14667466
story
Comments: 126 + - IT: AT&T Won't Block Black Hat Eavesdropping Demo on Wednesday July 28, @10:37PM
Posted
by
samzenpus
on Wednesday July 28, @10:37PM
from the enough-rope-to-hang-yourself dept.
from the enough-rope-to-hang-yourself dept.
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
background: url(//a.fsdn.com/sd/topics/topicit.gif); width:75px; height:61px;
it
snydeq writes "AT&T says it won't interfere with a highly anticipated talk on intercepting cell phone calls at the Black Hat conference this week. Hacker Chris Paget last week said that he plans to demonstrate on Saturday how to set up what's essentially a fake cell tower that allows him listen in on nearby mobile calls. But Tuesday, he wrote on his blog that he had 'heard that AT&T may be considering suing me to stop my talk.' AT&T, however, has insisted it has no plans to interfere with the talk."
Related Stories
I like work; it fascinates me; I can sit and look at it for hours.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
AT&T Doesn't Care (Score:5, Insightful)
But what about the types of people that actually enforce the wiretapping and interception laws?
Ya forget AT&T, ask the FBI (Score:5, Insightful)
I'm still not very convinced this is legal, and you want to be sure. While they might well say "It isn't like he caused any harm, just let it slide," they also might now. The law is the law and all that. Plus maybe some company pressures them in to it. Some provider who gets mad says "Hey, you need to charge this guy, he broke wiretapping laws!"
When you are doing something all on your own equipment in a controlled environment, then sure you are good to go. So having a lab with what you need and trying it on your own stuff, that is legal. However intercepting random people in the area of your tower? Don't think that is legal, doesn't matter if you are doing it as a demonstration or not.
Parent
Re:Ya forget AT&T, ask the FBI (Score:5, Insightful)
It's definitely NOT legal. If nothing else, he'll be transmitting without a license on frequencies he's not authorized to use. When you use a cell phone normally, it's transmitting under the carrier's license authorization. If he sets up his own "cell site," there's not a license to be found anywhere. It doesn't matter how much power is used, or how far the signal can travel, if it's an intentional radiator, it's illegal.
Parent
Re:Ya forget AT&T, ask the FBI (Score:5, Interesting)
"I'm still not very convinced this is legal...So having a lab with what you need and trying it on your own stuff, that is legal." It's definitely NOT legal. If nothing else, he'll be transmitting without a license on frequencies he's not authorized to use. When you use a cell phone normally, it's transmitting under the carrier's license authorization. If he sets up his own "cell site," there's not a license to be found anywhere. It doesn't matter how much power is used, or how far the signal can travel, if it's an intentional radiator, it's illegal.
I had the impression that you could, without a license, transmit on frequencies that require a license so long as it's extremely low power, to the point that beyond X number of feet (300?) no meaningful reception of your transmission is possible.
Before CD players in cars were common, you could get standalone CD players that broadcast the audio in the FM band. The car's radio/tape-player could be set to FM and turned to that frequency to pick up the audio from the CD. This was acceptable because the transmitter is in the same vehicle as the FM radio, so tiny power levels were sufficient.
I admit that I am not a lawyer and don't know much about FCC regulations. I get the impression they're not an agency with a sense of humor, and one you wouldn't want to have to deal with. Still, would cell frequencies be given some special treatment that is not given to FM radio frequencies?
Parent
Re: (Score:2)
If you'd run the whole experiment inside a Faraday cage, then it would be legal I suppose. But then, in order to get the point of this experiment proven, AT&T must cooperate (i.e., put one or more of their towers inside the cage).
Re:Ya forget AT&T, ask the FBI (Score:4, Informative)
I had the impression that you could, without a license, transmit on frequencies that require a license so long as it's extremely low power, to the point that beyond X number of feet (300?) no meaningful reception of your transmission is possible.
