
Hacker Spoofs Cell Phone Tower to Intercept Calls - wglb
http://www.wired.com/threatlevel/2010/07/intercepting-cell-phone-calls/
======
fdb
This reminds me of OpenBTS, the project to create an open-source GSM
interface. A full dev kit costs about $2000.

<http://openbts.sourceforge.net/>

They've been using this system at Burning Man to operate a free experimental
cell network:

<http://pagalegba2010.wikispaces.com/PublicInformation>

~~~
noahlt
The guy who gave this talk, Chris Paget, actually used OpenBTS in his demo.

------
nimrody
I believe one of the more important differences between a GSM SIM and 3G USIM
is that the network is required to prove its identity to the user.

You can use a standard GSM 2G SIM with a 3G WCDMA network and in that case
_only_ the network requires the phone to prove its identity. With a USIM, the
network also has to prove its identity.

So you're not automatically protected when using a 3G WCDMA network. You need
to upgrade to a USIM.

Note: The above refers to 3GPP GSM/WCDMA technology. Not sure about IS-95
(Qualcomm's CDMA) and its multiple variants.

~~~
grogers
I know there are several conversion functions for a USIM to be able to
authenticate on a 2G network, but I didn't think it was possible for a 2G SIM
to register on a 3G network. Can you explain this more thoroughly?

~~~
nimrody
It all depends on the operator. A UMTS (3G) network can accept users using a
GSM SIM if the operator allows it.

Authentication is performed by the network HLR (Home location register) which
is independent of the radio technology used. The procedure/algorithms are
different for 3G-capable UEs with USIM, but the HLR can accept 2G users as
well.

Bottom line is that if your 'home carrier' (the one that produced the SIM)
allows it, you can use your SIM in any 3G network that is part of the roaming
agreement of that carrier.

------
jws
Having recently returned an AT&T 3G MicroCell after a 30 day exercise in
futility and "support" horror attempting to activate it in a rural location…
_I want one of these!_ [1]

If AT&T won't utilize the spectrum through my land for which they have been
given stewardship, then perhaps I ought to be allowed to exercise it.

[1] Except I wouldn't get incoming calls, which is more important to me than
outgoing.

~~~
tlrobinson
You could probably set up a system to get incoming calls using something like
Google Voice. Get a phone number for a VoIP account, forward GV to it and your
real cell phone number, and set up your tower to route VoIP to your handset
when it's connected.

------
leelin
This reminds me of one of the points in the End-to-End Argument by Saltzer.
The network protocol offering to encrypt the payload is broken, because the
two end clients should undertake to secure their communication if it's
necessary. In this case I have some sympathy though, because it's not easy for
two humans speaking with their voices to come up with a way to encrypt it.
Maybe the responsibility should fall on the local code running on each phone?

[http://web.mit.edu/Saltzer/www/publications/endtoend/endtoen...](http://web.mit.edu/Saltzer/www/publications/endtoend/endtoend.pdf)

Of course, I know close to nothing about radio security, so maybe the world as
it exists today is optimal but the phone makers blundered in ignoring the
insecure warning?

~~~
DrJokepu
As far as I understand the issue in this case is not the lack of end-to-end
security, it is that it's possible to trick the phone to transmit without
encryption for regular calls. Non-encrypted calls are needed because it is
important to allow making emergency calls (e.g. 911) without a SIM being
present or without a PIN number and it's the SIM card that has the encryption
key, not the handset.
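
The two points made above by nimrody (a USIM requires the network to prove its identity, a 2G SIM does not) and by DrJokepu (the handset can be ordered to run a call without encryption) can be modelled in a few dozen lines. The following is an added example, not code from the article, from OpenBTS or from Chris Paget's demo: the shared key `K`, the `HomeNetwork` and `RogueBaseStation` classes and the `handset_accepts_cipher` policy are all constructed for this illustration, and the `f1_mac`/`f2_res` functions are HMAC-SHA256 stand-ins for an operator's real A3/A8 or Milenage algorithms. Sequence-number windowing and the other AUTN fields of the real 3GPP AKA exchange are left out.

```python
"""Constructed model of GSM (one-way) vs UMTS (mutual) authentication and of a
handset ciphering-indicator policy. Example code added to this thread; not from
OpenBTS, the Wired article, or any 3GPP implementation."""
import hashlib
import hmac
import os

# Constructed subscriber key. In reality K lives only in the SIM/USIM and in the
# home operator's HLR/AuC; neither the handset nor a visited network holds it.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def f2_res(k: bytes, rand: bytes) -> bytes:
    """Stand-in for A3 (GSM SRES) / f2 (UMTS RES): proves the SIM knows K."""
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:4]


def f1_mac(k: bytes, rand: bytes, sqn: bytes) -> bytes:
    """Stand-in for f1: the MAC inside AUTN that proves the network knows K."""
    return hmac.new(k, b"f1" + rand + sqn, hashlib.sha256).digest()[:8]


class HomeNetwork:
    """Genuine operator: the HLR/AuC holds K, so it can build a valid AUTN."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn = 0

    def gsm_challenge(self) -> bytes:
        return os.urandom(16)              # GSM sends RAND only: no proof of identity

    def umts_challenge(self) -> tuple:
        self.sqn += 1
        rand = os.urandom(16)
        sqn = self.sqn.to_bytes(6, "big")
        return rand, sqn + f1_mac(self.k, rand, sqn)   # AUTN = SQN || MAC (simplified)

    def check_response(self, rand: bytes, res: bytes) -> bool:
        return hmac.compare_digest(res, f2_res(self.k, rand))


class RogueBaseStation:
    """Spoofed tower: knows no K, so it can only send RAND and a guessed MAC."""

    def gsm_challenge(self) -> bytes:
        return os.urandom(16)

    def umts_challenge(self) -> tuple:
        return os.urandom(16), b"\x00" * 6 + os.urandom(8)   # forged AUTN

    def check_response(self, rand: bytes, res: bytes) -> bool:
        return True                        # accepts anything; it only wants the phone attached


def gsm_sim_attach(network) -> bool:
    """2G SIM: answers whatever RAND it is given, genuine network or not."""
    rand = network.gsm_challenge()
    return network.check_response(rand, f2_res(K, rand))


def umts_usim_attach(network) -> bool:
    """USIM: checks the network's MAC before answering; a forged AUTN ends the attach."""
    rand, autn = network.umts_challenge()
    sqn, mac = autn[:6], autn[6:]
    if not hmac.compare_digest(mac, f1_mac(K, rand, sqn)):
        return False                       # "MAC failure": the network did not prove itself
    return network.check_response(rand, f2_res(K, rand))


def handset_accepts_cipher(algorithm: str, emergency_call: bool) -> bool:
    """Assumed ciphering-indicator policy (stricter than most handsets of the
    time): the null cipher A5/0 is accepted only for emergency calls, and the
    deprecated A5/2 is never accepted."""
    if algorithm == "A5/0":
        return emergency_call
    return algorithm in ("A5/1", "A5/3")


if __name__ == "__main__":
    print("2G SIM attaches to rogue tower:", gsm_sim_attach(RogueBaseStation()))
    print("USIM attaches to rogue tower:", umts_usim_attach(RogueBaseStation()))
    print("USIM attaches to home network:", umts_usim_attach(HomeNetwork(K)))
    print("Plain call on A5/0 accepted:", handset_accepts_cipher("A5/0", False))
```

The asymmetry is the whole story of the thread: the rogue tower never needs K to get a 2G SIM to attach, because the SIM is only ever asked to answer, never to check. With a USIM the forged AUTN fails the MAC check before any response is sent. The last function shows the separate decision a handset makes after authentication, which is where the "unencrypted" warning the article mentions would be acted on.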

------
reynolds
I have it on good authority that the U.S. military uses similar technology
overseas for monitoring terrorists.

~~~
rdl
Systems like these (tactical SIGINT, vs. the kind of strategic collection of
everything, like NSA does) have been part of war pretty much ever since radio
was invented.

Most of Rommel's awesomeness in North Africa was due to his superior radio
direction finding units. No need to necessarily translate enemy communications
if you know where they are and when they're sending.

The premier tier-1/special mission unit in the US military (Intelligence
Support Activity (ISA), aka "the Activity", Gray Fox, Torn Victor, Cemetery
Wind, Centra Spike, ... they have a lot of code names) was basically the key
piece in killing Pablo Escobar (the book "Killing Pablo" is a pretty good
account). They're obviously extensively involved in Iraq and Afghanistan.

One of the major reasons the military was more effective in 2005-now in Iraq,
vs. 2003-2004, is that cellphones spread out to cover the whole country, and
insurgents and their friends used cellphones (although this is more
"strategic" vs. tactical/field gathering like this system).

I'm just waiting for the first fully autonomous weapon which combines signals
intelligence and killing -- flies around listening for a specific IMSI, then
drops down on the target and blows up.

~~~
mkramlich
> I'm just waiting for the first fully autonomous weapon which combines
> signals intelligence and killing -- flies around listening for a specific
> IMSI, then drops down on the target and blows up.

The road to Skynet is paved with these kinds of desires.

------
nickpinkston
Reminds me of the democratization of other security technologies such as
described in:

P. W. Singer's "Wired for War"

<http://amzn.to/gSsI>

Perhaps even Chris Anderson's DIY Drones:

<http://DIYDrones.com>

------
tudorw
As I had not seen this mentioned here or in the article: you can read more about
Chris's work here, <http://www.tombom.co.uk/blog/>, and I would have posted the
'OpenBTS on Droid' a while back if I'd known it was a 'scoop' :) My thoughts
were of some kind of shared cellular access point that could be used in the
developing world to give access to a sub-let access point with a 'real'
connection.

------
mctavjb9
This demonstration is neither particularly novel nor particularly legal.

[http://laforge.gnumonks.org/weblog/2010/08/01/#20100801-on_r...](http://laforge.gnumonks.org/weblog/2010/08/01/#20100801-on_recent_news_about_imsi_catcher)

------
lt
Can a similar, simpler method be used to steal WEP/WPA passwords?

Set up a wireless AP broadcasting an existing SSID. Some existing clients
connect to it passing the keyphrase. Verify against the actual AP.

Would this work?

~~~
bnchdrff
In WEP's case, your AP would receive an auth response encrypted with the
keyphrase... you'd have to get quite a few of these to deduce the password, in
general. People find it easier to just sniff traffic and deduce the key from
all the traffic generated from someone downloading crap.

I don't think this is at all realistic with WPA.

You could just set up an open network with an equivalent ESSID, but that's
nothing new is it? :)

