2G only.”  On the other hand, the encryption used for BlackBerry data should protect against email eavesdropping.  Vendors need to provide an option to allow users to disable 2G mode – call your carrier!  There is a downside to this; if you disable 2G mode, you may end up with no signal in places where 3G service is not available or the signal is weak.

What carriers need to do to really close this hole is to stop using GSM and upgrade their networks to newer, more secure standards.  Hopefully, this work will provide an impetus the carriers.

For now, the truly paranoid here in the US should probably stick with Verizon or another carrier that does not use the GSM standard.

More reading on this attack:

Paget also demonstrated the ability to read second generation RFID tags (such as those embedded in newer passports and drivers licenses) from a pretty significant distance.   The potential for abuse here is pretty significant… think government tracking of people by their driver’s license or passports, terrorists identifying people of a specific nationality for targeting, or corporations snooping on what products passers by have purchased.

In other wireless news, Spider Labs released a “rootkit” for cellphones running the popular Google Android operating system.  Once installed on the phone, this software allows an attacker to read emails and text messages.  Since Android apps are subject to less scrutiny than those for the iPhone, and since Android has an option to allow “non market apps” to be installed, getting this code onto a Android phone is going to be a lot easier than making a similar attack on Apple’s iPhone.  The code for the rootkit was apparently included on the DVD provided to conference attendees.  Android users should definitely think before installing any really cool new apps that come out in the coming weeks!

I’ll be here all week, folks, posting more interesting stuff from Defcon and BlackHat.

Leave a Reply