Hacker builds $1,500 cell-phone tapping device
A computer security researcher has built a device for just $1,500 that can intercept some kinds of cell phone calls and record everything that's said.
The significance of Chris Paget's work is that it shows how cheaply such devices, which have been around for decades and are often used by law enforcement, can now be built by hobbyists with equipment easily found on the Internet.
Paget's attack involves tricking nearby cell phones into sending their outgoing calls through his device, instead of legitimate cell phone towers. He can then route them using Internet-based calling technology, which allows him to log everything that's being said.
Paget planned to show off his research during a talk at the DefCon hacker conference here. But he was reconsidering the demonstration, which involved intercepting conference attendees' calls, after federal authorities told him it might violate wiretapping laws.
There are some caveats to his attack. One is that not all cell phones and wireless networks are vulnerable. Another is that recipients of intercepted calls might notice that the calls aren't coming from familiar numbers. Paget claims it would be easy to upgrade the software he's developed to also fool the recipients' Caller ID.
Commercial versions of such devices, known as "IMSI catchers" after the unique International Mobile Subscriber Identity numbers that phones use to identify themselves to cellular networks, can cost hundreds of thousands of dollars.
The devices act as rogue cell phone base stations and trick nearby phones into connecting to them by offering a stronger signal than towers that are farther away.
Paget's attack only works on phones that use the GSM, or Global System for Mobile communications, standard, which is considered "second generation" cell phone technology, as opposed to third- and even fourth-generation technologies now being used. In the U.S., AT&T Inc. and T-Mobile USA are two cellular operators whose networks include GSM.
There are more than 3 billion GSM users and the technology is used in nearly three quarters of the world's cell phone markets, according to the GSM Association, an industry trade group. A representative for AT&T had no comment. T-Mobile and the GSM group didn't immediately respond to e-mails Saturday from The Associated Press.
Paget said he hoped his talk would spur increased adoption of more secure cellular technologies.
"GSM is broken — it's just plain broken," he said.
Consumers can protect themselves from the type of attack he described.
His attack won't work on calls that are sent over so-called 3G technology, for example. So if the 3G icon on your iPhone or other smart phone is displayed, your conversations will be protected. He also said BlackBerry phones have a layer of encryption on their calls that also thwarts the attack. He warned, though, that many regular phones that don't clearly specify the technologies they use are often vulnerable.
One security expert, Nicholas DePetrillo, said such devices haven't been built as cheaply in the past because the hardware makers have closely controlled who they sell to. Only recently has the necessary equipment become available cheaply online.
Another security expert, Don Bailey, a GSM specialist with iSec Partners who also wasn't involved in Paget's research, called it "hugely significant" because of how much Paget brought down the cost of developing one of these devices.
"That's a significant change for research — it's a major breakthrough for everyone," he said.