Nope, not as a general rule. What you're thinking of are the small FM radio band transmitters (such as used for iPod to car radio), which the FCC allows under a specific rule (47 CFR 15.239 [gpo.gov]) which limits their output. No such rule is available for someone wanting to operate their own cell site. It's illegal, regardless of how low the power or how short the range. Another poster mentioned a Faraday cage; still illegal (even though you'd be unlikely to get caught).
Parent
Re: (Score:3, Informative)
Authority for subscribers to operate mobile or fixed stations in the Public Mobile Services ... is included in the authorization held by the licensee providing service to them.
Re: (Score:2, Interesting)
Re: (Score:2)
So... what are you, AT&T, or the FBI going to do to prevent or track/trace or even find out about such exploits being used?
Rhetorically "you", of course. Literally, though, how would anyone find out?
Re: (Score:3, Insightful)
Funny, the "cell site" I run and maintain broadcasts on said frequencies and is perfectly legal.
The manufacturers/sellers claim that, but funny, they never cite the regulations which would support such a claim.
This is a grey area - if they are legal, it's for the same reason you don't need a license to operate a cell phone, because it's communicating with a system licensed for that frequency band (the cell carrier). Wilson, probably the manufacturer with the best reputation in this market, says "Wilson cell phone boosters fully comply with FCC regulations for cellular devices and are FCC type accepte
Re:Ya forget AT&T, ask the FBI (Score:5, Insightful)
"Hey, you need to charge this guy, he broke wiretapping laws!"
That might be just a bit difficult to convince a jury, given that his "wiretapping" is going to be limited to a small area that likely includes just the conference room full of people their for expressly this purpose, for not particularly long. If anyone doesn't want to be "wiretapped" perhaps they can restrain themselves and not make any phone calls during that short period in that room.
Why is it that some people are always so convinced "the law" is something like the laws of physics that's set in stone and not interpreted for a specific purpose?
I'm guessing he'll be breaking FCC regulations. If someone wants to make some big complaint about the few minutes he'll be running his demo, well I'd help contribute to whatever pathetic fine they might try to assess. In reality this would never happen since the FCC has better things to do.
Parent
Re: (Score:3, Informative)
From what I've heard of jury duty and from people I know who have had jury duty, they strongly emphasis only whether or not the law was broken and will screen for anyone thinking. Guess if they can't get a plea bargin, they go for the next easiest thing.
Re:AT&T Doesn't Care (Score:4, Insightful)
Parent
Rumour? (Score:4, Informative)
Re:Rumour? (Score:4, Insightful)
Yeah. It's called "New Media." It's like news, but without the journalism degrees or standards of professionalism.
Parent
Re: (Score:3, Insightful)
Yeah.. cause we can see how professional all those journalists are that have the degrees. They are impartial, and fact check everything.
Re: (Score:3, Insightful)
There are still plenty that do, although it's true that gone are the days of Cronkite. It's sad, really, but 24-hour news cycles mean they can't put as much time and effort into making sure that they cover relevant information accurately. That's not an excuse, more of an indictment. Do people even watch the evening news anymore?
Re: (Score:3, Funny)
Why does news only have to last 24 hours? Any story worth telling probably has at least a few years worth of action in it. Slow is better. Trust me.
Re: (Score:3, Interesting)
I try but they always tack on some celebrity or sports shit and then I turn off the TV.
Re:Rumour? (Score:4, Insightful)
So it's like news?
Parent
Re: (Score:2)
So he blogged that he heard that AT&T might sue him to stop the talk, AT&T deny the rumour, it makes headlines.
To be honest, the first think I thought when I read his blog entry was "scapegoat". Maybe he realized his hack doesn't work quite right, or is flawed in some other way and wants an easy way out of giving the presentation? Claiming worry about a big lawsuit sounds pretty good for that.
I'm betting at this point that AT&T came forward because they:
1) Want to make sure he can't use them as an excuse, and
2) They really want to know (probably more than most people) if the hack really works.
