How To Answer Anyone’s Cell Phone — Remotely (and #NSAPickupLines, Snowden)

You know, this whole cell phone thing… Ye ole tin cans and string are looking increasingly attractive. Nothing like longitudinal waves down a nonmetallic thread to keep things secure.

Frankly, even 2M HT’s come out ahead in this latest round. At least everyone would notice if someone broke in and started messing with you.

What’s the big deal this time? Given one OSMoCom’ed Motorola handset, you can answer the calls and receive the SMSes for any phone in your “location area” — for Berliners, that’s some 200 square kilometers!

Yes, this is fully targetable. Pick a phone, decloak the TMSI with established techniques, boom, you get their calls and messages. They don’t.

With 11 modified phones, you could entirely shut down the service for a middle-sized cell network operator in that area.

Practical implications? SMS-based two factor authentication is no longer secure. If your bank has you type in an SMS-sent code before a transaction, switch to a more secure scheme. Now anyone can grab that code out of the air before you get it, as long as they’re within your “location area.”
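The usual “more secure scheme” for this is a one-time code computed on the device from a shared secret rather than sent over the air: nothing is transmitted that an eavesdropper in the same location area could grab. Below is an added example of that scheme (RFC 4226 HOTP and RFC 6238 TOTP) in plain Python; it is not code from the post or from the Berlin researchers. The secret is the RFC test-vector key, used here as a constructed example, and the `window` tolerance for clock drift is a server-side policy choice, not something the RFCs mandate.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: it is also the RFC 4226 / RFC 6238 test-vector key.
EXAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time (default 30 s steps)."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the current step plus/minus `window` neighbouring
    steps to absorb clock drift (an assumed policy, tune to taste); compare_digest
    keeps the string comparison constant-time."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps expect at enrolment.
    This is the only time the secret leaves the server, and it goes over TLS, not SMS."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_SECRET, now)
    print("enrol with:", provisioning_secret(EXAMPLE_SECRET))
    print("current code:", code, "verifies:", verify_totp(EXAMPLE_SECRET, code, now))
```

The important property for this post’s threat model is that the code is derived on the handset and checked on the server; the radio link carries nothing a paging hijack could intercept. The remaining risks are the usual ones for device-bound secrets (enrolment and backup of the seed), which a 2G eavesdropper in a van cannot touch.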

No doubt we’ll start seeing some larger scale scams using this too — the “100,000 wire transfer after porting the phone number of the victim” scams will now no longer need to weather the bureaucratic hassle of illicit phone number porting. Just park a van outside the victim’s office…

#NSAPickUpLines: “Roses are red, violets are blue, your pin number 6852.”
RT has more coverage of the Twitter storm that resulted from LOVEINT. http://rt.com/news/nsa-lines-twitter-storm-968/

Snowden: More details on Snowden’s escape from Hong Kong. According to Russian intelligence, Snowden appeared uninvited at the Russian consulate in Hong Kong. He spent two days there before boarding his Moscow-bound flight, at which point he was not allowed to fly further. The Russians claim Cuba refused Snowden entry (under heavy US pressure) and would not have allowed the plane to land in Cuba with Snowden aboard. http://www.theguardian.com/world/2013/aug/26/edward-snowden-moscow-cuba Original article in Russian: http://kommersant.ru/doc/2263705

https://www.usenix.org/conference/usenixsecurity13/let-me-answer-you-exploiting-broadcast-information-cellular-networks
http://www.technologyreview.com/news/518646/hacked-feature-phone-can-block-other-peoples-calls/

“By making simple modifications to common Motorola phones, researchers in Berlin have shown they can block calls and text messages intended for nearby people connected to the same cellular network. The method works on the second-generation (2G) GSM networks that are the most common type of cell network worldwide. In the U.S., both AT&T and T-Mobile carry calls and text messages using GSM networks.

The attack involves modifying a phone’s embedded software so that it can trick the network out of delivering incoming calls or SMS messages to the intended recipients. In theory, one phone could block service to all subscribers served by base stations within a network coverage area known as a location area, says Jean-Pierre Seifert, who heads a telecommunications security research group at the Technical University of Berlin. Seifert and colleagues presented a paper on the technique at the Usenix Security Symposium in Washington, D.C., last week. An online video demonstrates the attack in action.

Seifert’s group modified the embedded software, or “firmware,” on a chip called the baseband processor, the component of a mobile phone that controls how it communicates with a network’s transmission towers.

In normal situations, when a call or SMS is sent over the network, a cellular tower “pages” nearby devices to find the one that should receive it. Normally, only the proper phone will answer—by, in effect, saying “It’s me,” as Seifert puts it. Then the actual call or SMS goes through.

The rewritten firmware can block calls because it can respond to paging faster than a victim’s phone can. When the network sends out a page, the modified phone says “It’s me” first, and the victim’s phone never receives it.

“If you respond faster to the network, the network tries to establish a service with you as an attacker,” says Nico Golde, a researcher in Seifert’s group. That’s enough to stall communications in a location area, which in Berlin average 200 square kilometers in size. The group didn’t design the hack to actually listen to the call or SMS but just hijacked the paging process.”
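The paging race the article describes, as an added toy model in Python. This is not the researchers’ code and has nothing to do with real baseband firmware: the tower, handsets, TMSI values and microsecond reply delays are all constructed, and the tower’s rule (“first ‘It’s me’ gets the channel, later replies are ignored”) is the simplification the quote itself gives. What the model makes concrete is that the outcome is decided purely by who answers first, which is why the defence has to come from the network side (the tower must not bind service to an unverified responder) rather than from anything the victim’s handset can do.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Page:
    """Broadcast from the tower: 'whoever holds this TMSI, answer me'."""
    tmsi: int
    sent_at_us: int


@dataclass(frozen=True)
class PagingResponse:
    """A handset's 'It's me' reply, time-stamped at arrival on the tower side."""
    tmsi: int
    sender: str
    arrived_at_us: int


class Handset:
    """Stock phone: answers only pages carrying its own TMSI, after its normal reply delay."""

    def __init__(self, name: str, tmsi: int, reply_delay_us: int):
        self.name, self.tmsi, self.reply_delay_us = name, tmsi, reply_delay_us

    def on_page(self, page: Page) -> Optional[PagingResponse]:
        if page.tmsi != self.tmsi:
            return None
        return PagingResponse(page.tmsi, self.name, page.sent_at_us + self.reply_delay_us)


class RogueHandset(Handset):
    """Modified baseband as described in the article: claims every page it hears,
    and does so with a shorter delay than a stock phone."""

    def on_page(self, page: Page) -> Optional[PagingResponse]:
        return PagingResponse(page.tmsi, self.name, page.sent_at_us + self.reply_delay_us)


class Tower:
    """Toy base station. The page goes to everyone in the location area; the first
    'It's me' gets the channel and later replies are dropped (the article's model)."""

    def __init__(self, handsets: List[Handset]):
        self.handsets = list(handsets)

    def deliver(self, tmsi: int, now_us: int = 0) -> Optional[str]:
        page = Page(tmsi, now_us)
        replies = [r for h in self.handsets if (r := h.on_page(page)) is not None]
        if not replies:
            return None  # nobody in the location area answered
        first = min(replies, key=lambda r: r.arrived_at_us)
        return first.sender  # who the network now believes it is serving


def scenario(rogue_present: bool, rogue_delay_us: int = 2_000,
             victim_delay_us: int = 5_000) -> Optional[str]:
    """Page the victim's TMSI and report who ended up with the channel.
    All names, TMSIs and delays are constructed for the model."""
    victim = Handset("victim", tmsi=0x1234ABCD, reply_delay_us=victim_delay_us)
    bystander = Handset("bystander", tmsi=0x0000FFFF, reply_delay_us=4_000)
    handsets: List[Handset] = [victim, bystander]
    if rogue_present:
        handsets.append(RogueHandset("rogue", tmsi=0, reply_delay_us=rogue_delay_us))
    return Tower(handsets).deliver(victim.tmsi)


if __name__ == "__main__":
    print("no rogue present   ->", scenario(False))
    print("faster rogue       ->", scenario(True))
    print("slower rogue       ->", scenario(True, rogue_delay_us=9_000))
```

Running it shows the three cases the quote implies: with no rogue the victim answers and gets its call; with a faster rogue the victim never sees the call even though it did answer; with a rogue that is slower than the victim nothing happens. The bystander never answers at all, because the page does not carry its TMSI, which is exactly why the rogue’s “answer everything” behaviour matters.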
