What's new
DroidForums.net | Android Forum & News

This is a sample guest message. Register a free account today to become a member! Once signed in, you'll be able to participate on this site by adding your own topics and posts, as well as connect with other members through your own private inbox!

$250 verizon device let's hackers take over your phone

xtor

Senior Member
A femtocell is a miniature cell phone tower that anyone can use to boost their wireless signal in their home.*(Samsung/Verizon)If you’ve never heard of a femtocell, now would be a good time to learn.At the Black Hat hacker conference in Las Vegas, NV, on Wednesday, a pair of security researchers detailed their ability to use a Verizon signal-boosting device, a $250 consumer unit called a femtocell, to secretly intercept voice calls, data, and SMS text messages of any handset that connects to the device.A femtocell is, basically, a miniature cell phone tower that anyone can use to boost their wireless signal in their home. Most of the major U.S. wireless carriers sell femtocells, as do other retailers, and they can typically be purchased for $150 to $250.For a cell phone or tablet to connect to a femtocell, it must be within 15 feet of the device, and remain within 40 feet to maintain a connection, explains Doug DePerry of security firm iSEC Partners and one of the researchers who discovered the vulnerability. But when your device does connect to the femtocell, you will not know it.“Your phone will associate to a femtocell without your knowledge,” says DePerry. “This is not like joining a Wi-Fi network. You don’t have a choice.”The iSEC Partners team, led by DePerry and fellow researchers Tom Ritter and Andrew Rahimi, successfully tapped into the root of two femtocells sold by Verizon and manufactured by Samsung, which allowed them to intercept SMS messages in real-time, and even record voice calls.During a demonstration of their exploit, Ritter and DePerry showed how they could begin recording audio from a cell phone even before the call began. The recording also included both sides of the conversation. The duo also demonstrated how it could trick Apple’s iMessage – which encrypts texts sent over its network using SSL, rendering them unreadable to snoopers, including the NSA – into defaulting to SMS, allowing the femtocell to intercept the messages.“If you block the SSL connection back home to Apple, iMessages fails over to SMS, which plain text,” explains Ritter. “And that we can see just fine.”In their final demonstration, DePerry and Ritter showed off their ability to “clone” a cell phone that runs on a CDMA network (like Verizon’s) by remotely collecting its device ID number through the femtocell, in spite of added security measures to prevent against cloning of CDMA phones. Once a phone is cloned to another handset – meaning the network thinks both phones are the same device, assigned to a single account – a hacker can make expensive phone calls (i.e. 1-900 numbers), or use excessive amounts of data, and the charges are all attributed to the cloning victim.Because both the cloned phone and its evil twin device must be connected to a femtocell to work – “any femtocell,” says DePerry, not just one that’s been hacked – the cloning dangers are limited. However, when it comes to intercepting calls and text messages, the eavesdropping potential is significant – especially if someone with a hacked femtocell sets up camp in a heavily trafficked area, like Times Square, to listen in on passersby.Fortunately for Verizon customers, the company has since issued a patch to all affected femtocells. Sprint currently offers a femtocell that is similar to the vulnerable models from Verizon, but the company has said it plans to discontinue the device. And while AT&T also offers femtocells, it requires an extra level of authentication that makes much of the iSEC Partner’s findings irrelevant. Still, says Ritter, the femtocell vulnerability is still a major problem.“It’d be easy to think this is all about Verizon,” says Ritter. “But this really about everybody. Remember, there are 30 carriers worldwide who have femtocells, and three of the four U.S. carriers.”Ritter suggests that all carriers that offer femtocells require owners to provide a list of approved devices that are allowed to connect to their femtocell. And also prevent customers’ cell phones from connecting to any unauthorized femtocell.Read more:*http://www.foxnews.com/tech/2013/08...s-hackers-take-over-your-phone/#ixzz2b1ICQ2gJ

sent from a note yee (2)
 
We're gonna have to quit calling then black hats if they keep exposing these vulnerabilities.

Sent from my DROID RAZR using Tapatalk 4
 
We're gonna have to quit calling then black hats if they keep exposing these vulnerabilities.

Sent from my DROID RAZR using Tapatalk 4

This isn't anything new,cell cloning has been around for awhile, but now the thieves don't have to build a collection device, they can buy one.

sent from a note yee (2)
 
This is not about cloning a phone's MEID, SIM or anything like that, this is monitoring a live call, using the hand-off actions of actual towers, and using the femto cells to steal data and record it in real time. The problem with these are on the crook's end, as they need to be close enough to capture the phone, and prevent hand-offs to the serving tower.

If your target is close enough, the femto cell might capture the phone as a hand-off, or the tower's downlink signal will obliterate the femto cell's actual RF power and take back control of the phone without the crook knowing. even digital RF signals are prone to the capture effect, as are all FM based radios.

This is also where tower shadowing and reflections come into immediate play.

If the crook is within 50 feet f his intended target, and the nearest tower is 1/2 to 1 mile away, the femto cell will probably capture the target phone, and the crime proceeds as if nothing ever occurred, but if the real tower is under a 1/4 mile, I would doubt the micro cell would garner any useful data, as the tower's signal strength would in probability, make the femto cell useless, and drown it out.

All cell sites use frequency re-use in their networks, this allows a specified set of channels and data to be re-used across a carrier's entire network, saving build out time and expense, One site has specific channels used, and these identical channels will not be re-used in the same service area, but you may find them in another town, 15 miles away though, and this is a good thing for those microcells. They can have the same channel data as a distant tower, but NOT the same channels as YOUR serving tower, which makes the criminal's job easier because of this little known fact. Almost al 800 Mhz. trunked radio system uses a 45 Mhz. split, with the lower channel being the handset uplink To the tower, and the higher channel being the downlink FROM the tower to your handset. The 1.9 Ghz. systems use a similar system, but I am unsure of the actual offset.

All a crook needs to verify a tower's channels, is to carry a sensitive frequency counter, and log every frequency the tower is transmitting, and then ignore the overhead data frequency as it is a 'constant' and does not transmit any voice data, only tower-used data that is routed back to the switch located at the carrier's main office (C.O).

From the tower's transmitted frequencies, the crook can deduce the actual handset frequencies, and if the femto cell uses these, he can relocate to a tower that doesn't use them, to ensure he can take control of your phone without you knowing it.
 
Back
Top