I can easily see
Re: (Score:2)
So where did he get the idea AT&T might sue? Did they tell him they might sue? Did someone else with inside knowledge of AT&T's plans tell him they might sue? Did some random person think to themselves, "hey, AT&T could sue!" and told him it was a possibility? Did he make it up himself and lie about it?
Also, did AT&T decide not to sue because they looked at the situation, considered their best course of action, and determined that suing wasn't the right thing to do? Or did they decide t
Glad AT&T is not being evil (this time) (Score:3, Insightful)
Good to hear that AT&T is actually doing the "right thing" and hopefully learning from the research instead of attempting to suppress it.
Re: (Score:3, Informative)
The right thing is to give these companies time to respond and to close potential security vulnerabilities before the information goes public. In this case, that obviously is not going to happen (by that I mean addressing vulnerabilities). I hate that they have to release this information in such a public way and wish they wouldn't, but I see the need for it all the same.
Re: (Score:2, Insightful)
Sometimes the greatest incentive to change your ways is to have your foibles on public display.
Re: (Score:2)
Re: (Score:2)
I think it's not so much a matter of not knowing about this as a potential vulnerability, as it is a case of the hardware necessary to pull it off suddenly becoming cheap and affordable to just about anyone with the slightest interest in doing it.
Perfect illustration of "exploit" that becomes possible due mainly to falling prices:
My best friend owns two Blu-Ray players. One is Region "A". He bought it for $99 the day after Thanksgiving last year. The other is Region "B". He paid around $160 for it, includin
Re:Glad AT&T is not being evil (this time) (Score:4, Informative)
There already was a public talk about this GSM vulnerability last december. Back then, the group cracking the protocol didn't have the hard/software to demultiplex the connections a GSM basestation has to handle in realtime. That problem is now solved and so the hack is fully functional. The rainbowtables needed to crack the protocol were publicly created for almost all of 2009. The GSM industry had PLENTY of time to react and get their shit together, instead they stonewalled, ignored and threatened the hacking group as Mr. Piaget described back in his December 2009 talk.
The DECT industry group for cordless phones who use a similar encryption method but weaker as GSM had their protocol examined bofore that in 2008 or so by the same people. When the hackers approached the DECT people they were basically welcomed and both, DECT group and hackers, worked together on fixing the protocol, spec and especially implementations.
Ironically the DECT industry group and the GSM association is made of largely of the same companies...
Parent
Re: (Score:2)
Good to hear that AT&T is actually doing the "right thing" and hopefully learning from the research instead of attempting to suppress it.
For AT&T, 'learning from research' would be admitting inferiority in a way. It's better for them to stay away officially then send geeks of their own to 'learn from the research', even though their own geeks failed to see iPhone problems before millions did.
Re:Glad AT&T is not being evil (this time) (Score:4, Informative)
Good to hear that AT&T is actually doing the "right thing" and hopefully learning from the research instead of attempting to suppress it.
Time was when "research" and "AT&T" were damn near synonymous. But yeah, it's good that they're keeping the sharks in check.
Parent
Re: (Score:2)
Time was when AT&T wasn't just a name purchased by Cingular.
Re: (Score:3, Informative)
There was a time when Nuclear Power Plants and "Westinghouse" were nearly synonymous, yet now they're making cheap toasters that don't work.
The "AT&T" of today only happens to use the same name as the "AT&T" of years ago. Other than that, they died out entirely, much like Polaroid. What's now calling itself AT&T is, in fact, SBC, and has all the baggage associated with that shiftless company.
Re: (Score:2)
If you could cover any significant urban area with a small and low powered antennae sitting on a table inside a theater, mobile calls would be a lot cheaper than they are. This is research, and it's being done inside the lab. Also, stopping research is fucking stupid. If I got my conference interrupted by the FBI, I would go ahead and sell the technology to spammers. That would be far worse. Do not attempt to stop research, ever. It is the wrong thing to do, both in ethical and practical considerations.
