Wednesday, December 10, 2014

Mobile Network Hijacking: How to Protect Yourself & Your Data

Background

A couple of weeks ago, to my surprise, a Massachusetts local news station issued a report claiming that law enforcement has been driving and/or flying around civilian districts with mobile network hijacking equipment for the purpose of intercepting mobile phone connections in order to spy on the populace. Although I knew this type of attack is easy to perform these days, this report sounded a little bit far-fetched to me, mainly because this is the type of relevant news that seldom makes it to the mainstream media. The technology certainly exists, and the attack is nothing new; it is simply a MITM (man-in-the-middle) attack on a mobile network. However, it is far easier to pull off on a cellular network than on a secured WiFi network, because a GSM (2G) cell tower never has to prove its identity to the phone: the phone authenticates itself to the network, but not the other way around.

Proof Of Concept: MITM Attacks & Lack of Tower Authentication

The concept is exactly the same as the MITM attacks that occur on insecure, often public, and generally open WiFi networks. I know how easy it is to perform these kinds of attacks on any given network, because I have tried it out myself in the past (on my own network, of course). Using simple ARP redirection, even on a secured WPA2 network with a 63-character ASCII PSK, I have successfully injected custom malicious JavaScript into HTML web pages requested by the devices I was experimenting on. That is worth dwelling on: WPA2 protects the link between each client and the access point, not clients from each other once they are on the same network, so ARP spoofing works there exactly as it does on an open network.

Using the aircrack-ng suite, a WiFi chipset capable of packet injection, and a Linux machine, it was very easy to perform the following attacks:

-- Simple access point impersonation and redirection attacks. An attacker either clones the AP (same SSID and MAC address) so that devices associate with the rogue AP, or, once on the network, uses ARP spoofing to answer for the gateway's LAN IP address with their own MAC address; either way, the device's traffic to the internet now passes through the rogue (fake, hostile) network adapter. The attacker can then run dumpcap, or in other words a program that logs all of the client's data packets to disk for later analysis and data extraction. Typically, the analysis consists of searching the stolen packets for sensitive information, such as passwords, credit card numbers and personal information.

-- After ARP redirection is established, "session hijacking" can then occur. The idea behind this attack is quite simple: cookies* are often used to store data in the client's browser that confirms a previously authenticated web session. Once the victim's connection is compromised, cookies are easily stolen, particularly when accessing non-secure web sites (http as opposed to https; pay attention to the URLs of the sites you visit). A session cookie is only safe from this if the site sets it with the Secure attribute, so that the browser never sends it over plain http. Browsers like Firefox warn you when an HTTPS connection is being intercepted, because a man in the middle cannot present a certificate for the site that your browser trusts.

*Cookies were not invented with security in mind. A cookie is a small piece of data that a web server asks your browser to store (via a Set-Cookie header) and that the browser sends back on every later request to that site, which allows settings specific to the web site to persist on the client's machine. There are two general reasons for this: convenience (remembering personal settings, or keeping state for sites you visit often), and authentication, as discussed above. For example, when you log into Facebook, a cookie is stored in your browser, which allows you to stay logged in even if you close the browser tab, so that every time you pull up Facebook again you do not have to re-enter your password. The cookie tells Facebook's servers that you are already logged in, thus keeping the session open and sparing you from entering your password every time you access the site. This is how many, many web servers keep track of authenticated sessions these days, and it is also why a stolen session cookie is as good as a stolen password until that session expires.


-- DNS hijacking, and the cross-site attacks it enables, can also be performed by a savvy attacker on your local network. DNS (Domain Name System) is basically the phone book of the internet. Every time you go to google.com, your computer has to figure out where Google's server is; this is called name resolution. Each domain name on the internet corresponds to one or more IP addresses. Just like you need a phone number to call someone, a computer needs an IP address to connect to the requested server. DNS hijacking covers two things: spying on internet users simply by logging their DNS requests, which reveal what sites you are visiting even if the connections themselves are encrypted (DNS queries are normally sent in plaintext; when they escape a VPN tunnel this way it is called a DNS leak), or providing the victim's device with a false IP address in order to connect it to a rogue server. Here is a classic example of this attack:

You need to check your bank account balance, so you grab your computer or phone. You then open a browser and go to http://www.yourexamplebank.com, but rather than actually reaching the bank's real web site, the attacker returns false DNS information, which causes your computer to connect to a malicious web site. It is not uncommon for malicious hackers to create official-looking clones of real web sites, which look exactly the same as the site you think you are accessing. Note that the URL here starts with http://, not https://; a clone served over plain http triggers no certificate warning, which is why the padlock matters. The victim, not knowing any better, logs in with their username and password, the attacker logs that information, and then has access to the victim's bank account. (This actually happened to my mother at the New Ipswich, NH town library a couple of years ago. About $1000 was stolen from her bank account. Nobody helped or cared, including the police.)

-- Installation of malware. Most people tend to trust the sites they use every day, and many do not think twice when a page tells them that they need (for example) a new version of Adobe Flash Player to watch a video. With the connection under the attacker's control, that prompt can be injected into any plain-http page. The naive user follows the download link, installs the malware, and then, unbeknownst to them, their entire system is infected and compromised. Sometimes this happens without the user even knowing that they installed something, particularly when the victim is running an old, unpatched version of Microsoft Windows.

-- Many, many other malicious things.
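As an added example (not code from the original post), here is the check a practitioner would run to catch the ARP redirection that the attacks above start from: it parses raw Ethernet/ARP frames of the kind dumpcap captures and raises an alert when an IP address (typically the gateway's) starts being announced by a different MAC, or when one MAC answers for several addresses. All MACs, IPs and frames are constructed sample data, and the `build_arp_reply` helper exists only to fabricate them.

```python
"""Detecting ARP redirection in captured frames (Python 3, standard library only).

Added example, not code from the original post. It parses raw Ethernet/ARP frames
as a sniffer such as dumpcap would capture them, remembers which MAC address last
announced each IP address, and flags two symptoms of the ARP spoofing described
above: an IP address (typically the gateway) suddenly announced by a different MAC,
and one MAC announcing several IP addresses at once. All MACs, IPs and frames below
are constructed sample data.
"""
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender MAC, sender IP) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa)


class ArpWatcher:
    """Tracks IP -> MAC bindings seen on the wire and reports suspicious changes."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, frame: bytes) -> List[str]:
        """Feed one captured frame; return alert strings (empty when nothing is wrong)."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        # Both requests and replies carry a sender binding, and both can poison a cache.
        _op, mac, ip = parsed
        alerts: List[str] = []
        previous = self.table.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ip} moved from {previous} to {mac} (possible ARP spoofing)")
        self.table[ip] = mac
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            alerts.append(f"{mac} now answers for {claimed} (one host posing as several)")
        return alerts


def build_arp_reply(sender_mac: bytes, sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    """Assemble a raw ARP reply frame; used here only to fabricate the sample capture."""
    eth = ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def scan(frames: List[bytes]) -> List[str]:
    """Run every frame through one watcher and collect all alerts."""
    watcher = ArpWatcher()
    alerts: List[str] = []
    for frame in frames:
        alerts.extend(watcher.observe(frame))
    return alerts


# Constructed sample capture: the real gateway 192.168.1.1 lives at ...:01; the
# attacker at ...:99 first announces its own address, then answers for the gateway.
GATEWAY_MAC, ATTACKER_MAC, VICTIM_MAC = (bytes.fromhex(h) for h in ("aaaaaaaaaa01", "aaaaaaaaaa99", "aaaaaaaaaa10"))
GATEWAY_IP, ATTACKER_IP, VICTIM_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 99]), bytes([192, 168, 1, 10])

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # legitimate
    build_arp_reply(ATTACKER_MAC, ATTACKER_IP, VICTIM_MAC, VICTIM_IP),  # attacker's own IP
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # the spoofed reply
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

In practice you would feed the watcher live frames from a raw socket or a saved pcap; the two conditions it checks are the same ones a tool like arpwatch alarms on, and a static ARP entry for the gateway is the cheap mitigation on a network you control.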

In addition to poisoning the data connection, all voice calls and SMS messages can be intercepted far too easily these days. GSM's encryption was deliberately weakened to allow wiretapping. When the standard was written, GSM voice encryption was supposed to use 128-bit keys. However, governments wanted to be able to spy on each other, so a compromise was reached: A5/1 (the original GSM encryption, still used today on many networks) takes a 64-bit session key Kc, and the key derivation used on early SIMs fixed 10 of those bits to zero, leaving an effective key of only 54 bits. This may have been sufficient back in the 80's, but today A5/1 is totally broken: its keystream can be recovered with precomputed rainbow tables in minutes on commodity hardware. Often cellular networks do not even use any encryption whatsoever, and the phone gives you no indication either way. To make matters worse, when you turn on your phone, it connects to whatever cell tower has the strongest signal. The phone authenticates itself to the tower, but not the other way around. Unlike HTTPS and other modern encryption protocols, GSM offers no authentication of the network to the user (3G and 4G do add mutual authentication, which is exactly why attackers downgrade phones to 2G). This makes it far too easy for anyone with a little bit of money and time to intercept your communications. Furthermore, the SIM authentication algorithm that many early GSM operators used (COMP128-1) has been cracked, allowing the SIM's secret key to be extracted and the SIM cloned.
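To make the key-size point concrete, here is A5/1 itself as an added example (not from the original post), implemented from the cipher's public description. Its entire secret state is the 64 bits spread across three small shift registers, which is what makes time/memory trade-off attacks on it practical, and `comp128v1_style_kc` reproduces the weakening done by early SIMs by zeroing the 10 low bits of Kc. The session key, frame number and burst in the demo are constructed values.

```python
"""A5/1, the original GSM voice cipher, in plain Python 3 (standard library only).

Added example, not code from the original post. It follows the public description
of A5/1: three linear feedback shift registers of 19, 22 and 23 bits (64 bits of
state) with majority-vote irregular clocking, keyed by the 64-bit session key Kc
and the 22-bit frame number. The weakening discussed above lived in key generation,
not the cipher: COMP128-1 on early SIMs produced Kc with its 10 low bits fixed to
zero, so only 54 of the 64 key bits were secret. Demo values are constructed.
"""
from typing import List, Tuple

R1_MASK, R2_MASK, R3_MASK = (1 << 19) - 1, (1 << 22) - 1, (1 << 23) - 1
R1_TAPS = (1 << 18) | (1 << 17) | (1 << 16) | (1 << 13)  # feedback taps of R1
R2_TAPS = (1 << 21) | (1 << 20)                          # feedback taps of R2
R3_TAPS = (1 << 22) | (1 << 21) | (1 << 20) | (1 << 7)   # feedback taps of R3
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10        # clocking-control bits
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22       # output (top) bits

KC_BITS = 64
COMP128V1_ZEROED_KEY_BITS = 10
EFFECTIVE_KEY_BITS = KC_BITS - COMP128V1_ZEROED_KEY_BITS  # 54


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Clock one LFSR: shift left, feed back the parity of its tap bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, kc: bytes, frame: int):
        if len(kc) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("Kc must be 8 bytes and the frame number 22 bits")
        self.r1 = self.r2 = self.r3 = 0
        # Key, then frame number, are XORed in bit by bit (LSB of each byte
        # first) while all three registers clock regularly.
        for i in range(64):
            self._clock_all()
            self._xor_in((kc[i >> 3] >> (i & 7)) & 1)
        for i in range(22):
            self._clock_all()
            self._xor_in((frame >> i) & 1)
        for _ in range(100):  # 100 majority-clocked warm-up steps, output discarded
            self._clock_majority()

    def _xor_in(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock_majority(self) -> None:
        """Only registers whose control bit agrees with the majority advance."""
        b1, b2, b3 = bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def keystream(self, nbits: int = 228) -> List[int]:
        out = []
        for _ in range(nbits):
            self._clock_majority()
            out.append(_parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT) ^ _parity(self.r3 & R3_OUT))
        return out


def frame_keystream(kc: bytes, frame: int) -> Tuple[List[int], List[int]]:
    """228 keystream bits per frame: first 114 for downlink, last 114 for uplink."""
    ks = A51(kc, frame).keystream(228)
    return ks[:114], ks[114:]


def xor_bits(data: List[int], ks: List[int]) -> List[int]:
    """Encryption and decryption are the same XOR against the frame keystream."""
    return [d ^ k for d, k in zip(data, ks)]


def comp128v1_style_kc(kc: bytes) -> bytes:
    """Zero the 10 low bits of Kc the way early SIMs did, leaving a 54-bit key."""
    value = int.from_bytes(kc, "big") & ~((1 << COMP128V1_ZEROED_KEY_BITS) - 1)
    return value.to_bytes(8, "big")


if __name__ == "__main__":
    kc = bytes.fromhex("1223456789abcdef")  # constructed sample session key
    down, up = frame_keystream(kc, 0x134)   # constructed frame number
    burst = ([1, 0, 1, 1] * 28) + [0, 1]    # constructed 114-bit burst
    assert xor_bits(xor_bits(burst, down), down) == burst
    print("downlink keystream (first 32 bits):", "".join(map(str, down[:32])))
    print("weakened Kc:", comp128v1_style_kc(kc).hex(), "->", EFFECTIVE_KEY_BITS, "secret bits")
```

Two things are visible from running it: an all-zero Kc produces an all-zero keystream (the registers never leave the zero state), and the cipher itself happily uses all 64 key bits, so the 54-bit effective strength came purely from the SIM handing it a key with ten known zero bits.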

Networking In A Nutshell

The attacks explained above can be performed on any type of network, including mobile networks. A mobile network functions similarly to a WiFi or local area network (such as your home or office's private network).

To understand how this works, a basic understanding of the Internet Protocol and networking is helpful. The internet is just a bunch of networks connected together. These individual networks are often called intranets, which I've always assumed translates to an 'internal' or private network.

Most households have one internet line, with one public IP address, connected to a router, which the household members all connect to. The router also acts as a firewall: it only passes inbound traffic that belongs to a connection an internal device started (as opposed to letting all incoming traffic simply pass through). In order to route the traffic to the correct device (for instance, you probably don't want your router sending your porn stream to your mother's computer by mistake...), the router assigns a private, local and unique internal IP address to each connected device, and rewrites the addresses on the way out (network address translation, NAT), so that multiple devices may use the connection at the same time without interruption, while sharing the same public IP address.

The local IP address is not visible to, or usable by, anything outside the private network. All traffic coming from the household's network, regardless of which device it originated on, appears to come from the same public IP address. This is how the internet works: it is simply a pool of private networks (subnets) connected together through internet service providers and their main data hubs.

Mobile Networking

When your phone is in range of a cell tower, it identifies itself to the network using a unique code known as an IMSI, or International Mobile Subscriber Identity, which is stored on the SIM. The phone then authenticates to the network, in a manner similar to the process that occurs when you connect to a secured WiFi network (on 2G only the phone is authenticated; the network is not). If you have mobile data enabled, your device is then assigned a unique private IP address on the carrier's packet network, behind the operator's gateway (again, functionally no different from the way a LAN works). Your phone is then connected to your cellular carrier's network, behind their firewall, identified by the private IP address the carrier assigned, much as a DHCP server would assign one on a LAN.

DHCP is a protocol for assigning IP addresses to clients on private networks. A DHCP server assigns each client on the network a unique, temporary IP address. This allows many devices to connect through the same internet line, or public IP address, because the router (as the name suggests) is able to route the packets to the correct devices. As with WiFi or Ethernet networks, from outside the mobile network's firewall many devices will appear to share the same public IP address (carrier-grade NAT), except when the network uses several public addresses to handle more devices, or when you are driving or moving from cell to cell and end up behind a different gateway.

It is also important to note the different types of mobile networks, and why some protocols are more secure than others. For instance, 2G networks are far less secure than newer 3G networks, and 4G networks are likely the most secure networks available. This is because each generation of mobile networking protocols uses newer, stronger encryption than the last, and 3G and 4G also authenticate the network to the phone, which 2G does not. Just as WEP WiFi security can be cracked in about a minute with the correct equipment and software, 2G network encryption is old, and thus inherently insecure. I would advise disabling 2G data altogether, because the security is so bad. In fact, one common tactic used for hijacking mobile network connections is to jam the 3G and 4G channels, which forces the device to fall back to a 2G connection, which can then be very easily cracked, allowing an attacker easy surveillance or interception of your communications.

It is also important to understand the difference between the main cellular protocols, GSM and CDMA (also UMTS, but that's not terribly important right now).

GSM, or the Global System for Mobile Communications, is the protocol used on roughly 90% of the world's cellular networks. GSM phones have removable SIM cards, which allows a user to easily switch networks and phone numbers simply by swapping the SIM card. Examples of GSM-based providers in America are AT&T and T-Mobile, as opposed to Verizon or US Cellular, which use CDMA.

GSM is generally considered less secure than CDMA networking, although over time GSM carriers adopted the W-CDMA protocol (UMTS) for 3G, and both camps have converged on LTE for 4G. If this makes no sense to you, don't worry about it too much.

CDMA, or Code Division Multiple Access, has a few advantages over GSM, but generally speaking, CDMA phones are locked to a specific carrier and can rarely be used on any network other than the one the phone is programmed for. This is a major disadvantage compared to GSM, because when you purchase a phone from Verizon, that phone will only ever work on Verizon's network, whereas a GSM phone can usually be carrier-unlocked and then used with almost any other GSM carrier in the world, simply by swapping the SIM card. This is a personal necessity for me, and the reason why I recently switched to AT&T and purchased a carrier-unlocked phone. If I get tired of AT&T, I can always switch carriers, and I'll never be locked into a contract again. It gives you freedom of choice.

IMSI Attacks & Fake Mobile Base Stations

Okay, so now that you understand the background, let's get to the point. In recent years, devices have been developed that act as a cellular signal booster, or as a tiny private cell tower (a femtocell). These devices are very convenient for people who live in rural areas with bad coverage. Anyone can now purchase one for their property, to improve cellular reception at their home or business. At least, that was the original idea. More recently, it was shown that by modifying one of these devices (or by building the equivalent from a software-defined radio and open-source base station software), one can effectively turn it into an IMSI catcher, also called a "cell connection hijacker" or "fake mobile base station" (a fake cell tower, in other words). It did not take long for law enforcement to embrace this technology, and now mobile phone user security has been seriously compromised for everyone. It is now common for police to drive around with one of these devices in an SUV, or fly around with one in a helicopter, for the purpose of intercepting citizens' mobile communications.

Just like a man-in-the-middle attack on a WiFi network, these devices trick your phone into connecting to them rather than to the real cell towers (they simply advertise a stronger signal, which the phone prefers), and then route your traffic through the rogue base station. This allows the attacker to perform the same types of malicious attacks on cell phone networks as on a WiFi network, including eavesdropping, stealing personal data, installing malware on smartphones, and intercepting and decrypting your phone calls and SMS messages on the fly. A catcher can also simply instruct the phone to use no encryption at all (A5/0), which the phone silently accepts.

Most people do not even notice a thing when this is happening. I for one believe that cellular providers need to develop ways of protecting their customers against these types of attacks, because as far as I know, there is no native feature present on any unmodified cellular device sold today that even alerts the user when this is happening to them, or offers any countermeasures. Since 2009 security-minded people have requested that Google add a feature to Android to inform the user when no encryption is being used on the network (the GSM standard actually specifies such a ciphering indicator, but carriers can switch it off through a flag on the SIM). For whatever reason, it has not happened.

However, there is software in beta, written by concerned members of the open source community, that can detect this type of attack and warn the user.

This software works by comparing the geolocation of your phone against a constantly updated database of real cell towers, examining the cell IDs of the towers your phone is connected to, and making sure that those towers are supposed to exist where they appear. It also detects if a cell tower appears to be moving, which for obvious reasons is a major red flag... cell towers do not just get up and start running around for fun. In other words, a moving cell tower is likely a fake cell tower.

This particular program, AIMSICD (Android IMSI-Catcher Detector), also gives you the option of anonymously uploading the data your phone picks up to the OpenCellID database, so that other people know where suspicious activity is occurring, and so that the program can warn you if the area you are in is a hostile network. This concept works quite well because, well... last I checked, once a cell tower is erected, it stays in the same place forever.

If AIMSICD detects a rogue base station or hostile service area, it will warn you. You can also set it to turn Airplane mode on automatically if this happens, which immediately shuts off all of your cellular radios, effectively protecting you from being compromised. The more people who run this app, the more accurate the database will be, and thus cellular networks will be safer for everyone.

In order to fully benefit from AIMSICD, you will need to get an OpenCellID API key, so that you can access the database of known, legitimate cell tower locations, and also contribute to the database (if you want to; that is not mandatory at all).
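The checks described above, as an added example that is not AIMSICD's own code: it scores a log of serving-cell observations against a known-cell table (the kind of data an OpenCellID key gives you access to), flagging cells that are not in the table, cells seen far from their registered position, and cells whose footprint travels with the phone. The sample log, the cell table (placed under the reserved test network MCC/MNC 001/01) and the two distance thresholds are all assumptions made for the example, not values from the app.

```python
"""Rogue base station heuristics of the kind AIMSICD applies (Python 3, standard library only).

Added example, not AIMSICD's own code. It runs a log of serving-cell observations
(MCC/MNC/LAC/CID plus the phone's own GPS fix) against a table of known cells such
as one downloaded from OpenCellID, applying the three checks described in the post:
the cell must exist in the table, the phone must be within a plausible radius of the
cell's registered position, and fixes taken under one cell must not be spread further
apart than a real cell could serve (a "moving tower"). The observation log and the
cell table are constructed sample data; the two distance thresholds are assumptions.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

CellKey = Tuple[int, int, int, int]  # (mcc, mnc, lac, cid)

MAX_CELL_RADIUS_M = 10_000.0             # assumed: a macro cell rarely serves beyond ~10 km
MAX_FOOTPRINT_M = 2 * MAX_CELL_RADIUS_M  # two fixes under one real cell cannot be further apart


@dataclass
class Observation:
    t: int          # seconds since the log started
    mcc: int
    mnc: int
    lac: int
    cid: int
    lat: float      # phone's GPS fix at the time
    lon: float

    @property
    def key(self) -> CellKey:
        return (self.mcc, self.mnc, self.lac, self.cid)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def analyse(observations: List[Observation],
            known_cells: Dict[CellKey, Tuple[float, float]]) -> List[str]:
    """Return one alert string per anomaly, in log order."""
    alerts: List[str] = []
    first_fix: Dict[CellKey, Tuple[float, float]] = {}
    for o in observations:
        if o.key not in known_cells:
            alerts.append(f"t={o.t}: cell {o.key} is not in the known-cell table")
        else:
            d = haversine_m(o.lat, o.lon, *known_cells[o.key])
            if d > MAX_CELL_RADIUS_M:
                alerts.append(f"t={o.t}: cell {o.key} is registered {d / 1000:.1f} km from the phone")
        # Moving-tower check: the same cell identity serving the phone at fixes
        # too far apart means the "tower" travelled with the phone, or the
        # identity of a distant real cell is being cloned.
        if o.key in first_fix:
            moved = haversine_m(o.lat, o.lon, *first_fix[o.key])
            if moved > MAX_FOOTPRINT_M:
                alerts.append(f"t={o.t}: cell {o.key} appears to have moved {moved / 1000:.1f} km")
        else:
            first_fix[o.key] = (o.lat, o.lon)
    return alerts


# Constructed sample data. MCC/MNC 001/01 is the reserved test network.
KNOWN_CELLS: Dict[CellKey, Tuple[float, float]] = {
    (1, 1, 100, 2001): (42.360, -71.060),
    (1, 1, 100, 2002): (42.370, -71.050),
}

SAMPLE_LOG = [
    Observation(0,   1, 1, 100, 2001, 42.361, -71.061),   # normal
    Observation(60,  1, 1, 100, 2002, 42.369, -71.052),   # normal handover
    Observation(120, 1, 1, 999, 9999, 42.369, -71.052),   # unknown cell under a new LAC appears
    Observation(180, 1, 1, 999, 9999, 42.550, -71.250),   # same unknown cell about 26 km later
    Observation(240, 1, 1, 100, 2001, 42.550, -71.250),   # a real cell's identity, wrong place
]


if __name__ == "__main__":
    for line in analyse(SAMPLE_LOG, KNOWN_CELLS):
        print("ALERT", line)
```

The last two log entries show why both position checks are worth keeping: an unknown identity only trips the table lookup, but a catcher that clones a real cell's identifiers is caught by the distance to that cell's registered site and, once the phone has seen the real cell too, by the moving-tower check as well.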

Conclusion

It is clearly a very sick society that we live in, considering these types of police operations are completely unconstitutional and thus illegal... Unfortunately, that does not seem to make a difference to law enforcement. As I watch all of our rights go down the toilet, the least I can do is spread awareness of what we are up against. Please spread the word, and be safe. Remember, there is nothing more personal and vulnerable than your cell phone. Be safe, and good luck.
