Hack this: Researchers turn Verizon device into ‘mobile spy station’
Tom Ritter and Doug DePerry demonstrated for Reuters how it is
technically possible to eavesdrop on text messages, photos and
phone calls made with an Android phone and an iPhone by using
compromised Verizon products.
The hacking requires nothing more than a femtocell, which serves as a small cellphone tower to boost signal reception, which Verizon sells for $250; dozens of other carriers also offer the same technology.
The finding comes at a time of intense international debate about privacy after former NSA analyst Edward Snowden last month blew the whistle on a top-secret US surveillance program, known as PRISM, which has the capability to collect and store records on telephone and internet communications around the world.
The Verizon discovery, however, would put the power of spying into the hands of ordinary citizens, according to the researchers.
"This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people," said Tom Ritter, a senior consultant with the security firm iSEC Partners.
Verizon announced it has updated the software on its femtocells to thwart hackers from carrying out a similar attack on its system.
But Ritter said diligent hackers will be able to discover other ways to hack mobile phone customers of Verizon, as well as those offered by other carriers.
The two researchers, who plan to give more intensive demonstrations at the upcoming Black Hat and Def Con hacking conferences in Las Vegas, declined to show how they were able to compromise the software.
The researchers admitted that, with a little effort, they could have ‘weaponized’ the system for ‘stealth attacks’ by bundling the equipment needed for a surveillance operation into a backpack that could be dropped near a specific target, Reuters reported.
They gave as an example “a group interested in potential mergers might place such a backpack in Manhattan restaurants frequented by investment bankers.”
Verizon's website said the booster device has a 40-foot range, but the researchers believe that range could be expanded by adding special antennas.
While the iSEC researchers admit they are not the first to demonstrate the vulnerabilities of femtocells, they say they are the first to hack the femtocells of an American carrier, and one that operates on a wireless standard known as CDMA.
CTIA, a wireless industry group headquartered in Washington, in February published a report that pointed to femtocells as a potential point of weakness in the wireless system.
John Marinho, CTIA's vice president for cyber security and Technology, said the group has been more concerned about other potential attacks, such as malicious apps. He said he is unaware of any incidences where an attack was launched via femtocells.
Still, he added, the wireless industry is monitoring the issue: "Threats change every day," he told Reuters.