Fwd: Preferred Roaming List Zero Intercept Attack [was: DEF CON nostalgia [before that: going double cryptome at DEF CON 22]][still confusing]
coderman
coderman at gmail.com
Sun Aug 3 03:49:00 PDT 2014
---------- Forwarded message ----------
From: coderman <coderman at gmail.com>
Date: Sun, Aug 3, 2014 at 3:47 AM
Subject: Re: Preferred Roaming List Zero Intercept Attack [was: DEF
CON nostalgia [before that: going double cryptome at DEF CON
22]][still confusing]
To: Full Disclosure <fulldisclosure at seclists.org>
On Fri, Aug 1, 2014 at 4:06 AM, coderman <coderman at gmail.com> wrote:
> ...
> Any carrier phones or specific builds known to not accept PRL updates
> without authorization should be noted in response to this thread...
anon from the wiki pointed out the verizon rigmaiden aircard
incident.[0] while not a smart phone, this does illustrate how a
properly privacy conscious device will refuse to accept insufficiently
authenticated roaming list updates. UTStarcom PC5740 at that point in
time resistant to surreptitious corruption of roaming list.
also, more than twenty years for cell locator tech as written. how
many years of PRL Zero tricks? still soliciting pointers, ...
best regards,
0. "Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight"
- http://www.wired.com/2013/04/verizon-rigmaiden-aircard/all/
'''
Verizon reprogrammed the device so that when an incoming voice call
arrived, the card would disconnect from any legitimate cell tower to
which it was already connected, and send real-time cell-site location
data to Verizon, which forwarded the data to the FBI. This allowed the
FBI to position its stingray in the neighborhood where Rigmaiden
resided. The stingray then “broadcast a very strong signal” to force
the air card into connecting to it, instead of reconnecting to a
legitimate cell tower, so that agents could then triangulate signals
coming from the air card and zoom-in on Rigmaiden’s location.
To make sure the air card connected to the FBI’s simulator, Rigmaiden
says that Verizon altered his air card’s Preferred Roaming List so
that it would accept the FBI’s stingray as a legitimate cell site and
not a rogue site, and also changed a data table on the air card
designating the priority of cell sites so that the FBI’s fake site was
at the top of the list.
'''
- the second "data table on the air card ... designating the priority
of cell sites" not unambiguous. for example, System Determination
Algorithms can utilize recent tower connection history foremost, along
with the "Preferred Roaming List" as commonly used. a stated common
method is listed in priority order:
1. MRU ROAMING History List (MRU)
2. Preferred Roaming List (PRL)
---fwd-ctxt-sw---
please direct questions to Mathew Solnik and Marc Blanchou,
who are burning all sorts of vuln this week in Vegas.
Cellular Exploitation on a Global Scale: The Rise and Fall of the
Control Protocol
- https://www.blackhat.com/us-14/briefings.html#Solnik
"... In this presentation, we will discuss and disclose how
Over-the-Air code execution can be obtained on the major cellular
platforms and networks (GSM/CDMA/LTE). Including but not limited to
Android, iOS, Blackberry, and Embedded M2M devices."
such a setup suitable for silent PRL favor and middling as discussed.
More information about the cypherpunks
mailing list