Cell phone eavesdropping

December 2, 2007

in Geek stuff, Security

People at Ashley’s Chrismukkah party

Analog cellular phones are absurdly vulnerable to eavesdropping. Anyone with a radio that can be tuned to the frequency used by a particular phone can listen to all calls being made, and anyone with a transmitter that would operate on that frequency can make calls that will be billed to the subscriber’s account. At a church sale while I was in elementary school, a friend of mine picked up a radio scanner capable of monitoring nearby cell calls for $20. Things improved with digital cell technology, notably the GSM standard common in Europe and the CDMA standard used in North America. As well as allowing more efficient usage of radio spectrum, the digital technologies made it such that someone with nothing more than a radio could no longer make or overhear calls.

GSM phones, the more common sort globally, employ a number of cryptographic features. The first is the use of a SIM card and a challenge-response protocol to authenticate the phone to the network. This ‘proves’ that calls are being made by the legitimate account holder and not by someone impersonating them. GSM can also utilize encryption between the phone and base station as a form of protection against interception.

Unfortunately, a design flaw in the GSM standards somewhat undermines the value of the latter. While the phone must prove to the network that it is authentic, no such thing is required in the other direction. As such, anyone with the resources and skill can build a machine that looks like a cell phone tower, from the perspective of a phone. The phone will then dutifully begin encrypting the conversation, though with the malicious man in the middle monitoring. The device impersonating a cell tower to the phone impersonates a phone to a real cell tower, allowing the person using the phone to make calls normally, ignorant of the fact that their communications are being monitored.

Of course, anyone who has access to the phone company’s network can do all this and more. This includes law enforcement personnel conducting legal surveillance with warrants. Unfortunately, it also includes potentially unscrupulous people working for the cell phone company and anyone with the capability to break into their networks.

Report a typo or inaccuracy

{ 15 comments… read them below or add one }

R.K. December 2, 2007 at 3:17 pm

There is an especially acute mismatch between today’s photo and the content of the post.

. December 2, 2007 at 10:54 pm

Kuwaiti oil fires

USAF aircraft of the 335th Fighter Squadron (F-16, F-15C and F-15E) fly over Kuwaiti oil fires, set by the retreating Iraqi Army as part of a scorched earth policy during Operation Desert Storm in 1991. Nearly 800 oil wells were set ablaze and the fires were not fully extinguished until eight months after the end of the war.

. December 3, 2007 at 1:55 am
. May 9, 2008 at 10:22 am

Cell Phone Spying

By schneier

A handy guide:

A service called World Tracker lets you use data from cell phone towers and GPS systems to pinpoint anyone’s exact whereabouts, any time — as long as they’ve got their phone on them.

All you have to do is log on to the web site and enter the target phone number. The site sends a single text message to the phone that requires one response for confirmation. Once the response is sent, you are locked in to their location and can track them step-by-step. The response is only required the first time the phone is contacted, so you can imagine how easily it could be handled without the phone’s owner even knowing.

usman November 19, 2008 at 3:59 pm

whom may it concern ,
how are you, i want to buy gsm bug round up gs 101 where can i get it for eavesdropping ,and i want to listen my enimies cell phone what should i buy to listen because my enimies killed my brother.there please help me which eavesdropping device or software will be good for me

. February 13, 2009 at 10:59 am

Obama’s BlackBerry brings personal safety risks
February 12, 2009 7:27 AM PST
by Chris Soghoian

Before we dive in, let’s take a moment to note that each mobile phone has a unique serial number, known as an IMEI, or MEID. This unique number is transmitted in clear text, every time the phone communicates with a nearby cell tower. Thus, while the contents of a phone call or the data session (for e-mail) are usually encrypted, anyone with the right equipment can home in on a particular IMEI and identify the location of the source of that signal.

The most common device used to locate a phone by its IMEI is a “Triggerfish”, a piece of equipment that is routinely used by law enforcement and intelligence agencies. This kind of device tricks nearby cell phones into transmitting their serial numbers and other information by impersonating a cell tower.

The devices, which are actually fairly low-tech, were used to hunt down famed hacker Kevin Mitnick back in the 1990s. Most interesting of all, according to Department of Justice documents, Triggerfish can be used to reveal a suspect’s location “without the user knowing about it and without involving the cell phone provider.”

. September 2, 2009 at 3:55 pm

Guarding Against Electronic Eavesdroppers
August 15, 2005

Our Aug. 10 article discussed vulnerabilities in the use of analog cellular and cordless phones. Quite frankly, those who do not want the entire world to be able to listen into their conversations should get rid of their analog cell and cordless phones. Also, if their cellular provider does not have a 100 percent digital network — there most often is a “D” on the phone’s screen that shows a phone is operating on a digital network — one must assume that anyone can listen in. Even digital phones can be compromised, but the eavesdroppers must be determined professionals.

