Extremetech reports that a MITM attack was conducted against all 4G and CDMA transmissions in and around the DEFCON venue in Las Vegas. Apparently the attack gave the attackers full access to some Android and PC devices and let them monitor data and telephony sessions.
The Register is also reporting that Security Research Labs has developed a way to monitor GPRS conversations by exploiting weaknesses in the protocol. Demonstration software is expected to be released at CCC 2011. (In 2009 SRL’s Chief Scientist also coordinated release of a rainbow table to assist in cracking GSM, and in 2010 other cryptographers were able to defeat 3G encryption.)
Lockpicker Toby Bluzmanis inserts a wire into the LED readout of Kaba’s E-Plex 5800 to open the lock.
To open a door fitted with the latest U.S. government-certified lock from high-end Swiss lock manufacturer Kaba, an employee must both enter a code up to eight digits long, then swipe a unique identity card coded to comply with a new standard that requires an extra layer of security, one designed to track individual staffers and make covert intrusion harder than ever.
Or, as lockpicking expert Marc Weber Tobias will show a crowd of hackers Friday, you can stick a wire in the tiny display light above the keypad and instantly render all of that “security” irrelevant.
At the Defcon security conference in Las Vegas, Tobias and his partner Toby Bluzmanis plan to demonstrate a series of simple hardware hacks that expose critical security problems in Kaba’s E-plex 5800 and its older 5000. Zurich-based Kaba markets the 5800 lock, which Bluzmanis says can cost as much as $1,300, as the first to integrate code-based access controls with a new Department of Homeland Security standard that goes into effect next year and requires identifying credentials be used in secure facilities to control access.
In demonstrations for me and in videos they plan to show the Defcon audience, the lockpicking duo use one method called “rapping” to open the lock by simply hitting its top surface or lever handle with a mallet, compressing an internal spring that then decompresses and pushes open a latch that releases the lock. In another bypass, they insert a wire into a silicon cover for an LED light that blinks red when the user enters an invalid code. That wire can ground a contact on the circuit board behind the light that triggers a function intended to allow the door to be opened with a remote button, bypassing all its security measures.
A third attack allows an insider to open the back side of the lock and insert a wire that flips a microswitch intended as an override for power failures. That trick resets the lock’s software, tampering with its audit trail and allowing it to be reprogrammed with different codes. Bluzmanis demonstrated in a video that the more elaborate microswitch attack could be performed in under a minute.
“The issue is simply insecurity engineering,” says Tobias, who works as a consultant to several major lock firms and contributes blog posts to Forbes.com. “They simply don’t get it.”
How do one ex-Air Force official and one former airplane hobby shop owner, both of whom happen to have decades of experience as network security contractors for the military, spend their weekends? Building a flying, unmanned, automated password-cracking, Wi-Fi-sniffing, cell-phone eavesdropping spy drone, of course.
At the Black Hat and Defcon security conferences in Las Vegas next week, Mike Tassey and Richard Perkins plan to show the crowd of hackers a year’s worth of progress on their Wireless Aerial Surveillance Platform, or WASP, the second year Tassey and Perkins have displayed the 14-pound, six-foot long, six-foot wingspan unmanned aerial vehicle. The WASP, built from a retired Army target drone converted from a gasoline engine to electric batteries, is equipped with an HD camera, a cigarette-pack sized on-board Linux computer packed with network-hacking tools including the BackTrack testing toolset and a custom-built 340 million word dictionary for brute-force guessing of passwords, and eleven antennae.
“This is like Black Hat’s greatest hits,” Tassey says. “And it flies.”
On top of cracking Wi-Fi networks, the upgraded WASP now also performs a new trick: impersonating the GSM cell phone towers used by AT&T and T-Mobile to trick phones into connecting to the plane’s antenna rather than their carrier, allowing the drone to record conversations and text messages on 32 gigabytes of storage. A 4G T-Mobile card routes the communications through voice-over-Internet or traditional phone connections to avoid dropping the call. “Ideally, the target won’t even know he’s being spied on,” says Tassey.
That GSM hack is based on a demonstration that security researcher Chris Paget performed at Defcon last year, showing that with a powerful enough antenna placed close enough to target phones, the victims’ handsets can be tricked into connecting to Paget’s setup instead of the carrier’s tower. Perkins and Tassey have implemented the same tools in their airborne hacking machine, and like Paget, used a portion of the radio frequency band set aside for Ham radios to avoid violating FCC regulations. They don’t plan to demonstrate the phone-hacking trick at the conference, and tested it only in isolated conditions to ensure their flying contraption wasn’t illegally eavesdropping on random strangers’ phones. “We want to make sure we’re not stepping on any cell providers’ toes,” says Tassey.