Words and Deeds are often different (Score:2, Insightful)
There are many examples of a corporate spokesman saying one thing, while the company immediately did the opposite.
just imagine:
Well dressed spokesman speaking to TV reporter: "Absolutely not! There is no credibility to the rumor that there is any terrorist activities or police actions taking place at this facility! The rumors are absolutely false! I can
Re: (Score:2)
Or when Kennedy came out saying that no Americans would be involved in any invasion of Cuba right about the time of Bay of Pigs fiasco with the CIA...
Re: (Score:3, Insightful)
Just because one person at AT&T said they won't do anything about it, there is absolutely no guarantee that someone else doesn't have different plans.
The way I read it was: "Oh no, we won't interfere with the talk at all. But just wait until you see what we do after the talk!"
Maybe it will help the network (Score:2, Insightful)
Too many problems with the iPhones - personal towers might be a good idea
Defcon != Blackhat (Score:2, Informative)
Different conference. My understanding is that the EFF is involved, and signs are being posted around the perimeter. Either way, I won't be using a GSM enabled phone. Should be interesting.
Re: (Score:2)
Re: (Score:2, Informative)
There's nothing 'non-' or 'un-blackhat' about DEFCON.
Remeber Adobe? (Score:5, Insightful)
It doesn't matter what some mediadroid says. All it would take is one phone call from the right person at AT&T to the right person in the DOJ.
AT&T could deny any and all prior knowledge when the Feds arrest the presenter for breaking some law or another. Hell, AT&T could even call for his release afterward knowing that history would repeat itself.
Considering how big AT&T is again there really isn't anything anyone can do even if they did move openly. Boycott? HA!, how many of us can afford to give up our cell phones, home phones and Internet connections in protest? AT&T knows they have most of us by the tender bits.
Re: (Score:2)
AT&T, Verizon, and Sprint all provide competitive cell phone service. Sure, maybe you'd have to give up the exact model of cell phone you currently use, but that's it.
"Home phone" is a bit of an anachronism now. Wire a cell
15 years ago... (Score:2)
Listening in on cell phone calls was sometimes as trivial as turning on your TV to the right UHF station. If you wanted to get sophisticated, you bought a scanner to listen on the right frequency.
It's interesting someone found a way to make a base station an do a MITM attack, but this is nothing compared to the massive problem with cloning, interception, and everything else than went on in the analogue era of cell phones for many many years.
Isn't that the point? (Score:2)
Sera
How times have changed (Score:2)
I think it is strange that we are now more worried about being sued then about the technical knowledge and the fact that if he can do it, everybody else can do it.
And this is a place where everbody says IANAL. This is a place about IT. And yet most people are more concerned about the law then about the technical side of it all.
So let's see what calls we can pick up... (Score:4, Funny)
Senator Stampingston: Gentlemen, it's clear that we're in a universally precarious situation. Dethklok has summoned a troll.
General Krosier: That's impossible, there's no such thing as trolls.
Senator Stampingston: Then how do you explain the dead unicorns?
Um... Okay, moving on to the next call...
strange (Score:2)
Don't they teach students about man-in-the-middle attacks anymore, these days?
Re:I see AT&T's position (Score:4, Insightful)
If they don't, he'll just have some nastygrams to hang on his wall, and a story of being oppressed by the man, without any lingering consequences.
They might just be ignoring it entirely, figuring that the Streisand effect is not with them on this one; but the path of maximum vindictiveness actually requires them to let him go ahead...
Parent
Re: (Score:2)
the presenter may well have just committed a number of crimes in front of a live audience, and probably a fair few cameras.
A live audience filled with feds...
Re: (Score:2, Insightful)
...critical systems are now running in a decentralized manner...
Not so. Your entire internet is still in the hands of a small group that can cut your connection at any time with a simple flip of a switch or drop of an anchor.