In the wake of the National Security Agency cyber-spying revelations, you may be worrying about the government keeping track of your digital life. But, for less than $300, a group of ordinary hackers found a way to tap right into Verizon cellphones.
This is a group of good-guy, or “white hat”, hackers. They hacked the phones to warn wireless carriers that the phones have a security flaw.
I got to experience having my phone broken into. I met the hackers at a hotel room in downtown San Francisco. A moment after I stepped in, Tom Ritter pulled me over to look at a computer screen. Ritter is a security consultant for iSEC Partners, which specializes in helping companies locate technology security flaws.
As I looked down at Ritter’s laptop screen, he pointed to a number.
“Is this your phone number?” he asked.
It was. The minute I’d walked into the room Ritter had gotten into my phone.
Then, he showed me how he could listen to my conversations. I called up Nico Sell, who works with Ritter. We had a brief conversation. After I hung up, Ritter played a recording of the entire call for me.
Ritter said he was able to tap into my call with something called a femtocell, also known as a wireless network extender. The one he used was made by Samsung for Verizon and cost about $250. The femtocell is about the size of a wireless router. You can buy one at Best Buy.
And, Ritter said, “Everything we did can be done with free software you can download online — nothing terribly special.”
He says companies like Verizon support these devices for customers who live in rural areas or high-rise buildings and have poor cellphone reception.
“You can get these from carriers to give yourself a better signal,” he said.
Ritter explained that the femtocell is basically cell phone tower; that’s why it’s able to pick up all the phone signals around it. In case you were wondering, it also intercepts your text messages, including photos and if you use the browser to sign into your bank’s website, the device will be able to get your login and password. Yikes!
Ritter says someone has to be within around 40 feet of the femtocell for it to tap into their phone. But, given that it can fit in a purse Ritter imagines a lot of situations where getting close enough would be easy.
Ritter painted a scenario in which “a lady goes out to … a bar in downtown DC … At this place a whole bunch of congressman are hanging out.” In her purse, this “lady” had a femtocell.
“She happens to pick up a whole bunch of picture messages,” Ritter said. “It doesn’t take a whole lot of stretch of the imagination to see that there’s a lot of potential here for targeting high-profile individuals or just ordinary people.”
In case you’re wondering, the lady with the purse could be in a different room. The femtocell will pick up a signal through most walls.
This particular femtocell taps into Verizon phones. However, Ritter believes it might be possible to find a similar problem with femtocells that work with other providers.
Ritter is trying to help these companies. So, he told Verizon about the hack. David Samberg, a Verizon spokesman, says the company patched the flaw in the femtocells without customers realizing it.
“It was an over-the-air software push,” he said. “All of the devices received the software upgrade.”
Samberg claims it’s no longer possible to do what Ritter and iSEC did. Samberg said that anyone who tried to block the fix on their femtocell would be disconnected from the network. However, he could not explain how Ritter and iSEC were still able to tap into my phone.
Ritter and other security analysts don’t agree that the problem has really been fixed. Ritter will be part of a presentation at Def Con, a conference for Web developers. iSEC and Ritter were chosen to present because Def Con organizers have always believed that these femtocells, which have been on the market for a few years, were vulnerable because they mimic cellphone towers.
Chris Wysopal, the CTO of the security firm Veracode, who sits on the committee that picked Ritter to present at Def Con, says that “with the way that these devices work, you know, mimicking a cell tower, looking like a trusted connection to your phone, it is a point of vulnerability.”
The femtocell may electronically look like a cell tower to your phone, but to a hacker Wysopal said, it’s a lot easier to get into than a real cell tower. “It’s a physical device that an attacker can get their hands on they can open it up,” he said. “That’s not something you can do with a cell tower, obviously, because it’s a locked building with fences around it.”
For its part, Verizon says it has its own team of security experts who are regularly looking for vulnerabilities in its hardware and software. But the company says it’s a constant battle. Like building a better safe at a bank, it will deter more people but nothing is perfect, Verizon says.
Ritter of iSEC says there are much better fixes than what Verizon has done, but they cost a lot more money.
“I make sure that I don’t send anything over the phone that I wouldn’t be comfortable with someone else seeing,” Ritter said.