I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell

Presented at DEF CON 21 (2013), Aug. 2, 2013, 10 a.m. (45 minutes)

I have a box on my desk that your CDMA cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the Internet. I own this box. I watch all the traffic that crosses it and you don't even know you're connected to me. Welcome to the New World, where I, not them, own the towers. Oh, and thanks for giving me the box... for free.

This box is a femtocell, a low-power cellular base station given or sold to subscribers by mobile network operators. It works just like a small cell tower, using a home Internet connection to interface with the provider network. When in range, a mobile phone will connect to a femtocell as if it were a standard cell tower and send all its traffic through it without any indication to the user.

The state-of-the-art authentication protecting cell phone networks can be an imposing target. However, with the rising popularity of femtocells there is more than one way to attack a cellular network. Inside, they run Linux, and they can be hacked.

During this talk, we will demonstrate how we've used a femtocell for traffic interception of voice/SMS/data, active network attacks and explain how we were able to clone a mobile device without physical access.

Presenters:

• Tom Ritter - Senior Security Consultant, iSEC Partners
  Tom Ritter (@TomRitterVG) is a Senior Security Consultant at iSEC Partners, a frequenter of @nysecsec, and has far more ideas than time. He is interested in nearly all aspects of cryptography, privacy, anonymity, and pseudonymity; security; and traveling. He is located corporeally in New York City, virtually at http://ritter.vg, and meta- physically has been lost for quite some time.
• Doug DePerry - Senior Security Consultant, iSEC Partners
  Doug DePerry (@dugdep) is a Senior Security Consultant at iSEC Partners in New York City. In addition to his day-to-day consultant duties, Doug is also responsible for helping manage employee/new hire training as well as the summer intern program. At iSEC Doug has recently taken a deeper interest in iOS and crypto assessments as well as architecture reviews and embedded systems. He has also written a whitepaper on HTML5 titled, 'HTML5 Security:The Modern Web Browser Perspective'. Prior to joining iSEC, Doug worked for various defense contractors and the US Army.

Links:

• https://defcon.org/html/defcon-21/dc-21-speakers.html#DePerry
• https://infocon.org/cons/DEF CON/DEF CON 21/DEF CON 21 video and slides/DEF CON 21 - Doug DePerry and Tom Ritter - I Can Hear You Now - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=886kXEhE90I

Similar Presentations:

• Black Hat USA 2013 / I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell
• Black Hat USA 2013 / Do-It-Yourself Cellular IDS
• Black Hat USA 2011 / Femtocells: A poisonous needle in the operator's hay stack