Android Phones (Possibly) Hacked At Defcon On CDMA & 4G (HSPA)

Use Netsparker


It seems like some major ownage was layed down at Defcon, I was very interested by the thread coderman posted in Full Disclosure earlier:

DEF CON 19 – hackers get hacked!

Especially when some people did chime in with supporting opinions and agreeing that it does seem like they got hacked. Basically someone setup some bogus CDMA/4G cell towers (probably with OpenBTS) and hacked a bunch of Android phones (that’s what is being claimed anyway).

And just to clarify – there’s no REAL 4G or LTE hacking involved – in the US they call HSPA 4G.

Claims that both CDMA and 4G networks were compromised at the recent Defcon security event in Las Vegas have raised little surprise, but the vulnerability of handsets is hotly debated.

The claim was made by coderman, a stalwart of security conferences, who reports that he witnessed an advanced man-in-the-middle attack operating on both CDMA and UMTS networks and masterminded by an amalgam of Anon and Lulz. This attack was apparently able to identify connected devices and run through known exploits before falling back to ask the user’s permission to install.

The symptoms of infection include “3G/4G* signal anomalies”, “Android [device] at full charged plugged in, but dropping to <50% charge once unplugged", "Android services that immediately respawn when killed" and "a hard freeze, and then take[ing] a long time to reboot". Android users might recognise that as SNAFU, but according to coderman it indicates the user has fallen prey to hackers from the usually-desperate groups Anon and Lulz. Other attendees are less certain, with many asking for more evidence (we did too, with equal lack of success). While it's hard to see if the attack happened as described much of it is plausible and follows a steady erosion of the security around cellular networks, which have stood the test of time well but are now recognised as weakening. Critically the 2G networks do not authenticate both ways – the handset authenticates to the network, but not the other way round – so it's relatively easy for an attacker to set up a femtocell and intercept communications. Handsets will also drop the encryption level on request by the network, which is required for use in countries where strong encryption is still verboten but provides an opportunity for the attacker to simply switch off the encryption.

Now there’s a lot of claims flying around here including the hacks, how advanced they are and who they were perpetrated by (Anonymous and LulzSec?).

Yes, cell network hacking has moved forward a lot in the last couple of years and the processing power of the average laptop is more than enough to own most cellular networks – but did this really happen? Right now no-one know, and really who is going to come forwards with evidence?

“Hi, I’m a l33t hacker and my phone got raped at Defcon 19” – yah sorry but that’s not going to happen.


Handsets are supposed to display such a change of status to the user, but they don’t.

Faking a call is still very hard, the secret shared between the SIM and the network authentication centre remains secure and hard to crack as ever, but once the encryption is off then data can be intercepted and false updates can be pushed out to smartphones.

In most cases such updates will require user permission to install, and will need to be signed or present additional dialogs, but users will generally agree to anything they’re presented with. The Defcon attendees might be more cautious, but the technique should be expected elsewhere.

Certainly there are numerous reports of strange cell sites popping up during the conference.

Our man on the ground, Dan Goodin, didn’t see any himself, but as handsets automatically connect to the nearest base station with the right operator code there’s no obvious notification and little to stop calls and data being intercepted.

3G networks, including HSPA, are a lot more secure and authenticate in both directions. That makes interception harder, but not impossible. Interception is then dependent on the encryption being used; A5/3 is mandated in Europe and really hard to break, but not widely used. The USA still seems to be using A5/2, at best, for some reason.

So interception of cellular data is eminently plausible, and faking updates is also plausible, but when it comes to inserting malicious code into handsets one is just as dependent on the mobile OS as if one were connecting over a Wi-Fi connection.

The whole thing is plausible? Yah definitely, but Defcon attendees are not your average drones (I hope) – and have at least some security smarts.

The delivery mechanism for this attack is the same old story, pushing out malicious updates and hoping the user installs them. For an average joe – yes this will work, for anyone who works in infosec? I find that unlikely.

I really hope more research is done on these attacks and we get to see some evidence of what really went down.

Source: The Register

Posted in: Exploits/Vulnerabilities, Privacy

, , , , ,


Latest Posts:


snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.
QualysGuard - Vulnerability Management Tool QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service.


2 Responses to Android Phones (Possibly) Hacked At Defcon On CDMA & 4G (HSPA)

  1. 802.16 August 15, 2011 at 3:06 am #

    The 4G WiMAX networks were in fact being MitM’d, I’ve confirmed with several security contacts close to Clear.

    • Darknet August 15, 2011 at 11:25 am #

      Thanks for the confirmation.