Showing posts with label GSM. Show all posts

Tuesday, August 3, 2010

The $1,500.00 Cell Phone Call Interceptor Demo'ed

Researcher Chris Paget pulled off a stunt at the Defcon security conference Saturday that required as much legal maneuvering as technical wizardry: eavesdropping on the cell phone calls of AT&T subscribers in front of thousands of admiring hackers.

With about $1,500 worth of hardware and open source software, Paget turned two on-stage antennas into a setup capable of spoofing the base stations that connect the GSM cell phone signals used by AT&T and T-Mobile. Paget set his hardware to impersonate an AT&T signal, and dozens of phones in the room connected to his fake base station. "As far as your cell phones are concerned, I'm now indistinguishable from AT&T," he told the crowd.

Paget invited anyone with an AT&T phone to make a call, and using his GSM hijacking trick, routed their calls through a voice-over-Internet system that connected their calls even while recording the audio to a USB stick--which he promptly destroyed with a pair of scissors to make sure he hadn't violated any privacy laws. The hack, after all, was intended to show the fundamental insecurity of GSM cell signals--not spy on callers. (more)

P.S. This works on 2G protocol systems, not 3G.

The GSM Association responded in a statement that lists the limitations to Paget's method: the eavesdropper would have difficulties identifying or targeting any specific user, the interception only works within a certain range, in some cases, the call's encryption could prevent eavesdropping, and GSM phones are designed to alert users when encryption is removed by a base station. (Paget said in his talk that no device he's tested--including iPhone and Android phones--has had this option enabled.)

In summary, the GSM Association spokeswoman writes, "The overall advice for GSM calls and fixed line calls is the same. Neither has ever offered a guarantee of secure communications.  The great majority of users will make calls with no reason to fear that anyone might be listening.  However users with especially high security requirements should consider adding extra, end to end security features over the top of both their fixed line calls and their mobile calls."

Saturday, June 12, 2010

Phone Eavesdropping in Vogue Again

The huge rise in physical data security measures has inadvertently triggered a new line of attack for criminals: phone correspondence.  

With traditional identity theft channels now closing, fraudsters are increasingly targeting unprotected voice conversations to obtain confidential insider information, passwords and PIN codes without detection. Voice correspondence is almost always uncharted territory for business security armour under the false assumption that phone hacking is a highly sophisticated and expensive means of attack.

The days of phone fraud involving thousands of pounds of equipment and an extensive army of technology experts are long gone. Only in December it was revealed that a computer engineer had broken the algorithm used to encrypt the majority of the world’s digital mobile phone calls online, and published his method...

...when assessing the threat posed by phone fraudsters and criminals, we need look no further than the regular examples of celebrity phone eavesdropping that is becoming commonplace. Even high profile national newspapers like the News of the World have become embroiled in the scandal, resulting in one of their reporters being jailed for listening in on calls between members of the royal family. Liberal Democrat Lembit Opik recently went public saying he was concerned his phone calls were being intercepted and PR guru Max Clifford settled a hacking dispute out of court for a six-figure sum. And who can forget the case of Tiger Woods, who found himself in hot water after several voicemail and text messages fell in the lap of numerous national newspapers and celebrity magazines.

These celebrity incidents are serious enough, but business leaders and public sector chiefs now need to readdress their approach to voice and message security, to protect themselves against this growing threat. 

Increasingly, phone fraudsters are being hired or trained by rival businesses, getting insider information and critical data without ever being suspected. (more)

Information about Cell Phone Privacy is available with a google search. Businesses, however, require additional assistance with making sure their phones (analog, digital and VoIP digital) remain untapped. Quarterly inspections by a TSCM security specialist are the norm. For additional information about these services click here, or contact the company who provided this link to Kevin's Security Scrapbook.

Saturday, May 22, 2010

GSM Bug Prices Continue to Drop!

A few months ago, we found GSM bugs being sold on ebay in the $19-$60 range. Today, direct-from-the-manufacturer samples are advertised for $13.05. (Quantity pricing is even lower.)

Finding these normally dormant eavesdropping bugs is problematic. Digital Surveillance Location Analysis™ (DSLA™) is one very effective detection technique.

Business executives – You can no longer skate on the chance that one of these won't end up in your Boardroom. 

Quarterly eavesdropping detection audits are more important than ever. Be sure your TSCM provider is aware of this new threat, and can effectively deal with it.

(Update) One of our sharper colleagues noted the logo on this thing and mused... "Wonder what they think about the use of their logo?"

