”someone can send a message straight to your base station to operate the camera in your phone, and the firewall will show you that the camera has been actuated [even though] the user hasn’t pressed a button to do it.”
You've got to be kidding me. The GSM/HSPDA specs provide for the ability to remotely control my cell phone camera? What other gems do the spec provide for that ATT/Verizon/Phantom Cell towers can do that people aren't aware of?
In addition to the use of IMSI catchers for MITMing calls and text messages, and the use of IMSI catchers for detecting the presence of devices, there's the use of IMSI catchers for delivering baseband exploits.
Heh. We've come full circle. The "sources" for that second link include a comment thread on HN that was later deleted. Fortunately somebody at WSJ was kind enough to blog about it so you still have something to link to.
No, they're talking about an exploit for the phone's baseband software. All the radio signal processing and the lower layers of the cellular network stack in a cell phone happens on a dedicated chip, the baseband processor. Presumably, they deliver an exploit for its software, e.g. by exploiting a buffer overrun in the baseband processor's HSDPA stack, to install malware code of some kind on this processor.
Because it's not on the CPU, it's invisible to the phone's main operating system and bypasses all its security and process isolation. And, since these chips run real-time operating systems, a low-priority task is guaranteed to never interrupt a higher priority running on the chip, so the payload would not affect cellular communications (cellular protocols have tight timing constraints).
Because the baseband processor is also attached to the phone's system bus (that's how the CPU sends it commands), it can use it to control other devices on the bus, such as the camera.
This is a very devious attack because it's almost impossible to detect, and allows deep access to the phone's hardware.
Very scary that such buses are multi-master to begin with, that's simply asking for trouble. It makes every device on the bus a potential target for exploits, after all, once you have gained a beach-head on the baseband processor you can use that to attempt to exploit the other devices (in so far as that is still a requirement, but possibly there are other buses not directly visible from the baseband processor) at will.
Back in the days there was a HF hack that allowed a remote operator to listen in on conversations in the room by using the fact that such signals would totally ignore the 'on hook' disconnect of old style 'wired' phones ('POTS'), these baseband processors are a much worse instance of the same phenomenon. Not that it matters much, after all, if you have access to the cell phone towers you can listen in on whatever you want, making pictures is of a lower threat level (to me) than listening in on random conversations in the vicinity of the phone.
The buses aren't multi-master. They're often USB, or SDIO. They would use the bus to deliver another exploit directly to CPU driver which is often running in supervisor ring, i.e. kernel privilege.
Atleast for some of the Samsung Phones which are becoming quickly popular for custom Android-based operating systems.
Some setups with an independent USB to a baseband module can still control the bus to other devices by exploiting USB host modes. (i.e. if the log output indicates it can no longer control/communicate with the usb, or the usb disconnected, then it is very likely the usb bus was hijacked by another device).
Others phones still have some type of bus overlap, and they provide no way to block the baseband chip from accessing other devices on the shared bus.
Even then, this is not an easy task as the baseband chip would be competing with the processor chip in accessing devices.
edit: It is possible in future revisions, SoC Chips in mobile phones in the US will include capabilities to control the phone irrespective of the running soft OS. As of now there are very few phone manufacturers that include open access to the phone's hardware, and the processor. It's a hunch the US companies will try to blockade open phones, as foreign phones, particularly Samsung/LG/HTC, are providing a way for secure phones to be developed. Apple's attempts and level of aggression to blockade Samsung all around the world was incredibly suspicious, to say the least, and only S.Job sycophants tend to think it was for 'competitive' value. The US is fast becoming a strange place.
How would it distinguish from mobile cell sites[1], which are deployed by carriers to areas where temporary higher capacity necessitates their use, and IMSI catchers operated by law-enforcement?
It does mention protection against attacks which downgrade secure connections to insecure connections, which is good.
There are a few different strategies for detecting IMSI catchers (though I'm not convinced that everybody working in this space has completely thought the threats through: some of the tools seem very focused on a single attribute they expect to see from the IMSI catcher). The mobile sites may conceivably still have proper encryption support, so if the feature you're looking for is "ciphering absent or downgraded", you shouldn't necessarily get false positives from them.
which is a new academic paper on catching IMSI catchers. Their Table 1 (on page 5 of the paper) lists 12 possible ways of detecting IMSI catchers.
I suspect there are still others, but that list is pretty thorough! I would add "implausible service area overlap" (the basic case being seeing a tower of carrier A and a tower of carrier B simultaneously, when carrier A and B serve different countries that don't have territory within 50 km of one another). For example, there was a report that a Uganda Telecom tower was seen near the Ecuadorian embassy in London, where Julian Assange is staying. Even without a tower-by-tower location database, you could conclude that Ugandan and UK base station signals shouldn't be observed at the same location.
