Chris Paget demonstrated his creation for more than a thousand people crammed into a grand room at a DefCon gathering of hackers in Las Vegas, warning them to turn off their phones if they wanted to be spared.

"I can intercept cell phone calls with 1,500 dollars worth of radio gear and a laptop," Paget said after the talk.

"You handset thinks I'm your cell phone tower and I get to control your calls. These attacks used to cost millions of dollars, now you can do it for a lot less."

The gear included an antenna and radio equipment and broadcast a GSM signal that imitated a legitimate telecom service tower, prompting handsets to automatically connect.

A hacker could then pretend to be the telecom service provider, forwarding calls to intended recipients and listening in.

"I can target specific people if I want to spy and I can command only certain types of phones to connect," Paget said. "An attacker could easily take advantage of this."

Mobile phone snoops with this gear could snag credit card or account information from calls made to shops or banks. Companies could be staked out in the hope insiders would reveal valuable information during calls.

His creation worked only on mobile phones using the GSM network and not more secure 3G, third generation, networks.

"GSM is broken," Paget said. "It is up to telecom providers when to shift from GMS to 3G networks. GMS is widely deployed with millions of handsets in use."

However, someone could use a noise generator and a power amplifier could easily jam a 3G network and prompt handsets to resort to GSM systems commonly used as backup systems, according to Paget.

He gestured to a noise generator he bought online for 450 dollars and a power amplifier purchased on the Internet for 400 dollars.

"I'm not turning this thing on," Paget said. "It would knock out pretty much every cell phone there is for most of Las Vegas."

The system only grabs outgoing calls since it has fooled handsets.

Since the phones have disconnected from real telecom service providers, they are considered gone from the networks and incoming calls are routed directly to voice mail boxes.

There is a way for hackers to use credentials from duped handsets to impersonate the phones to carriers, according to Paget.

His talk was almost scuttled by the US Federal Communications Commission, which reached out to him with concerns about the danger it might pose or statutes it might violate.

"There was so much shenanigans involved making sure I could get on stage," Paget said after the DefCon briefing. "The good news is that it is all over and I haven't been arrested."

earlier related report
Hackers crack high-tech locks
Las Vegas, Nevada (AFP) July 31, 2010 - Security maverick Marc Tobias showed hackers on Saturday how simple it is to defeat some of the world's top high-tech locks.

"These locks might be winning awards but they are forgetting the basics," Tobias said while giving AFP a first-hand look at how to crack several models. "They might be clever, but they aren't secure."

A Biolock model 333 designed to scan fingerprints and unlock for chosen people was opened by simply pushing a paper clip into a key slot.

An Amsec ES1014 digital safe was breached by sliding a flat metal file folder hangar through through a crack at the edge of the door and pressing an interior button allowing the access code to be reset.

Tobias grew passionate when it came to an award-winning electromagnetic lock made in China for Finland-based iLoq.

The innovative iLoq used the action of a key being pushed into the lock to generate power for electronics that then checked data in a chip on the key to determine whether the user is cleared for access.

Tobias and lock-cracking colleague Tobias Bluzmanis pointed out that the iLoq design counted on a small hook being tripped to reset the devices as a key was removed.

In what they referred to as a viable inside attack possible on locks geared for office settings, someone could borrow a key and shave tiny bit of metal from the tip and it would no longer catch the iLoq reset hook.

A pocket-sized tool available in US stores for about 60 dollars could be used to grind down the hook in seconds, the men demonstrated.

With either method, the result would be that once a valid key is used to open the iLoq it will yield to any key or even a screw driver stuck in the slot because it remains stuck in the unlocked position.

An audit trail left by a compromised iLoq would stop at the person whose key legitimately opened the lock.

"It is really clever, but it is also very defective," said Tobias, a longtime advocate for tougher standards in the lock industry.

"Electromechanical locks are more secure if done right. The question is whether the technology is implemented properly."

The security.org crew opened a Kwikset programmable "smartkey" lock with a key blank, a screw driver and a vice grip tool.

Tobias and his team consistently show up at the annual DefCon gathering in Las Vegas to pop locks with wires, magnets, air, shock, screw drivers and other improvised tools.

Their presentation this year was met with hoots and applause.

Lock-picking holds a natural appeal to hackers, who thrive on bending hardware or software to their wills.

del.icio.us	Digg	Reddit
YahooMyWeb	Google	Facebook

Memory Foam Mattress Review

SPACE MEDIA NETWORK PROMOTIONS Solar Energy Solutions Tempur-Pedic Mattress Comparison ... Newsletters :: SpaceDaily :: SpaceWar :: TerraDaily :: Energy Daily XML Feeds :: Space News :: Earth News :: War News :: Solar Energy News