Hummmm... I seem to recall (this) (and this). But, nah. That would be too much of a stretch :)

Sunday, April 11, 2010

Turkish Tappy - Update

This is an amazing story. A private large-scale illegal wiretapping ring - busted. The ring included cell phone company employees, businessmen, a sports writer, a sports figure, former policemen and others! 

Although unusual, it is not unheard of... remember Rupert Murdoch's newsboys' caper last year?

Turkey - Teams from the Istanbul Police Department Organized Crimes Unit decided to take action after receiving over 100 complaints of illegal tapping. After conducting a detailed investigation for over two years, police forces initiated a simultaneous operation in four different districts yesterday morning at 07:00. Two high-level administrators and a staff member of a Global Systems for Mobile Communications Company as well as five well-known businessmen, a sports writer, former national footballer Ridvan Dilmen and six former police officers were amongst the total 26 detained...

According to the allegations, the businessmen detained were claimed to have used the assistance of a telephone tapping organization to listen to other businessmen, and used prior records of messages and conversations to their advantage as extortion. Allegations also surfaced against Ridvan Dilmen that he listened in to former footballer Tanju Çolak due to claims he was interfering in his relationship with his girlfriend. Supposedly, reports of over 100 different telephone calls were found in his e-mail address. Meanwhile, the five businessmen were detained yesterday in connection to allegations they used an illegal tapping organization to track their girlfriends.

The telephone tapping organization is claimed to have worked in conjunction with a security company which offers private detective services.

The illegal organization is claimed to have worked with the GSM company administrators that were detained and were able to keep tabs on their victims, by listening in on their phone conversations, sharing their messaging information and by obtaining information from the base station were able to track their locations and times of calls. Supposedly the organization had specific rates for famous figures they conducted this service for, such as 3-5 thousand dollars for one to three months of tracking and 5-15 thousand dollars for three to six months of tracking. (more)

A tip worth repeating... High profile individuals and prominent executives - Hire a reputable specialist to check for bugs, taps and spycams on a regularly scheduled basis. Be sure to investigate your specialist's background and credentials. You really don't want to hire an organized crime "front company" to conduct your sweep.

Wednesday, March 31, 2010

GPS Tracker (with audio eavesdropping) Update

About 3 years ago the Security Scrapbook alerted you to a tracking device with eavesdropping capabilities.

The folks at GoPass Technology Corp. have been really busy since then...

Their latest real time GPS trackers – with eavesdropping capabilities – can now...
  • Store data when out of cell range, and burst it back when it comes back in range.
  • Can send to two different computers. (Convenient home and office surveillance.)
  • Automatically snitch when the vehicle is moved.
  • Locate with assisted GPS. (Garage parking won't save you.)
  • Remotely immobilize the vehicle. (By killing the ignition... or the oil pump, which they suggest, but "don't recommend" in an Eddie Izzard sort of way.)
  • Send back data based on the preset time interval or based on the distance driven.
  • Read the voltage data by SMS message inquiry.
  • Get position data via a phone call. 
  • Set a timetable to send back data automatically. 
  • Snitch mode. (Teens will hate this.) Only sends data when a preset speed limit is exceeded.
  • And, a remote Sleep Mode. 
Need a "personal" tracker (with eavesdropping capabilities)? GoPass has you covered. "Don't leave home without it."

Why do I mention these things?
So you will know what you are up against.
P.S. Suspect you have something like this on your corporate vehicle (car, plane or boat)? Give me a call. I can help.

Monday, March 15, 2010

"How small are GSM bugs?"

A. They can be as small as a Compact Flash card.

This is a question I hear frequently, along with...
"How expensive are they?" 
($20 to $80)

"Where are people getting these?" 
(ebay and on-line spy shops)

"How do they work?" 
Plug in a SIM card and hide it. Call the listening device using any phone, from anywhere in the world. Or... some models will call, or text, you whenever it hears someone in the vicinity talking!

"How do you find them?" 
In 2009, Murray Associates developed a proprietary test - Digital Surveillance Location Analysis™ (DSLA™) - which plots the location of these normally dormant devices on a computer screen map, using triangulation.

Tuesday, February 23, 2010

Rutgers Outsmarts the Smart Phones

Experiments by Rutgers University researchers show how your smart phones can be hacked. 

Using malware known as "rootkits," the researchers showed how a smart phone can be attacked. Rootkits attack a computer's operating system.
The researchers found the following:
  • The phone's microphone can be turned to eavesdrop.
  • A phone user's location can be tracked.
  • A phone's battery-draining apps can be turned on to kill the battery.
All of these things can happen without the phone owner knowing about it. 

The Rutgers researchers say they conducted the experiments to raise a red flag. The next step will be to work on defenses. (more) (video)

Can't wait to see what they will do with the new iPad and other tablets.

