They've Got Your Number

R.A. Hettinga rah at shipwright.com
Fri Dec 3 10:42:37 PST 2004


<http://www.wired.com/wired/archive/12.12/phreakers_pr.html>

Wired 12.12:

They've Got Your Number 

your text messages and address book, and a way to bug your calls. Why
spam, scams, and viruses are coming soon to a phone near you.

By Annalee Newitz

It's a beautiful afternoon in Shepherd's Bush, a bustling neighborhood on
the outskirts of London, and Adam Laurie is feeling peckish. Heading out of
the office, he's about to pick up more than a sandwich. As he walks, he'll
be probing every cell phone that comes within range of a hidden antenna he
has connected to the laptop in his bag. We stroll past a park near the Tube
station, then wander into a supermarket. Laurie contemplates which sort of
crisps to buy while his laptop quietly scans the 2.4-GHz frequency range
used by Bluetooth devices, probing the cell phones nestled in other
shoppers' pockets and purses.

Laurie, 42, the CSO of boutique security firm the Bunker, isn't going to
mess with anyone's phone, although he could: With just a few tweaks to the
scanning program his computer is running, Laurie could be crashing cell
phones all around him, cutting a little swath of telecommunications
destruction down the deli aisle. But today Laurie is just gathering data.
We are counting how many phones he can hack using Bluetooth, a wireless
protocol for syncing cell phones with headsets, computers, and other
devices.

We review the results of the expedition in a nearby pub. In the 17 minutes
we wandered around, Laurie's computer picked up signals from 39 phones. He
peers at his monitor for a while. "It takes only 15 seconds to suck down
somebody's address book, so we could have had a lot of those," he says at
last. "And at least five of these phones were vulnerable to an attack."

The "attack" Laurie mentions so casually could mean almost anything - a
person using another person's cell to make long-distance calls, changing
every phone number in his address book, or even bugging his conversations.
There are, he says, "a whole range of new powers" available to the intrepid
phone marauder, including nasty viral attacks. A benign Bluetooth worm has
already been discovered circulating in Singapore, and Laurie thinks future
variants could be something really scary. Especially vulnerable are
Europeans who use their mobile phone to make micropayments - small
purchases that show up as charges on cell phone bills. A malicious virus
maker bent on a get-rich-quick scheme could take advantage of this feature
by issuing "reverse SMS" orders.

Bluetooth security has become a pressing issue in Europe, where the
technology is ubiquitous. The problem will migrate to American shores as
the protocol catches on here, too. But in the long run, Bluetooth
vulnerabilities are manageable: Handset manufacturers can rewrite faulty
implementations, and cell phone users will learn to be more careful. A far
bigger security nightmare for the US is Internet telephony, which is fast
being adopted for large corporations and is available to consumers through
many broadband providers. Voice over IP is, by design, hacker-friendly. No
enterprising criminals have dreamed up a million-dollar scam exploiting
VoIP technology yet. But when they do, it likely won't be something a
simple patch can fix.

Bluetooth hacking is technically very different from VoIP hacking, but
they're both surging for the same basic reason. Increasingly, telephones
have become indistinguishable from computers, which makes them more useful,
but also more vulnerable. VoIP, which routes calls over the Internet, gives
users the power to port their phone number anywhere, package voice messages
into MP3s and receive them as emails, and make cheap international calls.
Yet VoIP, like Bluetooth, exposes your telephone to the same ills that
regularly befall a desktop box - worms, spam, crashes.

"It's not like we've fixed the vulnerabilities on computers," says
security expert Bruce Schneier, author of Secrets and Lies: Digital
Security in a Networked World. "The phone network used to get its security
from being closed, but VoIP phones will be just as bad as computers."

Many of today's hacks work because the traditional phone system was built
on the premise that only large, monopolistic phone companies would be using
it, and they would all play by the same rules. But the network isn't the
telcos' private sandbox anymore; it can be manipulated and controlled by
anybody who understands basic computer networking. The people who know this
best are a new generation of phone hackers - aka phreakers - who aren't
interested in following the rules. They're busy ripping apart the latest
phones to discover what can make them turn against their owners. As the
phone companies and handset makers lumber along, we can only hope that the
phreaks in white hats figure out some fixes before the blackhats move in
for the kill.

Laurie, whose laptop is now packed with information from vulnerable cell
phones in Shepherd's Bush, has become infamous in Britain for
conducting a similar experiment in the House of Parliament, where he had
the opportunity (which he didn't take) to copy the address books and
calendars of several prominent politicians. That excursion resulted in a
mandate that all Bluetooth devices be turned off in the House of Parliament.

