A security researcher showed in a live demo today how he can intercept cell phone calls on 80 percent of the world’s phones with just about $1,500 worth of equipment.
Chris Paget, who also showed yesterday how he can hack into radio frequency identification tags (RFID) from a distance, created a fake cell phone tower, or Global System for Mobile communications (GSM) base station. GSM is the protocol for 80 percent of the world’s phones and is used by T-Mobile and AT&T in the U.S. The demo was not, Paget said, a malicious attack in any way.
Military and intelligence agencies can intercept cell phone calls with their wiretapping technology. But Paget simply wanted to show how vulnerable the cell phone network is and how hackers could intercept calls for a small amount of money. He used a couple of large antennae and a laptop with some other equipment.
“There’s a good chance you won’t even know about it when it happens,” Paget said during a talk at the Defcon security conference in Las Vegas.
Paget’s interceptor disables the encryption, and the GSM network complies and never sends a warning message. Paget’s talk got some attention in advance because Federal Communications Commission authorities contacted him about his planned demonstration. They asked whether he would be violating wiretapping laws.
Paget consulted his legal help at the Electronic Frontier Foundation and decided to go forward with the live demo of cell phone call interception. He posted notices at the event saying he would be intercepting calls on the GSM network in the area during the talk. That gave him some legal protection.
In the demo, he turned on his interceptor and immediately had 15 people on his network. The interceptor he created could intercept phones in a small area covered by one cell site. Dozens more phones were intercepted in the course of the talk. He inserted a warning message saying that he was intercepting calls, and some phones displayed that they were on the Defcon 18 cell phone network during the interception. He could take over a given area by broadcasting a stronger signal than was available from AT&T or T-Mobile in that area.
“It’s not particularly difficult to do,” he said.
Paget said that he could easily create a noise generator that could disrupt all calls in a given area. He chose not to do that demo, as it would have knocked out all cell phone coverage for most of Las Vegas, he said.
“I am not turning this on,” he said. “The thing about band jamming is there is no way to defend against it.”