Computer security researcher Chris Paget has built a device for just $1,500 that can intercept GSM cell phone calls and record everything that’s said, reports the AP.

The attack, shown Saturday at the DefCon conference in Las Vegas, illustrated how he could intercept phone calls made by fellow hackers in the audience. Paget said he hopes his research helps spur adoption of newer communications standards that are more secure.

“GSM is broken – it’s just plain broken,” he said.

GSM is considered 2G, or “second generation”. Phones that run on the newer 3G and 4G standards aren’t vulnerable to his attack, says the AP.

Paget’s device tricks nearby cell phones into believing it is a legitimate cell phone tower and routing their calls through it. Paget uses Internet-based calling technology to complete the calls and log everything that’s said.

Paget didn’t record or play back any calls, but he could have. His IMSI catcher can get around cell phone encryption by simply telling the connecting phones to drop encryption. “If I decide not to enable encryption I just disable it,” he said. “It’s that simple.”

The International Mobile Subscriber Identity (IMSI) is a unique number associated with all GSM and UMTS phones. It is stored in the SIM inside the phone and is sent by the phone to the network. It is also used for acquiring other details of the mobile. To prevent eavesdroppers identifying and tracking the subscriber, the IMSI is sent as rarely as possible and a randomly-generated Temporary Mobile Subscriber Identity is sent instead.
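
The two behaviours described above, a cell asking for the IMSI rather than the TMSI and a call going ahead with encryption switched off, are what a handset-side detector can watch for. This is an added example, not code from Paget's talk or the original article; the event tuple format, event names and cell names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not captured data): (seconds, cell_id, event, detail)
SAMPLE_EVENTS = [
    (0,  "cell-A", "IDENTITY_REQUEST", "TMSI"),
    (1,  "cell-A", "CIPHER_MODE", "A5/1"),
    (2,  "cell-A", "CALL_SETUP", ""),
    (60, "cell-B", "IDENTITY_REQUEST", "IMSI"),
    (61, "cell-B", "CIPHER_MODE", "A5/0"),   # A5/0 = no encryption
    (62, "cell-B", "CALL_SETUP", ""),
    (90, "cell-C", "IDENTITY_REQUEST", "IMSI"),
    (91, "cell-C", "CIPHER_MODE", "A5/3"),
    (92, "cell-C", "CALL_SETUP", ""),
]

NULL_CIPHER = "A5/0"


def analyze(events):
    """Return {cell_id: [finding, ...]} for cells showing either behaviour."""
    cipher = {}                  # last cipher mode per cell; absent = never enabled
    findings = defaultdict(list)
    for _ts, cell, event, detail in sorted(events):
        if event == "IDENTITY_REQUEST" and detail == "IMSI":
            findings[cell].append("imsi_requested")
        elif event == "CIPHER_MODE":
            cipher[cell] = detail
            if detail == NULL_CIPHER:
                findings[cell].append("cipher_disabled")
        elif event == "CALL_SETUP":
            # A call on a cell that never enabled ciphering is also in the clear.
            if cipher.get(cell, NULL_CIPHER) == NULL_CIPHER:
                findings[cell].append("unencrypted_call")
    return dict(findings)


def suspicious_cells(events):
    """Cells that both asked for the IMSI and carried a call unencrypted.

    An IMSI request alone is normal on first attach, so it is not flagged
    unless the same cell also leaves the call unencrypted.
    """
    return sorted(
        cell for cell, found in analyze(events).items()
        if "imsi_requested" in found and "unencrypted_call" in found
    )


if __name__ == "__main__":
    print(suspicious_cells(SAMPLE_EVENTS))
```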

Cell phone interception is illegal in the U.S. And while the FCC had raised questions about his talk, Paget believes that his demonstration was legal because his device was operating in the 900MHz band used by Ham radio devices. Coincidentally, that 900MHz band is used by GSM devices in Europe. “As far as your cell phones are concerned I am a European radio transmitter.”

Paget also demonstrated Extreme-Range RFID (pdf), with a distance of 217 feet, which, he believes, is a world record. “My equipment is capable of far more,” says Paget. “That 217 feet used just 10W of RF power; my current amp is rated at 70W and will probably deliver a hundred watts if it’s cranked right up – it should be plenty capable of 500+ feet.”

Gen2 RFID tags operate in the 902-928MHz band. Many retail chains such as Walmart use Gen2 to tag high-value items. Gen2 tags are also currently being issued as part of the Western Hemisphere Travel Initiative; this includes the US Passport Card, the NEXUS, the FAST tag (used by the DOD and Walmart), and SENTRI border-crossing cards, as well as the Enhanced Driver's License that is currently being issued by several US states and many Canadian provinces. Paget increased the range to hundreds of feet by using 13dB gain antennas and a 70-watt linear amp.

Whereas GPS tracking requires an active cellular or satellite link, RFID tracking can be active or passive. It works like radar, but bounces back a unique identity number.

Paget concludes:


Finally, we must consider the theoretical limit for such a system. The largest parabolic dish in the world is the 300-meter Arecibo radio observatory; at 900MHz this dish has an effective gain of around 70dBi. Applying a legal-limit amateur radio transmitter (as is sometimes allowed) of 1500 watts to this dish gives a read range of around 317 miles – well into the range of low-earth orbit.

NROL-26 reportedly packed a 100-meter dish. The 5-to-6 ton eavesdropping satellite was launched on January 18, 2009, and designed for monitoring terrorists, with a 350-foot antenna. Bigger antennas would likely require bigger rockets. Blimps may prove to be more cost-effective for tracking Walmart merchandise, of course.

The second-generation UHF RFID standard (Gen 2 RFID) from EPCglobal is also used by Wal-Mart for tracking socks, undershirts and underwear carrying Electronic Product Codes (EPCs). They are typically deactivated on purchase. You are what you wear!

Many species of animals have been microchipped with RF-ID tags, including parrots, horses, llamas, sheep, pigs, rabbits, deer, ferrets, snakes, lizards, alligators, turtles, toads, fish, mice, and prairie dogs — even whales and elephants. The U.S. Fish and Wildlife Service uses microchipping in its research of wild bison, black-footed ferrets, grizzly bears, elk, white-tailed deer, giant land tortoises and armadillos.

USGS and USFWS are tracking fish movement in the Columbia River by implanting juveniles with radio tags, which are more effective in shallow water.

Related RFID stories on Dailywireless include: RFID Meetup, RFID: Bigger Than Ever, Geosync Spies, Tracking Salmon on the Columbia River, RFID: Feared and Praised, Tracking al-Qaeda, Man on the Moon: Later, Tracking Tags: Push & Pull, RFID Talks Trash, 2009 Boston Marathon, Sensor Nets Get Social, Cardiac Telemetry via Bluetooth, Researcher Clones RFID Passports While Driving, Partnerships for RF-ID/WiFi Monitoring Expand, WiFi Tracking Tags from AeroScout, PanGo & Ekahau, and 101 Mobile Healthcare Applications.
