This post gives the internals of the attack.

The below three are used to make this eavesdropping possible.
>miniature GSM cell phone tower
>Open Source Software
>Laptop

"GSM is the telnet of cell phone standards," stated Paget several times, alluding to the cellular service's basic -- and bypassable -- approach to security and authentication. Most disturbingly, he established a way to intercept and redirect phone calls with nothing more than a laptop, open source software, and around $1500 in off-the-shelf equipment.

Paget replicated an IMSI catcher, a virtual base station specifically designed to identify the subscriber ID information of nearby GSM phones and intercept their calls. The GSM specification requires handsets to authenticate themselves to the network, but does not require the network to authenticate itself to handsets, so the IMSI catcher appears as a base station and starts logging data of GSM mobile phones as they attach to it. If that wasn't bad enough, the IMSI catcher can also force phones to connect to it without encryption, making all call data easy to intercept and voice calls conducted "in the clear" for easy recording.

Used by some law enforcement and intelligence agencies, Paget said an off-the-shelf IMSI catcher costs in the range of $100,000. However, the functionality of a GSM network has been replicated by OpenBTS, a GSM-network side protocol stack with a SIP network interface and integrated radio management. Put OpenBTS together with off-the-shelf radio hardware plus a Digium Asterisk PBX and an enterprising person could build anything from a mobile cell site in a rural village to, well, an IMSI catcher. OpenBTS has been used to provide cellular service at the annual "Burning Man" event and on the small Pacific island of Niue.

During his on-stage demonstration, Paget was able to get about 30 phones in the audience to attach to his base station using a mere 25 milliwatts of power. He said the only practical limitation to extending the range of the setup was the GSM protocol itself -- about 35 kilometers.
Fixing this GSM security flaw has only one solution, said Paget -- shut it down, and move to 3G as fast as possible. "I want to see it happen very quickly, but it's down to the operators," Paget stated. "GSM is such a widely deployed technology with billions of handsets in use."

@TMCNET

I believe this would be the immediate concern to look and find the countermeasure

Cheers,
0xN41K

On Aug 11, 7:03 pm, Srinivas Naik <[email protected]> wrote:
> Hi Geeks,
>
> <http://www.engadget.com/2010/07/31/hacker-intercepts-phone-calls-with...>
> In 2009, Chris Paget showed the world the vulnerabilities of RFID by downloading the contents of US passports <http://www.engadget.com/2009/02/02/video-hacker-war-drives-san-franci...> from the safety of his automobile. This year, he's doing the same for mobile phones. Demonstrating at DefCon 2010, the white hat hacker fooled 17 nearby GSM phones into believing his $1,500 kit (including a laptop and two RF antennas) was a legitimate cell phone base station, and proceeded to intercept and record audience calls. "As far as your cell phones are concerned, I'm now indistinguishable from AT&T," he told the crowd. The purpose of the demonstration was to highlight a major flaw in the 2G GSM system, which directs phones to connect to the tower with the strongest signal regardless of origin -- in this case, Paget's phony tower.
>
> The hacker did caveat that his system could only intercept outbound calls, and that caller ID could tip off the owner of a handset to what's what, but he says professional IMSI catchers <http://www.engadget.com/2010/05/10/meganets-dominator-i-snoops-on-fou...> used by law enforcement don't suffer from such flaws and amateur parity would only be a matter of time. "GSM is broken," Paget said, "The primary solution is to turn it off altogether." That's a tall order for a world still very dependent on the technology for mobile connectivity, but we suppose AT&T and T-Mobile could show the way. Then again, we imagine much of that same world is still using WEP <http://www.engadget.com/2007/04/04/wep-security-gets-busted-yet-again/> and WPA1 <http://www.engadget.com/2009/08/27/wpa-networks-cracked-in-just-under...> to "secure" their WiFi.
>
> @Defcon 2010
>
> Cheers,
> 0xN41K
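The countermeasure side of the flaw described above, as an added example that is not part of the original post or the quoted articles: a Python heuristic that flags serving-cell observations showing the symptoms the articles describe (no encryption, an unfamiliar cell, a sudden move to a much stronger signal). The log format, cell identifiers, test network code 001-01 and the 20 dB threshold are constructed assumptions; A5/0 is the GSM designation for operating without ciphering.

```python
import re

# Constructed sample: serving-cell observations in a hypothetical log format
# (not taken from any real tool). 001-01 is a test network code.
SAMPLE_LOG = """\
2010-07-31T14:00:05 plmn=001-01 lac=1201 cid=40211 rxlev=-87 cipher=A5/1
2010-07-31T14:02:10 plmn=001-01 lac=1201 cid=40212 rxlev=-91 cipher=A5/1
2010-07-31T14:03:44 plmn=001-01 lac=9999 cid=1 rxlev=-52 cipher=A5/0
2010-07-31T14:09:30 plmn=001-01 lac=1201 cid=40211 rxlev=-88 cipher=A5/1
"""

# Constructed baseline of (LAC, cell ID) pairs previously seen at this location.
KNOWN_CELLS = {(1201, 40211), (1201, 40212)}

LINE = re.compile(
    r"(?P<ts>\S+) plmn=(?P<plmn>\S+) lac=(?P<lac>\d+) cid=(?P<cid>\d+) "
    r"rxlev=(?P<rx>-?\d+) cipher=(?P<cipher>\S+)"
)


def find_suspect_cells(log, known_cells, jump_db=20):
    """Return (timestamp, (lac, cid), reasons) for each suspicious observation."""
    alerts, prev = [], None
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # ignore malformed lines
        cell, rx = (int(m["lac"]), int(m["cid"])), int(m["rx"])
        reasons = []
        if m["cipher"] == "A5/0":  # A5/0 = no ciphering on the air interface
            reasons.append("unencrypted")
            if prev and prev["cipher"] != "A5/0":
                reasons.append("cipher-downgrade")
        if cell not in known_cells:
            reasons.append("unknown-cell")
        # Handsets camp on the strongest cell, so a fake tower tends to show
        # up as a reselection to a much stronger signal than the previous one.
        if prev and cell != prev["cell"] and rx - prev["rx"] >= jump_db:
            reasons.append("signal-jump")
        if reasons:
            alerts.append((m["ts"], cell, reasons))
        prev = {"cell": cell, "rx": rx, "cipher": m["cipher"]}
    return alerts


if __name__ == "__main__":
    for ts, cell, reasons in find_suspect_cells(SAMPLE_LOG, KNOWN_CELLS):
        print(ts, cell, ", ".join(reasons))
```

Any single reason can have a benign cause (a new legitimate cell, a network that really runs unciphered), so the combination of reasons on one observation is the stronger signal.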