Not exactly a dupe; while both describe the tech in question, the Venture Beat story is more focused on wondering who's running these "rogue" towers. Both articles are quite informative.
Since this seems to be happening to a lot of people in US, since the base stations attack everyone in range, I would think it's a pretty high security priority for both Google and Apple, and they should implement protections against this sort of attacks in their operating systems.
He says he can envision a consumer-level app in the future that could be installed on phones by individuals. Although such an app wouldn’t have all of the same functionality as the robust firewall has, it would still be able to alert you to a rogue cell tower. There are currently no plans for an app, however.
So a friend of mine who knows more about this technology says this is all BS, and the company has not in fact demonstrated that rogue cell towers trying to intercept your calls is what is being identified, rather than normal functioning of the cell network.
I don't know enough about the tech to judge.
But I bet someone here does. Anyone have a comment?
This was posted yesterday on a similar story. It really comes down to detecting cases where the IMSIcatcher operates differently than the normal towers. But a lot of those are lost in the noise of different carriers. One of the stronger signals is a forced downgrade to GSM, with no encryption.
22 comments
[ 2.8 ms ] story [ 88.1 ms ] threadYou've got to be kidding me. The GSM/HSPDA specs provide for the ability to remotely control my cell phone camera? What other gems do the spec provide for that ATT/Verizon/Phantom Cell towers can do that people aren't aware of?
http://online.wsj.com/articles/smartphones-become-next-front... http://blogs.wsj.com/digits/2014/08/01/can-this-israeli-star...
In addition to the use of IMSI catchers for MITMing calls and text messages, and the use of IMSI catchers for detecting the presence of devices, there's the use of IMSI catchers for delivering baseband exploits.
Because it's not on the CPU, it's invisible to the phone's main operating system and bypasses all its security and process isolation. And, since these chips run real-time operating systems, a low-priority task is guaranteed to never interrupt a higher priority running on the chip, so the payload would not affect cellular communications (cellular protocols have tight timing constraints).
Because the baseband processor is also attached to the phone's system bus (that's how the CPU sends it commands), it can use it to control other devices on the bus, such as the camera.
This is a very devious attack because it's almost impossible to detect, and allows deep access to the phone's hardware.
Back in the days there was a HF hack that allowed a remote operator to listen in on conversations in the room by using the fact that such signals would totally ignore the 'on hook' disconnect of old style 'wired' phones ('POTS'), these baseband processors are a much worse instance of the same phenomenon. Not that it matters much, after all, if you have access to the cell phone towers you can listen in on whatever you want, making pictures is of a lower threat level (to me) than listening in on random conversations in the vicinity of the phone.
Some setups with an independent USB to a baseband module can still control the bus to other devices by exploiting USB host modes. (i.e. if the log output indicates it can no longer control/communicate with the usb, or the usb disconnected, then it is very likely the usb bus was hijacked by another device).
Others phones still have some type of bus overlap, and they provide no way to block the baseband chip from accessing other devices on the shared bus.
Even then, this is not an easy task as the baseband chip would be competing with the processor chip in accessing devices.
edit: It is possible in future revisions, SoC Chips in mobile phones in the US will include capabilities to control the phone irrespective of the running soft OS. As of now there are very few phone manufacturers that include open access to the phone's hardware, and the processor. It's a hunch the US companies will try to blockade open phones, as foreign phones, particularly Samsung/LG/HTC, are providing a way for secure phones to be developed. Apple's attempts and level of aggression to blockade Samsung all around the world was incredibly suspicious, to say the least, and only S.Job sycophants tend to think it was for 'competitive' value. The US is fast becoming a strange place.
It does mention protection against attacks which downgrade secure connections to insecure connections, which is good.
[1] http://en.wikipedia.org/wiki/Mobile_cell_sites
https://www.sba-research.org/wp-content/uploads/publications...
which is a new academic paper on catching IMSI catchers. Their Table 1 (on page 5 of the paper) lists 12 possible ways of detecting IMSI catchers.
I suspect there are still others, but that list is pretty thorough! I would add "implausible service area overlap" (the basic case being seeing a tower of carrier A and a tower of carrier B simultaneously, when carrier A and B serve different countries that don't have territory within 50 km of one another). For example, there was a report that a Uganda Telecom tower was seen near the Ecuadorian embassy in London, where Julian Assange is staying. Even without a tower-by-tower location database, you could conclude that Ugandan and UK base station signals shouldn't be observed at the same location.
I don't know enough about the tech to judge.
But I bet someone here does. Anyone have a comment?
http://www.sba-research.org/wp-content/uploads/publications/...