
Phone Firewall Identifies Rogue Cell Towers Trying to Intercept Your Calls - deanclatworthy
http://www.wired.com/2014/09/cryptophone-firewall-identifies-rogue-cell-towers/
======
josho
_”someone can send a message straight to your base station to operate the
camera in your phone, and the firewall will show you that the camera has been
actuated [even though] the user hasn’t pressed a button to do it.”_

You've got to be kidding me. The GSM/HSDPA specs provide for the ability to
remotely control my cell phone camera? What other gems does the spec provide
that ATT/Verizon/Phantom Cell towers can do that people aren't aware of?

~~~
a-priori
No, they're talking about an exploit for the phone's baseband software. All
the radio signal processing and the lower layers of the cellular network stack
in a cell phone happens on a dedicated chip, the baseband processor.
Presumably, they deliver an exploit for its software, e.g. by exploiting a
buffer overrun in the baseband processor's HSDPA stack, to install malware
code of some kind on this processor.

Because it's not on the CPU, it's invisible to the phone's main operating
system and bypasses all its security and process isolation. And, since these
chips run real-time operating systems, a low-priority task is guaranteed to
never interrupt a higher-priority task running on the chip, so the payload would
not affect cellular communications (cellular protocols have tight timing
constraints).

Because the baseband processor is also attached to the phone's system bus
(that's how the CPU sends it commands), it can use it to control other devices
on the bus, such as the camera.

This is a very devious attack because it's almost impossible to detect, and
allows deep access to the phone's hardware.

~~~
jacquesm
Very scary that such buses are multi-master to begin with; that's simply
asking for trouble. It makes _every_ device on the bus a potential target for
exploits; after all, once you have gained a beach-head on the baseband
processor you can use that to attempt to exploit the other devices (insofar
as that is still a requirement, but possibly there are other buses not
directly visible from the baseband processor) at will.

Back in the day there was an HF hack that allowed a remote operator to listen
in on conversations in the room by using the fact that such signals would
totally ignore the 'on hook' disconnect of old-style 'wired' phones ('POTS');
these baseband processors are a _much_ worse instance of the same phenomenon.
Not that it matters much; after all, if you have access to the cell phone
towers you can listen in on whatever you want, so taking pictures is of a lower
threat level (to me) than listening in on random conversations in the vicinity
of the phone.

~~~
bravo22
The buses aren't multi-master. They're often USB or SDIO. They would use the
bus to deliver another exploit directly to a CPU driver, which is often running
in the supervisor ring, i.e. with kernel privilege.

~~~
disjointrevelry
At least for some of the Samsung phones, which are quickly becoming popular for
custom Android-based operating systems.

Some setups with an independent USB link to a baseband module can still control
the bus to other devices by exploiting USB host modes (i.e. if the log output
indicates it can no longer control/communicate with the USB, or the USB
disconnected, then it is very likely the USB bus was hijacked by another
device).

Other phones still have some type of bus overlap, and they provide no way to
block the baseband chip from accessing other devices on the shared bus.

Even then, this is not an easy task, as the baseband chip would be competing
with the processor chip in accessing devices.

edit: It is possible that in future revisions, SoC chips in mobile phones in the
US will include capabilities to control the phone irrespective of the running
soft OS. As of now there are very few phone manufacturers that include open
access to the phone's hardware and the processor. It's a hunch that US
companies will try to blockade open phones, as foreign phones, particularly
Samsung/LG/HTC, are providing a way for secure phones to be developed. Apple's
attempts and level of aggression to blockade Samsung all around the world were
incredibly suspicious, to say the least, and only S. Jobs sycophants tend to
think it was for 'competitive' value. The US is fast becoming a strange place.

------
aftbit
This was posted yesterday on a similar story. It really comes down to
detecting cases where the IMSI catcher operates differently than the normal
towers. But a lot of those are lost in the noise of different carriers. One of
the stronger signals is a forced downgrade to GSM, with no encryption.

[http://www.sba-research.org/wp-content/uploads/publications/...](http://www.sba-research.org/wp-content/uploads/publications/AdrianDabrowski-IMSI-Catcher-Catcher-ACSAC2014-preprint-20140820.pdf)

------
higherpurpose
Since this seems to be happening to a _lot_ of people in the US, since the base
stations attack everyone in range, I would think it's a _pretty high_ security
priority for both Google and Apple, and they should implement protections
against this sort of attack in their operating systems.

------
ihsw
How would it distinguish from mobile cell sites[1], which are deployed by
carriers to areas where _temporary_ higher capacity necessitates their use,
and IMSI catchers operated by law-enforcement?

It does mention protection against attacks which downgrade secure connections
to insecure connections, which is good.

[1]
[http://en.wikipedia.org/wiki/Mobile_cell_sites](http://en.wikipedia.org/wiki/Mobile_cell_sites)

~~~
schoen
There are a few different strategies for detecting IMSI catchers (though I'm
not convinced that everybody working in this space has completely thought the
threats through: some of the tools seem very focused on a single attribute
they expect to see from the IMSI catcher). The mobile sites may conceivably
still have proper encryption support, so if the feature you're looking for is
"ciphering absent or downgraded", you shouldn't necessarily get false
positives from them.

~~~
schoen
There's now a front page HN item submitted by alexduggleby which points to

[https://www.sba-research.org/wp-content/uploads/publications...](https://www.sba-research.org/wp-content/uploads/publications/AdrianDabrowski-IMSI-Catcher-Catcher-ACSAC2014-preprint-20140820.pdf)

which is a new academic paper on catching IMSI catchers. Their Table 1 (on
page 5 of the paper) lists 12 possible ways of detecting IMSI catchers.

I suspect there are still others, but that list is pretty thorough! I would
add "implausible service area overlap" (the basic case being seeing a tower of
carrier A and a tower of carrier B simultaneously, when carrier A and B serve
different countries that don't have territory within 50 km of one another).
For example, there was a report that a Uganda Telecom tower was seen near the
Ecuadorian embassy in London, where Julian Assange is staying. Even without a
tower-by-tower location database, you could conclude that Ugandan and UK base
station signals shouldn't be observed at the same location.
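Two of the heuristics discussed in this thread, the forced downgrade to unciphered GSM (aftbit's comment above) and schoen's "implausible service area overlap", written out as a small checker over constructed cell observations. This is an added example, not code from the CryptoPhone product or the SBA Research paper; the MCC table and the "close pairs" list are constructed and deliberately partial.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed lookup tables (partial): Mobile Country Code -> country, and
# country pairs whose territory lies within roughly 50 km of each other.
MCC_COUNTRY = {"234": "GB", "235": "GB", "208": "FR", "641": "UG",
               "262": "DE", "206": "BE"}
CLOSE_PAIRS = {frozenset(p) for p in
               [("GB", "FR"), ("DE", "BE"), ("FR", "BE"), ("DE", "FR")]}
# Radio access technology ranked by generation; a falling rank is a downgrade.
RAT_RANK = {"LTE": 3, "UMTS": 2, "GSM": 1}


@dataclass
class Cell:
    """One observed cell: country code, radio technology, link ciphered or not."""
    mcc: str
    rat: str
    ciphered: bool


def implausible_overlap(scan):
    """Country pairs seen in one scan that do not serve territory within ~50 km.

    Unknown MCCs are ignored rather than flagged, to limit false positives.
    """
    countries = sorted({MCC_COUNTRY[c.mcc] for c in scan if c.mcc in MCC_COUNTRY})
    return [(a, b) for a, b in combinations(countries, 2)
            if frozenset((a, b)) not in CLOSE_PAIRS]


def downgrade_events(history):
    """Scan a time-ordered list of serving cells for RAT downgrades and cipher loss."""
    events = []
    for prev, cur in zip(history, history[1:]):
        if RAT_RANK[cur.rat] < RAT_RANK[prev.rat]:
            events.append(f"RAT downgrade {prev.rat}->{cur.rat}")
        if prev.ciphered and not cur.ciphered:
            events.append("ciphering dropped")
    return events


def risk_report(scan, history):
    """Combine both heuristics; either one firing marks the environment suspicious."""
    overlaps = implausible_overlap(scan)
    events = downgrade_events(history)
    return {"implausible_overlap": overlaps, "downgrade_events": events,
            "suspicious": bool(overlaps or events)}


if __name__ == "__main__":
    # Constructed scenario: a UK phone sees a Ugandan cell and is pushed to unciphered GSM.
    scan = [Cell("234", "LTE", True), Cell("641", "GSM", False)]
    history = [Cell("234", "LTE", True), Cell("234", "UMTS", True), Cell("234", "GSM", False)]
    print(risk_report(scan, history))
```

As the thread notes, a carrier's temporary mobile cell site would normally keep ciphering and sit in the expected country, so it trips neither check.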

------
tombrossman
I'd love to have this firewall installed on my phone. Is this something that
can be installed on an Android handset? The closest thing I can find is this XDA
thread: [http://forum.xda-developers.com/showthread.php?t=1422969](http://forum.xda-developers.com/showthread.php?t=1422969)

~~~
ampersandy
The last paragraph sums it up:

    He says he can envision a consumer-level app in the future that could be installed on phones by individuals. Although such an app wouldn't have all of the same functionality as the robust firewall has, it would still be able to alert you to a rogue cell tower. There are currently no plans for an app, however.

~~~
alttab
Sounds like it can be done, but it won't be by them. Have they patented the
technology, or is it even possible with standard Android SDK?

~~~
NickNameNick
I suspect you would have to flash your own baseband firmware.

------
GrinningFool
What the hell. Some good PR is all I can say here. More free advertising for
"CryptoPhone 500".

------
jrochkind1
So a friend of mine who knows more about this technology says this is all BS,
and the company has not in fact demonstrated that rogue cell towers trying to
intercept your calls is what is being identified, rather than normal
functioning of the cell network.

I don't know enough about the tech to judge.

But I bet someone here does. Anyone have a comment?

------
lsh123
dup
[https://news.ycombinator.com/item?id=8261505](https://news.ycombinator.com/item?id=8261505)

~~~
BrandonMarc
Not exactly a dupe; while both describe the tech in question, the Venture Beat
story is more focused on wondering who's running these "rogue" towers. Both
articles are quite informative.

------
korzun
Viral marketing.