Thursday, January 21, 2010

GSM Bugs, or Cell Phones Gone Wild

If you are not already familiar with GSM Bugs, I could go over it again, or you could listen to this dangerous-sounding woman...
(These bugs are flooding the market; less than $60 on eBay.)



By the way...
New for 2010 at Murray Associates, is our in-house designed GSM Bug locator.

Our instrument instantly detects and plots the location of GSM Bugs on a computer map. Without this technology, mostly-dormant GSM Bugs range from difficult to impossible to find.

Murray Associates' new investigative technique (Digital Surveillance Location Analysis™) is now part of our advanced TSCM inspection audits. Bonus... our new instrumentation also locates rogue Wi-Fi stations on our client's networks.

Not a client, yet?
Become one.
You won't find this level of security elsewhere.
Start here.

Wednesday, January 6, 2010

Karsten Nohl showed how easy it is to eavesdrop on GSM-based cell phones

This week brought some bad news for mobile phone users. German security expert Karsten Nohl showed how easy it is to eavesdrop on GSM-based (Global System for Mobile Communications) cell phones, including those used by AT&T and T-Mobile customers in the U.S.
Q: What does this mean for users of GSM phones? What is the real-world threat?
Nohl: Cell phone calls can be intercepted--not just since this week, but more cheaply every month. Sensitive information, say, from politicians, can be overheard from, say, foreign embassies. Others willing to cross the line into illegality and listen in on a call could be industry spies or even private snoops. (more)

Wednesday, December 30, 2009

GSM Cell Phone Encryption Code Broken


A German computer scientist has cracked the encryption algorithm that secures 80% of the world's mobile phones, but it's far from a practical attack.

Researcher Karsten Nohl, a former graduate student at the University of Virginia, revealed his decryption methods this week at the Chaos Communication Conference in Berlin, the largest hackers conference in Europe. Nohl and a team of two dozen other experts worked for five months to crack the security algorithm that protects Global System for Mobile communications.

To break the code, Nohl and the other researchers used networks of computers to crunch through the trillions of mathematical possibilities. The result was the development of a code book comprising 2 TB of data that's compiled into cracking tables. The tables can be used as a kind of reverse phone book to determine the encryption key used to secure a GSM mobile phone conversation or text message.

Before the latest hack, hundreds of thousands of dollars of computer equipment was needed to break the GSM code, mostly limiting hacking to government agencies. Nohl told the conference that someone with the code book could eavesdrop on GSM communications using about $30,000 worth of computer gear, making such illegal activity possible by many more criminal organizations. (more) (a5/1 Cracking Project)

Sunday, December 6, 2009

The Future of GSM Digital Cell Phone Taps

If you're still using a cellphone based on early digital standards, you better be careful what you say. The encryption technology used to prevent eavesdropping in GSM (Global System for Mobile communications), the world's most widely used cellphone system, has more security holes than Swiss cheese, according to an expert who plans to poke a big hole of his own.

Karsten Nohl, chief research scientist with H4RDW4RE, a Sunnyvale, Calif.-based security research firm, is mounting what could be the most ambitious attempt yet to compromise the GSM phone system, which is used by over 3 billion people around the world. Others have cracked the A5/1 encryption technology used in GSM before, but their results have remained secret. However, Nohl, who earned a Ph.D. in computer science at the University of Virginia and is a member of Germany's Chaos Computer Club (CCC), intends to go one big step further: By the end of the year, he plans to make the keys available to everyone on the Internet. (more) (video - search HAR2009 GSM)

Friday, November 13, 2009

New - GSM Audio Video Bug

from the manufacturer's advertising...
Specifications
• See your monitoring place anywhere, anytime by your mobile phone
• Wire tap your monitoring place by your mobile
• Know the urgent things in first time by your mobile
• Wireless installation, can move freely
• Can control the camera with your mobile to get the monitoring place image by MMS anywhere
• Successfully combine moving detect technology and GSM wireless network transmission technology apply in defense and security area, it break the distance and electrical wire restriction compare with normal defense and security products
• Any changes or dangerous in the monitoring place, camera will notify you by calling, SMS, or MMS
• Can dial the preset emergency number once the sensor active
• With cute appearance, practical functions, and bright design
• Applicable in family, office, factory, store etc place, especially for garage, stock house, and more where fixed lines are hard to reach
• With monitor, can see your home any time, know your child arrive home in first time, and know your office is safe during holiday

Functions:

Mobile alarm: capture images and send to your mobile phone by MMS
SMS remote control: control the camera by sending SMS commands
Real time audio: call the camera and listen in
Motion detection: detect any motion within the monitoring area and send alarm
External connection: connect wireless sensors (maximum of 15), such as door magnet, PIR sensor, smoke sensor, gas sensor, and more
Camera can report alarm from all sensors connected
Infrared light: built-in IR light enables the camera to capture images in dark environment
Resolution: 300 pixels CMOS camera
Watch images directly
(more)

Why do I mention it?
So you will know what you are up against.