And why build a digital spy drone? Perkins, an Air Force contractor focused on cybersecurity who once owned an airplane hobby shop, and Tassey, an ex-Air Force consultant with Engineering Systems Solutions, say they wanted to demonstrate the vulnerability of government and corporate facilities to a nimble eavesdropping machine that can cover large distances and circle above a target. Though it requires remote control to take off and land, WASP can be set to fly a pre-programmed course once airborne and loiter around any chosen area. “We wanted to bring to light how far the consumer industry has progressed, to the point where the public has access to technologies that put companies, and even governments, at risk from this new threat vector that they’re not aware of,” says Perkins.
A military base like Area 51, Tassey points out, is surrounded by more than 25 miles of empty land to obscure it from outside snoops. “With WASP, we can cover that distance in about 20 minutes,” he says. “With radar designed specifically not to see birds, it’s very difficult to protect yourself from an object coming out of the sky and flying low.”
WASP’s design, complete with two eyes and a black-and-yellow striped paint job, isn’t exactly built for stealth. But aside from showing real-world security risks, Tassey and Perkins also shared a goal just as appealing to Black Hat and Defcon’s crowd: pulling off a fantastically elaborate hack. “The number one reason we did this was because we were told it wouldn’t be possible,” says Perkins. “Neither of us like hearing that.”
Chances are you’ve never heard of TruePosition. If you’re an AT&T or T-Mobile customer, though, TruePosition may have heard of you. When you’re in danger, the company can tell the cops where you are, all without you knowing. And now, it’s starting to let governments around the world in on the search.
The Pennsylvania company, a holding of the Liberty Media giant that owns Sirius XM and the Atlanta Braves, provides location technology to those soon-to-be-merged carriers, so police, firefighters and medics can know where you’re at in an emergency. In the U.S., it locates over 60 million 911 calls annually. But very quietly, over the last four years, TruePosition has moved into the homeland security business — worldwide.
Around the world, TruePosition markets something it calls “location intelligence,” or LOCINT, to intelligence and law enforcement agencies. As a homeland security tool, it’s enticing. Imagine an “invisible barrier around sensitive sites like critical infrastructure,” such as oil refineries or power plants, TruePosition’s director of marketing, Brian Varano, tells Danger Room. The barrier contains a list of known phones belonging to people who work there, allowing them to pass freely through the covered radius. “If any phone enters that is not on the authorized list, [authorities] are immediately notified.”
It can also work other ways: pinging authorities when a phone used by a suspected terrorist or criminal enters an airport terminal, bus station or other potential target. And it works just as well in monitoring the locations of phones the suspect’s phone calls — and who they call and text, and so on.
For the past four years, TruePosition has quietly taken that tracking technology global. In the U.S., Varano says, TruePosition sells to mobile carriers — though it’s cagey about whether the U.S. government uses its products. But abroad, it sells to governments, which it won’t name. Ever since it came out with LOCINT in 2008, he says, “Ministries of Defense and Interior from around the world began beating down our door.”
That’s got some surveillance experts and mobile activists worried. Keeping suspected terrorists away from nuclear power plants and discovering their networks of contacts is well and good. But in the hands of foreign governments — not all of whom respect human rights — TruePosition tech can just as easily identify and monitor networks of dissidents.
For a company that can do so much to find out where a mobile user is, few outside of the surveillance industry know much about TruePosition. That’s a deliberate strategy on the company’s part, to keep a “low profile from jump,” Varano says. It grants few interviews — a little-noticed Fox News story from 2009 is a rare exception — and discloses little about its foreign clients. Several surveillance experts contacted for this story were unfamiliar with the company.
The result, says Christopher Soghoian, a graduate fellow at Indiana University’s Center for Applied Cybersecurity Research, is to make TruePosition the most important global geolocation company you’ve never heard of. “It’s like that line about Keyser Soze from The Usual Suspects — the greatest trick the devil ever pulled was convincing the world he didn’t exist,” Soghoian says. “They’ve done the same thing. Staying entirely below the radar.”
CAMPINAS, Brazil — On the night of March 8, cruising 22,000 miles above the Earth, U.S. Navy communications satellite FLTSAT-8 suddenly erupted with illicit activity. Jubilant voices and anthems crowded the channel on a junkyard’s worth of homemade gear from across vast and silent stretches of the Amazon: Ronaldo, a Brazilian soccer idol, had just scored his first goal with the Corinthians.
It was a party that won’t soon be forgotten. Ten days later, Brazilian Federal Police swooped in on 39 suspects in six states in the largest crackdown to date on a growing problem here: illegal hijacking of U.S. military satellite transponders.
“This had been happening for more than five years,” says Celso Campos, of the Brazilian Federal Police. “Since the communication channel was open, not encrypted, lots of people used it to talk to each other.”
The practice is so entrenched, and the knowledge and tools so widely available, few believe the campaign to stamp it out will be quick or easy.