I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell

Presented at Black Hat USA 2013, July 31, 2013, 2:15 p.m. (60 minutes)

I have a box on my desk that your CDMA cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the Internet. I own this box. I watch all the traffic that crosses it and you don't even know you're connected to me. Welcome to the New World, where I, not them, own the towers. Oh, and thanks for giving me the box... for free.

This box is a femtocell, a low-power cellular base station given or sold to subscribers by mobile network operators. It works just like a small cell tower, using a home Internet connection to interface with the provider network. When in range, a mobile phone will connect to a femtocell as if it were a standard cell tower and send all its traffic through it without any indication to the user.

The state-of-the-art authentication protecting cell phone networks can be an imposing target. However, with the rising popularity of femtocells there is more than one way to attack a cellular network. Inside, they run Linux, and they can be hacked.

During this talk, we will demonstrate how we've used a femtocell for traffic interception of voice/SMS/data and for active network attacks, and explain how we were able to clone a mobile device without physical access.


Presenters:

  • Andrew Rahimi - iSEC Partners
    Andrew Rahimi is a Security Engineer for iSEC Partners in New York. He is a recent graduate of Bucknell University with an undergraduate degree in Computer Science & Engineering. His interests primarily include CDMA mobile phone research, satellite TV/Radio, WiFi, and other consumer network-oriented technologies.
  • Doug DePerry - iSEC Partners
    Doug DePerry is a Senior Security Consultant at iSEC Partners in New York City. In addition to his day-to-day consultant duties, Doug is also responsible for helping manage employee/new hire training as well as the summer intern program. At iSEC, Doug has recently taken a deeper interest in iOS and crypto assessments as well as architecture reviews. He has also written a whitepaper on HTML5 titled 'HTML5 Security: The Modern Web Browser Perspective'. Prior to joining iSEC, Doug worked for various defense contractors and the US Army.
  • Tom Ritter - iSEC Partners
    Tom Ritter is a Security Consultant at iSEC Partners, a strategic digital security organization, performing application and system penetration testing and analysis for multiple platforms and environments. He graduated from Stevens Institute of Technology with a Master's in Computer Science; prior to iSEC, he worked as a Security Engineer at a lead security consulting company and as a Team Lead in .NET and SQL Server Development for a Financial Services Company. He has presented at security conferences in Europe, North and South America and is involved in IETF Working Groups relating to the internet-standard secure protocols. His research interests are centered around cryptography, anonymity, and privacy.