Saturday, October 3, 2009

Alert: Low-Cost GSM Bugs Flood Ebay

GSM bugs are simply tiny cell phones without keypads. Insert a SIM card, hide it, call its phone number and eavesdrop from anywhere in the world.

The lowest cost we've seen is 99 cents, plus $21.99 shipping.

This is a major development in illegal electronic surveillance; amazing as it is scary. Anyone can be a high-tech spy for less than $25.00.

In addition to being packaged as tiny self-contained bugs, they are also being sold on Ebay (and many other Internet locations) hidden in every-day office items like power strips.

Search Ebay to see them... (1) (2)

What Murray Associates is doing about this for their clients...

Digital Surveillance Location Analysis™ (DSLA)

With this new capability we pinpoint and solve several of the most serious information security challenges...
• cellular bugs
• GPS/GSM tracking devices
• rogue equipment and access point loopholes
DSLA is a Murray Associates exclusive.

Our new graphic triangulation technique may be...
• employed during our regular Eavesdropping Detection Audits,
• monitored by your security/IT staff on a 24/7 basis,
• or, monitored by Murray Associates for you.
The system is Internet compatible; easily monitored from anywhere.

Security Directors at businesses and government agencies (only) are invited to contact us for further details.

Monday, September 28, 2009

Spying on BlackBerry Users for Fun

The 7th annual instalment of the Hack in The Box Security Conference in Malaysia (HITBSecConf) has secured some of the most exciting mainstream and underground ICT security experts who will present on a range of highly relevant hardware and software security topics, on the 7th and 8th of October 2009....

Sheran Gunasekera, Head of Research & Development at ZenConsult will present Spying on BlackBerry Users for Fun - a talk which will demonstrate that BlackBerry handhelds can be compromised to sniff user’s email (and optionally instant messages, web browsing traffic, and SMS messages). The presentation will also see the release of the “Bugs & Kisses” toolkit. Bugs, the interceptor can be deployed on BlackBerry handhelds to sniff emails, while Kisses the detector can be used on the device to detect the presence of Bugs or other ‘Bugs-like’ applications. (more)

Friday, April 17, 2009

Security Director Alert - GSM Pen

Your CEO is holding sensitive negotiations, thinking the playing field is level. It isn't.

The opponent has an invisible team of advisers helping out... in real time. Your side is stymied at every move, thwarted at every turn, every advantage you thought you had, evaporated.

What happened? How did they do it?
How can YOU stop it from happening again?


Here is what you might be up against (from the seller's web site)...

"All you have to do is to connect the pen to your cell phone (via Bluetooth); make or receive calls like you do regularly. The GSM pen connects to the phone as a regular Bluetooth headset. The spy earpiece receives the signal from the phone through the GSM pen (via wireless induction).

Arrange with your partner - outside the area - who will be giving you all the necessary information, using any phone (cell, home or public phone).

Put the spy earpiece into your ear and just before you enter the room make a call to your partner.

The microphone located on the GSM pen is very sensitive. It lets your partner hear everything you say, even a whisper.

Their answer can be clearly heard by you, but nobody else. After you are done you can easily take the earpiece out from your ear with the help of the ejection cord."

This Alert also applies to:
• Educators. Final Exam time is near.
• Proctors at professional certification exams.
• Police surveilling suspects who may be secretly communicating.
How YOU can stop this from happening again...
Call me.

Monday, March 23, 2009

GSM Bugs Keep Getting Smaller

from the seller's web site...
The PLM-JNGSMTX08, a true technological jewel, is the smallest GSM transmitter implemented to date. The technology of listening to the most advanced GSM concentrated in an incredibly small size of only 43 x 34 x 17mm. Simply insert the SIM and call the number to listen to what happens in your absence.

Thanks to its reduced dimensions, the PLM-JNGSMTX08 can be hidden for almost everything in the home, office and car and is even small enough to be hidden in a purse or a briefcase.

The PLM-JNGSMTX08 offers the best quality audio possible thanks to a new circuit for filtering and a new Digital Sound Processor.

A charging of internal battery operation makes the PLM-JNGSMTX08 for up to 6 days standby or 6 to 8 hours of asocoto high-quality audio. For long-term operations, the device can be connected to 220V power or a 12V car power supply via (optional).