As the inventor of "bluesnarfing," a hack that uses Bluetooth to peek at
data stored on cell phones, Laurie is dedicated to publicizing the danger
of a wide-open Bluetooth connection. A bluesnarf attack can identify an
unprotected phone and copy its entire address book, calendar, photos, and
any other information that happens to be inside. Using a bluesnarf program,
a phreak can also crash any phone within range by using Bluetooth to
broadcast what Laurie calls "a corrupted message."

Bluesnarf was born after Laurie scrutinized the code running some Bluetooth
headsets his staff was using. He wasn't happy with what he found. "Gaping
security holes," he says with a frown. Rebuffed by the cell phone companies
to which he reported the problems, he conceived of bluesnarf as a publicity
stunt, a tool that would dramatize the danger of owning these phones.

Compounding Bluetooth's technical vulnerabilities are problems with the
way people use it. Most folks leave Bluetooth on all the time, often
because they don't bother to learn how to turn it off. Even tech-savvy
types tend to keep their connections open. "People have heard about
'toothing,' where strangers send each other flirtatious messages via
Bluetooth," he says. Hoping to get toothed, they risk an entirely different
kind of penetration.

The risk doesn't end with snarfing. Another way to use Bluetooth to hijack
a phone completely is bluebugging, and Laurie gives me a quick demo. He
runs the bluebug software on his laptop, and it quickly locates an Ericsson
t610 phone he's set on the table between us (not all phones can be
bluebugged, but this model can). His computer connects to the phone and
takes it over, remotely. Tapping the keyboard, Laurie sends the t610 a
command to ring up the phone on his belt. It bleeps. He answers. We've got
a bluebug.

Invented by Austrian researcher Martin Herfurt earlier this year,
bluebugging is the perfect weapon for corporate spies. Let's say you and I
are competing for a big contract with an oil company. I want to hear
everything that happens in your meeting with the VP of Massive Oil Inc., so
I hire a blackhat phreak to take over your cell phone. Once he's bluebugged
it, I tell him to have your mobile call mine. The phone that's sitting in
your jacket pocket is now picking up everything you and the VP say during
your conversation, and I can hear the prices you're quoting as clear as a
bell on my own phone. "A cell phone is the ultimate well-engineered bugging
device," Laurie says.

Unlike bluesnarfers, who need only some gear and know-how, the bluebugger
first has to get your cell phone to pair with his computer, establishing a
"trusted" data link. Laurie explains one crafty way to make this happen.
"You just say, 'Gee, that's a cool phone, can I see it?' Punch a few buttons
to establish the pairing, and hand it back." As soon as the pairing is
complete, the bluebugger can commandeer every aspect of the phone. He can
initiate calls, send SMS messages, even overwrite the address book and
contacts list.

Laurie's revelation is disturbing, but the fact that phreakers need to
approach and interact with their intended targets significantly cuts down
on the number of victims. Yet British security consultant Ollie Whitehouse,
whose Bluetooth-hunting program Redfang has made him a celebrity among
phreakers, describes another way to bluebug - a method that doesn't
demand the eavesdropper come into physical contact with the target's phone.
In this case, the trick is to sniff the data traffic traveling to and from
a Bluetooth phone when it's pairing with another device, like a headset.
Armed with this information, an attacker can bluebug the phone by
pretending to be the trusted device with which it regularly networks.

Cell phone companies argue that bluesnarfing and bluebugging are minor
threats because Bluetooth is designed to work only over short distances, 20
feet or less, requiring attackers to be close to their targets.

Enter the Bluetooth sniper rifle. Made from $200 worth of off-the-shelf
parts, the sniper is a Bluetooth antenna optimized for long-distance use.
It can send and receive faint signals at more than a thousand yards. With
the sniper - or a wireless weapon like it - bluesnarfers and bluebuggers no
longer have to be in the same room as their targets. "By smashing any
notion that distance is an issue," says 24-year-old inventor Jon Hering, a
student at the University of Southern California, "we showed that
bluebugging is a real-world threat."

Surely the phone companies must be doing something to protect us from all
this. Keith Nowak, a spokesperson at Nokia, suggests "just turning off
Bluetooth - or switching into hidden mode."

Whitehouse laughs at that advice. Redfang, his signature phreak tool, is
specifically designed to find Bluetooth devices in hidden mode. And given
that so few people actually do turn off Bluetooth, their phones are
susceptible to countless hacks - ones that Hering's sniper rifle could
launch from half a mile away.

