
So it's clear: this post claims that there is a man-in-the-middle attack possible over 4G networks that allows an attacker to own and capture data from an Android device, including texts and calls. If this is true, and if the media gets around to this, enterprise deployments of Android devices are truly screwed.



It's not the same scope as a claimed 4G attack, but you can already intercept voice and some data on every US GSM network with openbts/gnu-radio; it's pretty trivial to set up an IMSI-catcher with them. This[1] is from Defcon 18 in 2010; I've recently watched someone set up a rogue tower in a lab environment.

(This probably goes without saying, but I'll say it anyway; if you do this in the wild and you don't take precautions for handling emergency calls, you're probably a bad person.)

GSM implementation insecurity hasn't affected iphone or blackberry enterprise deployment, not sure why it would affect android.

[1] http://www.tombom.co.uk/blog/?p=244


This has nothing to do with android, FUD aside.


The exploit code targeted 4G users on Android, so yes, Android was (one of) the attack vectors. Or rather, certain carriers' poor implementations of 4G on Android.


Or he connected to a wifi network masked as a mobile broadband connection that you would usually connect to.


You can't mask wifi as a mobile broadband connection. (If you know how to do it, please share - I'd be interested to know!)

I'd venture to guess they hacked some of the femtocell gear, or maybe used the gear from the openbts project for evil.

It's sad, really. These people are not too stupid at least in the technology area. It would be so great to have their skills directed at making the world good. Like, providing the connectivity somewhere in the villages in lalaland far away. Alas.


I think doing it in a place where people will (eventually) figure it out helps. Have fun at someone's expense, but get the genie out of the bottle and in front of the public a bit faster so we know it can be done and get it fixed.

Some of my friends bring burner/throwaway/blank phones to Defcon, and this is why.


I agree with the fact that doing it at Defcon is ten times better than doing it at, say, LeWeb.

But I question the overall value of this activity for the society, compared to other things.


I guess not everyone is as altruistic as you, dedicating their time to societally useful things like talking about intercepting cell phone communications on HN.


Touché.

Commenting is indeed a time sink.

I'll try to do it less. Thanks.


Not saying this was what happened, but my netbook lists my broadband as Verizon Broadband Connection and displays it under wireless networks. If someone were to make a publicly available wifi hotspot under the same name, there is the possibility that someone, not expecting the possibility of this to happen, connects to the hotspot instead. Very low tech in nature, but just a random possibility.


While in the US I've seen devices that have a SIM card and WiFi. I don't remember if it was Verizon or not, though. It could be that you use one of these?

Or you insert the SIM card into the notebook itself? If yes, would be curious to know which OS it is - I remember seeing that Windows grouped the 3G and WiFi connection settings into the same dialog, but since I do not use Windows at all nor have a laptop h/w which would grok a SIM card, can't check.

And the theory you describe with the same SSID - indeed that would be very much possible to pull off. Assuming there is a nation-wide standardized SSID, it could easily trick people into connecting to it.


Mine has it built in, and it's a Windows netbook. The wifi and 3g are indeed grouped together and the name is pretty standardized, and I am pretty sure other 3g providers might offer the same standardization of their naming schemes.

Additionally, there are times my 3g connection does not show up correctly and I have to initiate it by dialing out (#777 I believe) as if it's a modem - but if the SSID of a wifi connection were there I could see someone who was not fully paying attention clicking on that by accident when the default one does not show up right away.


Wow, interesting, thanks! Hopefully at least the icons are different... If not - it's worth complaining about that somewhere so the MS folks can fix that - since it's a fairly obvious hole to exploit (and not too difficult to fix).

Any chance you might find some time to make some screenshots and blogpost them?


Here you go - http://i.imgur.com/GgDAJ.jpg

The Mobile Broadband Connection doesn't always show up, leaving the Wireless Network Connection list at the top. In this case you now see two entries for "Verizon Wireless" - the top being my broadband connection, the second one being my wireless router's SSID. Without paying attention and just working off of muscle memory it is feasible to go to an open network acting maliciously without realizing it.


Indeed - in a hurry it is very much possible indeed to make a mistake (also, an average mom or pop would not necessarily know the difference between the "wireless" and "broadband"...)

Mind if I steal this pic for a blog post? (Or if you planned a write-up, I'd be interested in a URL. It's worth making a bit of noise around it so the MS guys think of it as a problem worth solving.)


Go for it - I don't have time for a proper write-up - would be interested in hearing about it if you do write something :)


Sure - will reply to this thread later on with one. Will change my SSID at home to match as well for real comparison.


> You can't mask wifi as a mobile broadband connection. (If you know how to do it, please share - I'd be interested to know!)

No argument here, I'm not an expert... but isn't this exactly what the microcell devices that AT&T (etc) are giving to customers do? You set it up on your home broadband and nearby users invisibly use that "tower" and it goes over your home network.


There are multiple kinds of devices. Femtocell is basically a little cell tower that is in your home/business. UMA is when you can do voice over WiFi and it was backed by T-Mobile, but they have shied away from it and not introduced it with Android. It's somewhat tricky and needs phone support (for the handoffs between networks), whereas any phone can support femtocell.


Voice over WIFI is doable with Android. The latest update to my Vibrant installed the feature.


Good to see, I had missed that T-Mobile made the UMA move on Android. Does it do the seamless handoffs or do you have to make a call either over the cellular network or WiFi?