. September 8, 2009 at 4:20 pm

Militants and the Latest Mobile Phone Technology
December 9, 2004

Norwegian police said Dec. 8 they want to stop the sale of cell phone cards that allow the caller to remain anonymous. Their fear is that criminals will exploit these cards to avoid detection. This concern, which has been raised by law enforcement agencies elsewhere, could — and should — be extended to terrorists.

Cell phones used in the planning and execution of attacks pose a serious obstacle to the security and counterterrorism forces charged with disrupting militant activities. These phones allow militants to communicate with one another while in the field, in real time and over long distances using cheap and readily available technology. Couple those advantages with the latest technology — camera phones — and law enforcement faces a walking, talking terrorist workshop.

On the other hand, a phone is another link in the militant chain, presenting the opportunity for law enforcement to detect — and thwart — an attack before it takes place. Technology does allows security and law enforcement agencies to determine who places a phone call or sends an SMS text message, and to track the call to its source. This kind of evidence has been presented in a number of criminal cases around the world, most recently in October in a U.S. case involving a fake kidnapping in Massachusetts.

Then again, there are ways to avoid detection.

The cheapest and most effective method is through the use of multiple Subscriber Identity Modules (SIM) cards — the digital fingerprint of a mobile phone. Authorities can track a cell phone user by tracking the SIM card — even if the user has not made a call. In order to avoid detection, a savvy militant will use the SIM card only once — to decrease the number of chances for detection and association — and then toss it away. High-ranking Hamas officials allegedly use this tactic to avoid identification and targeting by Israeli authorities. Indian authorities warned earlier this year that militants in the Kashmir region were using pre-paid phones (presumably with different SIM cards) to coordinate and plan operations.

. January 24, 2011 at 6:16 pm

GSM eavesdropping demo’d in Berlin

Rob Beschizza at 11:01 AM Tuesday, Dec 28, 2010

Wired’s John Borland writes that researchers demonstrated GSM cellular decryption today at the Chaos Computer Club (CCC) Congress in Berlin: “a start-to-finish means of eavesdropping on encrypted GSM cell phone calls and text messages, using only four sub-$15 telephones as network sniffers, a laptop computer and a variety of open-source software.”

. January 24, 2011 at 8:13 pm

Eavesdropping on GSM Calls

It’s easy and cheap:

Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer, and a variety of open source software.

The encryption is lousy:

Several of the individual pieces of this GSM hack have been displayed before. The ability to decrypt GSM’s 64-bit A5/1 encryption was demonstrated last year at this same event, for instance. However, network operators then responded that the difficulty of finding a specific phone, and of picking the correct encrypted radio signal out of the air, made the theoretical decryption danger minimal at best.

Shawna May 1, 2011 at 4:23 pm

I am having some huge issues. I am continueously looking for someone who really can help or send me in the right direction. I need some advise. Please E-mail a phone # I could call you on. Or call me and I will return the call from a different phone. 419 203 6221.ty

Ina May 29, 2011 at 7:35 am

I need something to listen in on cell phone conversations like a scanner or something like that.

. August 10, 2011 at 5:14 pm

“At the DEFCON 19 hacking conference it seems that a full man-in-the-middle (MITM) attack was successfully launched against all 4G and CDMA transmissions in and around the venue, the Rio Hotel in Las Vegas. This MITM attack enabled hackers to gain permanent kernel-level root access in some Android and PC devices using a rootkit, and non-persistent user space access in others. In both cases, whoever launched this attack on CDMA and 4G devices was able to steal data and monitor conversations. For now the only evidence that such an attack occurred is a Full Disclosure mailing list post, but in the next few hours and days, depending on the response from cellular carriers, we should know whether it’s real or not.”

. August 10, 2011 at 5:20 pm

Coderman’s report suggests that, like Wi-Fi MITM, which regularly harasses surfers at DEF CONs and other hacker conventions, the attackers were able to inject custom packets into the 4G and CDMA data stream. These forged packets allowed the attackers to create on-screen prompts that, if clicked, installed a rootkit on the PC or Android device. If you’ve seen “fake AV” pop-ups while surfing the web, then that’s a good analogy for what this man-in-the-middle attack is capable of. Once the rootkit (or similar backdoor) is installed, it’s simply a matter of connecting to the exploited device via SSH. Coderman says the attackers could also monitor conversations, which suggests that not only can packets be injected, but they can also be sniffed and decoded in real-time.

. September 17, 2011 at 1:46 pm

BlackBerry messages are widely thought to be tightly encrypted. But that is the case only for BlackBerrys tied to corporate networks. The security on BlackBerrys sold to individuals is no tighter than for normal phones, according to Richard Clayton of the University of Cambridge; and copies of the messages sent on them should still exist.

Leave a Comment

You can use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

{ 2 trackbacks }

Previous post:

Next post: