Pwned or paranoid? Phone weirdness at Defcon
Random error messages, suspicious voice message numbers, fuzzy screens, and jammed networks had some hackers worried.
Every year at Defcon there are rumors of some network being hacked. It would be unusual if such tales didn't crop up at the world's largest hacker conference. But this year there were reports from a number of credible sources of strange behavior on phones -- reports that had people more paranoid than normal.
Here's what people said they were seeing last weekend, along with some possible explanations for the scenarios:
Voice mail messages that led to unknown numbers instead of to the standard phone number that points to the user's automated voice message recovery system.
Strange text messages that appeared to have been sent from a given smartphone but that the phone's user insisted he or she hadn't sent.
These oddities could be the result of someone using an OpenBTS (Open Base Transceiver Station) -- software that serves as a GSM (Global System for Mobile Communications) access point. GSM calls can be intercepted because the connection to the base station isn't authenticated.
"Someone could have set up infrastructure to make it look like they are a carrier. They make your phone connect to it and put their BTS into a mode that accepts all phones and turn off encryption," said Don Bailey, a mobile expert at Capitol Hill Consultants. "The phone thinks it's connected...and they can intercept outgoing phone calls, listen in, and record the call, and SMS messages. They can forward them to the real network or put them into a black hole, which is more likely." One way to tell if a call has been intercepted by a fake BTS station is if the number is either blocked or incorrect, he said.
Mobile security expert Collin Mulliner reported that he too had issues but suspected that it was because of too many connections on the network. "Today it is fairly easy to set up a fake base station and send strange messages to everybody who connects," he said in an e-mail. That "works well indoors because of bad reception where phones jump on the bad network without jamming. The most likely thing at Defcon is pulling pranks. SMS is an easy path for pranks. Basically, I have built a setup to do this in my lab. The best defense is to switch to 3G only. Attacking 3G is harder compared to GSM."
A mobile application programmer, who asked not to be named, told CNET he had overheard people talking late one night about how they were trying to "mess with" the GSM network and do a man-in-the-middle attack to intercept communications but were having technical difficulties pulling it off. "They were capturing traffic and tricking peoples' phones into connecting to the wrong tower, but they couldn't complete the man-in-the-middle (attack) because they couldn't talk to the real tower on the other side," he said.
Overheating of phones and batteries running down much faster than normal.
There were numerous reports of problems accessing the cell networks. Many people said they could use their phones in the mornings just fine but had problems in the afternoon. This makes sense because after a late night of drinking and carousing, most hackers like to sleep in. This year the network-access issues were particularly bad. "It wasn't this disruptive last year," said Nico Sell, one of the organizers of Defcon. "I've never been frustrated to this level with my communications on the phone. It's much worse than last year."
This could have been caused by the increased numbers of people using the networks, said several mobile experts. There were about 15,000 attendees this year, compared with 12,000 or 13,000 last year. But there's also the possibility that someone was using a Femtocell, which is a small, low-power cellular base station, to trick the smartphones in the vicinity into thinking he or she was a legitimate cell network. This scenario is actually quite plausible, since someone was seen walking around the event with a Femto cell in his backpack.
Someone using a Femtocell "is going to attempt to pose as a legitimate cell network, but is probably just jamming the networks unintentionally," said Bailey. What happens is that phones act funny because they're trying so desperately to connect to what they think is the cell network and think they have a connection but they don't.
The phones "try to keep re-associating back to the Femtocell, thinking it's got a good connection when it doesn't," he said. "It's an intensive process, so it drains the battery. It's using its strongest power to search for any cell station on any channel. Once you get in that loop, it's going to drain your battery very quickly."
Famed hacker Kevin Mitnick said his phone on AT&T service was downgraded to Edge and that he wasn't sure whether it was because the spectrum was saturated or that there was a base station radio hack or cell jammers were being used. "I suspect both attacks. Low cost. Effective. Put radio in backpack and walk around," he said in a text message. Adding, "nothing can be confirmed without testing."
Charlie Miller, principal research consultant at Accuvant and a mobile security specialist, said he too had noticed some funny business, but that he wasn't worried. "Yeah, my phone was acting up, but I think that's pretty typical Defcon behavior," he said in a text message. "My phone didn't have data access for a day, and when I rebooted it at the airport, I suddenly received a bunch of SMS's I was supposed to get the previous day. That said, I doubt it's anything to be concerned about."
One hacker said his phone had been displaying weird messages like "SD Card Removed" or "SD Card Reformatted or Corrupted" for no apparent reason, and another was convinced something was wrong when the display of his GSM-based Android, a
Bailey, however, was fairly certain that was because of a hardware issue. "GSM users fight for the same time slot, and if there are too many people fighting for the same channel, it will cause a failure for the phone to react accordingly, so you will get intermittent pieces of data flying back and forth between your phone and the cell tower and it will have to sync constantly," he said. "Because of that problem, you will see more bugs turn up than normal because phones typically aren't stressed to those limits in normal environments.... When the base band gets confused and has too much to do, it can cause memory faults that affect the application processor in unexpected ways. It's not so much a security issue as it is an engineering and stability issue, though it certainly can turn into a potential security issue in the right hands. But that's speculative."
Meanwhile, a report of a suspicious over-the-air push from Verizon was actually a legitimate update, according to a Verizon representative. "We regularly send the latest software updates to a customer's device for download by the user and we believe the over-the-air push at issue was legitimate," a spokeswoman said in an e-mail to CNET.
It can be very difficult to parse reality from myth at an event like Defcon, which serves as a petri dish for testing offensive and defensive techniques. But unless someone takes the time and effort to verify a hack -- in between all the sessions, games, and partying -- a rumor remains just that. Last year's rumor that Android phones on CDMA and 4G were hacked faded like so much spilled beer on a cheap carpet. One cellular engineer I talked to this year about that alleged hack insisted that it wasn't hackers, it wasn't the feds, it was something much more mundane and explainable, but he declined to comment further.
One thing is for sure, hackers are a paranoid lot, partly because they know so much about security weaknesses and partly out of projection. If it's possible, someone will try it, right? But the cellular network isn't the Internet.
"Most people don't really understand what's going on with their phone. It's the point at which intelligence meets ignorance. You've got a lot of really smart people that don't technically understand what's going on in their phone, so they perceive things that may not be happening," Bailey said. "The first instinct is to jump to the conclusion that it's a security related issue, when it's probably not."
Updated 2:54 p.m. PT with Verizon statement.