---------- Forwarded message ---------- From: coderman <coderman@gmail.com> Date: Sun, Aug 3, 2014 at 3:47 AM Subject: Re: Preferred Roaming List Zero Intercept Attack [was: DEF CON nostalgia [before that: going double cryptome at DEF CON 22]][still confusing] To: Full Disclosure <fulldisclosure@seclists.org> On Fri, Aug 1, 2014 at 4:06 AM, coderman <coderman@gmail.com> wrote:
... Any carrier phones or specific builds known to not accept PRL updates without authorization should be noted in response to this thread...
anon from the wiki pointed out the verizon rigmaiden aircard incident.[0] while not a smart phone, this does illustrate how a properly privacy conscious device will refuse to accept insufficiently authenticated roaming list updates. UTStarcom PC5740 at that point in time resistant to surreptitious corruption of roaming list. also, more than twenty years for cell locator tech as written. how many years of PRL Zero tricks? still soliciting pointers, ... best regards, 0. "Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight" - http://www.wired.com/2013/04/verizon-rigmaiden-aircard/all/ ''' Verizon reprogrammed the device so that when an incoming voice call arrived, the card would disconnect from any legitimate cell tower to which it was already connected, and send real-time cell-site location data to Verizon, which forwarded the data to the FBI. This allowed the FBI to position its stingray in the neighborhood where Rigmaiden resided. The stingray then “broadcast a very strong signal” to force the air card into connecting to it, instead of reconnecting to a legitimate cell tower, so that agents could then triangulate signals coming from the air card and zoom-in on Rigmaiden’s location. To make sure the air card connected to the FBI’s simulator, Rigmaiden says that Verizon altered his air card’s Preferred Roaming List so that it would accept the FBI’s stingray as a legitimate cell site and not a rogue site, and also changed a data table on the air card designating the priority of cell sites so that the FBI’s fake site was at the top of the list. ''' - the second "data table on the air card ... designating the priority of cell sites" not unambiguous. for example, System Determination Algorithms can utilize recent tower connection history foremost, along with the "Preferred Roaming List" as commonly used. a stated common method is listed in priority order: 1. MRU ROAMING History List (MRU) 2. Preferred Roaming List (PRL) ---fwd-ctxt-sw--- please direct questions to Mathew Solnik and Marc Blanchou, who are burning all sorts of vuln this week in Vegas. Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol - https://www.blackhat.com/us-14/briefings.html#Solnik "... In this presentation, we will discuss and disclose how Over-the-Air code execution can be obtained on the major cellular platforms and networks (GSM/CDMA/LTE). Including but not limited to Android, iOS, Blackberry, and Embedded M2M devices." such a setup suitable for silent PRL favor and middling as discussed.