Practical Cellphone Spying
Slides (OpenOffice) from my Defcon talk – hopefully video will be coming soon as well.
A few notes about the demo and results.
Firstly, power output. I was transmitting a total of 25 milliwatts – for a point of comparison, that’s about as much power as a typical LED, while a small flashlight consumes over a hundred times more. My antennas have 13 dBi forward gain, giving me an EIRP of half a watt. That’s really not much power at all; I’ve heard from several people that the signal couldn’t be picked up at the back of the room. This was deliberate – I kept the effective range as small as possible to limit the chance of catching a cellphone whose owner hadn’t been informed about the demo. I suspect that many, many more handsets would have connected if I’d used even marginally more power.
During the talk at least 30 handsets connected to my tower; there were probably many more than this but the logs were all destroyed on-stage (I broke the USB key into several pieces – last I heard Agent X had the remains). Logged data included IMSI, IMEI, all numbers that were dialed, and of course audio recordings of all calls made (a total of 17 calls were connected during the talk). I don’t know how many calls were attempted; it’s possible that many more people may have heard the warning and hung up before Asterisk tried to connect the call. I’ve not heard from anyone that they saw any kind of warning on their handsets despite the lack of encryption on my network.
A couple of defenses: AT&T apparently have a service offering voice & SMS encryption; I can’t find much more info on it, and it’s reportedly only available to business and government users. I’d very much like to see it deployed more widely; it’s a good approach to the security problems in GSM (assuming it works as stated). BlackBerry is another good option – they add a second layer of crypto for data (not sure if it adds anything for voice) and I’ve been told they have a setting to disable 2G. This is a Very Good Thing; I’d love to see someone add this setting to Android as well if it’s at all possible. In the medium to long term GSM simply needs to be turned off; it’d be more work to fix it than it would be to upgrade (given that 3G/3.5G/3.9G/4G are all available, are being deployed now, and offer far superior security).
Some points about the legal shenanigans that surrounded this talk. I never heard first-hand that AT&T were planning to sue; the rumour certainly came to me from a credible source (meaning I had to take it seriously) but I’m very glad it turned out to be incorrect. I’d like to thank the FCC for taking the time to talk to me on such short notice; while it certainly would have been nice if they had expressed any kind of opinion about the demo I at least appreciated the opportunity to hear their concerns about the talk and explain the mitigations that had been put in place. Talking to the feds in advance of such a big event is always a great option, and I was glad to have the opportunity to do so here.
Finally, I’d like to say a really big thank you to the EFF; without their assistance the talk would not have gone ahead (the demo certainly wouldn’t have). If you want to see more work like mine at more venues like Defcon, go ahead and donate. They’re worth it.
//edit: I also owe a big thank you to the Goons (many of whom aren’t actually listed on that page). They did an absolutely superb job with helping me lug all my gear around, find places to set up and people to assist, and generally making everything go. Ply them with alcohol at every possible opportunity – they put in an amazing amount of effort at Defcon and really don’t get to enjoy the show much. Thanks, guys.