The Default Radio boys, rock stars in the phreak underground, are onstage
at DefCon, the venerable hacker conference that's sort of a cross between
the Ozzfest mosh pit and an after-hours party for NSA agents. Wearing
baseball caps, T-shirts, and baggy jeans, the boys are doing a live version
of their phreak-friendly streaming-audio talk show. The long table in front
of them is covered with telephone equipment and computers.

A Defaulter using the nom de phreak Lucky225 steps up to the mike. With a
phone tucked between his ear and shoulder and the keyboard under his
fingers, he looks like a cross between a DJ and a telephone line repairman.

Lucky regales the audience with a tale about his favorite VoIP hack: He
can make a VoIP phone display whatever caller ID number he chooses. To
prove his point, he tells us he can impersonate "Jenny," the girl from the
pop song by Tommy Tutone.

Earsplitting static issues from the speakers, and suddenly we hear a
thunderous dial tone. Lucky has routed his VoIP phone through the sound
system. He dials MCI's caller ID readback line, a service that identifies
whatever number you're calling from. A robotic voice slowly intones Lucky's
number: "eight-six-seven-five" - the crowd erupts, screams of laughter
mingling with groans - "three-zero-nine."

Having demonstrated his power over caller ID, Lucky proceeds to tell the
phreak-packed auditorium how he spoofed the number. Turns out the whole
thing is a social hack. A few days before, he called his service provider,
Vonage, and told them he wanted to port all his cell phone calls to the
Internet phone connected to his computer. His cell number is 867 5309, he
lied, and Vonage believed him. Now it's rerouting all calls made to Jenny
on the Vonage network to Lucky.

Naturally, Vonage also set the caller ID on Lucky's VoIP phone to Jenny's
number - so any time he dials out, it looks like he's calling from 867
5309. A lot of systems depend on receiving accurate caller ID - credit
card-activation lines, voicemail systems, even 911. So being able to
control what a called party sees after you dial can be a potent weapon.
Armed with your caller ID, an identity thief could order a new ATM card,
activate it over the phone, and use it to empty your bank account. And,
given that many voicemail boxes will play their contents to any phone with
the right caller ID, you could be opening up your private life to anyone
with a Vonage phone.

After the show, I ask Lucky why he got into the phreak scene. "Well,"
Lucky deadpans, sketching out plans for a network of cans and rubber bands,
"I wanted to start this elastic-based phone system." He's a prankster, but
with a purpose - to make clear to the public that VoIP is a privacy
nightmare. "Yup," he concludes, still pondering voice over elastic, "I
think this tin can shit is really going to take off."

Steve Wozniak, the Apple computer pioneer whose phreak days began in the
1970s, says pranks are what it's all about. "Those of us who have the
phreaker mentality see playing with the world as fun, but in these times
it's hard for people to see us as harmless."

Maybe so, but Vonage doesn't seem too concerned. When I contact the
company later to find out whether they know about Lucky's caller ID trick
and what they are doing to stop it, executive VP Louis Holder admits
they're not doing anything. "We allow people to do what he did," Holder
says. "We give people a temporary phone number before we verify it with the
phone company, and verification takes a couple of weeks. Somebody could
pick the White House number and pretend to be the president."

Today's phreaks have the power to crash the phone system - but they also
have the power to rebuild it. Lucky's joke about creating his own network
out of tin cans and rubber bands isn't that far from the truth. Slestak, Da
Beave, and GiD are the crew behind Florida-based Telephreak.org, a free
VoIP service that they've built to run on a roll-your-own, open source
private branch exchange (PBX) system called Asterisk.

Typically used by businesses, a PBX consists of computers that route calls
between what amounts to a phone intranet and the public telephone system. A
company using a PBX might pay for 100 lines that service 500 employees,
linking callers to the outside world, voicemail, or conferences by
dynamically connecting phone calls using whichever landlines are open. In
the past, all these connections would be managed by the phone company or a
proprietary, closed black box in the server room. But with Asterisk,
there's no need for the phone company to manage your lines anymore. You can
do it yourself.

The Telephreak crew has created its own private phone company for
themselves and their friends - one that never sends a bill. Dial an access
line to check voicemail, create conference calls, forward calls to other
phones, even get a new number. And never pay a cent.

Currently, there are several hundred voicemail accounts, and the system can
handle a hundred simultaneous calls. Although the Telephreak crew has to
pay for connectivity to Ma Bell, the amount is so negligible that they're
willing to eat the money. It's a small price to pay for freedom.

