Want to spy on the boss? Try this phone-mast-in-an-HP printer An engineer has shown how you can sneak a tiny cellphone base station into an innocuous office printer. The idea is the brainchild of New Zealand's Julian Oliver, who was inspired by the Stingray cellphone snooping technology now in widespread use by the cops and FBI. He was looking to see how such tech could be hidden and …
"the phone trusts the dodgy base station because the police and gchq etc want your phone to trust dodgy base stations...." Wow, the paranoia! Actually, it's because most telcos allow roaming, which means your phone will always query any cell tower it finds within range to see if it will provide a better service than your carrier's nearest tower. Roaming was introduced due to international customer demand, not the government nor the GCHQ. if you disable roaming, all the fake tower will be able to do is record your IMEI and details from your phone's registration request (unless it also spoofs the real carrier's SID), which anyone with the right toys can do already just by listening to radio traffic between phones in an area and local cell towers.
"something something terrorists"
No, back then it was "something something Russian spies".
Back when GSM came out there was a huge crypto discussion on whether it should be allowed to be encrypted. Not allowing the network to authenticate itself to the handset was the compromise.
Simply put, there's a common misconception that mobile communications are secure to the nth degree, but I should clarify that. The greatest insecurity is in the design of the technology which allows your call to remain 'connected' even if you are speeding down the highway for hours on end. To be fair, it's not that it was designed badly, it just wasn't designed to be a mobile 'solution'. In fact, it's quite old. Back on the pre-mobile days, digital phone exchanges needed some smarts to manage call volumes and routes to the next exchange between caller and recipient. Logically, if an exchange was too busy, the routing smarts would send the data via a different path as required to keep the call connected and of acceptable quality. That logic was based on both caller/recipient being in fixed locations, as were the exchanges, and only the data was routed around as needed. But when phones needed to become mobile, the network had to cater for points that were no longer fixed. The simplest way to do that at the time was to take the existing routing smarts that operated between exchanges, and use that as the framework for the new mobile network between phone towers. The logic was not overly complex; the towers were fixed, the callers may not be, so the job of the 'software' was to find the best route between towers and keep the call connected. None of which is a problem, except when you consider the level of security present in the pre-mobile era. Exchanges are fixed points, and the phone companies owned the cabled in the ground. So when you placed a call, the data traveled on their property 'hard wired" to their exchange - which was then on their closed network between exchanges. Simply put, there was no need for encryption between changes. The assumption was the traffic was secure because it was a closed network. For the most part, that logic was solid. But now the phone makes a connection to (typically) the closest tower, it asks who the tower is etc, but so long as it can make a connection (or thinks it can), it doesn't interrogate it further. Remember, the old network had fixed exchanges and fixed phones running from fixed wires in the ground. The objective was to ensure connectivity - not security. It was rightly considered to be sufficiently secure. That logic was fine with everything fixed. With a roaming world, it's completely flawed as it opened up a man-in-the-middle vulnerability.
So when your phone talks to a cell tower, it isn't interested in finitely learning what it's talking to - it's only interested in knowing it's 'connected'. It has a signal and (what it believes) is a valid connection to a trusted tower. The assumption can be made that the tower will route the call data as needed, not that it will do so AND take a copy for itself.
For more information on this and how it all comes together in a very scary way, have a look at how Signaling System 7 (SS7) can be exploited just like this article has demonstrated.
Oh, and why hasn't it been fixed? Well, two reasons come to mind. It would be a lot of work. At the very least a means of challenging the validity of the roaming connection between phone and tower at each tower and requiring new smarts in the phone as well - would it be backwards compatible with phones still vulnerable? The second is a theory only, but I don't believe law enforcement want it to be fixed. It represents a very simple method of capturing information from mobile devices in range, and that is both valuable and of extreme merit in fighting legitimate crime and terror.
Hope this helped - and you're not naive. You're right to think something we rely upon every single day is free from known and serious exploits - or at least that it should be!
Who replies to text messages from numbers they don't recognise or people who won't identify themselves?
The same people who click on links in spam and phishing emails, and hand over credentials to third parties. We wouldn't see any of those "attacks", if there weren't enough stupid "customers".
I would have said the same people who pick up memory sticks that someone appears to have 'lost' in the corporate car park and then proceeds to plug them into a computer.
I plug 'em into a computer. Just not my computer, or any computer on my network. I tend to pick computers which have been left logged in and unsecured and all alone for this kind of thing, which usually means that if there wasn't something roaming loose on that USB stick before I plugged it in, there is now.
For some reason the number of computers left alone and logged in tends to fall when I'm around. I can't imagine why this would be.
"The same people who click on links in spam and phishing emails, and hand over credentials to third parties...."
Phone-based MITM attacks are potentially incredibly powerful, effective even against not-incredibly-stupid users. For example:
1) Send legitimate-enough looking texts to unsuspecting-but-well-educated target claiming to be a bank having detected fraudulent activity, and for them to call the number listed on the back of their card
2) Reroute any/all calls to common bank numbers to your nearest criminal call centre where you harvest their security answers but otherwise take no obvious fraudulent action. Forward all other traffic over GSM to a legitimate base station.
3) Call their bank, take their money.
Imagine the internet without any kind of TLS. That's what we're talking about.
Or rather, we're talking about the internet where the person you're talking to can force you to remove any and all security measures and the only thing that determines who you're talking to is *how loud they're shouting back at you*.
"Who replies to text messages from numbers they don't recognise or people who won't identify themselves?"
I do as it's usually some idiot texting to the wrong number and I respond with the most bizarre thing I can think of (the metropolitan area I live in has four local area codes so right number but wrong area code calling is common).
@Frank N. Stein,
That wouldn't help. They control the network, so they can make an incoming call look as though it's from any number. If they know, say, the switchboard number for your work (which would be in your contacts list) then it'd show up as the office calling.
Or, as suggested above, if you've got a number for your bank then they can text using that number and have you call the number on the back of your card- normally good security practice- and intercept that call or parts of that call.
Your whitelisting is little protection against this unfortunately.
"I was expected to read how one "spied on boss" by capturing print jobs."
That's easy...unless your boss has a directly attached USB printer and you haven't been able to install a print queue interceptor. If the printer is on the network, security is not, to say the least, brilliant.
Could this faux-base be made to link to the printer's NIC, potentially using the company Internet for back-haul?
Having worked in a second sub-basement surrounded by dirt, concrete, and steel I could see the benefit of a small portable base-station; but the Networks guys usually object to something like that. It may take them a bit longer to identify the strange and excessive packets coming out of the printer than it would take them to see a new, unauthorized device on the network.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
