Hacker Spoofs Cell Phone Tower to Intercept Calls (wired.com)
146 points by wglb on Aug 1, 2010 | 24 comments

This reminds me of OpenBTS, the project to create an open-source GSM interface. A full dev kit costs about $2000.


They've been using this system at Burning Man to operate a free experimental cell network:


The guy who gave this talk, Chris Paget, actually used OpenBTS in his demo.

I believe one of the more important differences between a GSM SIM and 3G USIM is that the network is required to prove its identity to the user.

You can use a standard GSM 2G SIM with a 3G WCDMA network and in that case only the network requires the phone to prove its identity. With a USIM, the network also has to prove its identity.

So you're not automatically protected when using a 3G WCDMA network. You need to upgrade to a USIM.

Note: The above refers to 3GPP GSM/WCDMA technology. Not sure about IS-95 (Qualcomm's CDMA) and its multiple variants.

I know there are several conversion functions for a USIM to be able to authenticate on a 2G network, but I didn't think it was possible for a 2G SIM to register on a 3G network. Can you explain this more thoroughly?

It all depends on the operator. A UMTS (3G) network can accept users using a GSM SIM if the operator allows it.

Authentication is performed by the network HLR (Home location register) which is independent of the radio technology used. The procedure/algorithms are different for 3G-capable UEs with USIM, but the HLR can accept 2G users as well.

Bottom line is that if your 'home carrier' (the one that produced the SIM) allows it, you can use your SIM in any 3G network that is part of the roaming agreement of that carrier.
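The exchange above turns on one protocol property: a 2G SIM only ever answers challenges, while a USIM checks that the challenge came from a party holding its key. The following toy model is an added illustration, not code from the thread, from OpenBTS or from any 3GPP implementation. It assumes HMAC-SHA256 as a stand-in for A3 (GSM) and the Milenage f1/f2 functions (UMTS), shortens the field lengths, and omits the UMTS sequence-number freshness check; the class and function names are invented for the example.

```python
"""Toy model of one-way (GSM SIM) versus mutual (UMTS USIM) authentication.

Added illustration, not code from the thread. Real SIMs run A3/A8 and real
USIMs run Milenage; here HMAC-SHA256 stands in for those functions and the
field lengths are shortened (both assumptions of this example). The UMTS
sequence-number freshness check is omitted for brevity.
"""
import hashlib
import hmac
import os


def _prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed function standing in for A3 (GSM) and f1/f2 (UMTS)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class GsmSim:
    """2G SIM: computes SRES for any RAND; cannot tell who sent the challenge."""

    def __init__(self, ki: bytes):
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        return _prf(self._ki, b"A3", rand)[:4]  # SRES


class Usim:
    """3G USIM: refuses to answer unless AUTN carries a MAC made with its key K."""

    def __init__(self, k: bytes):
        self._k = k

    def authenticate(self, rand: bytes, autn: bytes) -> bytes:
        sqn, mac = autn[:6], autn[6:]
        expected = _prf(self._k, b"f1", rand, sqn)[:8]
        if not hmac.compare_digest(mac, expected):
            raise ValueError("MAC failure: network did not prove knowledge of K")
        return _prf(self._k, b"f2", rand)[:8]  # RES


class HomeNetwork:
    """HLR/AuC side: holds the subscriber key and issues authentication vectors."""

    def __init__(self, key: bytes):
        self._key = key
        self._sqn = 0

    def gsm_challenge(self):
        rand = os.urandom(16)
        return rand, _prf(self._key, b"A3", rand)[:4]  # (RAND, expected SRES)

    def umts_challenge(self):
        rand = os.urandom(16)
        sqn = self._sqn.to_bytes(6, "big")
        self._sqn += 1
        autn = sqn + _prf(self._key, b"f1", rand, sqn)[:8]  # SQN || MAC
        return rand, autn, _prf(self._key, b"f2", rand)[:8]  # (RAND, AUTN, XRES)


def gsm_auth_succeeds(network: HomeNetwork, sim: GsmSim) -> bool:
    """GSM procedure: only the subscriber proves itself to the network."""
    rand, xsres = network.gsm_challenge()
    return hmac.compare_digest(sim.run_gsm_algorithm(rand), xsres)


def umts_auth_succeeds(network: HomeNetwork, usim: Usim) -> bool:
    """UMTS procedure: the USIM first verifies AUTN, then the network checks RES."""
    rand, autn, xres = network.umts_challenge()
    try:
        return hmac.compare_digest(usim.authenticate(rand, autn), xres)
    except ValueError:
        return False


def sim_answers_unknown_network(sim: GsmSim) -> bool:
    """A party that holds no key at all can still elicit SRES from a 2G SIM."""
    return len(sim.run_gsm_algorithm(os.urandom(16))) == 4


def usim_answers_unknown_network(usim: Usim) -> bool:
    """The same key-less party cannot get a USIM past its MAC check."""
    return umts_auth_succeeds(HomeNetwork(os.urandom(16)), usim)


if __name__ == "__main__":
    K = bytes(range(16))  # constructed subscriber key shared with the home network
    print("GSM auth with real network:", gsm_auth_succeeds(HomeNetwork(K), GsmSim(K)))
    print("UMTS auth with real network:", umts_auth_succeeds(HomeNetwork(K), Usim(K)))
    print("2G SIM answers unknown network:", sim_answers_unknown_network(GsmSim(K)))
    print("USIM answers unknown network:", usim_answers_unknown_network(Usim(K)))
```

The "2G SIM on a 3G network" case from the thread corresponds to the network running `gsm_auth_succeeds` for that subscriber: the radio technology changes, but the procedure the HLR selects is still the one-way GSM one, so the subscriber gains nothing from the USIM-only check until the card is swapped.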

Having recently returned an AT&T 3G MicroCell after a 30-day exercise in futility and "support" horror attempting to activate it in a rural location… I want one of these![1]

If AT&T won't utilize the spectrum through my land for which they have been given stewardship, then perhaps I ought to be allowed to exercise it.

[1] Except I wouldn't get incoming calls, which is more important to me than outgoing.

You could probably set up a system to get incoming calls using something like Google Voice. Get a phone number for a VoIP account, forward GV to it and your real cell phone number, and set up your tower to route VoIP to your handset when it's connected.

This reminds me of one of the points in the End-to-End Argument by Saltzer. The network protocol offering to encrypt the payload is broken, because the two end clients should undertake to secure their communication if it's necessary. In this case I have some sympathy though, because it's not easy for two humans speaking with their voices to come up with a way to encrypt it. Maybe the responsibility should fall on the local code running on each phone?


Of course, I know close to nothing about radio security, so maybe the world as it exists today is optimal but the phone makers blundered in ignoring the insecure warning?

As far as I understand the issue in this case is not the lack of end-to-end security, it is that it's possible to trick the phone to transmit without encryption for regular calls. Non-encrypted calls are needed because it is important to allow making emergency calls (e.g. 911) without a SIM being present or without a PIN number and it's the SIM card that has the encryption key, not the handset.

Most phones do issue a warning if ciphering isn't enabled. On some you may be able to force it to require it. But keep in mind that this is only applied on the radio interface anyways (and GSM encryption is so broken you shouldn't be relying on it anyways). If you want end to end encryption of your calls you will need to use encrypted VOIP over your data connection.
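The two comments above describe a handset-side policy: the network tells the phone which algorithm to use (A5/0 meaning no ciphering), most phones only show a ciphering indicator, and emergency calls must go through even when no SIM and therefore no key is present. The following is an added example, not code from the thread or from any real baseband, that turns that policy into a check run over constructed log lines; the `CIPHER_MODE ...` line format and all function names are invented for the example.

```python
"""Handset-side ciphering policy check over constructed call-setup log lines.

Added illustration, not code from the thread or from a real baseband. It
models the behaviour described above: A5/0 means the network asked for no
ciphering; emergency calls proceed regardless; everything else is at most a
ciphering-indicator warning unless the user opts to require ciphering.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

EMERGENCY_NUMBERS = {"112", "911"}  # must never be blocked by this policy

# Constructed log format for this example:
#   CIPHER_MODE algo=<A5/x> dialed=<digits> sim=<yes|no>
LINE_RE = re.compile(
    r"CIPHER_MODE algo=(?P<algo>A5/\d) dialed=(?P<dialed>\d+) sim=(?P<sim>yes|no)"
)


@dataclass
class CallSetup:
    algo: str          # algorithm the network selected; "A5/0" = no ciphering
    dialed: str        # dialled digits
    sim_present: bool  # without a SIM there is no key, so only emergency calls work


def parse_line(line: str) -> CallSetup:
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return CallSetup(m["algo"], m["dialed"], m["sim"] == "yes")


def decide(call: CallSetup, require_ciphering: bool = True) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is 'allow', 'warn' or 'block'."""
    if call.dialed in EMERGENCY_NUMBERS:
        return "allow", "emergency call: proceeds with or without ciphering"
    if call.algo == "A5/0":
        if not call.sim_present:
            return "block", "no SIM means no key: only emergency calls are possible"
        if require_ciphering:
            return "block", "network requested no ciphering (A5/0) for a normal call"
        return "warn", "ciphering indicator: this call goes over the air in the clear"
    # Radio-link ciphering only protects the air interface, not the rest of the path.
    return "allow", f"radio-link ciphering with {call.algo} (air interface only)"


def evaluate_log(lines: List[str], require_ciphering: bool = True) -> List[Tuple[str, str, str]]:
    """Apply the policy to every line; returns (dialed, verdict, reason) per call."""
    return [(c.dialed, *decide(c, require_ciphering)) for c in map(parse_line, lines)]


# Constructed sample log: a normal ciphered call, a normal call the network
# asked to run unciphered, and an emergency call from a handset with no SIM.
SAMPLE_LOG = [
    "CIPHER_MODE algo=A5/1 dialed=5551234 sim=yes",
    "CIPHER_MODE algo=A5/0 dialed=5551234 sim=yes",
    "CIPHER_MODE algo=A5/0 dialed=112 sim=no",
]

if __name__ == "__main__":
    for dialed, verdict, reason in evaluate_log(SAMPLE_LOG):
        print(f"{dialed:>8}  {verdict:<5}  {reason}")
```

With the default `require_ciphering=True` the unciphered normal call is blocked; with it set to `False` the same call is merely flagged, which matches the indicator-only behaviour the comment attributes to most phones. Either way the emergency call is allowed, and the "allow" on an A5/x call says nothing about end-to-end protection, which is the other point made above.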

I have it on good authority that the U.S. military uses similar technology overseas for monitoring terrorists.

Systems like these (tactical SIGINT, vs. the kind of strategic collection of everything, like NSA does) have been part of war pretty much ever since radio was invented.

Most of Rommel's awesomeness in North Africa was due to his superior radio direction finding units. No need to necessarily translate enemy communications if you know where they are and when they're sending.

The premier tier-1/special mission unit in the US military (Intelligence Support Activity (ISA), aka "the Activity", Gray Fox, Torn Victor, Cemetery Wind, Centra Spike, ... they have a lot of code names) was basically the key piece in killing Pablo Escobar (the book "Killing Pablo" is a pretty good account). They're obviously extensively involved in Iraq and Afghanistan.

One of the major reasons the military was more effective in 2005-now in Iraq, vs. 2003-2004, is that cellphones spread out to cover the whole country, and insurgents and their friends used cellphones (although this is more "strategic" vs. tactical/field gathering like this system).

I'm just waiting for the first fully autonomous weapon which combines signals intelligence and killing -- flies around listening for a specific IMSI, then drops down on the target and blows up.

> I'm just waiting for the first fully autonomous weapon which combines signals intelligence and killing -- flies around listening for a specific IMSI, then drops down on the target and blows up.

The road to Skynet is paved with these kinds of desires.

I developed some of the tech used for cellular exploits and I can confirm this claim.

According to the Italian anti-mafia police force, mafiosi use Skype to communicate with each other via voice. (http://www.google.com/cse?q=Mafia+skype) I would be surprised if terrorists weren't.

I'd be very surprised if most terrorists were 1/10 as clued in as the Mafia when it comes to avoiding attention from law enforcement. Most Mafia bombs work and they don't run around setting their underwear on fire.

For a month in the spring my route to work took me by bicycle past three of the embassies in Copenhagen. You could see some radio antennas on one of them (I think it was the Russian one, but I am not entirely sure) - it didn't take that many brain cells to figure out what that was being used for.

Which means that some government agency is most likely using it right here for monitoring "terrorists."

Reminds me of the democratization of other security technologies such as described in:

P. W. Singer's "Wired for War"


Perhaps even Chris Anderson's DIY Drones:


As I had not seen this mentioned here or in the article: you can read more about Chris's work here, http://www.tombom.co.uk/blog/, and I would have posted the 'OpenBTS on Droid' a while back if I'd known it was a 'scoop' :) My thoughts were of some kind of shared cellular access point that could be used in the developing world to give access to a sub-let access point with a 'real' connection.

This demonstration is neither particularly novel nor particularly legal.


Can a similar, simpler method be used to steal WEP/WPA passwords?

Set up a wireless AP broadcasting an existing SSID. Some existing clients connect to it passing the keyphrase. Verify against the actual AP.

Would this work?

in WEP's case, your AP would receive an auth response encrypted with the keyphrase... you'd have to get quite a few of these to deduce the password, in general. people find it easier to just sniff traffic and deduce the key from all the traffic generated from someone downloading crap.

i don't think this is at all realistic with wpa.

you could just set up an open network with an equivalent essid, but that's nothing new is it? :)
