Can you hear me now? Yeah, hacked Verizon device can nab your texts and photos too

So you are out and about, minding your own business, texting, sending images and making calls on your smartphone via Verizon Wireless. Although you might not ask, “Can you hear me now?” two security researchers will assure you, “Yes, I can hear you now.” They can not only hear you, but they can also nab any photos or texts you send if you are within about 40 feet of their Verizon femtocell. It’s a network extender device about the size of a wireless router that acts like a miniaturized cell tower to boost your signal. And it may be a dream come true for NSA surveillance wannabes.

Hacking Verizon Network Extender into surveillance device to intercept photos, texts, hear calls

iSEC Partners Tom Ritter and Doug DePerry will be presenting “I Can Hear You Now: Traffic Interception and Remote Mobile Phone Cloning with a Compromised CDMA Femtocell” at Def Con.

The duo demonstrated for Reuters “how they can eavesdrop on text messages, photos and phone calls made with an Android phone and an iPhone by using a Verizon femtocell that they had previously hacked.” Ritter told Reuters, "This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people."

They said that with a little more work, they could have weaponized it for stealth attacks by packaging all equipment needed for a surveillance operation into a backpack that could be dropped near a target they wanted to monitor.

David Samberg, a Verizon spokesman, said the flaw was fixed by an "over-the-air software push." In March, Verizon Wireless released the Linux software update “that prevents its network extenders from being compromised in the manner reported by Ritter and DePerry.” He further claimed, "All of the devices received the software upgrade. Anyone who tried to block the fix on their femtocell would be disconnected from the network.” To Reuters, he added, “There have been no reports of customers being impacted by the bug that the researchers had identified.”

Still, that doesn’t ring true after NPR’s Laura Sydell said her phone was “broken into” a moment after she stepped into the hackers’ hotel room. The phone automatically connects without any indication to the user, but Ritter said a person “has to be within around 40 feet of the femtocell for it to tap into their phone.” However, it is small, portable and “can pick up signals through most walls,” meaning anyone could have one almost anywhere.

NPR said the total cost for the hack was about $300, based on $250 Verizon femtocall and $50 antenna. Yet eBay has dozens of femtocalls listed for cheaper than that, as well as various low price Wilson Electronics antennas like the security researchers used. Besides that, DSL Reports added that Verizon’s femtocall service “isn't a particularly great value at $250 (a price Verizon never reduces), given it eats away at your plan minutes despite using your bandwidth to ease tower congestion. The device also doesn't let you set the security settings on your own device, meaning you can't control how many strangers get to use your bandwidth to make phone calls.”

Oh, and if you're not on Verizon Wireless, don't feel left out. The researchers told Reuters that "equipment of some 30 other carriers" are also vulnerable to this type of hack. Additionally, Verizon is vulnerable to other hacks.

It might be a good time to subscribe to the theory of not sending anything over your phone that you wouldn’t want your mother to hear about in court. "I make sure that I don't send anything over the phone that I wouldn't be comfortable with someone else seeing," Ritter said.

According to DePerry and Ritter, during their Def Con talk, “We will demonstrate how we've used a femtocell for traffic interception of voice/SMS/data, active network attacks and explain how we were able to clone a mobile device without physical access.”

Def Con 21 and Feds

Speaking of Def Con, when Dark Tangent said, “Feds, we need some time apart,” the lyrics “Hit the road, feds, and don’t ya come back no more, no more,” started ringing through my head. Like many, I do not approve of NSA domestic spying as if we are all potential terrorists or criminals.

But Dark Tangent, aka Jeff Moss who is the founder of Def Con and of Black Hat security conferences, and currently on the Homeland Security Advisory Council, didn’t say that. Instead, for the first time in Def Con’s 21 year history, he only suggested a “time-out.” On the Def Con website, he wrote, “When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a ‘time-out’ and not attend DEF CON this year.”

Moss told Reuters that “it was ‘a tough call,’ but he believed the Def Con community needs time to make sense of recent revelations about U.S. surveillance programs.” He added, "The community is digesting things that the Feds have had a decade to understand and come to terms with. A little bit of time and distance can be a healthy thing, especially when emotions are running high."

It immediately hit the fan, with Secure Ideas then announcing it wouldn’t be presenting on attacking SharePoint at Def Con. As the controversy over “banning” the feds stirred, Def Con organizers clarified that Dark Tangent never used the word “ban.”

There is a lot of tension in the community right now and he was asking politely for feds to consider not attending this year.

If you are on your own dime pursuing your own personal interests in hacking and not assigned to be there working your federal Intel job, then don't consider yourself a Fed! We want motivated people to attend! 

No worries as you can "spot" a plethora of feds at Black Hat, which has no such "time-out" request. As he did last year at Def Con, NSA Chief General Keith Alexander will deny NSA spying deliver the keynote at the Black Hat USA hacking conference.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies