DEF CON 19 - hackers get hacked (seclists.org)
192 points by Garbage on Aug 10, 2011 | hide | past | favorite | 64 comments



So I was at DEFCON 19 and I'm 90% sure my Sprint 4G Android was hacked. When I make calls there is a beep on the line every few minutes so I'm guessing someone managed to set up some recording of my calls. I've changed all my passwords and reflashed the phone back to factory defaults + latest copy of the firmware from HTC's website.

Also, I only realized AFTER a few minutes of (failed) use that my Verizon 4G card was being MiTM'd as I had full strength but no connectivity.

What I don't understand is how this vector occurred (on the Android phone) given it is no different to connecting over public (open) wifi - anyone can read packets and so the connections between Google Apps (for example) are supposed to be encrypted.

My only guess is that my phone auto-downloaded a patch that was poisoned and the security failure here is that the phone assumes any patch fed to it over the mobile network must be trustworthy. :/


"What I don't understand is how this vector occurred (on the Android phone) given it is no different to connecting over public (open) wifi"

See the talk from BlackHat titled "Femtocells: a poisonous needle in the operator's haystack"

http://femto.sec.t-labs.tu-berlin.de/bh2011.pdf

Basically, they set up a rogue femtocell, you connected to it as you walked by and voila. It would also explain why you sometimes couldn't make calls (you need to be within 15 feet of most femtos to make a call, but you still have signal strength up to 40 feet).


Sure, but my point is more to do with the fact you can MiTM Wifi base-stations and poison DNS for the URLs to updates... the point is why was the phone more susceptible via 4G than Wifi?

Also, from what I can tell this wasn't a femto-cell but a significant antenna, perhaps even telco industry-grade.


For what it's worth, a fellow hacker/attendee of DEF CON has contacted me to confirm Coderman's reports.

He wasn't willing to say much else, only that the attack was very sophisticated and likely to be the work of top-notch professionals.


No they always check the signature before applying the patch.


Check it against what? A pwned digest?


Unless you're rooted the updates are checked with the public key to make sure they are signed with the correct private key. Unless Google lost their set of private keys it wouldn't be possible to modify the update.

It's entirely possible there are other exploits but a modified update.zip is not a likely vector.
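The check the comment above describes, as an added example that is not code from the thread or from Android itself: a device trusts only the vendor public key baked into its firmware, so a package altered in transit, or signed by anyone else, fails verification. The package layout and the use of Ed25519 over a SHA-256 digest are constructed stand-ins for Android's real update.zip signature scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for an OTA update: the payload the
// device would apply plus a detached signature made with the vendor's key.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is what the vendor's build system does: hash the payload and sign
// the digest with a private key that never leaves the vendor.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the check the device runs before applying an update. It
// trusts only the public key shipped in the firmware, so a package delivered
// over a rogue base station still has to carry a valid vendor signature.
func VerifyUpdate(trusted ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(trusted, digest[:], pkg.Signature) {
		return errors.New("signature does not match trusted vendor key")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := SignUpdate(vendorPriv, []byte("update.zip: constructed sample payload"))
	fmt.Println("genuine:", VerifyUpdate(vendorPub, pkg))

	// A network-level attacker can change bytes in transit but cannot re-sign.
	tampered := pkg
	tampered.Payload = bytes.Replace(pkg.Payload, []byte("sample"), []byte("hostile"), 1)
	fmt.Println("tampered:", VerifyUpdate(vendorPub, tampered))

	// A package signed with some other key does not pass as the vendor's either.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("other key:", VerifyUpdate(vendorPub, SignUpdate(otherPriv, pkg.Payload)))
}
```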


I'd be willing to bet that 90% of people at Defcon with Androids had them rooted. Many were probably running custom ROMs.


Then you'd be even more suspicious if a carrier OTA popped up on your phone.


I heard that there was a hack that went on whereby someone was on the phone in the elevators at the Rio and their entire conversation was played over the speakers in the elevator bank. Friend of mine said he was in the elevator at the time and that it was hilarious. Could have been a bluetooth hack though.

Also plenty of people on Sprint's network had full bars but could make absolutely no calls and data was extremely slow, but about half a block from the Rio everything worked perfectly again, now it could well be that they were handed off to a different tower, but people on AT&T and T-Mobile weren't having the same issues.

DefCon this year was awesome. Plenty of fun to be had, and as more and more people start carrying around cell phones that are more powerful these attacks will continue to be developed and continue to be exploited.


> Also plenty of people on Sprint's network had full bars but could make absolutely no calls and data was extremely slow, but about half a block from the Rio everything worked perfectly again, now it could well be that they were handed off to a different tower, but people on AT&T and T-Mobile weren't having the same issues.

I was definitely having the same issues on AT&T. Falling back to SMS instead of voice or Twitter for communication worked a lot better for coordinating things, although the lag was an issue.


I was in Vegas this past week, but not for Defcon and I was on the Strip, not at the Rio, and still had flaky service. However, I've always had flaky service when on the strip. I am able to make calls, but it would delay before the phone started ringing, text messages would hang longer than usual, and 3G data transfers were painfully slow. But again, nothing out of the ordinary for that part of town.


So it's clear: this post claims that there is a man-in-the-middle attack possible over 4G networks that allows an attacker to own and capture data from an Android device, including texts and calls. If this is true, and if the media gets around to this, enterprise deployments of Android devices are truly screwed.


It's not the same scope as a claimed 4G attack, but you can already intercept voice and some data on every US GSM network with openbts/gnu-radio; it's pretty trivial to set up an IMSI-catcher with them. This[1] is from Defcon 18 in 2010; I've recently watched someone set up a rogue tower in a lab environment.

(This probably goes without saying, but I'll say it anyway; if you do this in the wild and you don't take precautions for handling emergency calls, you're probably a bad person.)

GSM implementation insecurity hasn't affected iphone or blackberry enterprise deployment, not sure why it would affect android.

1) http://www.tombom.co.uk/blog/?p=244


This has nothing to do with android, FUD aside.


The exploit code targeted 4G users on Android, so yes, Android was (one of) the attack vectors. Or rather, certain carriers' poor implementations of 4G on Android.


Or he connected to a wifi network masked as a mobile broadband connection that you would usually connect to.


You can't mask wifi as a mobile broadband connection. (If you know how to do it, please share - I'd be interested to know!)

I'd venture to guess they hacked some of the femtocell gear, or maybe used the gear from the openbts project for evil.

It's sad, really. These people are not too stupid at least in the technology area. It would be so great to have their skills directed at making the world good. Like, providing the connectivity somewhere in the villages in lalaland far away. Alas.


I think doing it in a place where people will (eventually) figure it out helps. Have fun at someone's expense, but get the genie out of the bottle and in front of the public a bit faster so we know it can be done and get it fixed.

Some of my friends bring burner/throwaway/blank phones to Defcon, and this is why.


I agree with the fact that doing it at Defcon is ten times better than doing it at, say, LeWeb.

But I question the overall value of this activity for the society, compared to other things.


I guess not everyone is as altruistic as you, dedicating their time to societally useful things like talking about intercepting cell phone communications on HN.


Touche.

Commenting is indeed a time sink.

I'll try to do it less. Thanks.


Not saying this was what happened, but my netbook lists my broadband as Verizon Broadband Connection and displays it under wireless networks. If someone were to make a publicly available wifi hotspot under the same name, there is the possibility that someone not expecting this could connect to the hotspot instead. Very low tech in nature, but just a random possibility.


While in the US I've seen devices that have a SIM card and WiFi. I don't remember if it was Verizon or not, though. It could be that you use one of these?

Or you insert the SIM card into the notebook itself? If yes, I would be curious to know which OS it is - I remember seeing that Windows grouped the 3G and WiFi connection settings into the same dialog, but since I do not use Windows at all nor have laptop h/w which would grok a SIM card, I can't check.

And the theory you describe with the same SSID - indeed that would be very much possible to pull off. Assuming there is a nation-wide standardized SSID, it could easily trick people into connecting to it.


Mine has it built in, and it's a Windows netbook. The wifi and 3g are indeed grouped together and the name is pretty standardized, and I am pretty sure other 3g providers might offer the same standardization of their naming schemes.

Additionally, there are times my 3g connection does not show up correctly and I have to initiate it by dialing out (#777 I believe) as if it's a modem - but if the SSID of a wifi connection were there I could see someone who was not fully paying attention to click on that by accident when the default one does not show up right away.


Wow, interesting, thanks! Hopefully at least the icons are different... If not - it's worth complaining about that somewhere so the MS folks can fix that - since it's a fairly obvious hole to exploit (and not too difficult to fix).

Any chance you might find some time to make some screenshots and blog post them?


Here you go - http://i.imgur.com/GgDAJ.jpg

The Mobile Broadband Connection doesn't always show up, leaving the Wireless Network Connection list at the top. In this case you now see two entries for "Verizon Wireless" - the top being my broadband connection, the second one being my wireless router's SSID. Without paying attention and just working off of muscle memory it is feasible to go to an open network acting maliciously without realizing it.


Indeed - in a hurry it is very much possible to make a mistake (also, an average mom or pop would not necessarily know the difference between the "wireless" and "broadband"...)

Mind if I steal this pic for a blog post? (Or if you planned a write-up, I'd be interested in a URL. It's worth making a bit of noise around it so the MS guys think of it as a problem worth solving.)


Go for it - I don't have time for a proper write-up - would be interested in hearing about it if you do write something :)


Sure - will reply to this thread later on with one. Will change my SSID at home to match as well for real comparison.


> You can't mask wifi as a mobile broadband connection. (If you know how to do it, please share - I'd be interested to know!)

No argument here, I'm not an expert... but isn't this exactly what the microcell devices that AT&T (etc) are giving to customers do? You set it up on your home broadband and nearby users invisibly use that "tower" and it goes over your home network.


There are multiple kinds of devices. Femtocell is basically a little cell tower that is in your home/business. UMA is when you can do voice over WiFi and it was backed by T-Mobile, but they have shied away from it and not introduced it with Android. It's somewhat tricky and needs phone support (for the handoffs between networks), whereas any phone can support femtocell.


Voice over WIFI is doable with Android. The latest update to my Vibrant installed the feature.


Good to see, I had missed that T-Mobile made the UMA move on Android. Does it do the seamless handoffs or do you have to make a call either over the cellular network or WiFi?


It's a pretty good troll, but the chances of it being true are very low. I think someone attended the excellent talk: "Femtocells: a Poisonous Needle in the Operator's Hay Stack" [1] about 3G MITM and got inspired to have a bit of a laugh.

This is so far into the "state sponsored only" realm that if you'd actually pulled it off and were bragging about it you'd provide some kind of proof instead of generic symptoms designed to make people paranoid.

I'm pretty surprised at all the media outlets that are carrying this and people taking it at face value. Anyone can write up something and send it to a mailing list - remember that full disclosure is pretty much ground zero for security trolling.

[1] http://www.slideshare.net/zahidtg/femtocells-a-poisonous-nee...


So the people who make the 3G and 4G standards made them pretty secure. Those are not broken. What's broken is the implementation. The carriers are not the ones developing the technology, so they do boneheaded things like making the client identifiers sequential or using the wrong verification schemes. I would be willing to bet that if there is some kind of exploit here, it's due to the specific implementation.


Exactly, it sounds as if the mitm attack wasn't based on hijacking a broadcast, but on redirecting data/voice/sms/etc. from a cracked device to a network of the attacker's choosing. The redirection wasn't based on fooling the phone into connecting, it was based on explicitly changing the network the phone connected to.

A very interesting attack, but not interesting in the sense that cdma/wimax (perhaps LTE too?) is unsafe but in the sense that there are serious vulnerabilities in the network stack for android.


I'd like to know what he means by "4G". HSDPA (could probably be done really easily with a hacked AT&T femtocell)? WiMAX? LTE?


He mentions CDMA, so I guess it's WiMax.


That doesn't really mean anything. Sprint's the only CDMA carrier that's deployed WiMAX, Verizon and MetroPCS have both deployed LTE. And there's nothing implying he's talking about the same phones, so he could just as easily be talking about HSPA ("4G")


The atmosphere seems to be so rife with paranoia that it looks best not to take any digital device with you there.


A pen and paper would probably do just fine for taking the odd note.

However I'd probably take a cheap old laptop off ebay, bought for the event and then discarded afterward. I'd feel I was missing out if I wasn't able to at least dip a packet sniffer into the famously hellish torrent of exploits I've heard so much about. I'd never take any of my personal machines though.


One year I took a pocket-sized notebook and a slide rule. The next year I took an iPhone and an Eee PC. I experienced the same level of hacking both times.


Wow, what'd they do to the slide rule?


Speaking of packet sniffers, DEFCON would be, by far, the best event to try out a Wireshark packet dissector 0-day!


There's plenty of those to go around...


That's a little extreme. Unless you expect them to get into your low level hardware (BIOS etc), just format it clean afterwards.


Always have an obscure old phone with almost no features (except voice and text). Generally the OS is so minimal that there's little room for an exploit, and by little room I mean that you will not have enough memory to add your rootkit.


Obscure old phones are fairly trivially exploitable via SMS. Check the CCC presos from last December if you are interested.

One link I readily found was http://www.youtube.com/watch?v=8bkg3AjY6fs but maybe there was more than one preso, I don't remember.

If I were to go to this gathering, I'd go with a pen, paper, and a video camera.


You hopefully also don't have any phone conversations or send any text messages you mind becoming public? GSM is thoroughly broken.


I don't really care about my phone conversations or text messages. If I need privacy I use other media.

However I would mind being rootkited, as it could serve as an entry point to infect other systems.


If you're in the UK, take a phone with a Three sim card in it, they can't connect at all without 3G.


Is 3G really that much more secure than GSM?

http://eprint.iacr.org/2010/013.pdf


From what I've been told, yes, but I could be utterly wrong.


That works for you, it won't work for everyone. UMTS and LTE don't have the capacity to replace GSM, not even close, they can barely keep up with the growth of additional demand. GSM is broken and here to stay for a long, long time.


The Motorola RAZR (and probably similar phones) have serious exploits and backdoors.

See: http://news.cnet.com/2100-1029-6140191.html


With all due respect to "coderman", but I think that I'd like to see some proof of what he's mentioning. If what he says is true, someone has created a system that automatically man-in-the-middles all mobile connections, and then intelligently exploits them with increasingly more sophisticated exploits? Please forgive me if I'm a little skeptical.


Friend of mine came back from Defcon complaining of some of the exact same symptoms as those listed by coderman and said he'd be DBANning his phone later.


Funny story, there was an Android SW upgrade on Verizon that weekend. I was halfway across the world and I accepted. I guess I'm boned! :( Powerful MITM.


Yeah, I hate to say it, but as an android user half those symptoms are typical, especially in heavily congested areas, and the other half could be explained with a half-cooked update, which is also typical.


The advice I got from some barcamp peeps was "do not bring anything to DEFCON that you can't afford to get hacked". One fellow is a security consultant and the other manages networks for a financial institution. They could have been being dramatic for effect, but why risk it? I know enough about programming to know that I cannot secure my devices against a determined foe (unless you count the power button - but hey, there's conspiracy theories there too, right?).

So the advice was: disposable pay-as-you-go phone and craigslist it afterwards. Same for laptop. Don't bring them home.


I think we need more clarity here. I would like to know what "4g" was MiTM'd. This makes a huge difference as it will lead to further research on that network.


Curious: were any iPhones/iPads hacked?


Probably by the carload, but not by this exploit, since they aren't using 4G...



