24

My current understanding is that sniffing traffic on 4G (let's use WiMAX and LTE for the purposes of this question) and 3G is not a simple matter and requires either setting up a fake base station that people connect to or having insider access to the carrier (physical or logical).

Here is an article today on Defcon 4G hacking. It does involve installation of an update on Android: http://seclists.org/fulldisclosure/2011/Aug/76

How difficult is this to do? Can someone elaborate the attack tree in a relatively abstract way, or a way that is easy for a non-mobile-technical person to follow?

Question also sparked by the fact I couldn't find a definite source to say the Facebook iPhone and Android apps use TLS.

My current understanding: [image]

nealmcb
Rakkhi
  • 1
    Intercept the SDH is a subset of Microwave and fiber as these are the physical medium of transmission between the Basestation and CO – Stuart Aug 10 '11 at 11:37
  • Also eavesdrop on the air interface, i.e. receive and decode the radio signals. – Stuart Aug 10 '11 at 11:38
  • A friend posted on G+ "Most likely MITM via a hacked femtocell I would have thought." http://thcorg.blogspot.com/2011/07/vodafone-hacked-root-password-published.html – Rakkhi Aug 11 '11 at 15:47
  • Remember, the airlink is only one place you can get owned. Carrier backhaul networks are not impervious to more traditional attacks, and it's clear that various three-letter agencies have access to sniff traffic this way if they ask. Besides that, without TLS, your traffic will cross the core of the Internet in the clear, vulnerable to tampering by any ISP on the path (or that can insert itself into the path; recall the YouTube blackhole a while ago). – Steve Dispensa Sep 06 '11 at 20:57
  • 1
    Don't forget about side channel attacks either. – Zian Choy Oct 17 '11 at 05:11

2 Answers

1

I spoke at DefCon about WiMAX security a couple times, and I know coderman pretty well, and the idea is pretty simple. WiMAX femtocells exist, and are not as expensive as you might think. You buy a cell, configure it to look like a clear tower, and people will connect to it, no questions asked. You can then do with them whatever you want.

Scott Pack
pierce
0

On the subscriber side, if you have their IMEI, you can do just about anything. If they are in Verizon for example and have recently set up a weak password for their data. Or if they have another provider and a Clear generic-branded cell 4G/3G point then you can get away with more.

One subscriber tinkering is not necessarily a big accomplishment, relatively speaking. I am not encouraging any bs, just pointing out in the context of the chart.

Read the latest Wired article about the government listening in at critical access points on the backhaul itself. Detail-specific misinformation probably, but you will get the gist. No-holds-barred snooping in the broadband infrastructure realm, and all of the providers are in on it because they are compensated big time.

The deep packet inspection is trivial at the pre-aggregator, pre-compression level. We pay for it in our phone bills indirectly as well...

Rory Alsop
  • 1
    Can you provide some links - I have searched for the article you mention, but don't see anything mentioning providers being in on snooping etc. – Rory Alsop Apr 23 '12 at 15:32