At the Defcon conference later this week, Chris Paget, a well-known security researcher who focuses on wireless and RFID issues, will give a demonstration of a technique that enables him to intercept calls made on GSM wireless handsets without any interaction with the user’s handset.
The technique, which Paget will reveal at Defcon in Las Vegas over the weekend, involves using a device called an IMSI (International Mobile Subscriber Identity) catcher, which is used in some law-enforcement intercept operations. The IMSI catcher takes advantage of a known flaw in the way that the GSM wireless protocol operates that enables an attacker to set up a device that appears to the handset to be a GSM base station.
“I’m planning to give a pretty spectacular demonstration of cellphone insecurity at Defcon, where I will intercept the cellular phone calls of the audience without any action required on their part. As you can imagine, intercepting cellphone calls is a Very Big Deal so I wanted to announce at least some of the plan to reassure everyone of their privacy,” Paget said in a blog post about the talk.
The GSM protocol requires that any handset that wants to join a network authenticate itself to the GSM network. But the protocol doesn’t mandate that the network authenticate itself to the handset. So an attacker using an IMSI catcher that is pretending to be a GSM base station can force handsets in range of the device to connect to it and then intercept their calls. The device also has the ability to force handsets to connect without encryption.
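To make the one-way authentication described above concrete, here is a toy model of the attach exchange, added here as an illustration; it is not code from the article, from Paget, or from any real GSM stack. HMAC-SHA256 over a shared subscriber secret Ki stands in for the SIM algorithms, the message names RAND, SRES and AUTN and the class names are the model’s own assumptions, and the optional network-to-handset check (AUTN) represents the mutual authentication that GSM lacks. The model also lets a handset insist on encryption, which shows why being able to force an unencrypted connection matters.

```python
import hmac
import hashlib
import os

# Constructed toy model of a GSM-style attach procedure (not real GSM code).
# HMAC-SHA256 stands in for the SIM algorithms; RAND/SRES/AUTN are model names.


def derive(ki: bytes, label: bytes, rand: bytes) -> bytes:
    """Derive a response from the shared subscriber secret Ki and a challenge."""
    return hmac.new(ki, label + rand, hashlib.sha256).digest()


class Handset:
    def __init__(self, imsi: str, ki: bytes,
                 require_network_auth: bool = False,
                 require_encryption: bool = False):
        self.imsi = imsi
        self.ki = ki
        self.require_network_auth = require_network_auth  # GSM: False
        self.require_encryption = require_encryption      # GSM: False

    def attach(self, station) -> dict:
        """Run the attach exchange against whichever station is answering."""
        msg = station.challenge(self.imsi)
        rand = msg["rand"]
        # The check GSM does NOT perform: does the network prove it knows Ki?
        if self.require_network_auth:
            expected_autn = derive(self.ki, b"AUTN", rand)
            if not hmac.compare_digest(expected_autn, msg.get("autn", b"")):
                return {"attached": False, "reason": "network failed to authenticate"}
        # The check GSM does perform: the handset proves it knows Ki.
        sres = derive(self.ki, b"SRES", rand)
        cipher = station.authenticate(self.imsi, sres)
        if cipher is None:
            return {"attached": False, "reason": "handset rejected by network"}
        if cipher == "none" and self.require_encryption:
            return {"attached": False, "reason": "network offered no encryption"}
        return {"attached": True, "cipher": cipher}


class LegitimateNetwork:
    """Holds the subscriber records (Ki per IMSI) and can optionally prove itself."""

    def __init__(self, subscribers: dict, mutual_auth: bool = False):
        self.subscribers = subscribers
        self.mutual_auth = mutual_auth
        self._pending = {}

    def challenge(self, imsi: str) -> dict:
        rand = os.urandom(16)
        self._pending[imsi] = rand
        msg = {"rand": rand}
        if self.mutual_auth:  # only possible because the network knows Ki
            msg["autn"] = derive(self.subscribers[imsi], b"AUTN", rand)
        return msg

    def authenticate(self, imsi: str, sres: bytes):
        rand = self._pending.pop(imsi)
        expected = derive(self.subscribers[imsi], b"SRES", rand)
        return "encrypted" if hmac.compare_digest(expected, sres) else None


class RogueBaseStation:
    """Knows no Ki: cannot produce AUTN, accepts any SRES, offers no encryption."""

    def __init__(self):
        self.attached_imsis = []

    def challenge(self, imsi: str) -> dict:
        return {"rand": os.urandom(16)}  # no "autn": nothing to derive it from

    def authenticate(self, imsi: str, sres: bytes):
        self.attached_imsis.append(imsi)  # never verified: no Ki to check against
        return "none"


def run_scenarios() -> dict:
    """Attach a handset under each policy to a real network and to a rogue one."""
    ki = os.urandom(16)                # constructed subscriber secret
    imsi = "001010000000001"           # constructed test IMSI
    real = LegitimateNetwork({imsi: ki}, mutual_auth=True)
    results = {}
    for name, handset in {
        "gsm_style": Handset(imsi, ki),
        "mutual_auth": Handset(imsi, ki, require_network_auth=True),
        "encryption_required": Handset(imsi, ki, require_encryption=True),
    }.items():
        results[name + "_vs_real"] = handset.attach(real)
        results[name + "_vs_rogue"] = handset.attach(RogueBaseStation())
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:32} {outcome}")
```

The GSM-style handset attaches to the rogue station and ends up unencrypted, exactly the situation the article describes; the same handset with a mutual-authentication requirement refuses, because a station without Ki cannot produce a valid AUTN, and a handset that refuses unencrypted service also declines. The legitimate network passes all three policies.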
During his talk at Defcon, Paget plans to intercept calls from GSM handsets in the room as part of the demonstration. In his blog post about the talk, Paget said that he is taking a number of precautions to ensure that people in range of the device are aware of the demonstration and also that none of the data captured during the demo is kept. There will be signs warning users about the demo and listing the times during which the calls will be intercepted. And Paget, who worked with the EFF on the parameters for the demo, also plans to give the data from the demo to the EFF for destruction.
“The demo itself will be performed from a machine with no hard drive, only a USB key for local storage. At the end of the demo this USB key (including all logs, recordings, and other data) will be handed over to the EFF for destruction. No logs, recordings or other data will be exported from the machine except as necessary to connect calls during operation,” Paget wrote.
Paget’s demo comes several months after a pair of researchers at the SOURCE Boston conference in April showed off a technique that enabled them to hijack GSM data, locate handsets and identify the subscribers behind specific cell phone numbers. The research, by Don Bailey and Nick DePetrillo, raised major privacy and security concerns about GSM networks. The problems that the pair identified were architectural and also included issues with the way that network providers handle subscriber identities.
“They can do little if anything about this,” Bailey said at the time. “The providers can stop putting subscriber information into the database, but it’s not likely. The providers might be making money in other ways from it. They may not want to get rid of it. They can’t restrict it much. The HLR is just part of the GSM and telephony protocols as a whole. The information is exported worldwide. If you have access to the network, you can see