DefCon: Practical Cellphone Spying – Cell phone calls intercepted live on stage
By Chris Paget
The room was packed, and warning posters were all over the place warning people that cell phone traffic might be intercepted in the area around the talk. Expectations were high at the start of the talk, and we were about to find out whether they would be met.
In this presentation Chris is going to intercept cell phone calls, specifically GSM calls. For this purpose he uses what he calls an IMSI catcher. Critical for intercepting calls is the IMSI, the International Mobile Subscriber Identity; think of it as the GSM username. Chris built his IMSI catcher for $1,500 out of open-source software and open hardware, a fraction of the millions charged for commercial IMSI catchers.
Handsets always choose the strongest signal, and an attacker will always win that battle. Since GSM assumes that the network is trusted, the base station dictates the settings: if the base station wants to disable encryption, the phone will comply. The IMSI catcher does not have to break GSM encryption at all; it just acts as a base station and tells the phone to disable encryption. In theory the phone could warn about this behaviour, but most SIMs have that warning disabled because it would confuse users.
Because of differences in regulations between the USA and Europe, there is a frequency in both GSM spectrums that falls within the amateur (HAM) radio band and is thus governed by HAM radio regulations, which give enough leeway to run GSM across it without needing a telco license. A HAM radio license allows transmitting power of up to 1500W; Chris used only 0.25W during his demo, a very small fraction of that.
In order to spoof a network you need some information: the mobile country code, the mobile network code and the network name. All of this can easily be found on Wikipedia, and after programming these values into OpenBTS the AT&T network could reliably be spoofed. Even without spoofing these settings, 30 handsets had already associated themselves with the fake base station. After spoofing the AT&T network, over 45 handsets associated with the fake base station.
If no additional techniques are used, it may take a phone over an hour to hand over to the fake base station, but there are some tricks to make them hand over faster. Most of these techniques do not fit within the regulations for ham radio, for example disrupting the base stations around you. A noise generator and a 100W signal amplifier could disrupt GSM traffic for most of Las Vegas and force cell phones to switch over to the HAM radio frequency. This would be highly illegal, but impossible to stop. You could also spoof the advertised neighbour cells, but then you would have to transmit on a GSM-reserved frequency. Chris therefore refrained from demonstrating these techniques.
Fake base stations don’t actually have to transmit a strong signal: the GSM standards allow a base station to simply tell the handset to treat its signal as if it were stronger than it actually is. Because the network is trusted in the GSM system, the cellphone has to comply. Unfortunately this command is not supported in OpenBTS.
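A defender-side check, added here as an example and not part of Chris's talk or of OpenBTS: given what a handset can observe about its serving cell, it flags the tells described above (a cell that switches encryption off, advertises a name that does not match its MCC/MNC, sits in amateur spectrum rather than a licensed GSM downlink band, or advertises an offset so the handset treats it as stronger than measured). The band edges, the operator registry and the observations are constructed sample values, and the "treat me as stronger" command is modelled as the CELL_RESELECT_OFFSET parameter, which is assumed to be the mechanism the talk refers to.

```python
from dataclasses import dataclass

# Assumed band plan for this example: US licensed GSM downlink ranges (MHz)
# and the 33 cm amateur band. A real detector should load the local channel plan.
LICENSED_DOWNLINK_MHZ = {"GSM-850": (869.0, 894.0), "PCS-1900": (1930.0, 1990.0)}
AMATEUR_33CM_MHZ = (902.0, 928.0)

# Constructed operator registry: (MCC, MNC) -> network name the handset should see.
KNOWN_OPERATORS = {("310", "410"): "AT&T"}


@dataclass
class CellObservation:
    mcc: str                 # mobile country code broadcast by the cell
    mnc: str                 # mobile network code broadcast by the cell
    network_name: str        # operator name the cell tells the handset to display
    downlink_mhz: float      # downlink frequency the handset camped on
    cipher: str              # ciphering mode commanded by the network; "A5/0" means none
    reselect_offset_db: int  # CELL_RESELECT_OFFSET advertised by the cell, 0 if absent


def rogue_indicators(cell: CellObservation, operators=KNOWN_OPERATORS) -> list:
    """Return the reasons (possibly none) why this cell looks like a fake base station."""
    reasons = []
    expected = operators.get((cell.mcc, cell.mnc))
    if expected is None:
        reasons.append("unknown MCC/MNC")
    elif expected != cell.network_name:
        reasons.append("network name does not match MCC/MNC")
    f = cell.downlink_mhz
    if AMATEUR_33CM_MHZ[0] <= f <= AMATEUR_33CM_MHZ[1]:
        reasons.append("downlink inside 33 cm amateur band")
    elif not any(lo <= f <= hi for lo, hi in LICENSED_DOWNLINK_MHZ.values()):
        reasons.append("downlink outside licensed GSM bands")
    if cell.cipher == "A5/0":
        reasons.append("network switched encryption off (A5/0)")
    if cell.reselect_offset_db > 0:
        reasons.append("cell tells handset to treat it as stronger than measured")
    return reasons


# Constructed observations: a normal AT&T cell and one that copies its identity.
GENUINE = CellObservation("310", "410", "AT&T", 880.0, "A5/1", 0)
SPOOFED = CellObservation("310", "410", "AT&T", 915.0, "A5/0", 20)

if __name__ == "__main__":
    for label, cell in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, rogue_indicators(cell) or ["no indicators"])
```

Note that the MCC/MNC check alone never catches the spoofed cell, since those values are copied from the real network; the encryption and band checks are what separate the two.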
Is there a solution to prevent these attacks on GSM 2G? GSM 2G is seriously broken. You can compare it to the telnet vs. ssh situation: “2G is telnet and 3G is ssh”.
Chris did not play back any of the captured calls live on stage for fear of legal consequences, but cell phone calls were captured live on stage.
Thanks for the information about GSM, I learned something new.