funsec mailing list archives

Phony cell towers are the next big security risk

From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 18 Sep 2014 14:46:34 -0400

http://www.theverge.com/2014/9/18/6394391/phony-cell-towers-are-the-next-big-security-risk

Last month, a Mr. Li in Shenyang, China, received a text from his
bank's customer service number, notifying him that his credit card had
accumulated reward points and telling him how to cash them in. When he
followed the link and logged in, the site went dead. An hour later, he
noticed more than $650 missing from his account. Only then did he
realize he'd been scammed. The text had come from his bank's number,
but it didn't come from his bank.

Instead, it came from a fake cell tower, a racket that's reaching
epidemic levels in China. Scammers use a device called a base station
to set up a fake signal coming from a local house or shop. As long as
it's the strongest signal available, phones will connect
automatically. The phony tower can't reach the larger network, so if
you try to place a call or visit a website, you'll come up empty — but
unless you're actively using your phone, you'd never know the
difference. From there, scammers can send texts from any number they
want. In cases like Mr. Li's, that turns out to be a very lucrative
trick.

Qihoo 360, China's largest mobile security firm, has caught more than
1.2 billion messages from fake cell towers between April and June of
this year, more than 13 million per day. Qihoo's figures only include
messages caught by the company's app, so it's likely the total number
is even higher. "It's very lucrative to have a tower device right now.
People will pay big money for it," says Ren Huan, Qihoo 360’s head of
mobile security. "We predict that this year and next year will be the
worst time for us."

Roughly half the messages were simple advertising, sent from fake cell
stations so as to dodge mass-texting fees, but Qihoo tagged another
third of the messages as promoting illegal services, and 15 percent as
outright fraud. The messages can appear as fake invoices, credit card
statements, or phone bills from the carriers themselves. In each case,
the message comes from the bank or phone company's official customer
service number, giving targets no reason to doubt that the message is
real.

At the heart of the scam is a basic vulnerability with the GSM or 2G
phone network, established in the mid-’80s before the rise of 3G and
4G networks. Towers check that each connected phone is legitimate, but
there's no system to authenticate the towers themselves. When the
system was designed 30 years ago, cell tower hardware was too
expensive for such an attack to be practical. Now, a fake base station
can be built for as little as $700, making it much easier to turn a
profit.

As of this April, it's a felony to mass-manufacture the devices within
Chinese borders, but in the thriving world of Chinese electronics
manufacturing, those restrictions can be hard to enforce. Qihoo shows
the densest cluster of attacks coming not in the populous south, but a
northern manufacturing city called Zhengzhou, where unauthorized
hardware can be more easily manufactured and sold under the table.
Chinese police have been cracking down on any factories caught with
the equipment, with regular arrests and 24 production sites shut down
so far this year, but judging by Qihoo's numbers the crackdown has
barely put a dent in the attacks.

While China has seen the most widespread attacks, the vulnerability is
being exploited on an increasingly global scale. In the US, law
enforcement uses the same weaknesses to follow suspects, setting up
fake towers with officially sanctioned Stingray devices, although many
have questioned the legality of the tactic. Reports have also shown an
alarming number of fake cell towers operating in Washington DC,
although it's difficult to pin down who is behind the irregularities.
Outside of the US, a similar attack was used by journalists in India
to wiretap politicians, while Czech police say they’ve seen it used
for industrial espionage. In a landmark paper in The Harvard Journal
of Law and Technology, the ACLU's Christopher Soghoian describes how
the technology has spread, and why it has become so difficult to
contain. "The fact that there are so many places in China that you can
buy this stuff is alarming, but they don't have a monopoly on this
technology. There are places you can buy this stuff in India, in
Russia, and Israel too," Soghoian told The Verge. "It's time to secure
our phone calls."

Some in the US government are trying to do just that. In July,
Congressman Alan Grayson sent the Federal Communications Commission a
formal inquiry about the problem, and the agency has since formed a
task force to investigate the issue. Still, securing the network may
be harder than it sounds. Modern 3G and 4G networks are immune to the
attack, thanks to two-way authentication, but it will be years before
the US can abandon the vulnerable GSM or 2G networks entirely, and
doing so means upgrading thousands of towers across the country. So
far, AT&T is leading the way, planning to abandon GSM by 2017, but
that gives attackers three years to keep exploiting the vulnerability
in the US, and even longer in the rest of the world.

In the meantime, China is relying on scrappier fixes like the Qihoo
app, which blocks any messages it identifies as suspicious but can't
stop them from being delivered to the phone. Beyond that, researchers
like Huan are relying on Chinese police getting smarter about tracking
down the people buying and selling the towers. "We actually have a lot
of data from the end user," Huan says, "but we are not law
enforcement. And then there are the agencies responsible for catching
these guys, but they don't have any data."

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
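The article's core point (towers check that the phone is legitimate, but nothing lets the phone check the tower) and its remark that 3G/4G close the hole with two-way authentication can be made concrete with a toy model of the two exchanges. The code below is an added example and is not part of the forwarded article, the mailing-list post, or any operator's or vendor's software. HMAC-SHA256 stands in for the SIM's A3 and MILENAGE f1..f5 functions, the message layouts are simplified rather than wire-accurate, and the key `ki`, the class names and the `run_demo` helper are all constructed for the illustration.

```python
"""Toy model: GSM one-way authentication vs. UMTS/LTE-style mutual (AKA) auth.

Constructed example. HMAC-SHA256 is an assumption standing in for the real
A3 / MILENAGE functions; layouts are simplified and not 3GPP wire-accurate.
"""
import hashlib
import hmac
import secrets


def f(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    """Keyed one-way function standing in for A3 / f1..f5 (assumption)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]


class Phone:
    """Handset whose SIM holds the long-term secret Ki and a replay counter."""

    def __init__(self, ki: bytes):
        self.ki = ki
        self.last_sqn = -1  # highest sequence number accepted so far

    # GSM: the phone answers the challenge but never checks who asked.
    def gsm_auth(self, rand: bytes) -> bytes:
        return f(self.ki, b"A3", rand, 4)           # SRES, 32 bits

    # UMTS AKA: the phone verifies AUTN before it answers at all.
    def umts_auth(self, rand: bytes, autn: bytes):
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        ak = f(self.ki, b"f5", rand, 6)              # anonymity key
        sqn_bytes = bytes(a ^ b for a, b in zip(sqn_xor_ak, ak))
        expected = f(self.ki, b"f1", sqn_bytes + rand + amf, 8)
        if not hmac.compare_digest(mac, expected):
            return None                              # sender does not know Ki
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.last_sqn:                     # simplified: real SIMs use a
            return None                              # window plus resynchronisation
        self.last_sqn = sqn
        return f(self.ki, b"f2", rand, 8)            # RES


class LegitNetwork:
    """Operator side: shares Ki with the SIM through the HLR/AuC."""

    def __init__(self, ki: bytes):
        self.ki = ki
        self.sqn = 0

    def gsm_attach(self, phone: Phone) -> bool:
        rand = secrets.token_bytes(16)
        sres = phone.gsm_auth(rand)
        return hmac.compare_digest(sres, f(self.ki, b"A3", rand, 4))

    def umts_vector(self):
        """Build one authentication vector (RAND, AUTN) with a fresh SQN."""
        self.sqn += 1
        rand = secrets.token_bytes(16)
        amf = b"\x80\x00"
        sqn_bytes = self.sqn.to_bytes(6, "big")
        mac = f(self.ki, b"f1", sqn_bytes + rand + amf, 8)
        ak = f(self.ki, b"f5", rand, 6)
        autn = bytes(a ^ b for a, b in zip(sqn_bytes, ak)) + amf + mac
        return rand, autn

    def umts_attach(self, phone: Phone) -> bool:
        rand, autn = self.umts_vector()
        res = phone.umts_auth(rand, autn)
        return res is not None and hmac.compare_digest(res, f(self.ki, b"f2", rand, 8))


class FakeBaseStation:
    """Rogue BTS: strongest signal in the area, but no Ki for anyone."""

    def gsm_attach(self, phone: Phone) -> bool:
        phone.gsm_auth(secrets.token_bytes(16))     # ask anyway, ignore the answer
        return True                                  # the phone is now camped on us

    def umts_attach(self, phone: Phone, replay=None) -> bool:
        if replay is None:                           # forge: MAC cannot verify
            rand, autn = secrets.token_bytes(16), secrets.token_bytes(16)
        else:                                        # replay a sniffed vector
            rand, autn = replay
        return phone.umts_auth(rand, autn) is not None


def run_demo() -> dict:
    """Run both procedures against a real and a fake tower; returns outcomes."""
    ki = secrets.token_bytes(16)                     # constructed SIM secret
    phone, net, rogue = Phone(ki), LegitNetwork(ki), FakeBaseStation()
    sniffed = net.umts_vector()                      # vector the rogue captured (constructed)
    phone.umts_auth(*sniffed)                        # the real network used it once
    return {
        "gsm_legit": net.gsm_attach(phone),
        "gsm_rogue": rogue.gsm_attach(phone),
        "umts_legit": net.umts_attach(phone),
        "umts_rogue_forged": rogue.umts_attach(phone),
        "umts_rogue_replayed": rogue.umts_attach(phone, replay=sniffed),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:22s} attached={ok}")
```

In the GSM branch the rogue station never has to verify SRES, because the handset has no check to fail; that is the asymmetry the article describes. In the AKA branch the handset rejects a forged AUTN (wrong MAC) and a replayed one (stale SQN), so a tower that does not hold Ki cannot get past the authentication step. The model covers only that exchange; whether a handset can be made to fall back to the 2G procedure is a separate question the code does not address.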