Chinese researchers unveiled a new mobile phone hacking technique during a talk at this year’s Black Hat hacker conference in Las Vegas, Nevada. The researchers are from Qihoo 360’s Unicorn Team, which specializes in hacking radio and cellular technology. On Thursday, July 27th, the Unicorn Team delivered a presentation at Black Hat on their new research into cellular phone hacking, titled “‘Ghost Telephonist’ Link Hijack Exploitations in 4G LTE CS Fallback.” The vulnerability discovered by the Unicorn Team involves a problem with Circuit Switched Fallback on 4G LTE cellular networks. On a 4G LTE cellular network, an authentication check is performed to ensure that a device and number are correct. However, when traveling between different cell towers with older networks like 2G, the authentication check is not performed. This is done to keep the connection more stable.
The vulnerability discovered by the Unicorn Team is particularly hard to detect: if an attacker takes control of a victim’s cellular phone number, the victim may never know. The vulnerability can cause big problems for victims, because an attacker using the technique could take control of the victim’s social media accounts. Social media sites like Facebook both allow searching for user profiles by phone number and allow a user to reset their password with a cell phone, so an attacker who has gained control of a victim’s number could find the victim’s social media account, reset the password, and gain control of the account.
The researchers with the Unicorn Team say they have contacted the organizations which create the standards for mobile networks and have disclosed the vulnerability to them. According to the Unicorn Team, some cellular service providers have already fixed the issue and others are currently working on implementing solutions. The researchers have recommended that cellular service providers change their authentication process or switch to more secure technologies. One of the possible ways cell phone users could protect themselves is by switching to airplane mode. “If you are in airplane mode, that means your phone already told the network, ‘I’m offline’,” Lin Huang, a researcher with the Unicorn Team, told CNET.
A better way for users to try to avoid vulnerabilities such as the Ghost Telephonist is to use apps such as AIMSICD (Android IMSI Catcher Detector). The AIMSICD app helps alert users to, and prevent them from connecting to, cell towers which use weak encryption or no encryption at all. The Ghost Telephonist hacking technique relies on victims connecting to such cell towers. It is likely that the same exploits the Unicorn Team has discovered are being used in newer IMSI catchers, which are popularly known as Stingrays. These Stingray devices are often used by law enforcement agencies, intelligence agencies, militaries, and hackers. They are used to conduct mass surveillance on cellular device users and to track the location of cellular devices.
This is not the first time the Unicorn Team has presented findings of huge security flaws. Earlier this year the Chinese researchers with the Unicorn Team discovered how to steal cars with just 20 dollars’ worth of radio gear. The researchers were able to spoof the wireless keys of cars which had keyless entry systems installed. The encryption used on the keyless entry systems was not cracked; instead, the researchers recorded the transmissions used to unlock the car and were then able to replay them and gain entry. Two years ago the Unicorn Team was also in Las Vegas, at the DEFCON hacker conference, demonstrating techniques they had developed to spoof GPS signals. The researchers used SDR (Software Defined Radio) to replay old GPS signals and create new ones. Using the GPS spoofing techniques they developed, they were able to manipulate a drone which used GPS signals to control where it flew.