‘Fake’ cellphone towers found in U.S.
If you've never considered the threat of baseband attacks to be real, but considered them more of a speculative possibility, speculate no more:

http://www.welivesecurity.com/2014/08/28/android-security-2/

"The fake ‘towers’ – computers which wirelessly attack cellphones via the “baseband” chips built to allow them to communicate with their networks, can eavesdrop and even install spyware, ESD claims. They are a known technology - but the surprise is that they are in active use.

"Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says. “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip. We even found one at South Point Casino in Las Vegas."

"What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases."

Alfie

--
Alfie John
alfiej@fastmail.fm
On 9/1/14, Alfie John <alfiej@fastmail.fm> wrote:
... "The fake ‘towers’ – computers which wirelessly attack cellphones via the “baseband” chips built to allow them to communicate with their networks, can eavesdrop and even install spyware,...
"What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases."
this is a classified "data loss prevention" mechanism, if you will. rather than deny cell use on sensitive locations (some locales demand no digital electronics) a happy middle ground of surreptitious deep inspection on demand is applied. what was once foreign battlefield only, is now plentiful lawful access, locally. don't be fooled; no less malicious in re-purpose. these are war weapons aimed at all of us...
If you've never considered the threat of baseband attacks to be real, but considered them more of a speculative possibility, speculate no more:
..based on the word of a company that markets "firewalled baseband phones" and cites personal research in undisclosed locations instead of releasing actual data.

Don't get me wrong, basebands are probably swiss cheese and they are often (or usually?) masters to the mobile OS. On my model of phone IIRC they even directly share some RAM, so they can read/write willy-nilly the Android RAM. So the idea of baseband attacks overwhelming the OS is perfectly sound and something to bear in mind.

All that said, this is a glorified marketing campaign for the company in question, with surprising complicity from people like Cory Doctorow (who even uncritically describes their "patent pending" technology, somewhat out of character for a usually pretty freedom-minded person). The correct response, in my opinion, is "Show us the proof and the fake tower locations or STFU".

On 02/09/14 07:09, Alfie John wrote:
If you've never considered the threat of baseband attacks to be real, but considered them more of a speculative possibility, speculate no more:
http://www.welivesecurity.com/2014/08/28/android-security-2/
"The fake ‘towers’ – computers which wirelessly attack cellphones via the “baseband” chips built to allow them to communicate with their networks, can eavesdrop and even install spyware, ESD claims. They are a known technology - but the surprise is that they are in active use.
"Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says. “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip. We even found one at South Point Casino in Las Vegas."
"What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases."
Alfie
-- Twitter: @onetruecathal, @formabiolabs Phone: +353876363185 Blog: http://indiebiotech.com miniLock.io: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM
On 9/2/14, Cathal Garvey <cathalgarvey@cathalgarvey.me> wrote:
... ..based on the word of a company that markets "firewalled baseband phones" and cites personal research in undisclosed locations instead of releasing actual data.
Don't get me wrong, basebands are probably swiss cheese and they are often (or usually?) masters to the mobile OS.
this is totally marketing oriented, as the traditional "baseband" attack is arbitrary code execution within the baseband processor embedded system rather than opportunistic advantage of inherent signaling and authentication weaknesses in protocol implementations. the latter can be "weaponized" by nearly anyone with a full duplex SDR. the former is usually accomplished with insider access or painstaking expertise - the opposite of accessible.

if you read between the lines you can see how they classify any tower aggressively peering stations in range as "baseband intercept attack" for their maximal PR purposing.

best regards,
On 9/2/14, Cathal Garvey <cathalgarvey@cathalgarvey.me> wrote:
... ..based on the word of a company that markets "firewalled baseband phones" and cites personal research in undisclosed locations instead of releasing actual data.
bit more detail here: https://www.sba-research.org/wp-content/uploads/publications/AdrianDabrowski...

which clarifies that innocuous uses are indeed omitted from what they consider a "camping catcher".

best regards,
On Thu, Sep 04, 2014 at 05:57:17PM -0700, coderman wrote:
bit more detail here: https://www.sba-research.org/wp-content/uploads/publications/AdrianDabrowski...
catchercatcher has been presented in 2011: http://events.ccc.de/congress/2011/Fahrplan/attachments/1994_111217.SRLabs-2...

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt
On 09/05/2014 11:28 AM, stef wrote:
On Thu, Sep 04, 2014 at 05:57:17PM -0700, coderman wrote:
bit more detail here: https://www.sba-research.org/wp-content/uploads/publications/AdrianDabrowski...
catchercatcher has been presented in 2011: http://events.ccc.de/congress/2011/Fahrplan/attachments/1994_111217.SRLabs-2...
SRLabs' works are covered and extended in the new paper by Adrian, a very good read.
..based on the word of a company that markets "firewalled baseband phones" and cites personal research in undisclosed locations instead of releasing actual data.
I agree. I was asked to review and test a CryptoPhone (and I still use it daily). The warnings err on the cautious side of things and single events only rarely/never mean a real attack. Unless we see more data, this is completely marketing bullshit.

As someone who tries to move forward an Open Source implementation of something like their (quite limited) Baseband Monitor (misleadingly called Baseband Firewall), I am pretty annoyed by their patent: https://patentimages.storage.googleapis.com/pdfs/US20140004829.pdf -- especially given that Frank Rieger, the owner of the patent, is official speaker for the CCC and should know better.

http://esdamerica.com/ ("Manufacturer of CryptoPhone" - which is bullshit, since they use unmodified Samsung S3 hardware)

"ESD America’s team maintains operational security and confidentiality for our clients. Clients include Government, Intelligence, Police, Military, Narcotics Task Forces and Royalty. Products are centred on intelligence gathering, surveillance, reconnaissance and encryption as well as sourcing other specialised products and training."

*shakes head*
I suggested one of the Bitcoin ATM guys to use two boards. One board is connected like normally to networks and accessories and the like. That one board also has a custom connection to the other board. The other board contains all the secrets and performs all the important functions. The one board just communicates. The advantage is that once the big bad guys crack your baseband, your chipset, your system on a chip's trapcards, etc. your secrets are still safe. If you sign all the packets that pass through the communication board you can truly abstract away from almost every possible hack that both the boards could be vulnerable for. (Do you trust your silicon?)
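The two-board split described in the message above, sketched as an added example (not code from the thread or from any participant). HMAC-SHA256 with a shared key stands in for the "signing" the post mentions because it is in Python's standard library; the class names, frame layout (8-byte counter, payload, 32-byte tag) and sample payloads are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size

class SecretsBoard:
    """Isolated board: the only component that ever holds the key."""
    def __init__(self, key):
        self._key, self._seq = key, 0

    def seal(self, payload):
        self._seq += 1                      # monotonic counter defeats replay
        body = struct.pack(">Q", self._seq) + payload
        return body + hmac.new(self._key, body, hashlib.sha256).digest()

class RemotePeer:
    """Far end of the link: accepts only authentic, fresh frames."""
    def __init__(self, key):
        self._key, self._last_seq = key, 0

    def open(self, frame):
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return None                     # modified in transit
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self._last_seq:
            return None                     # replayed old frame
        self._last_seq = seq
        return body[8:]

def comms_board(frame, compromised=False):
    """Untrusted board (baseband, network stack): relays bytes, has no key."""
    if not compromised:
        return frame
    altered = bytearray(frame)
    altered[8] ^= 0x01                      # simulate in-transit modification
    return bytes(altered)

def demo():
    key = b"constructed-demo-key"           # constructed sample, not a real secret
    board, peer = SecretsBoard(key), RemotePeer(key)
    first = board.seal(b"pay 0.01 to addr-A")
    accepted = peer.open(comms_board(first))
    replayed = peer.open(comms_board(first))
    second = board.seal(b"pay 0.02 to addr-B")
    tampered = peer.open(comms_board(second, compromised=True))
    return accepted, replayed, tampered
```

Authentication here gives integrity and freshness only: the communication board can still read, drop or delay frames, so payloads that must stay confidential would also need encrypting on the secrets board.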
participants (6)
- Alfie John
- Cathal Garvey
- coderman
- Lodewijk andré de la porte
- Moritz
- stef