DEF CON 19 - hackers get hacked - Garbage
http://seclists.org/fulldisclosure/2011/Aug/76

======
dotBen
So I was at DEFCON 19 and I'm 90% sure my Sprint 4G Android was hacked. When I
make calls there is a beep on the line every few minutes so I'm guessing
someone managed to set up some recording of my calls. I've changed all my
passwords and reflashed the phone back to factory defaults + latest copy of
the firmware from HTC's website.

Also, I only realized AFTER a few minutes of (failed) use that my Verizon 4G
card was being MiTM'd as I had full strength but no connectivity.

What I don't understand is how this vector occurred (on the Android phone)
given it is no different to connecting over public (open) wifi - anyone can
read packets and so the connections between Google Apps (for example) are
supposed to be encrypted.

My only guess is that my phone auto-downloaded a patch that was poisoned and
the security failure here is that the phone assumes any patch fed to it over
the mobile network must be trustworthy. :/
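An added example, not from this thread or the Full Disclosure post, of what dotBen's guess implies a phone must do to be safe: check an update against a key pinned in the firmware, so the check holds whether the image arrived over 4G, Wi-Fi or a rogue base station. The key here is a toy built from two publicly known Mersenne primes with textbook RSA and no padding (so it is not secret and not a production signing scheme); the image bytes, function names and the "install log" are constructed for the demonstration.

```python
import hashlib

# Toy RSA key from two publicly known Mersenne primes (2^127-1 and 2^521-1).
# Because the primes are public this key protects nothing; it only shows
# where the verification sits. Real devices use a vendor key whose private
# half never leaves the vendor, with PSS or PKCS#1 v1.5 padding.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
N = _P * _Q                                  # pinned public modulus
E = 65537                                    # pinned public exponent
_D = pow(E, -1, (_P - 1) * (_Q - 1))         # vendor's private exponent (Python 3.8+)

INSTALLED = []                               # stand-in for the flash write


def _digest_int(image: bytes) -> int:
    """SHA-256 of the image as an integer (256 bits, so always < N)."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign_update(image: bytes) -> int:
    """Vendor side: sign the hash of the image with the private exponent."""
    return pow(_digest_int(image), _D, N)


def verify_update(image: bytes, signature: int) -> bool:
    """Device side: recover the signed hash with the pinned public key and
    compare it with a fresh hash of the bytes actually received. Nothing here
    depends on which network delivered the image or on any server's word."""
    return pow(signature, E, N) == _digest_int(image)


def apply_update(image: bytes, signature: int) -> str:
    """Only an image whose signature verifies is written. An attacker who
    can intercept the download (rogue cell, poisoned DNS, open Wi-Fi) can
    swap the bytes, but cannot produce a matching signature without _D."""
    if not verify_update(image, signature):
        return "rejected: signature does not match image"
    INSTALLED.append(hashlib.sha256(image).hexdigest())
    return "installed"


# Constructed sample data: a "genuine" image signed by the vendor and a
# tampered copy as a network attacker might deliver it.
GENUINE_IMAGE = b"ROM v2.3.4 for HTC EVO 4G (constructed sample)\x00" * 64
GENUINE_SIGNATURE = sign_update(GENUINE_IMAGE)
TAMPERED_IMAGE = GENUINE_IMAGE.replace(b"ROM v2.3.4", b"ROM v2.3.5", 1)

if __name__ == "__main__":
    print(apply_update(GENUINE_IMAGE, GENUINE_SIGNATURE))
    print(apply_update(TAMPERED_IMAGE, GENUINE_SIGNATURE))
```

The point of the layout is that `verify_update` takes only the bytes and the signature: the transport is not an input, so a "trusted" carrier network buys the attacker nothing once the device checks signatures itself.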

~~~
mirkules
"What I don't understand is how this vector occurred (on the Android phone)
given it is no different to connecting over public (open) wifi"

See the talk from BlackHat titled "Femtocells: a poisonous needle in the
operator's haystack"

<http://femto.sec.t-labs.tu-berlin.de/bh2011.pdf>

Basically, they set up a rogue femtocell, you connected to it as you walked by
and voila. It would also explain why you sometimes couldn't make calls (you
need to be within 15 feet of most femtos to make a call, but you still have
signal strength up to 40 feet).
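An added example, not from the thread or from the femtocell talk: the kind of heuristic a rogue-cell detector runs on the symptoms this thread keeps reporting (full bars, no usable service). It scores each observed cell against a baseline of cells previously seen for the operator, flags ciphering turned off, and flags an unusually strong signal with no neighbour list or no service. The record layout, field names, thresholds and the sample observations are assumptions; real basebands expose this data only through vendor diagnostic interfaces, and a legitimate congested cell can trip one of these rules, so a single reason is not treated as an alert.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class CellObservation:
    # Field names are assumptions; exact names differ per chipset.
    mcc: str                     # mobile country code
    mnc: str                     # mobile network code
    lac: int                     # location area code
    cell_id: int
    rssi_dbm: int                # received signal strength
    cipher: str                  # e.g. "A5/3", "A5/1", "A5/0" (no encryption)
    neighbours: Tuple[int, ...]  # neighbour cell list the cell broadcasts
    service_ok: bool             # did a call or data session actually succeed


NO_CIPHER = {"A5/0", "UEA0", "none"}
CellKey = Tuple[str, str, int, int]


def anomaly_reasons(obs: CellObservation, known_cells: Set[CellKey],
                    strong_dbm: int = -60) -> List[str]:
    """Return the list of rules this observation violates (empty if none)."""
    reasons = []
    if (obs.mcc, obs.mnc, obs.lac, obs.cell_id) not in known_cells:
        reasons.append("cell not in baseline for this operator and area")
    if obs.cipher in NO_CIPHER:
        reasons.append("ciphering disabled")
    if obs.rssi_dbm >= strong_dbm and not obs.neighbours:
        reasons.append("very strong signal with empty neighbour list")
    if obs.rssi_dbm >= strong_dbm and not obs.service_ok:
        reasons.append("full signal but no usable service")
    return reasons


def flag_suspect_cells(observations: List[CellObservation],
                       known_cells: Set[CellKey],
                       min_reasons: int = 2) -> List[Tuple[int, List[str]]]:
    """Cells that violate at least min_reasons rules. One rule alone is
    treated as noise: a congested but genuine cell also gives full bars and
    no service."""
    flagged = []
    for obs in observations:
        reasons = anomaly_reasons(obs, known_cells)
        if len(reasons) >= min_reasons:
            flagged.append((obs.cell_id, reasons))
    return flagged


# Constructed baseline: cells this phone has camped on over previous days.
KNOWN_CELLS: Set[CellKey] = {
    ("310", "120", 4711, 10001),
    ("310", "120", 4711, 10002),
    ("310", "120", 4711, 10003),
}

# Constructed observations: a normal cell, a congested genuine cell, and a
# cell with the profile a rogue femtocell would present.
SAMPLE_OBSERVATIONS = [
    CellObservation("310", "120", 4711, 10001, -75, "A5/3", (10002, 10003), True),
    CellObservation("310", "120", 4711, 10002, -55, "A5/1", (10001, 10003), False),
    CellObservation("310", "120", 4711, 65000, -45, "A5/0", (), False),
]

if __name__ == "__main__":
    for cell_id, reasons in flag_suspect_cells(SAMPLE_OBSERVATIONS, KNOWN_CELLS):
        print(cell_id, reasons)
```

The baseline is what makes this useful: without a record of cells normally seen in the area, the "unknown cell" rule cannot fire, and the remaining rules alone are the ones a busy casino floor can also trigger.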

~~~
dotBen
Sure, but my point is more to do with the fact you can MiTM Wifi base-stations
and poison DNS the URLs to updates... the point is why was the phone more
susceptible via 4G than Wifi?

Also, from what I can tell this wasn't a femto-cell but a significant antenna,
perhaps even telco industry-grade.

------
X-Istence
I heard that there was a hack that went on whereby someone was on the phone in
the elevators at the Rio and their entire conversation was played over the
speakers in the elevator bank. Friend of mine said he was in the elevator at
the time and that it was hilarious. Could have been a bluetooth hack though.

Also plenty of people on Sprint's network had full bars but could make
absolutely no calls and data was extremely slow, but about half a block from
the Rio everything worked perfectly again. Now, it could well be that they were
handed off to a different tower, but people on AT&T and T-Mobile weren't
having the same issues.

DefCon this year was awesome. Plenty of fun to be had, and as more and more
people start carrying around cell phones that are more powerful these attacks
will continue to be developed and continue to be exploited.

~~~
bonzoesc
> Also plenty of people on Sprint's network had full bars but could make
> absolutely no calls and data was extremely slow, but about half a block from
> the Rio everything worked perfectly again. Now, it could well be that they
> were handed off to a different tower, but people on AT&T and T-Mobile
> weren't having the same issues.

I was definitely having the same issues on AT&T. Falling back to SMS instead
of voice or Twitter for communication worked a lot better for coordinating
things, although the lag was an issue.

~~~
ssharp
I was in Vegas this past week, but not for Defcon, and I was on the Strip, not
at the Rio, and still had flaky service. However, I've always had flaky
service when on the Strip. I am able to make calls, but it would delay before
the phone started ringing, text messages would hang longer than usual, and 3G
data transfers were painfully slow. But again, nothing out of the ordinary for
that part of town.

------
drink
So it's clear: this post claims that there is a man-in-the-middle attack
possible _over 4G networks_ that allows an attacker to _own and capture data
from an Android device, including texts and calls_. If this is true, and if
the media gets around to this, enterprise deployments of Android devices are
truly _screwed_.

~~~
drivebyacct2
This has nothing to do with android, FUD aside.

~~~
illumin8
The exploit code targeted 4G users on Android, so yes, Android was (one of)
the attack vectors. Or rather, certain carriers' poor implementations of 4G on
Android.

------
trotsky
It's a pretty good troll, but the chances of it being true are very low. I
think someone attended the excellent talk: "Femtocells: a Poisonous Needle in
the Operator's Hay Stack" [1] about 3G MITM and got inspired to have a bit of
a laugh.

This is so far into the "state sponsored only" realm that if you'd actually
pulled it off and were bragging about it you'd provide some kind of proof
instead of generic symptoms designed to make people paranoid.

I'm pretty surprised at all the media outlets that are carrying this and
people taking it at face value. Anyone can write up something and send it to a
mailing list - remember that full disclosure is pretty much ground zero for
security trolling.

[1] http://www.slideshare.net/zahidtg/femtocells-a-poisonous-needle-in-the-operators-hay-stack

~~~
windsurfer
So the people who make the 3G and 4G standards made them pretty secure. Those
are not broken. What's broken is the implementation. The carriers are not the
ones developing the technology, so they do boneheaded things like making the
client identifiers sequential or using the wrong verification schemes. I would
be willing to bet that if there is some kind of exploit here, it's due to the
specific implementation.

~~~
interurban
Exactly, it sounds as if the MITM attack wasn't based on hijacking a
broadcast, but on redirecting data/voice/SMS/etc. from a cracked device to a
network of the attacker's choosing. The redirection wasn't based on fooling
the phone into connecting, it was based on explicitly changing the network
the phone connected to.

A very interesting attack, but not interesting in the sense that cdma/wimax
(perhaps LTE too?) is unsafe but in the sense that there are serious
vulnerabilities in the network stack for android.

------
kalleboo
I'd like to know what he means by "4G". HSDPA (could probably be done really
easily with a hacked AT&T femtocell)? WiMAX? LTE?

~~~
borism
He mentions CDMA, so I guess it's WiMAX.

~~~
ConstantineXVI
That doesn't really mean anything. Sprint's the only CDMA carrier that's
deployed WiMAX, Verizon and MetroPCS have both deployed LTE. And there's
nothing implying he's talking about the same phones, so he could just as
easily be talking about HSPA ("4G")

------
iwwr
The atmosphere seems to be so rife with paranoia that it looks best not to
take any digital device with you there.

~~~
JonnieCache
A pen and paper would probably do just fine for taking the odd note.

However I'd probably take a cheap old laptop off ebay, bought for the event
and then discarded afterward. I'd feel I was missing out if I wasn't able to
at least dip a packet sniffer into the famously hellish torrent of exploits
I've heard so much about. I'd never take any of my personal machines though.

~~~
khafra
One year I took a pocket-sized notebook and a slide rule. The next year I took
an iPhone and an Eee PC. I experienced the same level of hacking both times.

~~~
scarmig
Wow, what'd they do to the slide rule?

------
someone13
With all due respect to "coderman", I think that I'd like to see some
proof of what he's mentioning. If what he says is true, someone has created a
system that automatically man-in-the-middles all mobile connections, and then
intelligently exploits them with increasingly more sophisticated exploits?
Please forgive me if I'm a little skeptical.

~~~
kevindication
Friend of mine came back from Defcon complaining of some of the exact same
symptoms as those listed by coderman and said he'd be DBANning his phone
later.

~~~
munin
Funny story, there was an Android SW upgrade on Verizon that weekend. I was
halfway across the world and I accepted. I guess I'm boned! :( Powerful MITM.

~~~
drzaiusapelord
Yeah, I hate to say it, but as an android user half those symptoms are
typical, especially in heavily congested areas, and the other half could be
explained with a half-cooked update, which is also typical.

------
jamieb
The advice I got from some barcamp peeps was "do not bring anything to DEFCON
that you can't afford to get hacked". One fellow is a security consultant and
the other manages networks for a financial institution. They could have been
being dramatic for effect, but why risk it? I know enough about programming to
know that I cannot secure my devices against a determined foe (unless you
count the power button - but hey, there's conspiracy theories there too,
right?).

So the advice was: disposable pay-as-you-go phone and craigslist it
afterwards. Same for laptop. Don't bring them home.

------
kenotic
I think we need more clarity here. I would like to know what "4g" was MiTM.
This makes a huge difference as it will lead to further research on that
network.

------
guywithabike
Curious: were any iPhones/iPads hacked?

~~~
blacksmith_tb
Probably by the carload, but not by this exploit, since they aren't using
4G...