Android security mystery – ‘fake’ cellphone towers found in U.S.

[Renegade]

Android security mystery – ‘fake’ cellphone towers found in U.S.

http://www.welivesec.../android-security-2/

Seventeen mysterious cellphone towers have been found in America which look like ordinary towers, and can only be identified by a heavily customized handset built for Android security – but have a much more malicious purpose, according to Popular Science.

The fake ‘towers’ – computers which wirelessly attack cellphones via the “baseband” chips built to allow them to communicate with their networks, can eavesdrop and even install spyware, ESD claims. They are a known technology - but the surprise is that they are in active use.

The towers were found by users of the CryptoPhone 500, one of several ultra-secure handsets that have come to market in the last couple of years, after an executive noticed his handset was “leaking” data regularly.

Its American manufacturer boasts that the handset has a “hardened” version of Android which removes 468 vulnerabilities from the OS.

Uh, yeah. Ok. More at the link.

[mwb1100]

I'm not sure what's going on with the towers mentioned in the article, but a related concern that I've heard next to nothing about (and nothing at all as far as a security concern) are the network extender devices that are available, such as:

  - http://www.verizonwi...etwork_extender.html

What is the Verizon Wireless Network Extender?

The Network Extender enhances indoor calling and 3G data coverage to provide better service for your Verizon Wireless mobile device. It’s an extension of our network placed directly in your house or small business office. The Network Extender is compatible with all Verizon Wireless devices and works like a miniature tower. It plugs into your existing high-speed Internet connection to communicate with the Verizon Wireless network, which makes it easy to install.

These things are essentially small network towers with limited range and capacity that plug into an internet connection.  The intended use is for when you have poor cell coverage at your home, you can get one of these things and your cell phone will see it as  a tower and the cell communication will be routed over your internet connection.  As far as your cell phone is concerned, it's just another tower that it's connecting to.

So say a black hat gets one of these - now they can see all traffic between the extender unit and the internet.  Presumably that traffic is encrypted (though I haven't seen anything from the vendors that explicitly say that), but how often have we seen such embedded encryption be done in a way that can be cracked?

Also, since the unit is relatively cheap (a couple hundred dollars?), an enthusiast is very likely to be interested in tearing one down - who knows how easy or difficult it might be for them to tap into something that leaks information before it's routed to the internet?

Anyway, some food for thought.  I don't think you need access to an actual cell tower to have some (or even a lot) of the capability that the article hints at.

Actually, after a quick search, here's a white paper that seems to describe just this sort of attack:

  - https://media.blackh...obile_Attacks-wp.pdf
 

[SeraphimLabs]

Without even tearing one down it is fully possible to man in the middle a cellphone using those range extenders.

Heck I already have one configured that way at work. It sits in a forgotten corner of the building, and quietly logs who connected where when on the off chance people are messing around with their phones when they should be working. Since the building actually has utter garbage signal in the 1-2 bar range, every phone to get near it links up no questions asked.

Didn't have to open it either. I just used a traffic sorting rule on the building network to log certain types of traffic coming from the device. With most of the workers having their names visible in their phones hostname on the network, its a piece of cake to see who is doing what at a glance.

[J-Mac]

Stingray effects?  https://en.wikipedia.org/wiki/Stingray_phone_tracker

Jim