I'm talking to them on a Telephreak conference call, and the sound is a
little fuzzy. Beave, identifiable by his slight southern twang, tells me
he's working on ironing out the bugs. It's a little strange to know someone
is manipulating your phone connection while talking to you. Suddenly, the
sound is perfect. We've been rerouted. Slestak's voice comes in loud and
clear: "My connection to you guys right now is going across a cordless
phone with a box to the server, then to Telephreak. My dial tone is coming
from the West Coast."

One of the best things about building your own PBX is that you can do what
Slestak calls "chemistry experiments" with the phone system. Some PBX
phreakers, like Telediablo, even provide a caller ID spoofing service: With
it, there's no need to lie to Vonage - you simply call up Telediablo's PBX,
plug in the number you want to use as your caller ID, then dial the party
you want to trick. When I try out his little hack, I pick the number 666
6666. Next, I key in a nearby friend's number. It rings. My friend shows me
his caller ID window: Now I feel like a phreak. Instead of displaying my
number, his phone is displaying the devil's digits.

There are other PBX tricks - like caller ID unmasking, which can sometimes
reveal the actual phone number of a caller, regardless of whether they've
paid to have their number blocked. So if you think you're anonymous on the
telephone system, think again.

Probably the most unsettling discovery made by whitehat phreakers is that
VoIP providers and wireless companies are willing to peddle phones and
services that they know perfectly well are vulnerable to all kinds of
attacks. After several months of bad publicity in the UK, where Laurie and
Whitehouse are based, the cell phone companies are responding. Nokia and
Sony Ericsson have issued patches, and Motorola says that its security
flaws have been fixed in the newer models. And upstart VoIP provider Skype
is marketing built-in encryption. Meanwhile, the Bluetooth Consortium - a
group of industry leaders, including Nokia and Sony Ericsson, whose
products incorporate Bluetooth - focused explicitly on security at its
UnPlugFest in Germany last month. At the meeting, security experts
(including Laurie) rated each company's phones in terms of their resistance
to common attacks. Still, nobody is tracking bluesnarf or bluebug attacks
to measure the extent of the problem - nobody but the whitehat phreaks
themselves.

Whitehouse has written a program he calls Sweet Tooth that can detect the
signature radio signals sent by bluesnarfers. Modeled on honeypot programs
that law enforcement and security analysts use to detect hackers on the
Internet, Sweet Tooth could provide accurate statistics on how prevalent
bluesnarf attacks really are. The program is ready for action, says
Whitehouse. The question now is whether law enforcement and the phone
companies will actually deploy it. Ignoring the problem is not
going to make it better - especially because phone hacking is only going to
get easier.

Bluetooth phreaking is just the beginning. The holes will get patched, but
the problem won't go away, because all the tools that hackers have spent
decades developing will now be repurposed to hijack your phone.
Next-generation handsets will have three entry points for the blackhats: If
a snarfer can't suck down your data with Bluetooth, he'll try your Wi-Fi
port, and if that doesn't work, infrared.

"I guess that's the price you pay for convergence," Whitehouse says.

--------
The Great Cell Phone Robbery

How security flaws in today's mobile phones could add up to tomorrow's
perfect crime.

Step 1: Approach
A virus-spreader enters Heathrow Airport toting a briefcase with a laptop
and an external antenna. The rig can sniff Bluetooth signals from up to 20
feet away - and with just a bit of hacking, it can be modified to send and
receive signals over much greater distances.

Step 2: Discover
Using a program like bluesnarf, the laptop automatically finds Bluetooth
phones with firmware vulnerable to remote takeover. This process is
completed in less than 15 seconds.

Step 3: Take over
The laptop sends a program to all the vulnerable phones. Disguised as a
game or a marketing promotion, the program is really a Trojan horse hiding
a nasty virus. Once the user launches it, the virus hijacks the phone's
operating system, taking over basic functions like dialing and messaging.

Step 4: Propagate
The target phone is now infected, and it reacts by broadcasting the virus
to other vulnerable Bluetooth phones within 20 feet. Within minutes,
thousands of phones can be infected.

Step 5: Steal
Commandeering the phones' SMS system, the virus uses a popular European
micropayment system called reverse SMS to transfer 10 euros from each phone
to a temporary account in Estonia. The virus requests the transfer and
stays in control until it can confirm the order. The account is closed long
before any user sees the charge reflected on the monthly bill.

Annalee Newitz (annalee at techsploitation.com), a policy analyst at the
Electronic Frontier Foundation, wrote about dating optimizers in issue
12.06.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'