Was it Only Faith-Based Mobile Security?

Most people consider their mobile phone voice and SMS conversations private.  Carriers have been telling us they “use encryption” for years.  We have no reason to worry about conducting non-public business over our mobile phone, do we?

Well, first, privacy is not an on-or-off concept.  There are degrees-of-privacy — less if you are screaming over a voice connection and flailing about in a crowded room, and more if you are virtually alone, speaking in a low voice or texting in a large, almost empty hotel lobby.  That seems like an easy to internalize risk management rule-of-thumb.

Think again.  Not all mobile phone connections are equally secure.*

When it has options, your mobile phone connects to the strongest radio frequency (RF) signal source (it is more complex than that, but additional detail will not change this argument).  If that signal source is under the control of hostile parties, your privacy likely just disappeared.

Some of you might be familiar with low-power cellular base station — sometimes called a mobile network extender.  If you live or work in an area having little to no signal from your mobile carrier, one option has for years been connecting a small box (a femtocell) to your Internet ​service that will behave like the standard cell towers you cannot reach — only at a much lower power and range.

These mobile network extenders have been the target of hacker attention and modification for years.  Earlier this month two researchers demonstrated how they modified a couple different types of Verizon network extenders in ways that enabled them to intercept all voice and SMS text traffic using them.  It is an excellent, brief demonstration, and is worth a quick watch.

“Hackers Turn Verizon Box into Spy Tool.”
http://www.youtube.com/watch?feature=player_embedded&v=y9WU0Y03A9g

This hack is small enough to carry around in a backpack, and it can intercept and record all calls, text messages, and data sent by mobile devices within range.

Characterizing this risk is a challenge.  Whenever you are in a predictable location doing sensitive business using a mobile phone, you are above zero risk.  If you are having a strategic planning meeting and need to conference some participants in, maybe using a mobile phone is no longer risk-appropriate.  If you are working through a deal that will (at least potentially) have a material financial impact on your organization, and you are in your office or the office of a partner and either of you is a known “deal-maker,” maybe a mobile phone is no longer risk-appropriate.  The key might be to ask, “Would it be OK if this conversation or text were shared with my competitor, my regulator, my boss, or the public?”  If the answer is a consistent “yes,” then you might be OK.  If the answer includes one or more “no” responses, then maybe there is another channel for communications that would better serve your company.  This is a frustratingly vague risk issue.

Over time, the vulnerable equipment will tend to age-out of the environment.  Until then, though, this situation will present a low-probability, but potentially-high impact risk for all of our financial services companies.

 

*Lets set aside the issue of government data-harvesting and analysis for today.  That is the topic for another blog entry.

REFERENCES:

“Hackers Turn Verizon Box into Spy Tool.”
http://www.youtube.com/watch?feature=player_embedded&v=y9WU0Y03A9g

“UPDATE 1-Researchers Hack Verizon Device, Turn It Into Mobile Spy Station.”
http://www.reuters.com/article/2013/07/15/verizon-hacking-idUSL1N0FL08620130715
Mon Jul 15, 2013

“Researchers Reveal Way To Hack Into Verizon’s Network.”
http://www.crn.com/news/security/240158359/researchers-reveal-way-to-hack-into-verizons-network.htm
By Robert Westervelt, July 16, 2013

“Verizon Femtocell Hack Intercepts Calls, Data Transmissions.”
http://threatpost.com/verizon-femtocell-hack-intercepts-calls-data-transmissions/101309
by Michael Mimoso   July 16, 2013 , 12:28 pm

 

For those with technical interest in this subject:

 

“What is a Femtocell.”
http://en.wikipedia.org/wiki/Femtocell

“Vulnerability Note VU#458007 — Verizon Wireless Network Extender multiple vulnerabilities”
Original Release date: 15 Jul 2013 | Last revised: 23 Jul 2013 (this includes some of the command-line details)
http://www.kb.cert.org/vuls/id/458007
“Multiple Verizon Wireless Network Extender CVE-2013-4877 Multiple Security Bypass Vulnerabilities”
http://www.securityfocus.com/bid/61393/discuss
“Verizon Wireless Network Extender CVE-2013-4875 Local Privilege Escalation Vulnerability”
http://www.securityfocus.com/bid/61394/discuss
“Verizon Wireless Network Extender CVE-2013-4874 Local Privilege Escalation Vulnerability”
http://www.securityfocus.com/bid/61395/discuss
Credit:  Doug DePerry and Tom Ritter of iSEC Partners

Verizon network extenders have been the targets of hacker modification for years.

“Hacking the Verizon Network Extender.” February 28, 2010
http://va7drm.wordpress.com/2010/02/28/hacking-the-verizon-network-extender/
“After a few late nights of hacking/programing he had an AVR re-creating the GPS serial signals as it was in the US!”
“Hacking the Verizon Network Extender — Part 2.” March 28, 2010
http://va7drm.wordpress.com/2010/03/28/hacking-the-verizon-network-extender-part-2/
“Cellular, Radio, and Hacking.” April 19, 2012
http://va7drm.wordpress.com/2012/04/19/cellular-radio-and-hacking/
“Several months we discovered that the “HDMI” port on the bottom allowed for serial access to the Linux OS. One of our guys was able to gain Root access to the device.  So I’m sure it’s possible to do all the hacking from a totally software aspect…”

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: