 So, welcome to practical cell phone spying. Before we start, a couple of notes on privacy. First off, cellular phone calls will be recorded during the talk. Surprise. If you do not want your cell phone calls recorded, turn your phone off. If you're on Sprint or Verizon, you're not GSM. My system is not going to talk to your cell phones at all, so don't even worry about it. Having said that, I would encourage people to keep their phones on during the talk, especially if you've got a GSM handset, because the whole point of this is to show how your phone calls can be intercepted, and if you're not using your phone, then that kind of doesn't work. Okay. This is the machine that's actually running the demo. I don't know if you can see this big gap here where the hard drive should be. It's actually booted from this USB key, and at the end of the talk, I'm going to be cutting that USB key in half with a Leatherman. So, I'm recording all kinds of very, very sensitive information, all kinds of settings about your phone, logging phone calls, all this kind of stuff, but it is all going to be destroyed at the end of the talk, so don't worry about that too much. Let me just get my power back in here. Thank you. Okay. Finally, I do have backhaul in place here. I'm currently connected to my Verizon Droid, which is giving me voice over IP backhaul, so if you do connect to the network, generally the only way that you'll know that you're connected to the network is when you try and make a call. If you do make a call from the network, you'll get a recorded message saying you're being intercepted, yadda, yadda, yadda, so effectively keep your phones on during the talk, and every so often just dial a number, see what happens. If you hear that recorded message, then you're attached to my system here. If you don't hear the message, you're fine. 
In either case, anytime that anyone is connected to this network, a best effort is going to be made to connect calls, subject to the limitations of Asterisk going over voice over IP, going over Verizon, and given that Verizon is the only cell phone network that, well, one of two, we may have unpredictable results, but we'll see. Okay.

So the whole idea of the talk is, I'm talking about IMSI catchers, but in order to know what an IMSI catcher is, you need to know what an IMSI is. An IMSI is an International Mobile Subscriber Identity. You can think of it kind of like a GSM username. It's one of the two things that live in your SIM card that authenticate you. Your IMSI is like your username. Ki is the secret key that authenticates you into the network. So the IMSI lives on the SIM card, obviously. It's somewhat protected. When you connect to a network, one of the first things that that network does is it'll say, stop using your IMSI, use this temporary IMSI instead. And what I'm going to be showing you on the demo a little later is how many of these TMSIs have been allocated, as a way of seeing how many people are associated with the base station. So an IMSI is kind of a secret. The ICCID, the long string of numbers that's printed on your SIM card, is fairly closely related. For most U.S. networks and a lot of networks around the world, actually, you can derive the IMSI from the ICCID and vice versa. So it's not really that secret. Other places do it slightly better and the ICCID is just a random number. Either way, the ICCID doesn't really play too much of a part. I only mention it because you can derive the IMSI from it in the United States, at least.

So what's an IMSI catcher? The basic idea is that it's a spoofed GSM tower. It's a fake base station. The idea is that when your phone is looking for a signal, it'll look for the strongest tower. It'll connect to the tower that offers it the best signal.
And in this case, because I'm right in front of you with high gain antennas pointed directly at you, I'm going to be your strongest signal here. I'm only emitting about 25 milliwatts here. A tiny, tiny, tiny amount of power. But because I'm so close and because I'm using these directional antennas, hopefully I'll be your strongest signal and you should come over to my network and have some fun. Another thing to bear in mind is that in GSM, it's the base station that picks all of the settings. So when you connect to my tower, it's my tower that gets to instruct whether or not to use encryption, whether or not to use frequency hopping, all of this kind of stuff. If I decide not to enable encryption, then I just disable it and your phone just goes, oh, you've disabled encryption? That's fine, I'll talk plain text. Seriously, it's that simple. There's all kinds of stuff that the base station can instruct the handset to do. Please take my word on it that I'm not doing anything malicious here. This test is for functionality only. There should be no permanent changes made to your phones whatsoever if you do connect to the network. But if I wanted to, there's all kinds of stuff I could do. I could update your SIM card, all kinds of fun to be had. So essentially, if you've got the ability to deliver a reasonably strong radio signal and your base station will negotiate A5/0, which is plain text, you're pwned. There's nothing you can do about it. And there's a good chance that you won't even know about it. If I'm the tower, then not only am I your network, but I also control your handset as well to a pretty significant degree.

The actual idea of an IMSI catcher has been around almost as long as GSM has. It was originally patented by Rohde & Schwarz in Europe in 1993. I've never seen reference to any US patents for it, but either way, patents in Europe are just as public as they are here. So all of the details of this are all public.
The main important point about this is that if you were to go to Rohde & Schwarz and say I want to buy an IMSI catcher, they'll charge you a couple of million dollars. The equipment that I have laid out on the table here, by far the most expensive part is the laptop. Second up is the USRP at about 1500 bucks. And then I think the next most expensive thing is this $20 instant messaging device. So the whole point is that using these techniques, you can intercept phone calls for a thousand times less money than the commercial systems that do exactly the same thing.

So, a quick note about the crypto involved in IMSI catchers. If I'm the attacker and I create the base station, you have a cell phone that connects to my base station. I just say disable crypto. I don't need to break crypto. I don't need any rainbow tables. I don't need any solid state hard drive for fast lookups. Nothing. I just say turn off encryption. It's that simple. In reality, the GSM specification does actually say that when your handset connects to a network that does not use encryption, it has to put up a warning message. But then if you read further in the spec, there's another place where it says, if you want to disable this warning message, set this little configuration bit in the SIM card. So every SIM card that I have ever seen in my entire life, and I've seen a few from various networks around the world, every single one of them has that bit set. Every single operator that I've ever seen disables that warning message. So no phone, I've never seen a warning message on a cell phone that actually says you're connected to an unciphered network, even though the GSM specification requires it. So this is a deliberate choice on the part of the operators. The idea of it is that if you go to a country like India, in India, they don't support cell phone encryption. It's actually illegal. So obviously, you want to be able to roam in India, you want to be able to make cell phone calls.
So your phone has to support A5/0. And if you're getting a warning every time that you connect to a new tower in India, you're going to be wondering what the hell is going on and hassling AT&T or whoever. So it's one of those areas where functionality and security are directly at odds.

So, a note on spectrum usage. One of the issues that was raised with this talk in the press is that operating a transmitter on a US cellular frequency is a very big FCC no-no. You get in a lot of trouble for doing that. Fortunately, we don't actually need to. The reason for this is there's four bands used for GSM around the world: 850, 900, 1800, 1900. 850 and 1900 are the two that are used in the USA; 900 and 1800 are used in Europe. If you actually look at the size of those bands and the frequencies that they cover, there is an overlap between European GSM 900 and the United States ISM band at 902 to 928 megahertz. So I'm actually running my transmitter here as a legal ham radio transmitter in the, I call it the ISM band, but it's technically a ham radio band. And as far as your cell phones are concerned, I'm just a European radio transmitter. I'm a European tower. Your phones don't care that I'm in the States. They don't care that they're in the States. They don't care that they're on a completely inappropriate band for the location that they're in. They're just quite happily, hey, there's a tower, let's party. It's pretty crazy. So if you've got a European phone, if you've got a quad band phone, you'll see the network. If you've got a US phone that only works on US frequencies, you will not see the network. So the ISM band, Industrial, Scientific, Medical, the idea of it is it's for very low powered devices that use very low utilization in a very low actual time on the air. They change frequency very rapidly, generally designed to be very non-interfering. But if you look at the regulations, ISM is actually secondary in the band. It's a ham radio band.
Ham radio operators don't tend to like it because of all this ISM crap cluttering up the place. So the noise is too much of a problem for most ham radio applications, so most hams dismiss it. But for our purposes here, we can run a GSM base station on a GSM frequency within a ham radio band. How do we do that? Well, the first thing we need is a license. This URL is great. The question sets for the ham radio license exams are all public. So if you go to this website, what they do is they just keep asking you the questions over and over and over and over and over again until you get them right. And if you keep getting it wrong, they'll keep asking you, and if you get it right, they'll stop asking you. And it just beats the right answer into you. And you can sit down with this site for a few hours and walk into a ham radio exam and just pass it. I'd recommend that if you do want to get into this stuff, take the time to learn it, take the time to understand. I certainly learned a lot from taking my ham tests and I'd recommend it to all of you. As we're a ham radio operator now, we have a 1.5 kilowatt power limit. That's a lot. I have another amplifier that I've been using for RFID that's 600 watts. And I've yet to turn that on because it's a terrifying amount of power. Even 600 is too much. So 1500 should be plenty for anything. In terms of what we're actually allowed to transmit, technically we're transmitting an unspecified digital code. It's bits going back and forth between your phone and my tower. So in ham radio terms, you're allowed to transmit an unspecified digital code as long as the specification is public. And in this case, all of the specs for all of the various GSM protocols, they're all public. So it's all good. You're also not allowed to use cryptography. You're not allowed to obscure the meaning of the message in any way. So I guess by law, if I'm running my BTS in a ham band, I have to disable crypto. Damn. No limits on antenna size, antenna gain.
Basically if you can get your hands on it and run power to it, you're golden. The only thing you ever need to be careful of is RF exposure limits. The FCC publishes guidelines for what absorption rate people can tolerate safely. In this case, I am nowhere near those limits. This side is my transmit antenna. I think it's this side. And it's putting out a total of about 25 milliwatts. To put that in perspective, your cell phones, if they're on the European, if they're on the higher bands, the 1800 and 1900, they'll be putting out a watt. That's 40 times more. If they're operating on the lower bands, the 800 and 900, they're putting out two watts. So that's 80 times more. So the phone in your pocket is exposing you to significantly more RF than my big scary antennas. The only other real requirement that we have is that the station has to identify itself every 10 minutes. That's actually pretty easy to do because to be a ham compliant call sign ID, it's straight carrier wave, Morse code, every 10 minutes, just Morse something else. We could have integrated it into the USRP. Certainly the USRP is capable of it, but that's doing it the hard way. There's an easier way to do it. That being, you take a second transmitter, you tune it to the same frequency, you make sure that the power level of that second transmitter is slightly higher so that whenever that transmitter is on, it's effectively DoSing the GSM signal with a ham radio call sign. So all we need is an easily scriptable 900 megahertz transmitter. And as it turns out, this little pink instant messaging device is perfect. This is called the IMME. This was brought to me by Travis Goodspeed. They're fabulous little devices. They have reasonably good power output. Obviously, keypad and screen is helpful. No firmware security. You can program them with a GoodFET. Unfortunately, they don't come standard with JTAG and RF connectors, but that's easy enough to add. So yeah, we can write firmware for this.
We can match the frequency because we've got control over that in software. And then we just need to mux the signals together and amplify it up. So I'll actually pause there for one quick demo. No, actually I'll come back to that one.

So in terms of the BTS itself, so we've got the IMME for the ham radio side. What do we need for the GSM side? It's actually pretty easy. You need a USRP, Universal Software Radio Peripheral. These things are available online. They go for about $1,500 with the two daughter boards that you need. I'd also recommend if you're going to get into GSM, check out the ClockTamer. The URL is up here. The thing about ClockTamer is that in GSM, the handsets derive their timing from the base station. So the base stations have extremely accurate clocks and the handsets figure out how much their own frequency is drifting compared to the tower. So if I come along with a third party tower, if my frequency stability doesn't match that of the local towers around me, all of your phones are going to be calibrated to those local towers and you're not even going to see my tower because I'm, you know, maybe just a few kilohertz off. ClockTamer actually gives me plus or minus 100 hertz accuracy at 1.9 gigahertz. That's in its out of the box configuration. It's about 0.26 parts per billion accuracy. And then you can get a GSM, I beg your pardon, a GPS module that drops it down to, you know, something ridiculous. Crazy, crazy, crazy accuracy. And it's all programmable and very flexible. It's highly recommended. On the software side, just a laptop computer, Debian, OpenBTS and Asterisk. OpenBTS provides the GSM stack and then Asterisk takes the calls in from OpenBTS and sends them out over the backhaul as voice over IP. It's a fairly basic base station. It does do voice, it does do SMS, it does not do data. And in fact for the purposes of this demonstration, I've even disabled SMS.
Purely because there's no way I can get your caller ID easily. So when you send an SMS, yes I can route it out through the internet and connect it to where it goes, but the person who receives it is not going to know who it's from and they're not going to be able to reply. So I figured it was just easier to disable it, but the system does support it.

So let's get the BTS going here. So I wanted to see if we can get some video here. Is there a camera we can get up on stage or do you need me to turn the screen around? Okay. So I'm actually just going to plug in my USRP now. That's all on. And then start the base station. Or try to, if it would actually. Let's try this again. There we go. So OpenBTS is up. I don't know how much detail you're going to be able to see on the screen here with the camera zooming in. One thing I do want to show you is the tmsis command. So I don't know if you can actually make that out on the screen. The command I typed was tmsis, T-M-S-I-S. What that shows me is a list of all of the temporary IMSIs that have been allocated by the base station. In other words, how many people are currently associated with it. So you can see right at the bottom here, zero TMSIs in table. So I've started it up clean. There's, you know, nothing there. Nobody's connected. A couple of other things I'm going to show you as well. I'm just going to turn this around so I can type. So a couple of other commands that I've typed here. cellid. That shows you that my mobile country code that I'm using at the moment is 001. In the GSM specification, country code 1 is test. I'm then using a mobile network code, an MNC, of 01. So again, that's test. So I'm a test network in a test country. I'm operating on a non-European cellular, sorry, a non-American cellular frequency. And then if you look at the bottom here, the short name of the network that I'm starting is called Defcon 18. Some phones will display that, others won't.
But the point that I want to get across is that at the moment this is in a non-hostile configuration. It's in a test mode. It's not advertising any known network. It's not operating on a U.S. cellular frequency. And certainly as it started up, nobody was connected to it. So I'll leave that running for a few minutes. If people really want to do a scan for the network, you can. But I prefer people to just leave their phones alone. Just, you know, take it out of your pocket every couple of minutes, try and make a call, see if it's actually handed over. Because I'll come back to this in just a second and, you know, show you how easy it is to make phones hand over here.

So we've got the BTS in test mode. How do we then make this into an IMSI catcher instead of just a random cellular network? Well, the way that cell phones identify the network is by two values. I mentioned them already, the mobile country code and mobile network code. Mobile country code, 310 for USA. There's a full list on Wikipedia for every country around the world. Three digit number, not really that hard to spoof. Mobile network code, again, two digit number, maybe a three digit number that you can look up on Wikipedia. Not really much security there. It's pretty trivial to change it. I'll show you in a sec how to do it on OpenBTS. It's not hard. It's really not hard. And then once I've set the MNC and the MCC, I can change the network name as well. So that when it displays on your phone instead of seeing DEF CON 18, you'll see whatever network it is that I want you to see. In most cases, well, in some cases I've noticed that handsets will not hand across to the base station unless the short name of the network, the network name, is entered case correctly. So it's kind of sad when the security of your cell phone calls comes down to a case sensitive string comparison. Not much security there. So that's really all that's involved in spoofing a network.
So let's come over here and actually do it. Before I do, I'm just going to type tmsis again. Wow. That's 15 people. 15 handsets are currently connected to my tower. And that's without spoofing any cellular network. So 15 people in this room are currently having their cellular phone calls intercepted by me, and my BTS is not advertising any known network in the world. It's in a test mode. It's on a non-US frequency and you're still connected. One quick thing, raise your hand if you have an iPhone. Okay, if you do not have your hand in the air, you're probably not connected to my network. In my experience, it's generally the iPhones that connect most easily. It's actually been quite the bane of my existence trying to keep the damn iPhones away. I kid you not, it's impossible to get rid of the damn things. So, okay. So we have, oh wow, we now have 30 TMSIs in the table. You know, people are still handing over to this. So in the few seconds that it took me to explain why there's 15 people, 15 more people connected. It's insane. It's really easy to do.

So let's spoof an MNC and an MCC. So I mentioned the cellid command. So that shows you the MCC, MNC, location area code and cell ID. I can then do cellid. Quick question for the audience. Raise your hand if you'd like me to spoof T-Mobile. Okay. Raise your hand if you'd like me to spoof AT&T. Should have seen that one coming. Okay. So I'm just going to turn this round. All I do is I type cellid and then I give it the mobile country code. Well, we're in the States. So our mobile country code here is 310. And then I give it a mobile network code. Well, AT&T's mobile network code. They have several, but the most common one that they use is 410. So let's type that in. And then I'm going to leave the location area code and the cell ID the same. So that's going to be 666 and 10. That's it. I'm now spoofing AT&T. I could be a little more careful about it. I can do config. So here. The cellid command here, 310, 410, 666, 10.
That sets my mobile country code and my mobile network code. And then this command down here, config GSM.ShortName AT&T. And as far as your cell phones are concerned, I am now indistinguishable from AT&T. So the question was how long does it take to hand over? That's kind of the point of the talk in all honesty. From this point, so at this point, we have an IMSI catcher. I can sit here and over the next 20 minutes, half an hour, every AT&T cell phone in the room will gradually hand over to my network, gradually start giving me all your traffic. So from this point on, the only question becomes how can we make phones hand over more rapidly? In practice, it might sit here for an hour before any significant number of phones connect. So we want some techniques to speed it up. So at this point, we do have a simple IMSI catcher. We're spoofing a cellular network. Clearly handsets in the audience are handing across to me. Has anyone actually tried to make a call and heard the recorded warning message yet? One here, another at the back, another over here. So yeah, I mean clearly you guys are handing over, you know, you're connecting to my network. I'm getting all of your traffic. So how do we filter this down? Well, firstly, I now know your IMSIs, so I can filter based on IMSI. If I know the IMSI of the specific person that I want to target, I can exclude everyone but that IMSI. Likewise, I can do the same with the IMEI, which is the equipment serial number, the equipment identifier. I can say, you know, only allow Nokias to connect or only allow iPhones to connect. I'm not sure you can quite get it down to that level of granularity, but you can say this particular IMEI is allowed to connect and nobody else is. So I could restrict it down to a limited set by, you know, various different parameters. As I mentioned, it takes time for people to migrate across. We can make it faster. I'm going to talk about some techniques for that in a sec.
One major limitation that this current system has, it only intercepts outbound calls. So when you're attached to my tower, as far as T-Mobile, AT&T is concerned, your phone is off. It has no signal. It's, you know, whatever. It's just not there because you're not connected to one of their towers. So when a call comes in, it'll just go straight to your voice mail. We can get around this. I'll come back to that, but for the moment we've got, you know, outbound calls getting recorded.

So how do we speed up handover? You know, we don't want to be sitting here all day watching everyone's phones hand over. So, you know, what techniques have we got to speed up that process? Well, there's actually a few. Neighbor lists, changing LAC, band jamming, receive gain. I'm going to talk about all of these individually. Some of them I'll demo, some of them I won't. But there's lots of different ways to do it. The first one is GSM neighbors. So each tower, each GSM tower, when a phone connects to it, the phone will retrieve from it a list of neighbors. And what that means is each GSM base station is on a specific channel, obviously. The base station will say there are base stations nearby on these other channels. And what your phone will do is it'll take that list of neighbors and it will monitor all of those channels and it will keep watching, you know, the signal strength on all those neighboring towers. And when one of those neighboring towers becomes a stronger signal, it'll hand over. So how can we use this to our advantage? Well, all we need to do is, we know that the cell phone is going to be monitoring these neighboring frequencies. So if we do a survey of the local area and find out what neighbors are around, we can then compare that to what frequencies the phone can actually see, what towers it can connect to and whatever. And eventually we can find a channel that is advertised as a neighbor but perhaps is on the other side of the tower.
So you can't actually see it from here. So I can put up my tower on a frequency that I know your phones are listening to and that I know there isn't a tower there. So that, you know, the moment that base station pops up, your phones are all going to go, oh, okay. We must have driven down the street and this tower is now closer. So I'll just hand over to it. So how do we do this? It's actually pretty easy. You get a Nokia DCT-4 phone, I believe. The 3310 does the two European bands, the 3390 does at least one of the US bands. What these do is they support a thing called network monitor mode. And what network monitor does is it effectively dumps a log of every GSM thing that the cell phone does. Every packet that it sends to the base station, every burst that it receives from the base station, everything. Every single thing that cell phone does gets logged. Doesn't allow you to interact with it, doesn't allow you to control it other than, you know, beyond what you can do on the handset already. But it does at least give you very, very detailed insight into what your phone sees on the GSM network. So you get one of these phones, you get a special F-Bus/M-Bus switching cable and a program called Gammu. Gammu is open source, it connects to the phone over this cable and just dumps out a trace in XML, which you can open up in Wireshark. I was going to demo it, but my 3390 has gone wandering. So what I'm going to do instead is just show you what the traffic looks like. So this is a capture that I recorded last night. This was of a handset connecting to T-Mobile. And I actually caught it only partway through the boot sequence. So there's a bunch of traffic that was, you know, hanging off the top here. But you can see you've got all of the various GSM messages in here. And if I click on the right packet, let's try System Information Type 2, which is that one. You can see Wireshark breaks it down nicely.
And within this packet it actually says, here's my list of neighbors. So literally, you just take this phone, you turn it on, you connect the cable, you run Gammu, and then you look at the Wireshark trace and you've got a list of channels. You then compare that, you know, just literally turn a radio receiver on to each of those channels and see if you get a signal on them. It's not hard. And using this, you can find an advertised neighbor that's not actually in use in the local area and speed up handoffs by taking advantage of that. Now, I'm not actually going to demonstrate that today because that would require me to, you know, transmit on an AT&T frequency. And I don't want to do that. Certainly an attacker would have no such compunction and could easily take advantage of this to his benefit. So we can find GSM neighbors and we can take advantage of that.

Another way to speed up handoffs is the location area code. The idea of the LAC is it groups together a bunch of cells. So you'll have, you know, a whole bunch of cells in one specific area that advertise the same LAC. And in general, those will go to, you know, the same higher level controllers as well. But what happens is when the phone is, you know, monitoring all of these neighbors and, you know, if it just sees another tower or whatever reason it is to look at that secondary tower that it's seen, it'll see that if that tower is advertising a different location area code, that means that the cell phone has moved, at least as far as the cell phone is concerned. And if the cell phone's moved and it's moved into a new area, then it should really do a handoff. So from OpenBTS here I have complete control over the LAC. So I can just change the LAC and everyone's phone will go, oh hey, LAC's changed. We must have driven 50 miles down the road. Let's hand off to the new tower. So the more you change the LAC, you can keep rolling the LAC every few minutes just to entice more handsets.
It's not particularly difficult to do. I'll give you a quick demo of it. First up, let's see how many handsets. So before we started spoofing AT&T, we had about 30 handsets connected. Now that I've got AT&T's network name, MNC and MCC, let's see how many handsets we have connected now. 24. Don't quite know how that went down. TMSIs do time out. So another command that I can try is load. And this is telling me, oh this is telling me that there's 24 TMSIs in use as well. So not too sure what's going on there, but we've certainly got a bunch of handsets connected. And then we can use the cellid command again to roll the location area code. Turn this around a second so I can actually see. So my location area code was 666. I guess I should change that to 31337. And I keep the cell ID at 10. In fact I'll change the cell ID as well just so that the handsets know it's a new tower. And it's that hard. That's how to roll the LAC. Not a complex operation at all. And then like I say, that will encourage handsets to, you know, believe that they've changed location and that should entice more handsets to camp across to the new network. We'll come back to that when we do the next stage and we'll see how successful that was.

So what happens when the handset turns on? How does the handset first find its very first tower? Obviously when it boots up it knows nothing. It doesn't know where it is, it doesn't know what frequency it's on, doesn't have any neighbors to look for, doesn't know the current LAC, nothing like that. So it does a very, very long scan over the entire band. And whatever towers it finds, it checks the MNC and the MCC, tries to make sure that, you know, those are allowed networks based on, you know, what the SIM card will actually connect to. And then the signal strength as well. And it'll just, you know, connect to the strongest tower.
Once it starts finding some towers, it limits the size of its scan. It performs a much smaller scan much more rapidly because it has some information about, you know, what bands are in use, what towers are in use, what channels to look for, all this kind of stuff. So an attacker can actually use this to his advantage because if you DoS the cell phone system, in order to, you know, make people lose signal, when those handsets connect back up again, they're gonna perform this long scan. They're gonna perform this much wider band scan and have a much higher chance of connecting to the attacker's tower. So, how can we do this? Well, first off, we're only talking about second generation GSM, 2G. 3G has much better security, much, much, much better security. So if we jam the GSM band, then when we turn the jammer off, your handset's gonna perform a wider search. It's gonna perform a slightly slower search, a bit more chance of finding the tower. However, if you're on 3G, there's really nothing I can do. The 3G protocols are much, much stronger than GSM and it's a lot harder to intercept a 3G phone call. So we really don't want people using 3G if we're trying to intercept phone calls. So what we have to do is jam the 3G bands. If we jam the 3G band, your phones lose the ability to connect to a 3G tower and they quite happily drop down to 2G. So all you have to do, literally, is broadcast noise and block the ability to talk to 3G, at which point everyone drops down to 2G in plain text. It's like saying, well, if you can't connect to port 22, then I just fail over to port 23. Seriously, you can think of 3G as, you know, equivalent to SSH and GSM as equivalent to Telnet in this situation. So, yeah, it would be an accurate analogy to say that, you know, if you can't connect to the SSH port, just drop down to Telnet. That's effectively how cell phones work in this situation.
So the question is, how hard is it to jam a cellular band? Really not very. All you need to do, really, is transmit noise. And when I say noise, I mean a very specific thing. I don't just mean randomness. I mean completely flat spectral noise, such that there are equal amounts of power in each octave, it's a nice flat spectrum, and it makes sure to cover the entire band, cover every channel. Effectively, what we're doing is, instead of removing the tower completely, we're just removing the ability to see the tower. We're masking that with noise. Noise generators really aren't very expensive. I have one over here. Little thing, if I can do this without squishing my ninja badge. Second? No, it's all good. So this is a noise generator. This was $450 on eBay. And if I connect this to a power amplifier, and I have a power amplifier upstairs, and then connect the power amplifier into an antenna, and I have antennas clearly, if I turn that on, that's rather a large disruption to cell phone service. I mean, the noise generator itself was, as I say, 450 bucks on eBay. The power amp was 400 bucks on eBay. Not on eBay, on the internet at least. That's a hundred watts. A hundred watts of wideband noise is a huge, huge, huge disruption. This is what it looks like. This particular noise generator has two modes. It has one for the 900 megahertz bands and one for the 1900 megahertz bands. So what you're looking at here is the trace from a spectrum analyzer. The lowest frequency on the left is about 500 megahertz and the highest frequency on the right is 2.5 gigahertz. And then as the line goes up, there's obviously more power at whatever frequency that corresponds to. So you can see on the left, we've got a really big fat block around 900 megahertz.
That is effectively this thing transmitting on every possible frequency in every possible channel between about 850 and 950 megahertz. Turn that thing on and, yeah, 850 to 950 just stops working. Likewise in 1900 mode. You can see again that the major peak is a little further over. It's pretty clear that this does what we need it to do. So what happens when you jam a cellular band? What happens when I turn this thing on and broadcast 100 watts of noise? Of course I haven't done it. I'm not stupid. If you were to do this, if I was to plug this thing into my 100 watt power amplifier and I was to connect it to an antenna and turn the whole thing on, it would probably knock out GSM, CDMA, 3G, Verizon, pretty much every cell phone service there is for most of Las Vegas. If not further. So yeah, I'm not turning this thing on. The main reason that I have this is because it's a fabulously useful piece of test equipment. If you're trying to classify filters, you put wideband noise into a filter and, as long as it's nice and smooth, you can compare what comes out and very, very accurately characterize your filter. That's what I use this for, not for DoS. The thing about band jamming is that there is no way to defend. It's impossible, cannot be done. Short of swamping it with more and more power. You do only need a short burst, a few seconds, but it's still way, way, way too offensive for what I'm doing here. So as I said, a 100 watt amplifier and a reasonable antenna would probably knock out Las Vegas cell phone systems. So another technique that we can use to make handsets hand over. There's a command that the BTS can send the handset that basically says, treat my signal as if it was stronger than it actually is. Meaning that, let's say, on a scale of plus 50 to minus 100.
Anyone who knows RF will understand why I'm choosing that range. But plus 50 to minus 100. Let's say my signal is coming in at minus 80. Really, really low. I can say to your handsets, just add a hundred to that, would you? And it'll go, oh, okay, you've got a 20 dBm signal. Ah, it's fine. You're the strongest tower around now. I'll connect to you. It's ridiculous and it's, again, another great example of some of the instructions that a BTS can send a handset. So I don't even necessarily need to be the strongest signal. I just need to have a signal that you can pick up and be telling you that I'm the strongest signal. It's ridiculous and the handset will comply. It has to comply, because that's how GSM works. When the handset gets an instruction from the tower, it complies with it. Of course the attacker can make use of this. It means that he has to use less RF power to win the strength competition with the local towers. OpenBTS doesn't actually support it yet, so I won't demonstrate it here. This is actually the essence of the Rohde & Schwarz patents on IMSI catchers. There was a case in the UK where someone was selling IMSI catchers. Rohde & Schwarz sued and it effectively came down to this one technique. Spoofing MNCs, MCCs, network names, it's all trivial, but this one technique is the one that's patented. So I mentioned earlier that we don't see inbound calls. We only see outbound calls. Effectively the IMSI catcher is a completely isolated cellular network. As far as your carrier's concerned, your phone is off, it has no signal, it's just not there. So of course they're going to send calls inbound to your voicemail. Where else are they going to send it? Your phone's off. So the attacker doesn't see the inbound calls.
So the way that we get around this is, obviously, if you're connected to my tower, my tower has to authenticate you, therefore it will ask for your IMSI and your phone will quite happily supply it. So I know your IMSI. What I can then do is go to AT&T and say, hey, here's my IMSI. I'm spoofing this guy over here, but you don't need to know that. This is my IMSI. And I know that this guy's not on the network because he's on my network, therefore it's perfectly safe to do this without you seeing two phones. So I claim this IMSI. The problem with that is that we don't know the secret key in the SIM card. We don't know Ki. And what's going to happen is, when I claim that IMSI to AT&T or T-Mobile, they're going to send me a random number, a 32 bit number, just a challenge. And what normally happens is that challenge gets passed to your SIM card, gets encrypted with your secret key and then split into two parts: half gets returned to the tower, where it's just kind of proof that you know the secret key, and the other half is used as the ciphering key. Well, what I can do to exploit this is I can just pass that random challenge along to your phone. Whereupon your phone will happily encrypt your secret key with it and all the rest of it and send the result back to me. But the result doesn't come back to me as, here's the answer. The session response I do get just kind of as here's the answer, but the secret key I have to crack. And here's the great thing about IMSI catchers as opposed to Kraken and AirProbe and those kinds of things. Kraken and AirProbe, how many folks saw that release at Black Hat, the A5/1 cracker? So the big limitation that that thing has is that it doesn't work on frequency hopping base stations, which virtually every base station in the civilized world is. So it kind of doesn't have real world applications.
Well, in this instance, I'm the base station. I set the hopping sequence. So I can just say to you, okay, let's negotiate A5/2, because I can break that really easily. And then let's disable hopping so that I don't have to worry about that. And then I can use these rainbow tables to crack your secret key. Whereupon I recover the session key. I now know the session key and the session response, which was the authentication response, and I can just reuse it all to the carrier. And as far as the carrier is concerned, okay, it took a few seconds for me to establish a challenge to your handset and then crack it and all the rest of it. But at the end of the day, I provided the right response to the carrier. So hey, I must be you. It's not implemented in this system yet, but it's definitely possible to do. It's the technique that commercial IMSI catchers use to catch inbound calls. Certainly, yes, I cannot do that on this system currently, but it is absolutely possible with IMSI catchers. So just a little more on breaking that session key. It is the only time when you're using an IMSI catcher that any cryptography is needed at all. The majority of the time I just configure my base station to negotiate A5/0, just disable encryption. What do I care? If I negotiate A5/2, A5/2 is very, very easy to crack, much easier than A5/1. So that gives me a very quick way into your handset. Alternatively, you may reject A5/2 and require A5/1. Well, clearly A5/1 is still crackable and we can still do that. But in either case, any calls that originate from your phone come to me as plain text. So what's the solution to all of this? How do we fix this? The reality of it is that there is no good solution. Not in the context of GSM. GSM is broken. It is the Telnet of cellular systems. In order to fix GSM, you'd have to redesign GSM. And if you're redesigning GSM, you have to upgrade every handset.
You have to change every tower. You have to change the networks that live behind them. So why bother, if you're going to that much effort to redesign everything? Why don't you just move to 3G? The solution here is 3G and later protocols. 3G authentication is much better. Obviously it's three and a half G, 3.9G, LTE; all of the subsequent protocols build on that as well. The primary solution here is turn off 2G. Unfortunately, how many people have Android phones? You've seen the setting that says use only 2G networks. Yeah? Supposedly saves battery? How many people have ever seen a setting in a phone that says use only 3G networks? Okay, BlackBerry has one. Certainly Android doesn't, iPhone doesn't. So how can we be secure here? Certainly 3G is showing cracks. It's not been broken broken. The Kasumi cipher has been somewhat broken. But the 3G protocol hasn't. So, yeah, just use 3G. Look for that icon on your screen with a little 3G. If you see that, then you're pretty good. Alternatively, just treat it like a data network. Put another layer of crypto on top of it. Treat it like voice over IP. Just use it as a data network. Treat it like the internet. Encrypt everything that goes across it. Just don't trust it. And then in the long term, the big solution is to just turn off 2G. Which will happen eventually as three and a half G and 4G are deployed more widely. Hopefully, now that I've demonstrated this, there'll be little argument that it's totally possible to intercept 2G phone calls. So hopefully we'll spur some uptake of 3G and we'll see where it goes. So one final demo. Let me just see how many TMSIs we have connected here. 17. Okay. So people are actually handing back to the normal network. That's unusual. Certainly there were a lot of handsets connected to start out with.
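A defender-side illustration, added here and not part of the talk: a small check that flags the symptoms the talk describes (a LAC that changes while the phone has not moved, a 3G to 2G drop, A5/0 or A5/2 being negotiated, an outsized reselection offset) over constructed cell observations. The field names, the offset threshold and the sample values are assumptions; the 310/410 PLMN is just a stand-in.

```python
# Added example, not from the talk: heuristic IMSI-catcher indicators over
# constructed cell observations, in the spirit of detector apps. Field names,
# the sample values and the offset threshold are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class CellObs:
    mcc: str
    mnc: str
    lac: int
    cell_id: int
    rat: str                 # "3G" or "2G"
    cipher: str              # "A5/0" .. "A5/3" as negotiated
    reselect_offset_db: int  # advertised cell-reselect offset, assumed field
    moved: bool              # other sensors say the device physically moved

WEAK_CIPHERS = {"A5/0", "A5/2"}   # no encryption, or the cipher the talk calls trivial
MAX_PLAUSIBLE_OFFSET_DB = 20      # assumed threshold; the talk's example adds 100

def indicators(prev, cur):
    """Return the indicator names raised by moving from prev to cur."""
    out = []
    same_plmn = prev is not None and (prev.mcc, prev.mnc) == (cur.mcc, cur.mnc)
    if same_plmn and prev.lac != cur.lac and not cur.moved:
        out.append("lac_changed_without_movement")   # the 666 -> 31337 trick
    if same_plmn and prev.rat == "3G" and cur.rat == "2G":
        out.append("downgrade_3g_to_2g")             # what 3G jamming produces
    if cur.cipher in WEAK_CIPHERS:
        out.append("weak_cipher_" + cur.cipher)
    if cur.reselect_offset_db > MAX_PLAUSIBLE_OFFSET_DB:
        out.append("implausible_reselect_offset")
    return out

def assess(observations):
    """Walk a sequence of observations; return (index, indicators) for hits."""
    hits, prev = [], None
    for i, cur in enumerate(observations):
        found = indicators(prev, cur)
        if found:
            hits.append((i, found))
        prev = cur
    return hits

# Constructed sample: a genuine 3G cell, then a same-PLMN 2G cell that rolls
# its LAC, negotiates A5/0, then A5/2 with a huge reselect offset.
SAMPLE = [
    CellObs("310", "410", 1234, 5001, "3G", "A5/3", 0, False),
    CellObs("310", "410", 666, 10, "2G", "A5/0", 0, False),
    CellObs("310", "410", 31337, 11, "2G", "A5/2", 100, False),
]

if __name__ == "__main__":
    for idx, found in assess(SAMPLE):
        print(idx, ", ".join(found))
```

A single indicator is not proof of anything (genuine networks do change LAC and do fall back to 2G), so a real detector would weight several of them together.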
It's possible that I actually mistyped AT&T. I think there's some spaces in there. So it's entirely possible that your handsets are connecting to me and going, oh, you're not spelling AT&T correctly. I'm out of here. So, by the way, feel free to make some calls through it. The only limitation is that you have to dial one in front of the number, or whatever country code you want. You're only limited by the $20 of credit in my SIP account. If you've not heard the recorded message, then, like I say, connect to the network and have a play. It's there for the next couple of minutes while I take some questions. So yeah, have fun.