I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell

Presented at DEF CON 21 (2013), Aug. 2, 2013, 10 a.m. (45 minutes).

I have a box on my desk that your CDMA cell phone will automatically connect to while you send and receive phone calls, text messages, emails, and browse the Internet. I own this box. I watch all the traffic that crosses it and you don't even know you're connected to me. Welcome to the New World, where I, not them, own the towers. Oh, and thanks for giving me the box... for free.

This box is a femtocell, a low-power cellular base station given or sold to subscribers by mobile network operators. It works just like a small cell tower, using a home Internet connection to interface with the provider network. When in range, a mobile phone will connect to a femtocell as if it were a standard cell tower and send all its traffic through it without any indication to the user.

The state-of-the-art authentication protecting cell phone networks can be an imposing target. However, with the rising popularity of femtocells there is more than one way to attack a cellular network. Inside, they run Linux, and they can be hacked.

During this talk, we will demonstrate how we've used a femtocell for traffic interception of voice/SMS/data, active network attacks and explain how we were able to clone a mobile device without physical access.


Presenters:

  • Doug DePerry - Senior Security Consultant, iSEC Partners
    Doug DePerry (@dugdep) is a Senior Security Consultant at iSEC Partners in New York City. In addition to his day-to-day consultant duties, Doug is also responsible for helping manage employee/new hire training as well as the summer intern program. At iSEC Doug has recently taken a deeper interest in iOS and crypto assessments as well as architecture reviews and embedded systems. He has also written a whitepaper on HTML5 titled, 'HTML5 Security:The Modern Web Browser Perspective'. Prior to joining iSEC, Doug worked for various defense contractors and the US Army.
  • Tom Ritter - Senior Security Consultant, iSEC Partners
    Tom Ritter (@TomRitterVG) is a Senior Security Consultant at iSEC Partners, a frequenter of @nysecsec, and has far more ideas than time. He is interested in nearly all aspects of cryptography, privacy, anonymity, and pseudonymity; security; and traveling. He is located corporeally in New York City, virtually at http://ritter.vg, and meta- physically has been lost for quite some time.

Links:

Similar Presentations: