1. _StephenBB81's Avatar
    4G and CDMA Reportedly Hacked At DEFCON - Slashdot

    "At the DEFCON 19 hacking conference it seems that a full man-in-the-middle (MITM) attack was successfully launched against all 4G and CDMA transmissions in and around the venue, the Rio Hotel in Las Vegas. This MITM attack enabled hackers to gain permanent kernel-level root access in some Android and PC devices using a rootkit, and non-persistent user space access in others. In both cases, whoever launched this attack on CDMA and 4G devices was able to steal data and monitor conversations. For now the only evidence that such an attack occurred is a Full Disclosure mailing list post, but in the next few hours and days, depending on the response from cellular carriers, we should know whether it's real or not."

    4G and CDMA reportedly hacked at DEF CON | ExtremeTech

    At the DEF CON 19 hacking conference, which took place between August 4 and 7, it seems that a full man-in-the-middle (MITM) attack was successfully launched against all 4G and CDMA transmissions in and around the venue, the Rio Hotel in Las Vegas. This MITM attack enabled hackers to gain permanent kernel-level root access in some Android and PC devices using a rootkit, and non-persistent user space access in others. In both cases, whoever launched this attack on CDMA and 4G devices was able to steal data and monitor conversations.

    For now the only evidence that such an attack occurred is the report of Coderman on the Full Disclosure mailing list. Coderman seems to be a relative veteran of security and open source mailing lists, though, and he says he has attended six DEF CONs. If he's telling the truth, then this attack would represent the first ever man-in-the-middle attacks on two networks that have so far proven to be unhackable. For the ailing and nigh-stillborn CDMA this isn't such a huge issue, but if 4G has fallen, just as AT&T, Sprint, Verizon, and cellular companies around the world begin to plow huge dollars into its roll out, this could be a massive blow.

    Coderman's report suggests that, like Wi-Fi MITM, which regularly harasses surfers at DEF CONs and other hacker conventions, the attackers were able to inject custom packets into the 4G and CDMA data stream. These forged packets allowed the attackers to create on-screen prompts that, if clicked, installed a rootkit on the PC or Android device. If you've seen "fake AV" pop-ups while surfing the web, then that's a good analogy for what this man-in-the-middle attack is capable of. Once the rootkit (or similar backdoor) is installed, it's simply a matter of connecting to the exploited device via SSH. Coderman says the attackers could also monitor conversations, which suggests that not only can packets be injected, but they can also be sniffed and decoded in real-time.

    Without more information from Coderman, another savvy DEF CON hacker, or from the hackers themselves, it's hard to prove that this attack actually occurred. It's still very early days, too (Coderman only posted his findings to the mailing list a few hours ago), but if we see some more activity on the mailing lists or a reaction from a cellular carrier with an interest in 4G, then we'll be sure to update this story. It's also worth pointing out that we don't know which version of 4G has been hacked. HSDPA, WiMAX, and LTE all use different transport layers and security methods, and the repercussions will depend on which one has fallen.

    Full Disclosure: DEF CON 19 - hackers get hacked!

    Subject: DEF CON 19 - hackers get hacked!
    From: coderman <coderman () gmail com>
    Date: Wed, 10 Aug 2011 02:21:58 -0700

    while most were enjoying libations or talks a very interesting event
    was taking place at the conference.

    we're all familiar with the hostility of WiFi and GSM networks at DEF
    CON, however, this year the most hostile network on earth was not
    802.11; it was CDMA and 4G!

    on Friday some parts of Anon and Lulz made appearance. by early
    Saturday morning a weapon was deployed.

    some characteristics:

    - full active MitM against CDMA and 4G connections from Rio to carriers.

    - MitM positioning for remote exploitation to ring0 on Android and PC.

    - fall back to userspace only or non-persistent methods when
    persistent rootkit unattainable.

    - many attack trees and weaponized exploits. escalation from easy pwns
    up to specialized techniques and tactics until success is achieved.

    - simultaneous attack across CDMA and 4G connections using full power
    in these LICENSED bands.

    - operated continuously (except for outages) from early Saturday
    until 8am Monday.

    - designed with intent: mass exploitation, reconnaissance,
    exfiltration, eavesdropping.

    how to tell if you met the beast at Rio:

    - did you accept an upgrade for Android, Java, or other applications? (oops)

    - did you notice 3G/4G signal anomalies, including full signal yet
    poor bandwidth or no link?

    - did you notice your Android at full charge plugged in, but dropping
    to <50% charge once unplugged?

    - did you notice 4G download speeds at a quarter of usual, yet uploads
    over twice as fast?

    - did you notice Android services that immediately respawn when
    killed? (Voice Search?)

    - does your Android no longer connect to USB debugging yet adbd is alive?

    - does your PC have an sshd that cannot be kill -9'd?

    - did your Android crash - a hard freeze, and then take a long time to reboot?

    ...many other indicators, but for now that's sufficient to express the point.

    if you met the beast, it seemed to have a nearly perfect success rate;
    your odds not good. in fact you probably didn't even notice as it
    pilfered bytes off your devices and monitored your conversations.

    i have waited over six DEF CONs to meet an adversary of this skill.
    i was not disappointed.

    did the talks suck this year because the good stuff is under NDA?
    clearly a lot of you are selling out...

    to those who got pwned, i would be interested in your experiences and binaries:
    ID 9B65F087 , FP = 1029 E3E0 F22A C73D B2D6 468F 2798 76BB 9B65 F087
    gpg --keyserver pool.sks-keyservers.net --recv-keys 9B65F087
    gpg --keyserver subkeys.pgp.net --recv-keys 9B65F087
    gpg --keyserver pgp.mit.edu --recv-keys 9B65F087

    to the beast operators, i hope to see you next year!
    (and get your availability deficiencies and network anomalies worked
    out. kind of a shame you spent so much time and money only to have
    your kit fall over again and again. and thanks for the 0days)


    until next year,...

    IF media people actually pick up on this, this will bring far more talk about security to the mobile space, giving RIM another head start on the pack
    08-10-11 09:25 AM
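The indicator list in the Full Disclosure post quoted above (Android services that immediately respawn when killed, a PC sshd that cannot be kill -9'd) can be checked in a repeatable way rather than by eye. The following is an added example, not code from this thread, from coderman or from any of the linked articles: it compares two process listings taken before and after a kill attempt and reports which named daemons survived the signal, which came back under a new PID, and which parent process relaunched them. The process names, PIDs and both snapshots are constructed for illustration and assume `ps -eo pid,ppid,comm` column order.

```python
import re

# Snapshot lines mirror the columns of `ps -eo pid,ppid,comm`.
PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s*$")

# Constructed sample: a listing taken just before `kill -9` was sent to
# sshd (212), cron (340) and com.android.voicesearch (415) ...
BEFORE = """\
  PID  PPID COMMAND
    1     0 init
  212     1 sshd
  340     1 cron
  415     1 com.android.voicesearch
  500     1 adbd
  777     1 watchdogd
"""

# ... and one taken a few seconds afterwards (also constructed).
AFTER = """\
  PID  PPID COMMAND
    1     0 init
  212     1 sshd
  500     1 adbd
  612   777 com.android.voicesearch
  777     1 watchdogd
"""


def parse_ps(text):
    """Return {pid: (ppid, comm)}; lines that do not match, such as the header, are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return procs


def pids_named(procs, comm):
    """All PIDs whose command name equals comm."""
    return {pid for pid, (_ppid, name) in procs.items() if name == comm}


def classify_kill_result(before, after, targets):
    """Verdict per target name after a SIGKILL attempt:
    survived  - an original PID is still present, so the signal never took effect
    respawned - the original PIDs are gone but the name is back under new PIDs
    gone      - no longer running
    absent    - was not running in the 'before' snapshot at all
    """
    verdicts = {}
    for comm in targets:
        old, new = pids_named(before, comm), pids_named(after, comm)
        if not old:
            verdicts[comm] = "absent"
        elif old & new:
            verdicts[comm] = "survived"
        elif new:
            verdicts[comm] = "respawned"
        else:
            verdicts[comm] = "gone"
    return verdicts


def respawn_parents(before, after, comm):
    """(ppid, parent name) of every instance of comm that exists only in the
    'after' snapshot: the process that relaunched it is the one to examine next."""
    fresh = pids_named(after, comm) - pids_named(before, comm)
    parents = set()
    for pid in fresh:
        ppid = after[pid][0]
        parent_name = after[ppid][1] if ppid in after else "?"
        parents.add((ppid, parent_name))
    return parents


def triage(before_text, after_text, targets):
    """Full report for a set of target daemons: verdicts plus, for respawned
    ones, the parent(s) that brought them back."""
    before, after = parse_ps(before_text), parse_ps(after_text)
    verdicts = classify_kill_result(before, after, targets)
    parents = {c: respawn_parents(before, after, c)
               for c, v in verdicts.items() if v == "respawned"}
    return verdicts, parents


if __name__ == "__main__":
    verdicts, parents = triage(
        BEFORE, AFTER, ["sshd", "cron", "com.android.voicesearch", "telnetd"])
    for comm, verdict in verdicts.items():
        extra = f" (relaunched by {parents[comm]})" if comm in parents else ""
        print(f"{comm:<28} {verdict}{extra}")
```

On the constructed data the report flags sshd as surviving SIGKILL, cron as gone, and com.android.voicesearch as respawned by a parent named watchdogd, which is the process a responder would look at next. Where a kernel-level rootkit is suspected, as the post describes, the process table itself may be filtered, so the listings are best taken from a trusted environment and the result treated as a triage pointer rather than proof either way.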
  2. CranBerry413's Avatar
    Great post. This is a scary thing, especially since it will not get mainstream coverage. There was a story on Engadget a while back that said the same.

    New Android trojan can record phone calls, expose your embarrassing fantasy baseball talk -- Engadget

    I'm still trying to figure out how to paste it as a link from my BlackBerry...it's a bit clumsy still...

    EDIT: I figured it out.
    Posted from my CrackBerry at wapforums.crackberry.com
    08-10-11 09:50 AM
  3. StaticFX's Avatar
    am I to assume correctly that BlackBerry CDMAs were not hacked?
    08-10-11 10:50 AM
  4. Zizzzzy's Avatar
    am I to assume correctly that BlackBerry CDMAs were not hacked?
    From my understanding it's a network hack, not a device hack. This is good for the BlackBerry case, as BES is all encrypted before it goes out to the world, so this hack would give no access to readable data, unlike the other devices.
    08-10-11 12:52 PM
  5. _StephenBB81's Avatar
    am I to assume correctly that BlackBerry CDMAs were not hacked?

    CDMA was hacked, which is not device specific,

    BUT BlackBerry encrypts the data leaving the handset, so when it is captured it must then be decrypted further before it can be used.

    That is the complaint the Indian Government has about RIM: they can capture BES data but it is useless to them because it is encrypted; they have the decrypt keys for BIS.
    08-10-11 01:02 PM
  6. jlb21's Avatar
    08-10-11 01:09 PM
  7. 01itr's Avatar
    08-10-11 01:22 PM
  8. papped's Avatar
    Shouldn't be too surprising. GSM security has always been a joke and carriers have basically done nothing.

    4G rollout has been haphazard at best, so I doubt security is even something they are striving for right now...
    08-10-11 01:30 PM
  9. sam_b77's Avatar
    @deRusset,
    But the question is how many people really care about security?
    I have seen many posters here on crackberry who say that "they will take their chances"
    Apparently playing angry birds is more important for them than data security.
    I guess RIM really needs to emphasize their security at the marketing level. Because most people are strangely stubborn regarding security.
    With all the doom and gloom surrounding RIM, it would really be a sad day if the most secure platform was acquired by an open source platform which will not give any option to people who care about security.
    Thing is security is a non-issue with people till they become victims.
    My wife's bank account was subject to a phishing account and this when she herself is a Master's in Software engineering and works as a software tester ( I won't go into the grief I gave her about that).
    The people who say that they will take their chances seem naive to me. I guess a monetary loss is the best teacher for these people.
    For me the blackberry platform gives me peace of mind.
    I know I can do online transactions without the fear of having my banking details hacked into.
    I only wish that RIM somehow finds a way to emphasize this fact.
    Last edited by sam_b77; 08-10-11 at 01:58 PM.
    08-10-11 01:31 PM
  10. StaticFX's Avatar
    I asked because the article said that the Android set had to download a rootkit file.. then it worked....? no?
    08-10-11 03:06 PM
  11. _StephenBB81's Avatar
    @sam. People don't care YET.
    But as attacks happen more, people care more. It is like anti-virus software: more and more people use it now than ever before because the media say you should, and sales people sell it to you.

    Posted from my CrackBerry at wapforums.crackberry.com
    01itr likes this.
    08-10-11 04:10 PM
  12. papped's Avatar
    People in general are stupid and they won't until AFTER 100,000+ people have reported data theft and the media reports it all over.

    But the bottom line is they are morons and should care prior to this...
    08-11-11 02:17 PM