Code: PLM-JNGSMTX08
Price: € 1299.00 (VAT included) (more with video)

GSM bugs are one of the newest and fastest-growing classes of eavesdropping devices. Basically, they are tiny cell phones, without a keypad or fancy options. All an eavesdropper has to do is plug in a SIM card, hide the GSM bug, and call the phone number whenever they want to listen in.

This type of device has been very difficult to discover, until now. Murray Associates has a proprietary detection protocol aimed specifically at detecting GSM bugs. Concerned businesses and government agencies are invited to call us for further details.

Thursday, February 5, 2009

When a butterfly flaps its wings from China...

...you won't know it.
From the seller's web site...
Dualband GSM 900/1800 Spying Bug Audio Transmitter
$33.98, Free shipping!

Model: XF-168 - Ultra easy to use: simply insert SIM card and turn the device on. After the "phone" registers on your cell phone network, simply dial the SIM card's phone number to start listening.

- Perfect for monitoring home and office environments
- Fills the curious mind of eavesdroppers (note the law in some countries requires you to inform people you are eavesdropping on)
- Works silently to prevent exposure
- No location and no distance constraints. Works as long as there is GSM 900/1800 cell phone coverage
(an even cheaper model)

Last year, this was a very difficult eavesdropping attack to detect - even when the bug was transmitting.

Murray Associates developed a special detection technique. It is very effective. We use it on our corporate and government sweeps.

GSM Bugs
$33.98!
Free shipping!
Internet distribution!
You know these bugs are out there.

"What have you done to protect your company?"
Call us, before someone else asks you that question.
Like, your boss.

Thursday, December 4, 2008

Things Your Sweep Team Should Look Into...

What is that other phone jack really connected to?

A hidden USB memory stick, perhaps?
A GSM Bug?
A microphone?

What is that USB connector on the UPS power strip really connected to?

A GSM Bug?!
A hard drive?!?!
A SpyCam?

If your sweep team is not disassembling these common ports, they are not finding these common covert data vaults and bugs.
Time for a clean sweep? Call me.
~Kevin

Sunday, October 19, 2008

Guyana's Cell-Phone-Surveillance Loophole Buster

Guyana's parliament has passed two controversial bills that would authorize wiretapping and force cell-phone providers to register clients to fight crime. (more) (background) (GSM Bugs)

Why is this important?
The wiretap part is commonplace. The know-your-customer part, however, is new and innovative.

This legislation was created to eliminate anonymity. It closes a crater-sized government surveillance loophole created by promotional SIM-card giveaways and pre-paid cell phones.

This is also the very same loophole which allows GSM bugs and trackers to operate with impunity. Even if discovered, you don't know to whom they belong.


FutureWatch...
• Guyana's new law will kick-start legislation rewrites worldwide.
• GSM bugs and real-time trackers will become riskier to use.
• Criminals will use fake IDs or alternate communications.
• Expect a run on current pre-paid phones and SIM cards.

Same Day.
Different country...
UK - Everyone who buys a mobile telephone will be forced to register their identity on a national database under government plans to extend massively the powers of state surveillance.

Phone buyers would have to present a passport or other official form of identification at the point of purchase. Privacy campaigners fear it marks the latest government move to create a surveillance society.

A compulsory national register for the owners of all 72m mobile phones in Britain would be part of a much bigger database to combat terrorism and crime. Whitehall officials have raised the idea of a register containing the names and addresses of everyone who buys a phone in recent talks with Vodafone and other telephone companies, insiders say.

The move is targeted at monitoring the owners of Britain’s estimated 40m prepaid mobile phones. They can be purchased with cash by customers who do not wish to give their names, addresses or credit card details. (more)

Sunday, September 28, 2008

Spouse Spying Causes More Problems

New Zealand - Suspicious spouses who use spy software to track phone calls and text messages on their cheating partner's cellphone may be breaking the law.

One website to offer the spyware service, Flexispy, allows people to download the software to a suspected adulterer's internet-capable phone for a fee. The virtually undetectable software tracks every text and phone call made from the phone and a summary can be viewed online. But New Zealand Institute of Professional Investigators president Trevor Morley says use of the software would amount to phone-tapping, which is illegal in this country.

"Even if it was not an offence under the... Crimes Act provisions to use that software, we suggest that its use would definitely be a breach of various provisions of the Privacy Act."

Assistant privacy commissioner Katrine Evans said there were cases where spying or surveillance by a parent of a child or within a couple did not breach privacy laws. (more)

The same is generally true in the United States of America.